Summary: ASTERISK-25338: Failed to authenticate device messages don't report connection ip
Reporter: John Fawcett (john fawcett)
Labels:
Date Opened: 2015-08-22 17:10:23
Date Closed: 2015-08-23 11:33:16
Priority: Minor
Regression?:
Status: Closed/Complete
Components: Channels/chan_sip/Security Framework
Versions: 11.19.0
Frequency of Occurrence:
Related Issues:
Environment: Centos 7.1
Attachments:
Description:

I use fail2ban to parse asterisk logs and block ips originating failed authentication attempts. I noticed that fail2ban picks up requests which included my own external ip (w.x.y.z in the log below). While I can whitelist my ip in fail2ban, it is a missed opportunity to block the real ip from which the attack is coming.

Would it be possible to log the source ip rather than my ip, which I presume was forged in the sip header?

Example log message containing my ip w.x.y.z:

    [2015-08-22 23:55:47] NOTICE[9171][C-000000b4] chan_sip.c: Failed to authenticate device 401<sip:401@w.x.y.z>;tag=9988cc3e

Example invite request showing the real ip is 199.48.164.236:

    <--- SIP read from UDP:199.48.164.236:5071 --->
    INVITE sip:000972597803794@w.x.y.z SIP/2.0
    To: 000972597803794<sip:000972597803794@w.x.y.z>
    From: 401<sip:401@w.x.y.z>;tag=9988cc3e
    Via: SIP/2.0/UDP 199.48.164.236:5071;branch=z9hG4bK-9605c9e790e0d0dd9b8445fa89c72c50;rport
    Call-ID: c2746e206bee6ac4d99357b08827a641
    CSeq: 2 INVITE
    Contact: <sip:401@199.48.164.236:5071>
    Max-Forwards: 70
    Allow: INVITE, ACK, CANCEL, BYE
    User-Agent: sipcli/v1.8
    Content-Type: application/sdp
    Authorization: Digest username="401",realm="asterisk",nonce="08fb1042",uri="sip:000972597803794@w.x.y.z",response="77a5c887dbd175ab54fb30a0d6b12ca4",algorithm=MD5
    Content-Length: 284
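The report's core point is that the NOTICE line names the host from the From URI, which the sender writes, while the only address Asterisk can vouch for is the transport source in the "SIP read from" line. The following added example (not part of the ticket or of Asterisk) parses the trace and the NOTICE line quoted above, both embedded as constructed samples with the reporter's w.x.y.z placeholder left in, and shows that the host a log-based ban would extract from the NOTICE message differs from the address the packet actually came from. The header-parsing helpers and the regexes are assumptions written for this illustration, not fail2ban's own filters.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample: the INVITE trace quoted in the report (w.x.y.z is the
# reporter's placeholder for their own external address).
SAMPLE_TRACE = """<--- SIP read from UDP:199.48.164.236:5071 --->
INVITE sip:000972597803794@w.x.y.z SIP/2.0
To: 000972597803794<sip:000972597803794@w.x.y.z>
From: 401<sip:401@w.x.y.z>;tag=9988cc3e
Via: SIP/2.0/UDP 199.48.164.236:5071;branch=z9hG4bK-9605c9e790e0d0dd9b8445fa89c72c50;rport
Call-ID: c2746e206bee6ac4d99357b08827a641
CSeq: 2 INVITE
Contact: <sip:401@199.48.164.236:5071>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Authorization: Digest username="401",realm="asterisk",nonce="08fb1042",uri="sip:000972597803794@w.x.y.z",response="77a5c887dbd175ab54fb30a0d6b12ca4",algorithm=MD5
Content-Length: 284
"""

# Constructed sample: the chan_sip NOTICE line quoted in the report.
SAMPLE_NOTICE = ("[2015-08-22 23:55:47] NOTICE[9171][C-000000b4] chan_sip.c: "
                 "Failed to authenticate device 401<sip:401@w.x.y.z>;tag=9988cc3e")

# Transport source as printed in an Asterisk SIP debug trace (assumed layout,
# matching the line in the report). This is the address the kernel delivered
# the datagram from, so it is the only one the sender cannot simply write.
TRANSPORT_RE = re.compile(
    r"<--- SIP read from (?P<proto>[A-Z]+):(?P<host>[^:\s]+):(?P<port>\d+) --->")

# Host part of a sip: URI; stops at ':' (port), ';' (params) or '>'.
# Handles IPv4 literals and hostnames only; a bracketed IPv6 literal would
# need separate handling.
SIP_URI_HOST_RE = re.compile(r"sip:(?:[^@>\s]*@)?(?P<host>[^:;>\s]+)")

# The host that a naive log filter would pull out of the NOTICE message.
NOTICE_RE = re.compile(
    r"Failed to authenticate device .*?<sip:[^@>]*@(?P<host>[^:;>]+)")


def notice_host(line: str) -> Optional[str]:
    """Host named in the 'Failed to authenticate device' message (From URI)."""
    m = NOTICE_RE.search(line)
    return m.group("host") if m else None


def transport_source(trace: str) -> Optional[Tuple[str, str, int]]:
    """(proto, host, port) the request was actually received from."""
    m = TRANSPORT_RE.search(trace)
    if not m:
        return None
    return m.group("proto"), m.group("host"), int(m.group("port"))


def header(trace: str, name: str) -> Optional[str]:
    """Value of the first SIP header called `name` (case-insensitive)."""
    for line in trace.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return value.strip()
    return None


def uri_host(value: Optional[str]) -> Optional[str]:
    """Host of the first sip: URI inside a header value, if any."""
    if value is None:
        return None
    m = SIP_URI_HOST_RE.search(value)
    return m.group("host") if m else None


def analyze(trace: str, notice: str) -> Dict[str, object]:
    """Compare the sender-controlled hosts with the transport source.

    From, To, Via and Contact are all set by whoever built the packet, so any
    of them may name the victim; a ban should key on the transport source.
    """
    src = transport_source(trace)
    result: Dict[str, object] = {
        "notice_host": notice_host(notice),
        "transport_source": src[1] if src else None,
        "from_host": uri_host(header(trace, "From")),
        "contact_host": uri_host(header(trace, "Contact")),
    }
    result["notice_points_at_sender"] = (
        result["notice_host"] == result["transport_source"])
    # The address worth feeding to a ban action is the transport source.
    result["ban_candidate"] = result["transport_source"]
    return result


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_TRACE, SAMPLE_NOTICE).items():
        print(f"{key}: {value}")
```

Run against the samples, `notice_host` comes back as the reporter's own placeholder address while `transport_source` is 199.48.164.236, which is exactly the mismatch that made fail2ban pick up the wrong ip in the report; a filter that keys on a log line carrying the received-from address avoids it.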
Comments:

By: Asterisk Team (asteriskteam) 2015-08-22 17:10:26.471-0500

Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process].

By: Michael L. Young (elguero) 2015-08-23 08:59:01.495-0500

I would recommend using the security log for this. Fail2ban even has information on their wiki on how to set this up for use with fail2ban. http://www.fail2ban.org/wiki/index.php/Asterisk Also, make sure you are using a newer version of fail2ban that comes with recent filters.

By: John Fawcett (john fawcett) 2015-08-23 11:31:22.690-0500

Thanks, the security log did contain the remote ips, so I will use that for monitoring. This probably means that I can do away with having fail2ban watch the messages log if every authentication event is also logged to the security log. Also much of fail2ban's regex for asterisk can be eliminated, leaving only the one that matches on security log format. This issue can be closed.