| Summary: | ASTERISK-29678: Asterisk not logging IP addresses associated with device authentication failures | ||
| Reporter: | Fake Name (drizzelle) | Labels: | security |
| Date Opened: | 2021-10-02 17:34:15 | Date Closed: | |
| Priority: | Minor | Regression? | |
| Status: | Open/New | Components: | Channels/chan_sip/Security Framework |
| Versions: | 16.2.1 | Frequency of Occurrence | |
| Related Issues: | |||
| Environment: | Fresh, BRAND new Ubuntu 20 server installation, completely fresh out of the box with absolutely zero customizations whatsoever | Attachments: | |
| Description: | This problem has been reported numerous times by other users dating as far back as 2010. There are threads about it on the asterisk forums such as here for example: https://community.asterisk.org/t/missing-ip-address-in-log-cant-ban-with-fail2ban/32177/18
Unfortunately, this problem has NEVER been fixed even a decade later. My asterisk log files are filling up with stuff like this: [Oct 2 22:28:56] WARNING[10592]: chan_sip.c:4178 retrans_pkt: Timeout on 1960475124-185555950-1418451360 on non-critical invite transaction. [Oct 2 22:28:57] NOTICE[10592][C-0000018a]: chan_sip.c:26601 handle_request_invite: Failed to authenticate device <sip:300@MY_SERVER_IP_IS_HERE>;tag=1117068098 This traffic is driving up the load average on my server and is also filling up my hard drive with excessive log data. There is no way to configure fail2ban to automatically ban these attempts, because the log file is not including the IP address of the host that is triggering these messages. It only includes my own server's IP. This makes it impossible to implement any sort of automated intrusion protection without doing extremely convoluted hacks with packet sniffers or modifying the C source code files (as was suggested in that 10-year old forum thread) of asterisk so that it includes the IP in these messages and then recompiling it (also not an option for vast majority of asterisk users) This is a very serious problem and we really need a fix. We've been waiting over 10 years for this to be resolved | ||
| Comments: | By: Asterisk Team (asteriskteam) 2021-10-02 17:34:25.500-0500 This issue has been automatically restricted and set to a blocker due to being a security type issue. If this is not a security vulnerability issue it will be moved to the appropriate issue type when triaged. Please DO NOT put a code review up for this change at this time. Attach any applicable patches to this issue. By: Asterisk Team (asteriskteam) 2021-10-02 17:34:25.707-0500 Thanks for creating a report! The issue has entered the triage process. That means the issue will wait in this status until a Bug Marshal has an opportunity to review the issue. Once the issue has been reviewed you will receive comments regarding the next steps towards resolution. Please note that log messages and other files should not be sent to the Sangoma Asterisk Team unless explicitly asked for. All files should be placed on this issue in a sanitized fashion as needed. A good first step is for you to review the [Asterisk Issue Guidelines|https://wiki.asterisk.org/wiki/display/AST/Asterisk+Issue+Guidelines] if you haven't already. The guidelines detail what is expected from an Asterisk issue report. Then, if you are submitting a patch, please review the [Patch Contribution Process|https://wiki.asterisk.org/wiki/display/AST/Patch+Contribution+Process]. Please note that once your issue enters an open state it has been accepted. As Asterisk is an open source project there is no guarantee or timeframe on when your issue will be looked into. If you need expedient resolution you will need to find and pay a suitable developer. Asking for an update on your issue will not yield any progress on it and will not result in a response. All updates are posted to the issue when they occur. Please note that by submitting data, code, or documentation to Sangoma through JIRA, you accept the Terms of Use present at [https://www.asterisk.org/terms-of-use/|https://www.asterisk.org/terms-of-use/]. By: Fake Name (drizzelle) 2021-10-02 18:19:15.874-0500 Apparently it is possible to work around this by enabling security logging in /etc/asterisk/logger.conf and then modifying the default asterisk jail in fail2ban to look at /var/log/asterisk/security instead of /var/log/asterisk/messages. Needless to say, this is bad design. This should be default behavior, and hundreds of users would have saved 10 years of confusion and headache by simply having this enabled by default. Asterisk and fail2ban should work together fresh out of the box and should not require additional convoluted configuration changes just to do basic system hardening! By: Joshua C. Colp (jcolp) 2021-10-03 13:10:53.989-0500 I'm marking this issue as acknowledged since from a security logging perspective there's probably areas we can improve here. | ||