Package: asterisk
Version: 1:1.8.13.1~dfsg1-3+deb7u3
Tags: wheezy,security

I found this message in my asterisk log and began researching how to prevent this 
attack using fail2ban, but this message does not have the remote IP:

[Apr  4 04:18:56] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 200<sip:[email protected]>;tag=54c80643
[Apr  4 04:22:21] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 200<sip:[email protected]>;tag=5d4982ba
[Apr  4 04:35:06] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:[email protected]>;tag=0f0225aa
[Apr  4 04:36:58] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:[email protected]>;tag=82b0bd6e
[Apr  4 04:40:09] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:[email protected]>;tag=83fc8936
[Apr  4 04:43:11] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:[email protected]>;tag=2c1c50cf

Many other messages have the remote IP and make it possible to write a fail2ban filter 
to block this DoS, like this one: 

[Apr  1 00:13:09] NOTICE[17938] chan_sip.c: Call from '' (108.161.136.44:5081) to extension '0015207200160' rejected because extension not found in context 'default'.


This patch solves the problem: 

--- a/channels/chan_sip.c       2015-04-04 05:20:01.458550294 -0300
+++ b/channels/chan_sip.c       2015-04-04 05:25:33.640466116 -0300
@@ -22650,7 +22650,7 @@ static int handle_request_invite(struct
                        goto request_invite_cleanup;
                }
                if (res < 0) { /* Something failed in authentication */
-                       ast_log(LOG_NOTICE, "Failed to authenticate device 
%s\n", get_header(req, "From"));
+                       ast_log(LOG_NOTICE, "Failed to authenticate device %s 
for '%s'\n", get_header(req, "From"), ast_sockaddr_stringify(addr));
                        transmit_response_reliable(p, "403 Forbidden", req);
                        p->invitestate = INV_COMPLETED;
                        sip_scheddestroy(p, DEFAULT_TRANS_TIMEOUT);
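Review bot: the new NOTICE puts the peer address in `for '%s'`, while the other message this report relies on for banning prints it as `(addr:port)` after `Call from ''`; since people write fail2ban regexes against these lines, it would be better to use one layout (ideally the one the other chan_sip authentication-failure NOTICEs already use) and to mention the changed log format in the changelog. Also confirm that `addr` passed to `ast_sockaddr_stringify(addr)` is the `struct ast_sockaddr *` parameter of handle_request_invite (the received-from address) and not a shadowed local, since it is not visible in the hunk context; the `%s` count in the format string does match the two arguments supplied.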


--
Fernando Toledo
15 5515-3794
PressEnter Coop. Ltda.
http://www.pressenter.com.ar
tw: @PressEnterComAr
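A fail2ban-style detector over both message layouts, added here as an example and not part of the bug report or the Asterisk code: it shows why the unpatched NOTICE cannot be attributed to a source address while the patched `for '<ip>:<port>'` form and the existing `Call from '' (<ip>:<port>)` form can. The sample log lines, the addresses in them and the exact patched layout are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the report): line 1 is the unpatched message,
# lines 2-4 and 6 use the patched layout, line 5 is the "Call from" message.
# Note the host inside <sip:...@host> is the peer's own From header and is
# attacker-controlled, so it must never be used as the address to ban.
SAMPLE_LOG = """\
[Apr  4 04:18:56] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 200<sip:200@192.0.2.10>;tag=54c80643
[Apr  4 04:19:01] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 200<sip:200@192.0.2.10>;tag=5d4982ba for '203.0.113.7:5060'
[Apr  4 04:19:02] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:300@192.0.2.10>;tag=0f0225aa for '203.0.113.7:5060'
[Apr  4 04:19:03] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:300@192.0.2.10>;tag=82b0bd6e for '203.0.113.7:5060'
[Apr  4 04:20:09] NOTICE[17938] chan_sip.c: Call from '' (198.51.100.5:5081) to extension '0015207200160' rejected because extension not found in context 'default'.
[Apr  4 04:41:00] NOTICE[6054]: chan_sip.c:22653 handle_request_invite: Failed to authenticate device 300<sip:300@192.0.2.10>;tag=83fc8936 for '203.0.113.7:5060'
"""

TIMESTAMP = re.compile(r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d)\]")
FAILREGEX = [  # one failregex per message layout, as a fail2ban filter would have
    re.compile(r"Failed to authenticate device .* for '(?P<host>[\d.]+):\d+'"),
    re.compile(r"Call from '[^']*' \((?P<host>[\d.]+):\d+\) to extension .* rejected"),
]

def extract_failure(line):
    """Return (timestamp, source_ip) when the line names a source address, else None."""
    ts = TIMESTAMP.match(line)
    if not ts:
        return None
    for rx in FAILREGEX:
        m = rx.search(line)
        if m:
            return datetime.strptime(ts.group("ts"), "%b %d %H:%M:%S"), m.group("host")
    return None

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Mimic fail2ban: hosts with >= maxretry failures inside a findtime window.
    Also counts auth failures that carry no address and so cannot be banned."""
    events, unattributable = defaultdict(list), 0
    for line in log_text.splitlines():
        hit = extract_failure(line)
        if hit is None:
            unattributable += "Failed to authenticate device" in line
            continue
        events[hit[1]].append(hit[0])
    banned = set()
    for host, times in events.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                banned.add(host)
                break
    return banned, unattributable
```

Running `offenders(SAMPLE_LOG)` bans only 203.0.113.7 (three hits within the window) and reports one failure that, without the patch, has no address to act on.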

