Fail2ban 0.9.7 And Vicibox 8.0


Fail2ban 0.9.7 And Vicibox 8.0

Postby dpochet » Sun Dec 10, 2017 10:08 pm

Hi, I found an issue on Asterisk that causes fail2ban to fail to ban some IPs. I discovered this today, and I don't know how to fix it; if someone can help with a good idea.

This is the issue that I found working with fail2ban 0.9.7 on openSUSE 43.2.

My Asterisk can block some IPs, as is shown here:

Lines: 97239 lines, 0 ignored, 2291 matched, 94948 missed

But the trouble is with this IP, 158.69.248.156: when I use iftop I can see that my Asterisk is sending SIP traffic to that IP, something that cannot be, because I haven't configured any trunk yet.

So when I run a SIP debug I see that this IP sends me an INVITE, but it tries to register with my own IP, with a peer 100.

Here is the log:

[Dec 10 21:48:06] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:48:06] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:48:06] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:48:06] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:48:06] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:48:06] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:48:37]
[Dec 10 21:48:37] <--- SIP read from UDP:158.69.248.156:60136 --->
[Dec 10 21:48:37] INVITE sip:901146406829422@X.X.X.X SIP/2.0
[Dec 10 21:48:37] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK99071379
[Dec 10 21:48:37] Max-Forwards: 70
[Dec 10 21:48:37] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:37] To: <sip:901146406829422@X.X.X.X>
[Dec 10 21:48:37] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:37] CSeq: 1 INVITE
[Dec 10 21:48:37] Contact: <sip:100@158.69.248.156:60136>
[Dec 10 21:48:37] Content-Type: application/sdp
[Dec 10 21:48:37] Content-Length: 207
[Dec 10 21:48:37] Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
[Dec 10 21:48:37] User-Agent: amanda25
[Dec 10 21:48:37]
[Dec 10 21:48:37] v=0
[Dec 10 21:48:37] o=100 16264 18299 IN IP4 192.168.1.83
[Dec 10 21:48:37] s=call
[Dec 10 21:48:37] c=IN IP4 192.168.1.83
[Dec 10 21:48:37] t=0 0
[Dec 10 21:48:37] m=audio 25282 RTP/AVP 0 101
[Dec 10 21:48:37] a=rtpmap:0 pcmu/8000
[Dec 10 21:48:37] a=rtpmap:8 pcma/8000
[Dec 10 21:48:37] a=rtpmap:101 telephone-event/8000
[Dec 10 21:48:37] a=fmtp:101 0-11
[Dec 10 21:48:37] <------------->
[Dec 10 21:48:37] --- (12 headers 10 lines) ---
[Dec 10 21:48:37] Sending to 158.69.248.156:60136 (NAT)
[Dec 10 21:48:37] Sending to 158.69.248.156:60136 (NAT)
[Dec 10 21:48:37] Using INVITE request as basis request - 553707481-1964631866-554468479
[Dec 10 21:48:37] No matching peer for '100' from '158.69.248.156:60136'
[Dec 10 21:48:37]
[Dec 10 21:48:37] <--- Reliably Transmitting (NAT) to 158.69.248.156:60136 --->
[Dec 10 21:48:37] SIP/2.0 401 Unauthorized
[Dec 10 21:48:37] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK99071379;received=158.69.248.156;rport=60136
[Dec 10 21:48:37] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:37] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:48:37] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:37] CSeq: 1 INVITE
[Dec 10 21:48:37] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:48:37] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:48:37] Supported: replaces, timer
[Dec 10 21:48:37] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="48368265"
[Dec 10 21:48:37] Content-Length: 0
[Dec 10 21:48:37]
[Dec 10 21:48:37]
[Dec 10 21:48:37] <------------>
[Dec 10 21:48:37] Scheduling destruction of SIP dialog '553707481-1964631866-554468479' in 32000 ms (Method: INVITE)
[Dec 10 21:48:37]
[Dec 10 21:48:37] <--- SIP read from UDP:158.69.248.156:60136 --->
[Dec 10 21:48:37] ACK sip:901146406829422@X.X.X.X SIP/2.0
[Dec 10 21:48:37] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK99071379
[Dec 10 21:48:37] Max-Forwards: 70
[Dec 10 21:48:37] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:37] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:48:37] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:37] CSeq: 1 ACK
[Dec 10 21:48:37] Content-Length: 0
[Dec 10 21:48:37] User-Agent: amanda25
[Dec 10 21:48:37]
[Dec 10 21:48:37] <------------->
[Dec 10 21:48:37] --- (9 headers 0 lines) ---
[Dec 10 21:48:37]
[Dec 10 21:48:37] <--- SIP read from UDP:158.69.248.156:60136 --->
[Dec 10 21:48:37] INVITE sip:901146406829422@X.X.X.X SIP/2.0
[Dec 10 21:48:37] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143
[Dec 10 21:48:37] Max-Forwards: 70
[Dec 10 21:48:37] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:37] To: <sip:901146406829422@X.X.X.X>
[Dec 10 21:48:37] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:37] CSeq: 2 INVITE
[Dec 10 21:48:37] Contact: <sip:100@158.69.248.156:60136>
[Dec 10 21:48:37] Content-Type: application/sdp
[Dec 10 21:48:37] Content-Length: 207
[Dec 10 21:48:37] Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
[Dec 10 21:48:37] Authorization: Digest username="100",uri="sip:901146406829422@X.X.X.X",algorithm=MD5,realm="asterisk",nonce="48368265",response="21d71244251c42b3dee4dbda753bd4de"
[Dec 10 21:48:37] User-Agent: amanda25
[Dec 10 21:48:37]
[Dec 10 21:48:37] v=0
[Dec 10 21:48:37] o=100 16264 18299 IN IP4 192.168.1.83
[Dec 10 21:48:37] s=call
[Dec 10 21:48:37] c=IN IP4 192.168.1.83
[Dec 10 21:48:37] t=0 0
[Dec 10 21:48:37] m=audio 25282 RTP/AVP 0 101
[Dec 10 21:48:37] a=rtpmap:0 pcmu/8000
[Dec 10 21:48:37] a=rtpmap:8 pcma/8000
[Dec 10 21:48:37] a=rtpmap:101 telephone-event/8000
[Dec 10 21:48:37] a=fmtp:101 0-11
[Dec 10 21:48:37] <------------->
[Dec 10 21:48:37] --- (13 headers 10 lines) ---
[Dec 10 21:48:37] Sending to 158.69.248.156:60136 (NAT)
[Dec 10 21:48:37] Using INVITE request as basis request - 553707481-1964631866-554468479
[Dec 10 21:48:37] No matching peer for '100' from '158.69.248.156:60136'
[Dec 10 21:48:37] NOTICE[12712][C-0000000f]: chan_sip.c:25909 handle_request_invite: Failed to authenticate device <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:37]
[Dec 10 21:48:37] <--- Reliably Transmitting (NAT) to 158.69.248.156:60136 --->
[Dec 10 21:48:37] SIP/2.0 403 Forbidden
[Dec 10 21:48:37] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:48:37] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:37] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:48:37] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:37] CSeq: 2 INVITE
[Dec 10 21:48:37] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:48:37] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:48:37] Supported: replaces, timer
[Dec 10 21:48:37] Content-Length: 0
[Dec 10 21:48:37]
[Dec 10 21:48:37]
[Dec 10 21:48:37] <------------>
[Dec 10 21:48:37] Scheduling destruction of SIP dialog '553707481-1964631866-554468479' in 32000 ms (Method: INVITE)
[Dec 10 21:48:37] Retransmitting #1 (NAT) to 158.69.248.156:60136:
[Dec 10 21:48:37] SIP/2.0 403 Forbidden
[Dec 10 21:48:37] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:48:37] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:37] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:48:37] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:37] CSeq: 2 INVITE
[Dec 10 21:48:37] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:48:37] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:48:37] Supported: replaces, timer
[Dec 10 21:48:37] Content-Length: 0
[Dec 10 21:48:37]
[Dec 10 21:48:37]
[Dec 10 21:48:37] ---
[Dec 10 21:48:38] Retransmitting #2 (NAT) to 158.69.248.156:60136:
[Dec 10 21:48:38] SIP/2.0 403 Forbidden
[Dec 10 21:48:38] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:48:38] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:38] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:48:38] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:38] CSeq: 2 INVITE
[Dec 10 21:48:38] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:48:38] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:48:38] Supported: replaces, timer
[Dec 10 21:48:38] Content-Length: 0
[Dec 10 21:48:38]
[Dec 10 21:48:38]
[Dec 10 21:48:38] ---
[Dec 10 21:48:40] Retransmitting #3 (NAT) to 158.69.248.156:60136:
[Dec 10 21:48:40] SIP/2.0 403 Forbidden
[Dec 10 21:48:40] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:48:40] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:40] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:48:40] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:40] CSeq: 2 INVITE
[Dec 10 21:48:40] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:48:40] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:48:40] Supported: replaces, timer
[Dec 10 21:48:40] Content-Length: 0
[Dec 10 21:48:40]
[Dec 10 21:48:40]
[Dec 10 21:48:40] ---
[Dec 10 21:48:44] Retransmitting #4 (NAT) to 158.69.248.156:60136:
[Dec 10 21:48:44] SIP/2.0 403 Forbidden
[Dec 10 21:48:44] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:48:44] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:44] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:48:44] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:44] CSeq: 2 INVITE
[Dec 10 21:48:44] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:48:44] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:48:44] Supported: replaces, timer
[Dec 10 21:48:44] Content-Length: 0
[Dec 10 21:48:44]
[Dec 10 21:48:44]
[Dec 10 21:48:44] ---
[Dec 10 21:48:48] Retransmitting #5 (NAT) to 158.69.248.156:60136:
[Dec 10 21:48:48] SIP/2.0 403 Forbidden
[Dec 10 21:48:48] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:48:48] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:48] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:48:48] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:48] CSeq: 2 INVITE
[Dec 10 21:48:48] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:48:48] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:48:48] Supported: replaces, timer
[Dec 10 21:48:48] Content-Length: 0
[Dec 10 21:48:48]
[Dec 10 21:48:48]
[Dec 10 21:48:48] ---
[Dec 10 21:48:52] Retransmitting #6 (NAT) to 158.69.248.156:60136:
[Dec 10 21:48:52] SIP/2.0 403 Forbidden
[Dec 10 21:48:52] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:48:52] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:52] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:48:52] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:52] CSeq: 2 INVITE
[Dec 10 21:48:52] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:48:52] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:48:52] Supported: replaces, timer
[Dec 10 21:48:52] Content-Length: 0
[Dec 10 21:48:52]
[Dec 10 21:48:52]
[Dec 10 21:48:52] ---
[Dec 10 21:48:56] Retransmitting #7 (NAT) to 158.69.248.156:60136:
[Dec 10 21:48:56] SIP/2.0 403 Forbidden
[Dec 10 21:48:56] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:48:56] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:48:56] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:48:56] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:48:56] CSeq: 2 INVITE
[Dec 10 21:48:56] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:48:56] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:48:56] Supported: replaces, timer
[Dec 10 21:48:56] Content-Length: 0
[Dec 10 21:48:56]
[Dec 10 21:48:56]
[Dec 10 21:48:56] ---
[Dec 10 21:49:00] Retransmitting #8 (NAT) to 158.69.248.156:60136:
[Dec 10 21:49:00] SIP/2.0 403 Forbidden
[Dec 10 21:49:00] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:49:00] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:49:00] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:49:00] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:49:00] CSeq: 2 INVITE
[Dec 10 21:49:00] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:49:00] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:49:00] Supported: replaces, timer
[Dec 10 21:49:00] Content-Length: 0
[Dec 10 21:49:00]
[Dec 10 21:49:00]
[Dec 10 21:49:00] ---
[Dec 10 21:49:01] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:49:01] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:49:01] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:49:01] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:49:01] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:49:01] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:49:01] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:49:01] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:49:01] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:49:02] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:49:02] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:49:02] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:49:04] Retransmitting #9 (NAT) to 158.69.248.156:60136:
[Dec 10 21:49:04] SIP/2.0 403 Forbidden
[Dec 10 21:49:04] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:49:04] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:49:04] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:49:04] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:49:04] CSeq: 2 INVITE
[Dec 10 21:49:04] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:49:04] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:49:04] Supported: replaces, timer
[Dec 10 21:49:04] Content-Length: 0
[Dec 10 21:49:04]
[Dec 10 21:49:04]
[Dec 10 21:49:04] ---
[Dec 10 21:49:06] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:49:06] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:49:06] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:49:06] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:49:06] == Manager 'sendcron' logged on from 127.0.0.1
[Dec 10 21:49:06] == Manager 'sendcron' logged off from 127.0.0.1
[Dec 10 21:49:08] Retransmitting #10 (NAT) to 158.69.248.156:60136:
[Dec 10 21:49:08] SIP/2.0 403 Forbidden
[Dec 10 21:49:08] Via: SIP/2.0/UDP 158.69.248.156:60136;branch=z9hG4bK1967617143;received=158.69.248.156;rport=60136
[Dec 10 21:49:08] From: <sip:100@X.X.X.X>;tag=1690293665
[Dec 10 21:49:08] To: <sip:901146406829422@X.X.X.X>;tag=as001a7a0f
[Dec 10 21:49:08] Call-ID: 553707481-1964631866-554468479
[Dec 10 21:49:08] CSeq: 2 INVITE
[Dec 10 21:49:08] Server: Asterisk PBX 11.25.3-vici
[Dec 10 21:49:08] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Dec 10 21:49:08] Supported: replaces, timer
[Dec 10 21:49:08] Content-Length: 0
[Dec 10 21:49:08]
[Dec 10 21:49:08]
[Dec 10 21:49:08] ---
[Dec 10 21:49:09] WARNING[12712]: chan_sip.c:4039 retrans_pkt: Retransmission timeout reached on transmission 553707481-1964631866-554468479 for seqno 2 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/ ... nsmissions
Packet timed out after 32000ms with no response
[Dec 10 21:49:09] Really destroying SIP dialog '553707481-1964631866-554468479' Method: INVITE
-----------------------------------------------------------------------------
The X.X.X.X is where my IP goes.

So the Asterisk log just shows me this line:

NOTICE[12712][C-0000000f]: chan_sip.c:25909 handle_request_invite: Failed to authenticate device <sip:100@X.X.X.X>;tag=1690293665

I cannot make a fail2ban regex with this, because it has my own IP, so the only line that I can use is this one:

No matching peer for '100' from '158.69.248.156:60136'

But this line does not appear in the normal log; it only shows up when I enable the Asterisk "sip set debug on"...

Do you have some solution for that? Thank you.
dpochet
 
Posts: 6
Joined: Fri Apr 01, 2016 9:47 am

Re: Fail2ban 0.9.7 And Vicibox 8.0

Postby blackbird2306 » Wed Dec 20, 2017 7:28 pm

I faced the same problem some time ago. With Asterisk <= 1.8 there is no solution for this type of attack, but in Asterisk >= 11 it's possible to change "/etc/asterisk/logger.conf":
Add "security" to the logging format and change dateformat:
[general]
dateformat=%F %T

[logfiles]
console => notice,warning,error,dtmf,security
messages => notice,warning,error,debug,verbose,dtmf,security

Then restart Asterisk, or only reload the logger from the CLI:
asterisk -rx "logger reload"

Now there is a new security line with information on the attacker's IP --> RemoteAddress="IPV4/UDP/67.231.250.214", where 67.231.250.214 is the relevant IP:
[Dec 16 01:50:11] NOTICE[2233][C-000461ab] chan_sip.c: Failed to authenticate device 5001<sip:5001@xx.xx.xx.xx>;tag=3edd100b
[Dec 16 01:50:11] SECURITY[2160] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="15133853321-15770",Severity="Error",Service="SIP",EventVersion="2",AccountID="000971112984422",SessionID="0x7f23256337fd8",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/67.231.250.214/5084",Challenge="33b9824420",ReceivedChallenge="33b94420",ReceivedHash="5117e51487882619eae7ee998"


Fail2ban 0.9.7 usually should already have the right filter line in /etc/fail2ban/filter.d/asterisk.conf, something like:
^(%(__prefix_line)s|\[\]\s*)%(log_prefix)s Failed to authenticate (user|device) [^@]+@<HOST>\S*$
Vicibox 6.0.2 from Vicibox_v.6.0.x86_64-6.0.2.iso | Vicidial 2.12-560a build: 160617-1427 | Asterisk 1.8.32.3
blackbird2306
 
Posts: 409
Joined: Mon Jun 23, 2014 5:31 pm
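The following script is an added illustration of the point made in both posts above and is not code from the thread, from fail2ban, or from the Asterisk project: the legacy chan_sip "Failed to authenticate device" NOTICE reports the host of the From: URI (the PBX's own address in dpochet's trace), while the res_security_log SECURITY event reports the transport peer in RemoteAddress, which is the address a ban should target. The `HOST` token and both regexes are simplified stand-ins for fail2ban's shipped ones (assumption: the real `<HOST>` also accepts IPv6 forms), and the sample log lines are constructed, using the attacker address from the thread and a documentation-range address (203.0.113.10) in place of the PBX's own IP.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> token (assumption: the shipped token also
# accepts IPv6 and IPv4-mapped forms). It is kept as permissive as the original so the
# legacy NOTICE line matches exactly the way the thread describes.
HOST = r"(?P<host>[\w\-.^_]*\w)"

# Asterisk log prefix in either the default "[Dec 10 21:48:37]" form or the
# "[2017-12-16 01:50:11]" form produced by dateformat=%F %T.
PREFIX = r"^\[[^\]]+\]\s+"

# Legacy chan_sip NOTICE line. The address after '@' is the From: URI's host, which in
# the thread is the PBX's own IP, not the address that sent the INVITE.
LEGACY_RE = re.compile(
    PREFIX
    + r"NOTICE\[\d+\](?:\[C-[0-9a-f]+\])?:? \S+ (?:\S+: )?"
    + r"Failed to authenticate (?:user|device) [^@]+@" + HOST + r"\S*$"
)

# res_security_log SECURITY line. RemoteAddress is the transport-layer peer that
# actually sent the request, so it is the address worth banning.
SECURITY_RE = re.compile(
    PREFIX
    + r"SECURITY\[\d+\](?:\[C-[0-9a-f]+\])? res_security_log\.c: "
    + r'SecurityEvent="(?:InvalidPassword|InvalidAccountID|ChallengeResponseFailed|FailedACL)",'
    + r'.*?RemoteAddress="IPV[46]/(?:UDP|TCP|TLS)/' + HOST + r'/\d+"'
)

LOCAL_IP = "203.0.113.10"        # constructed stand-in for the PBX's own address
ATTACKER_IP = "158.69.248.156"   # the address from dpochet's trace


def extract_host(line):
    """Return ("security", host) or ("legacy", host) for a line a filter would act on,
    or None when neither pattern matches."""
    m = SECURITY_RE.match(line)
    if m:
        return ("security", m.group("host"))
    m = LEGACY_RE.match(line)
    if m:
        return ("legacy", m.group("host"))
    return None


def candidates_to_ban(lines, local_ips, maxretry=3):
    """Count failures per remote host from SECURITY events only and return the hosts
    that reached maxretry. Legacy NOTICE matches are counted separately so the operator
    can see that they would point at the PBX itself."""
    security_hits = Counter()
    legacy_hits = Counter()
    for line in lines:
        hit = extract_host(line)
        if hit is None:
            continue
        source, host = hit
        (security_hits if source == "security" else legacy_hits)[host] += 1
    banned = sorted(h for h, n in security_hits.items()
                    if n >= maxretry and h not in local_ips)
    return banned, security_hits, legacy_hits


def _sec(ts, remote_ip, remote_port):
    # Constructed SECURITY line in the shape shown in blackbird2306's post.
    return (f'[{ts}] SECURITY[2160] res_security_log.c: SecurityEvent="InvalidPassword",'
            f'EventTV="1513385411-15770",Severity="Error",Service="SIP",EventVersion="2",'
            f'AccountID="100",SessionID="0x7f2325633fd8",'
            f'LocalAddress="IPV4/UDP/{LOCAL_IP}/5060",'
            f'RemoteAddress="IPV4/UDP/{remote_ip}/{remote_port}",'
            f'Challenge="48368265",ReceivedChallenge="48368265",'
            f'ReceivedHash="00112233445566778899aabbccddeeff"')


# Constructed sample log: manager noise, the legacy NOTICE from dpochet's trace (own IP
# substituted), three SECURITY events from the attacker and one from a second host.
SAMPLE_LOG = [
    "[Dec 10 21:48:06] == Manager 'sendcron' logged on from 127.0.0.1",
    "[Dec 10 21:48:37] NOTICE[12712][C-0000000f]: chan_sip.c:25909 handle_request_invite: "
    f"Failed to authenticate device <sip:100@{LOCAL_IP}>;tag=1690293665",
    _sec("2017-12-16 01:50:11", ATTACKER_IP, 60136),
    _sec("2017-12-16 01:50:12", ATTACKER_IP, 60136),
    _sec("2017-12-16 01:50:14", ATTACKER_IP, 60137),
    _sec("2017-12-16 01:51:03", "198.51.100.7", 5084),   # single failure, below maxretry
]

if __name__ == "__main__":
    banned, sec, legacy = candidates_to_ban(SAMPLE_LOG, {LOCAL_IP})
    print("legacy NOTICE would ban:", dict(legacy))   # the PBX's own address
    print("security events per host:", dict(sec))
    print("hosts to ban:", banned)
```

With the logger.conf change from the post in place, the same distinction is what a fail2ban jail gets for free: point `logpath` at /var/log/asterisk/messages and keep the SECURITY-event failregex enabled, and the `<HOST>` captured is the peer from RemoteAddress rather than whatever the sender put in the From: header.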

