I am running Asterisk 1.8 and have the following problem (which also happened with 1.6 in the past).
My Asterisk box was under a brute force attack which went unnoticed for a few months.
The only result of the attack was that they identified a valid SIP username (denoted user in the log entry below).
Now they are trying to brute force the password for this user.
To prevent this (and other brute force attacks) I have installed and configured fail2ban. It works nicely and prevents about 2 SSH attacks per day.
Unfortunately, it does not do anything to prevent the SIP attacks, because Asterisk is not logging the originating IP address of the brute force attack. The log entries in messages & full are:
…where user is the valid username they were able to find via brute force and asterisk-ip is MY IP address, not the attacker’s. Obviously, based on this log entry, fail2ban cannot create an iptables rule to block further attacks.
Although I did some research on this (and some other people seem to have reported the same problem) I could not find a solution.
Many thanks in advance for all the help I will get!
This would, arguably, be considered a new feature request, so you need to write a patch against the trunk SVN version and submit it. I imagine it is quite easy to add the IP address to this message, by changing the source code - cut and paste coding is probably enough.
Note that I doubt that any of the log messages represent a guaranteed interface to asterisk. Whilst this means it would be OK to change the message, it also means that you have no comeback if there are incompatible changes in any message in future.
If I understand your answer correctly, this is not a bug or a misconfiguration of the logging mechanism but expected behavior. However, I am not sure if Asterisk 1.4 was doing the same thing, or it was including the IP. Do you think that using 1.4 would solve the problem?
A new feature request? Is this a joke? Asterisk can be brute-forced to pieces and nothing shows in the logs, and you are asking the user to write a patch for it?
The first is that in the past, Asterisk 1.4 and 1.6.2 responded differently to SIP requests from an invalid SIP user than they did to a user configured on the system. This was resolved in Asterisk Security Advisory AST-2011-011, and is corrected in versions 1.4.41.2, 1.6.2.18.2, and 1.8.4.4.
IT IS ABSOLUTELY IMPERATIVE that users of Asterisk 1.4 and 1.6.2 set alwaysauthreject=yes in the general section of sip.conf. Please read the advisory for more details.
The second claim is that Asterisk does not properly log the IP address. This may have been true for certain conditions prior to the security patch, but all current versions of Asterisk report the IP address in registration failures:
This works great with fail2ban and other monitoring/reporting/intrusion-detection systems.
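As an added example (not code from this thread or from the Asterisk project), the following Python sketch shows the fail2ban-style filter the last reply is talking about, and why the original poster's setup banned nothing. The log lines are constructed for the example: they imitate the shape of the Asterisk 1.8 chan_sip "Registration from ... failed for ..." notice, but the exact wording of each failure reason is an assumption and should be checked against your own /var/log/asterisk/full before the regex goes into a jail. A pattern that grabs the first IP on the line picks up the PBX's own address inside the SIP URI; a pattern anchored on the text after "failed for" picks up the remote address Asterisk received the REGISTER from.

```python
"""Added example: fail2ban-style filtering of Asterisk SIP registration failures."""
import re
from collections import Counter
from ipaddress import ip_address

# Constructed sample log (not from the original post). Shape follows the
# Asterisk 1.8 chan_sip registration-failure NOTICE; exact reason strings are
# an assumption. 203.0.113.10 plays the PBX's own address (asterisk-ip), the
# addresses after "failed for" play the remote attackers.
SAMPLE_LOG = """\
[Jul 14 10:01:02] NOTICE[1234] chan_sip.c: Registration from '"user" <sip:user@203.0.113.10>' failed for '198.51.100.77:5060' - Wrong password
[Jul 14 10:01:03] NOTICE[1234] chan_sip.c: Registration from '"user" <sip:user@203.0.113.10>' failed for '198.51.100.77:5060' - Wrong password
[Jul 14 10:01:04] NOTICE[1234] chan_sip.c: Registration from '"1234" <sip:1234@203.0.113.10>' failed for '192.0.2.5:5061' - No matching peer found
[Jul 14 10:02:00] NOTICE[1234] chan_sip.c: Registration from '"alice" <sip:alice@203.0.113.10>' failed for '203.0.113.55:5060' - Username/auth name mismatch
[Jul 14 10:02:30] NOTICE[1234] chan_sip.c: Peer 'bob' is now Reachable. (15ms / 2000ms)
"""

# Naive pattern: first dotted quad anywhere on the line.
NAIVE_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

# fail2ban-style failregex (in a real filter file, <HOST> stands in for the
# named group). It keys on the address after "failed for", i.e. the remote
# socket the REGISTER came from, never on the host inside the SIP URI.
FAILREGEX = re.compile(
    r"Registration from '[^\n]*?' failed for "
    r"'(?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch"
    r"|Device does not match ACL|Peer is not supposed to register)"
)


def naive_hosts(log: str) -> list[str]:
    """First IP on each registration-failure line.

    Yields the PBX's own address (the URI host) every time, which is exactly
    the situation described in the question: fail2ban would ban the server.
    """
    hosts = []
    for line in log.splitlines():
        if "Registration from" in line:
            m = NAIVE_RE.search(line)
            if m:
                hosts.append(m.group(0))
    return hosts


def offending_hosts(log: str) -> Counter:
    """Count failed REGISTER attempts per remote address, as fail2ban would."""
    counts: Counter = Counter()
    for line in log.splitlines():
        m = FAILREGEX.search(line)
        if not m:
            continue
        host = m.group("host")
        try:
            ip_address(host)  # drop garbage such as 999.1.2.3 before banning
        except ValueError:
            continue
        counts[host] += 1
    return counts


def hosts_to_ban(log: str, maxretry: int = 5) -> list[str]:
    """Remote addresses that hit fail2ban's maxretry in the sampled window.

    Real fail2ban also applies findtime; the sample is short enough that the
    whole log is treated as a single window here.
    """
    return sorted(h for h, n in offending_hosts(log).items() if n >= maxretry)


if __name__ == "__main__":
    print("naive regex sees:", set(naive_hosts(SAMPLE_LOG)))
    print("failregex sees:  ", dict(offending_hosts(SAMPLE_LOG)))
    print("ban:", hosts_to_ban(SAMPLE_LOG, maxretry=2))
```

Two things follow from the advisory quoted above: the filter is only useful on a version that actually writes the remote address into the failure message, and it should be paired with alwaysauthreject=yes, otherwise the attacker still learns which usernames exist from the differing responses long before any ban triggers.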