Attack on Asterisk 11.2.1, "Sending fake auth ..." BUG?

Hey all,
I have an Asterisk 11.2.1 to learn it and test what’s going on with AST 11. I have 2 trunks and 1 provider to test; I bought it.
Asterisk had 2 easy peers like 101 and a 10-number password. Only UDP and port 5060 are open, it has fail2ban, and it is a realtime Asterisk.
Last weekend a hacker attacked my server. He sent my server to

[2013-02-24 08:58:49] NOTICE[1748][C-0000003f] chan_sip.c: Sending fake auth rejection for device 510<sip:510@my-serverip>;tag=ccc4762a
[2013-02-24 08:58:49] NOTICE[1748][C-0000003f] chan_sip.c: Sending fake auth rejection for device 520<sip:520@my-serverip>;tag=ccc4762a
[2013-02-24 08:58:49] NOTICE[1748][C-0000003f] chan_sip.c: Sending fake auth rejection for device 530<sip:530@my-serverip>;tag=ccc4762a
It is trying all peers, but my fail2ban couldn’t ban the hacker because it cannot pick up his IP but picks the server IP!
I can’t see 101 in the logs and can’t see any registration, nothing about 101! But he managed to connect to 101 and called international numbers.
And after I realized all this, I closed my server.

The real problem is: why doesn’t Asterisk write the hacker’s IP in the “Sending fake auth …” message, to prevent attackers?
Is it a bug in Asterisk 11.2.X?

I configured my sip.conf and other stuff following the 7 steps of Digium SIP security.
And yes, “there isn’t a default context”.


After that I tried some tests on my Asterisk and I saw this: after sending a “Subscribe packet”, if there is a peer/friend with that name, my Asterisk sends a “Register packet” and a “401 unauthorized packet”,
so it is easy to understand that there is a peer with that name.
And the big question is why I can’t see any log about it, and why there isn’t any “-wrong number-”!
How can someone call without registering on my server!

This problem has already been noted on the forum once or twice. This definitely is a debate for the dev mailing list. Someone must have reported this problem before, so you will probably find it on the bug/wish list.

If you are connecting your Asterisk box to the Internet, I would definitely recommend the following things:
- Don’t use extension numbers as usernames for SIP accounts. Use something more complex (i.e. Device MAC number). Attackers usually try to brute-force register to an extension number. If you don’t have extension numbers for your username, it’s highly unlikely that an attacker will guess the correct username and password.
- If you don’t need to have your Asterisk server available for SIP phones that are on the Internet, set up your server firewall so it allows VoIP traffic only to your VoIP provider.

You should, in any case, be using the security logging features, not the normal log.

The current main log behaviour is considered intended, so can only be changed by a feature request. Feature requests without patches must be made on the developer mailing list or IRC channel.

The intent of the main log message is to help someone debug a misconfigured, legitimate, client, not to allow rate limiting of hostile ones.

Just to clarify what has already been said: add the line

to logger.conf, and /var/log/asterisk/security (or wherever your log files are) will contain all the information you and fail2ban require, and a lot more besides.


Thanks for the replies.
I enabled security in my log.conf and closed all default and other contexts. Well, I should say, he could make international calls because

I fixed it to “no” so nobody can call without registration. If it is like above, when he has only a username (with a wrong password) he can call! It is really dangerous.

I hope nobody finds another crack on my server.

When you build Asterisk, it tells you to read the best practices document. That says things like don’t name your SIP devices after extension numbers.

I saw a weird thing in the log files. It was sending fake auth 101 -> 102 -> 200 -> 201 -> 202.
Isn’t it trying 103? 104? Or doesn’t Asterisk write it in the log? Or is the hacker trying another method to find users?
Because the hacker found a user without trying, or we can’t see it in the logs.

Attackers don’t want to waste time. If the low 100s respond with 404, it is likely that all the 100s will. This is why you should not use extension numbers; it is too easy to infer the existence of others once you have found one.

Thanks for the reply.
I found something on how to ban an attacker who sends “sending fake auth”. When we enable the security log, it writes all security problems and the attacker’s IP in a section. I tried to configure fail2ban to read the security log but failed.
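
One way to do the check the last post is after, as an added example that is not part of the original thread: read the security log instead of the main log and flag sources whose failures spread over several account IDs. The log lines are constructed, and their key="value" layout, the event names and the thresholds are assumptions to check against your own /var/log/asterisk/security.

```python
import re
from collections import defaultdict

# Constructed sample. The key="value" layout, the event names and the
# IPV4/UDP/<addr>/<port> address form are assumptions about the security log.
_LINE = ('[2013-02-24 08:58:49] SECURITY[1748] res_security_log.c: '
         'SecurityEvent="{ev}",Service="SIP",AccountID="{acct}",'
         'LocalAddress="IPV4/UDP/192.0.2.10/5060",'
         'RemoteAddress="IPV4/UDP/{src}/5071"')
SAMPLE_LOG = "\n".join([
    _LINE.format(ev="InvalidAccountID", acct="510", src="203.0.113.5"),
    _LINE.format(ev="InvalidAccountID", acct="520", src="203.0.113.5"),
    _LINE.format(ev="InvalidAccountID", acct="530", src="203.0.113.5"),
    _LINE.format(ev="InvalidPassword", acct="101", src="198.51.100.7"),
    _LINE.format(ev="SuccessfulAuth", acct="101", src="198.51.100.7"),
    # Main-log line as quoted in the thread: no source address to ban on.
    "[2013-02-24 08:58:49] NOTICE[1748] chan_sip.c: Sending fake auth "
    "rejection for device 510<sip:510@my-serverip>;tag=ccc4762a",
])

FIELD = re.compile(r'(\w+)="([^"]*)"')
FAILURES = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed"}

def parse_event(line):
    """Return the fields of a SECURITY line as a dict, or None for other lines."""
    return dict(FIELD.findall(line)) if "SECURITY[" in line else None

def remote_ip(fields):
    """Source address from RemoteAddress (family/transport/address/port)."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None

def sources_to_ban(log_text, max_failures=5, max_accounts=2):
    """Sources with many failures, or failures spread over many account IDs."""
    failures, accounts = defaultdict(int), defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_event(line)
        if not fields or fields.get("SecurityEvent") not in FAILURES:
            continue
        ip = remote_ip(fields)
        if ip is not None:
            failures[ip] += 1
            accounts[ip].add(fields.get("AccountID"))
    return sorted(ip for ip in failures
                  if failures[ip] > max_failures or len(accounts[ip]) > max_accounts)

if __name__ == "__main__":
    print(sources_to_ban(SAMPLE_LOG))
```

The second source, one wrong password followed by a successful login, stays under both thresholds, which is the behaviour you want for a legitimate phone with a mistyped secret.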