I got Asterisk 16.8.0 with fail2ban in place, which works great for the usual authentication attack scheme.
When I go to the asterisk -rvc console I see a lot of INVITE attacks like this:
<--- Transmitting SIP response (496 bytes) to UDP:126.96.36.199:26032 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 188.8.131.52:5060;rport=26032;received=184.108.40.206;branch=z9hG4bK-524287-1---q0un46kg91c5lvrx
CSeq: 1 INVITE
WWW-Authenticate: Digest realm="asterisk",nonce="1586034566/c87a37e229e2dacf5706a31857ec93c0",opaque="6c3777fa2ac4575c",algorithm=md5,qop="auth"
It does not show in the normal logs; how can I repel these attacks?
There is no single method to repel unneeded invites, but here is the one I use: An invite will produce a ‘ChallengeSent’ line in security log, like this:
[Apr 4 22:07:12] SECURITY res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2020-04-04T22:07:12.775-0400",Severity="Informational",Service="SIP",EventVersion="1",AccountID="101",SessionID="0x7fe460022080",LocalAddress="IPV4/UDP/220.127.116.11/5060",RemoteAddress="IPV4/UDP/18.104.22.168/60725",Challenge="4a765ad0"
So, someone wants to register as extension 101 - he is actually checking if that extension exists with 'ChallengeSent'. You cannot block 'ChallengeSent' transactions, as your telephones will fail to register. What I did is to have all my accounts follow a format - they look like 'AF1234567890' - and now I block with fail2ban anyone sending 'ChallengeSent', but have the following in the filter:
So, all Invites for an account not following that format get a ban, and the asterisk is quite happy.
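The filter regex itself is missing from the reply above. As an added example (not the poster's own fail2ban filter), the following Python script shows the matching logic the reply describes: every ChallengeSent line in the security log is parsed, and the remote address is flagged for banning only when the AccountID does not follow the naming convention. It assumes that 'AF1234567890' means the literal prefix AF followed by exactly ten digits, and it carries a fail2ban-style failregex alongside the plain Python regex so the two can be checked against each other. The log lines are constructed samples using documentation IP ranges.

```python
import re

# fail2ban-style failregex mirroring the reply's idea (constructed, not the poster's filter).
# fail2ban substitutes <HOST> with its own host-matching group; the negative lookahead
# rejects any AccountID that is not exactly "AF" plus ten digits (assumed convention).
FAIL2BAN_FAILREGEX = (
    r'SecurityEvent="ChallengeSent".*AccountID="(?!AF\d{10}")[^"]*"'
    r'.*RemoteAddress="IPV4/(?:UDP|TCP|TLS)/<HOST>/\d+"'
)

# The same event fields as a plain Python regex with named groups.
CHALLENGE_RE = re.compile(
    r'SecurityEvent="ChallengeSent".*?'
    r'AccountID="(?P<account>[^"]*)".*?'
    r'RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<host>[0-9.]+)/\d+"'
)

# Assumed account-name convention: literal "AF" followed by exactly ten digits.
VALID_ACCOUNT_RE = re.compile(r"^AF\d{10}$")


def ban_candidates(lines):
    """Return (account, remote_ip) pairs for ChallengeSent events whose AccountID
    does not match the convention, i.e. the lines fail2ban would act on."""
    out = []
    for line in lines:
        m = CHALLENGE_RE.search(line)
        if not m:
            continue  # not a ChallengeSent event: nothing to decide here
        if VALID_ACCOUNT_RE.match(m.group("account")):
            continue  # one of our own phones challenging normally: never ban
        out.append((m.group("account"), m.group("host")))
    return out


def fail2ban_matches(line):
    """Evaluate the fail2ban-style failregex on one line, spelling out <HOST>."""
    pattern = FAIL2BAN_FAILREGEX.replace("<HOST>", r"(?P<host>[0-9.]+)")
    return re.search(pattern, line) is not None


def _event(kind, account, remote_ip, remote_port):
    # Builds a constructed security-log line in the same shape as the reply's sample.
    return (
        '[Apr 4 22:07:12] SECURITY res_security_log.c: '
        f'SecurityEvent="{kind}",EventTV="2020-04-04T22:07:12.775-0400",'
        'Severity="Informational",Service="SIP",EventVersion="1",'
        f'AccountID="{account}",SessionID="0x7fe460022080",'
        'LocalAddress="IPV4/UDP/192.0.2.1/5060",'
        f'RemoteAddress="IPV4/UDP/{remote_ip}/{remote_port}",Challenge="4a765ad0"'
    )


# Constructed sample log: a scanner probing extension 101, a real phone with a
# conforming name, a non-ChallengeSent event, and a probe with an empty AccountID.
SAMPLE_LOG = [
    _event("ChallengeSent", "101", "198.51.100.7", 60725),
    _event("ChallengeSent", "AF1234567890", "192.0.2.10", 5060),
    _event("SuccessfulAuth", "AF1234567890", "192.0.2.10", 5060),
    _event("ChallengeSent", "", "203.0.113.9", 41000),
]


if __name__ == "__main__":
    for account, host in ban_candidates(SAMPLE_LOG):
        print(f"ban {host} (AccountID={account!r})")
    # Confirm the fail2ban-style regex agrees with the Python decision on every line.
    for line in SAMPLE_LOG:
        assert fail2ban_matches(line) == (ban_candidates([line]) != [])
```

When moving this into a real fail2ban setup, the FAIL2BAN_FAILREGEX string goes under [Definition] in a filter.d file, the jail's logpath points at the Asterisk security log, and Asterisk only writes SecurityEvent lines at all when a security channel is configured in logger.conf. Keep the conforming-account exception in place: banning on every ChallengeSent would lock out your own phones exactly as the reply warns.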