How to capture bad registration requests


#1

I am wondering if there is a way to capture, via AMI or something similar, all bad / failed registration attempts. Ideally I would like to monitor my system and then, when I get a notification, check against a DB and some rules to add the IP to a firewall blacklist. For example, if they try to register more than 5 times in an hour from the same IP with a bad password, and it is an IP not in my whitelist, etc. I can see stuff in my debug console like this:

[2019-01-03 10:25:22] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '"sipvicious"<sip:100@1.1.1.1>' for '185.53.91.27:5070' - blacklisted useragent 'friendly-scanner'
[2019-01-03 10:25:22] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '"sipvicious"<sip:100@1.1.1.1>' for '185.53.91.27:5070' - blacklisted useragent 'friendly-scanner'
[2019-01-03 10:40:10] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '"sipvicious"<sip:100@1.1.1.1>' for '185.53.88.18:6773' - blacklisted useragent 'friendly-scanner'
[2019-01-03 10:40:11] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '"sipvicious"<sip:100@1.1.1.1>' for '185.53.88.18:6773' - blacklisted useragent 'friendly-scanner'

but I am wondering how I can access it via AMI or any other way?


#2

That is more or less the function of fail2ban. However, I am quite puzzled by the messages ‘blacklisted useragent’: it appears as if they are produced by chan_sip, however, I see no such message in the code, and no such message in the docs!
What version are you using?


#3

It's Asterisk 13.24.0 running on Thirdlane. I know that fail2ban will handle some, but I'd like to actually move a step further and add them to the edge firewall. So is there a way to capture any failed registrations?


#4

I don't really know about Thirdlane, but it looks like they've altered the code to blacklist some user agents. You may want to look at the /var/log/asterisk/security.log file (as stated in /etc/asterisk/logger.conf); if the feature has been correctly implemented, you should find an entry in there. I also believe you can configure the fail2ban action to do whatever you want, and to trigger on any message you want, so I'd still think that is the tool you need.


#5

Asterisk fires events when there is a wrong authentication attempt, like https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+ManagerEvent_InvalidPassword
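
The rule from the question (more than 5 failures from one IP inside an hour, IP not whitelisted) applied to both sources mentioned in this thread, as an added example that is not code from the thread, from Asterisk or from Thirdlane. It parses chan_sip NOTICE lines of the shape quoted in the question (the four quoted lines are reused as sample input; the "Wrong password" lines, the unrelated retransmission line and the AMI frames are constructed) and AMI InvalidPassword frames, and feeds both into one sliding-window counter. Assumptions: the address after "for '...'" in the log line is the peer that sent the request (the same reading fail2ban's stock asterisk filter uses), the blacklisted-useragent ignores count as failures alongside wrong passwords, RemoteAddress in the AMI event has the form IPV4/UDP/ip/port, EventTV is an ISO-8601 timestamp, and the whitelist ranges and threshold values are placeholders. Reading security.log or connecting to the AMI socket, and the firewall action itself, are left to the caller.

```python
"""Find brute-force SIP registration sources from chan_sip NOTICE log lines and AMI
InvalidPassword events: THRESHOLD failures from one IP inside WINDOW_SECONDS, IP not
whitelisted. Added example for this thread; not Asterisk or Thirdlane code."""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

THRESHOLD = 5          # failures per source IP ... (assumed, taken from the question)
WINDOW_SECONDS = 3600  # ... within one hour
WHITELIST = [ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24")]  # assumed trusted ranges

# The address after "for '...'" is taken as the peer that sent the request (assumption;
# fail2ban's stock asterisk filter reads chan_sip lines the same way).
LOG_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: chan_sip\.c:\d+ \w+: "
    r".*?\bfor '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.+)$")


def parse_log_line(line):
    """Return (timestamp, ip, reason) for a matching chan_sip NOTICE line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["reason"]


def parse_ami_events(text):
    """Yield (timestamp, ip, reason) for every InvalidPassword frame in raw AMI text.
    AMI frames are 'Key: Value' lines ended by an empty line. RemoteAddress is assumed
    to be 'IPV4/UDP/<ip>/<port>', EventTV an ISO-8601 stamp (first 19 chars used)."""
    for frame in re.split(r"\r?\n\r?\n", text):
        fields = {}
        for line in frame.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields.get("Event") != "InvalidPassword":
            continue
        ip = fields["RemoteAddress"].split("/")[2]
        ts = datetime.strptime(fields["EventTV"][:19], "%Y-%m-%dT%H:%M:%S")
        yield ts, ip, "InvalidPassword for AccountID " + fields.get("AccountID", "?")


class FailureTracker:
    """Sliding-window failure counter per IP; whitelisted sources never trip it."""

    def __init__(self, threshold=THRESHOLD, window=WINDOW_SECONDS, whitelist=WHITELIST):
        self.threshold, self.window, self.whitelist = threshold, window, whitelist
        self.history = defaultdict(deque)

    def is_whitelisted(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.whitelist)

    def record(self, ts, ip):
        """Record one failure at time ts; return True if ip should now be blocked."""
        if self.is_whitelisted(ip):
            return False
        seen = self.history[ip]
        seen.append(ts)
        while (ts - seen[0]).total_seconds() > self.window:  # drop entries outside window
            seen.popleft()
        return len(seen) >= self.threshold


def ips_to_block(log_lines, ami_text, tracker=None):
    """Merge both sources in time order; return the sorted list of IPs that tripped."""
    tracker = tracker or FailureTracker()
    events = [e for e in map(parse_log_line, log_lines) if e]
    events += list(parse_ami_events(ami_text))
    blocked = set()
    for ts, ip, _reason in sorted(events, key=lambda e: e[0]):
        if tracker.record(ts, ip):
            blocked.add(ip)
    return sorted(blocked)


# Constructed sample input. The first four log lines are the ones quoted in the
# question; the rest are made up in chan_sip's "Wrong password" wording.
def _wrong_password(ts, ip_port):
    return (f"[{ts}] NOTICE[2288]: chan_sip.c:25100 handle_request_register: Registration "
            f"from '\"100\" <sip:100@1.1.1.1>' failed for '{ip_port}' - Wrong password")

SAMPLE_LOG = [
    "[2019-01-03 10:25:22] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '\"sipvicious\"<sip:100@1.1.1.1>' for '185.53.91.27:5070' - blacklisted useragent 'friendly-scanner'",
    "[2019-01-03 10:25:22] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '\"sipvicious\"<sip:100@1.1.1.1>' for '185.53.91.27:5070' - blacklisted useragent 'friendly-scanner'",
    "[2019-01-03 10:40:10] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '\"sipvicious\"<sip:100@1.1.1.1>' for '185.53.88.18:6773' - blacklisted useragent 'friendly-scanner'",
    "[2019-01-03 10:40:11] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '\"sipvicious\"<sip:100@1.1.1.1>' for '185.53.88.18:6773' - blacklisted useragent 'friendly-scanner'",
    _wrong_password("2019-01-03 10:41:00", "185.53.91.27:5070"),
    _wrong_password("2019-01-03 10:41:02", "185.53.91.27:5070"),
    _wrong_password("2019-01-03 12:00:00", "185.53.88.18:6773"),  # >1h after its first two
    _wrong_password("2019-01-03 12:00:01", "185.53.88.18:6773"),
    "[2019-01-03 12:00:02] NOTICE[2288]: chan_sip.c:4080 retrans_pkt: Retransmission timeout reached on transmission 123 for seqno 102 (Critical Request)",  # not an auth failure
] + [_wrong_password(f"2019-01-03 12:05:0{i}", "10.0.0.5:5060") for i in range(6)]  # whitelisted

SAMPLE_AMI = (  # three InvalidPassword frames and one unrelated SuccessfulAuth frame
    "Event: InvalidPassword\r\nPrivilege: security,all\r\nEventTV: 2019-01-03T10:42:00.000+0000\r\n"
    "Severity: Error\r\nService: SIP\r\nEventVersion: 2\r\nAccountID: 100\r\n"
    "LocalAddress: IPV4/UDP/203.0.113.10/5060\r\nRemoteAddress: IPV4/UDP/185.53.91.27/5070\r\n\r\n"
    "Event: InvalidPassword\r\nPrivilege: security,all\r\nEventTV: 2019-01-03T10:42:03.000+0000\r\n"
    "Severity: Error\r\nService: SIP\r\nAccountID: 100\r\nRemoteAddress: IPV4/UDP/185.53.91.27/5070\r\n\r\n"
    "Event: InvalidPassword\r\nPrivilege: security,all\r\nEventTV: 2019-01-03T12:00:05.000+0000\r\n"
    "Severity: Error\r\nService: SIP\r\nAccountID: 101\r\nRemoteAddress: IPV4/UDP/185.53.88.18/6773\r\n\r\n"
    "Event: SuccessfulAuth\r\nPrivilege: security,all\r\nEventTV: 2019-01-03T12:00:06.000+0000\r\n"
    "Service: SIP\r\nAccountID: 200\r\nRemoteAddress: IPV4/UDP/203.0.113.20/5060\r\n\r\n"
)

if __name__ == "__main__":
    for ip in ips_to_block(SAMPLE_LOG, SAMPLE_AMI):
        print("block", ip)  # hand this to the edge firewall / blacklist
```

With the sample data only 185.53.91.27 trips the rule: its two ignored OPTIONS scans, two wrong passwords and two AMI events all fall inside one hour. 185.53.88.18 does not, because its two 10:40 scans have aged out of the window by the time the 12:00 failures arrive, and 10.0.0.5 is never counted because it is whitelisted. In production the same functions would be fed from a tail of security.log (the file #4 points to) or from an AMI connection with the security privilege, and the resulting IPs handed to whatever pushes rules to the edge firewall.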