How to capture bad registration requests

NoSoup4You2 · January 3, 2019, 6:50pm

I am wondering if there is a way to capture via AMI or so all bad / failed reservation attempts. Ideally i would like to monitor my system and then when i get a notification check against a db and some rules to add the IP to a Firewall Black List. For example if they try to register more then 5 times in hr from Same ip with bad password and if it is an Ip not in my whitelist etc. I can see stuff in my debug console like this

[2019-01-03 10:25:22] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '"sipvicious"<sip:100@1.1.1.1>' for '185.53.91.27:5070' - blacklisted useragent 'friendly-scanner'
[2019-01-03 10:25:22] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '"sipvicious"<sip:100@1.1.1.1>' for '185.53.91.27:5070' - blacklisted useragent 'friendly-scanner'
[2019-01-03 10:40:10] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '"sipvicious"<sip:100@1.1.1.1>' for '185.53.88.18:6773' - blacklisted useragent 'friendly-scanner'
[2019-01-03 10:40:11] NOTICE[2288]: chan_sip.c:28864 handle_incoming: Ignore 'OPTIONS' from '"sipvicious"<sip:100@1.1.1.1>' for '185.53.88.18:6773' - blacklisted useragent 'friendly-scanner'

but i am wondering how can i access it via AMI or any other way ?

cerien.jean · January 3, 2019, 8:51pm

that is more or less the function of fail2ban - however, I am quite puzzled by the messages ‘blacklisted useragent’ - it appears as if they are produced by chan_sip, however, I see no such message in the code, and no such message in the doc !
what version are you using ?

NoSoup4You2 · January 3, 2019, 9:07pm

Its Asterisk 13.24.0 running on thirdlane. I know that fail2ban will handle some but i like to actually move a step further and add them to the edge firewall. So is there a way to capture any failed registrations

cerien.jean · January 3, 2019, 9:22pm

I dont really know about thirdlane, but it looks like they’ve altered the code to blacklist some useragents. You may want to look at the /var/log/asterisk/security.log file (as stated in /etc/asterisk/logger.conf) - if the feature has been correctly implemented, you should find an entry in there. I also believe you can configure the fail2ban action to do whatever you want, and to prompt for any message you want, so I’d still think that is the tool you need.

ambiorixg12 · January 4, 2019, 2:38am

Asterisk fire events when there is wrong authentication attemp like https://wiki.asterisk.org/wiki/display/AST/Asterisk+13+ManagerEvent_InvalidPassword