Looking for SERIOUS statements on asterisk 1.8 with Fail2ban

Hello geeks,

First of all, I am very disappointed and maybe you can find this frustration in my choice of words. If anybody feels offended, please note that this was not my intention.

I have been using asterisk since version 1.2, and as time went by I decided to choose asterisk 1.8 for a new setup. Now I am facing the problem which has been discussed in many threads here but for which I was not able to find a SERIOUS answer - may someone from digium please be so nice and explain in clear words, WHY they changed the code so that I am not able to block attacking IPs?

Yes, you guys know what I mean:

All those discussions that popped up here and their related answers just let me think one thing: “You guys gotta be kidding me.”

I do not know how other voip-admins work on security issues but one of the first things I do is to use SIPVICIOUS against asterisk on the external interface to see what information an attacker might gain. And it is hilarious that I cannot block such IPs (with Fail2Ban or AgentSmith) because asterisk “was re-programmed in such a way” that it lazily does not log the attacking IP.

Of course, I always set alwaysauthreject and allowguest to the suggested values, because with that security issue I do not have a choice! Of course I never used type=friend as long as I do not need to. All these tips do not shoot the problem and should always be used where appropriate.

I do really wonder how this change of behaviour can be accepted by anyone in the voip-area. Since I do not see any changes on this topic I tend to write some exploits with my fellows at metasploit to prove how this issue can lead to a DoS-attack - maybe then someone wakes up @ digium.

Trying to bring it back to a constructive discussion:

  1. Why did you change the code for logging?
  2. Is there a patch that corrects the logging of asterisk?
  3. If there is one patch, why isn’t it integrated in 1.8-CURRENT?
  4. Does digium really suggest its customers to fall back to version 1.6 or even 1.4?
  5. Did you ever use SIPVICIOUS?
  6. What else plea you got?

Best wishes, r0n

To reach the people who could answer this, or change the behaviour, you need to use the developer mailing list.

(Although it probably won’t actually reach the right people, this is a rare case where Asterisk General would have been the right forum on this board.)

Thank you for your answer, david55, I tried answering on this post: viewtopic.php?t=77070 but I wasn’t able to.

What do you suggest? Posting the same issue here on Asterisk - General? Or should I go directly to the mailing list?

Meanwhile it seems to me the serious answer to that issue is: “Go back to 1.4”.

I can’t see why you wouldn’t be able to reply to that thread.

However, I would go to the developer list if you want any chance of making a difference.

They may try and redirect you back here if they think you want a workaround.

Hello david55,

Pushing on “post reply” always sends me to the main page, but maybe it was due to my fresh registration process. Never mind.

I now installed 1.4.44 and guess what: my attacks with sipvicious do not even appear in the logs. When I started sipvicious with ./svwar.py -m OPTIONS -e100 -vv "my.internal.ip.here" on 1.8 it produced the “sending fake auth” but in 1.4 nothing appears. Maybe I did not configure the system similarly.

It is up to everyone to choose for yourself if you can consider this as a feature or a bug :wink: I should really install both versions and see if my statements are correct.

*Sometimes the SIP-implementation in asterisk reminds me of the smtp-protocol. And surely, voice spam will be the next big thing …*

Hi,

1.8 doesn’t respond well to attacks in the logs so fail2ban works. There are some tweaks that can be made to the source so the IP is reported; I don’t have them to hand though.

As to SIP security, check cyber-cottage.co.uk/en/2012/11/b … -security/ and see if you are set up as per this.