Securing with Fail2Ban, can't explain how this gets through

Ok. I got fail2ban running and pretty much all password attempts get stopped in their tracks. However, I still see the following logs. What is this? I know it’s not me. But I don’t understand why there are no “Invalid password” follow-ups being written to the log?

[2015-05-05 15:40:20] SECURITY[2635] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2015-05-05T15:40:20.663-0500",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:8888@192.168.100.100:5060",SessionID="0x7f4b80000998",LocalAddress="IPV4/UDP/1.2.3.4/5060",RemoteAddress="IPV4/UDP/62.210.244.73/5070",Challenge="4d6e2c9c"

RemoteAddress is the hacker’s address. But there are no security events other than “ChallengeSent” in the logs. And obviously, this IP is not getting banned. So, how is this possible in Asterisk?

The attacker didn’t attempt to supply a password, or the attempt got blocked by the firewall.

Note: fail2ban rate limits. Some attacks have to reach Asterisk for it to learn the attacker’s address.

I’m still not sure how this is possible. fail2ban goes strictly by logs. But it won’t ban until it sees a SecurityEvent about a bad password. This one is like a request that never gets answered by Asterisk… How do I check in detail?

No firewall involved.

fail2ban will not work without a firewall as it works by manipulating the firewall rules.

The normal sequence for an authenticated request is that the client sends an unauthenticated one, the server responds with 401, giving the authentication type and any cryptographic challenge, and the client repeats with the authentication. The repeat hasn’t happened. My guess is that that is because this was a genuine misconfiguration, not an attack.
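
The sequence described in the last reply can be checked against the log: a remote address that only ever triggers "ChallengeSent" never produces the failure event a fail2ban filter matches on. The following is an added example, not code from the thread, Asterisk or fail2ban; it assumes the key="value" layout of the line in the question, and the sample lines are constructed with documentation addresses.

```python
import re
from collections import defaultdict

# Constructed sample lines, abbreviated to the fields used below.
# Addresses are documentation ranges; Challenge values are made up.
SAMPLE_LOG = """\
[2015-05-05 15:40:20] SECURITY[2635] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",RemoteAddress="IPV4/UDP/198.51.100.7/5070",Challenge="aaaa0001"
[2015-05-05 15:40:21] NOTICE[2635] chan_sip.c: constructed non-security line
[2015-05-05 15:40:25] SECURITY[2635] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",RemoteAddress="IPV4/UDP/198.51.100.7/5070",Challenge="aaaa0002"
[2015-05-05 15:40:30] SECURITY[2635] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",RemoteAddress="IPV4/UDP/198.51.100.7/5070",Challenge="aaaa0003"
[2015-05-05 15:41:00] SECURITY[2635] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.5/5060",Challenge="bbbb0001"
[2015-05-05 15:41:01] SECURITY[2635] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",RemoteAddress="IPV4/UDP/203.0.113.5/5060",Challenge="bbbb0001"
"""

FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_event(line):
    """Return the key="value" fields of a SECURITY line, or None for other lines."""
    if 'SecurityEvent="' not in line:
        return None
    return dict(FIELD_RE.findall(line))

def remote_ip(fields):
    """RemoteAddress looks like IPV4/UDP/<ip>/<port>; return only the IP."""
    parts = fields.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) >= 4 else None

def summarize(log_text):
    """Count each SecurityEvent type per remote IP."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        fields = parse_event(line)
        ip = remote_ip(fields) if fields else None
        if ip:
            per_ip[ip][fields["SecurityEvent"]] += 1
    return per_ip

def challenge_only(log_text):
    """IPs that were challenged but never produced any follow-up event.

    A follow-up is any SecurityEvent other than ChallengeSent, so no list of
    event names has to be maintained here.
    """
    return {ip: events["ChallengeSent"]
            for ip, events in summarize(log_text).items()
            if set(events) == {"ChallengeSent"}}

if __name__ == "__main__":
    for ip, count in challenge_only(SAMPLE_LOG).items():
        print(f"{ip}: {count} challenges sent, no authenticated retry logged")
```

Addresses reported here are the ones that never sent the authenticated retry, which is why no failure event exists for them.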