On Fri, Sep 27, 2019, at 11:31 AM, Administrator TOOTAI wrote: > Hi list, > > I would like to now what is the sense of such type of entry in security.log > > [2019-09-27 15:12:24] SECURITY[26964] res_security_log.c: > SecurityEvent="ChallengeSent",EventTV="2019-09-27T15:12:24.181+0200",Severity="Informational",Servic > e="PJSIP",EventVersion="1",AccountID="<unknown>", > SessionID="[email protected]",LocalAddress="IPV4/UDP/<MyAddress>/5060", > RemoteAddress="IPV4/UDP/<attackerIP>/5213",Challenge="" > > We have a lot of such tries coming from IPs not allowed and fail2ban > fail to ban them because of SecurityEvent not treated and Severity > Informational. > > We add a fail2ban filter to ban those IPs which is OK on our side but > also means that attacker knows that account is not existing. > > Any comment appreciate
SIP uses a challenge/response mechanism for authentication. The above indicates that a challenge was sent. The remote side is under no obligation to retry with authentication and may choose not to. If they did and failed another message would occur. -- Joshua C. Colp Digium - A Sangoma Company | Senior Software Developer 445 Jan Davis Drive NW - Huntsville, AL 35806 - US Check us out at: www.digium.com & www.asterisk.org -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
