Package: Asterisk
Version: 1.6.2.9-2+squeeze10

As mentioned on the Digium forum:
http://forums.digium.com/viewtopic.php?t=78988
http://forums.digium.com/viewtopic.php?t=77070
http://forums.asterisk.org/viewtopic.php?t=74947

Problem: Asterisk 1.6 does not log the source IP address used for brute force attacks in some cases. Thus the usage of Fail2ban or other tools is limited.

Details: When using alwaysauthreject=yes in sip.conf, the source IP of the attacker is not logged when rejecting INVITEs from not registered devices trying to authenticate at call beginning (only the IP of the Asterisk server itself is logged).

Solution: As Digium will not solve this issue even though this problem concerns a lot of users, I created a small patch solving it, allowing fail2ban to correctly handle such brute force attacks.

Before patch:
[2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection for device 1011<sip:1011@10.98.231.154:5060>;tag=3b82edc2

After patch:
[2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection for device '303<sip:303@10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'

patch:
--- a/channels/chan_sip.c +++ b/channels/chan_sip.c @@ -20238,7 +20238,7 @@ } if (res < 0) { /* Something failed in authentication */ if (res == AUTH_FAKE_AUTH) { - ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From")); + ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr)); transmit_fake_auth_response(p, SIP_INVITE, req, XMIT_RELIABLE); } else { ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From")); 
@@ -21532,7 +21532,7 @@ return 0; if (res < 0) { if (res == AUTH_FAKE_AUTH) { - ast_log(LOG_NOTICE, "Sending fake auth rejection for device %s\n", get_header(req, "From")); + ast_log(LOG_NOTICE, "Sending fake auth rejection for device '%s' to '%s'\n", get_header(req, "From"), ast_inet_ntoa(sin->sin_addr)); transmit_fake_auth_response(p, SIP_SUBSCRIBE, req, XMIT_UNRELIABLE); } else { ast_log(LOG_NOTICE, "Failed to authenticate device %s for SUBSCRIBE\n", get_header(req, "From"));

I would welcome the possibility of this patch being inherited in the next Debian Asterisk package. :-)

Best regards,
Dominik Strnad
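
Review bot: In the INVITE hunk (@@ -20238), the else branch still logs "Failed to authenticate device %s" with only the From header, so that failure path gives a log watcher no peer address. Consider passing ast_inet_ntoa(sin->sin_addr) there too, in the same quoted form, so both branches can be matched by one filter. The visible context also does not show where sin comes from; please confirm it is the peer address of this request and cannot be NULL at this point.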
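
Review bot: In the SUBSCRIBE hunk (@@ -21532), the new format prints the From header, which the remote party controls, inside single quotes ahead of the address, so a From value that itself contains "' to '" followed by an address makes the line ambiguous for any pattern not anchored at end of line. Logging the address before the From header, or documenting that filters must match only the final to '<address>' field, would remove the ambiguity. The else branch ("Failed to authenticate device %s for SUBSCRIBE") is left without an address as well.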
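
The before/after log formats in the report, run through a small log check. This is an added example, not part of the original report or of fail2ban; the function names, the threshold and the last two sample lines are assumptions made for illustration.

```python
import re
from collections import Counter

# Patched line: "... for device '<From header>' to '<source IP>'".
# The From header is chosen by the remote party, so the address is read only
# from the last quoted field, anchored at end of line (greedy match before it).
# IPv4 only, matching the sockaddr_in used in the patch.
PATCHED = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Sending fake auth rejection for device "
    r"'(?P<from_hdr>.*)' to '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'$"
)
# Any fake-auth rejection, patched or not; used to count lines with no address.
ANY_REJECTION = re.compile(r"chan_sip\.c: Sending fake auth rejection for device ")


def source_ip(line):
    """Return the source IP of a patched rejection line, else None."""
    m = PATCHED.search(line.rstrip("\n"))
    return m.group("ip") if m else None


def summarize(lines, threshold=3):
    """Return (offenders, unattributed): IPs at or above threshold, and the
    number of rejection lines that carry no source address (unpatched format)."""
    hits, unattributed = Counter(), 0
    for line in lines:
        ip = source_ip(line)
        if ip:
            hits[ip] += 1
        elif ANY_REJECTION.search(line):
            unattributed += 1
    offenders = {ip: n for ip, n in hits.items() if n >= threshold}
    return offenders, unattributed


# First two lines are the before/after samples from the report; the last two are
# constructed for this example (the final From header imitates the suffix).
SAMPLE = [
    "[2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection for device 1011<sip:1011@10.98.231.154:5060>;tag=3b82edc2",
    "[2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection for device '303<sip:303@10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'",
    "[2013-05-04 05:10:08] NOTICE[10851] chan_sip.c: Sending fake auth rejection for device '304<sip:304@10.98.231.154:5060>;tag=aa01' to '94.23.59.135'",
    "[2013-05-04 05:10:09] NOTICE[10851] chan_sip.c: Sending fake auth rejection for device 'x' to '198.51.100.9<sip:x@10.98.231.154>' to '94.23.59.135'",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The unattributed count shows how many rejections still arrive in the unpatched format, which is the blind spot the report describes.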