Hi,

On Sat, May 04, 2013 at 05:43:51AM +0200, Dominik Strnad wrote:
> Package: Asterisk
> Version: 1.6.2.9-2+squeeze10
>
> As mentioned on Digium forum:
> http://forums.digium.com/viewtopic.php?t=78988
> http://forums.digium.com/viewtopic.php?t=77070
> http://forums.asterisk.org/viewtopic.php?t=74947
>
> Problem: Asterisk 1.6 does not log the source IP address used for brute force
> attacks in some cases. Thus usage of Fail2ban or other tools is limited.
>
> Details: When using alwaysauthreject=yes in sip.conf, the source IP of the
> attacker is not logged when rejecting INVITES from not registered devices
> trying to authenticate at call beginning (only the asterisk server IP itself
> is logged).
>
> Solution: As Digium will not solve this issue even though this problem
> concerns a lot of users, I created a small patch solving it, allowing fail2ban
> to correctly handle such brute force attacks.
> Thanks,
>
> Before patch:
>
> [2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection
> for device 1011<sip:1011@10.98.231.154:5060>;tag=3b82edc2
>
> After patch:
>
> [2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection
> for device '303<sip:303@10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'

I have not tested it yet. At first glance, I like it. I agree that
breaking fail2ban is a major issue.

-- 
Tzafrir Cohen
icq#16849755 jabber:tzafrir.co...@xorcom.com
+972-50-7952406 mailto:tzafrir.co...@xorcom.com
http://www.xorcom.com iax:gu...@local.xorcom.com/tzafrir
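
Added example, not part of the original message or of the proposed patch: a small Python check showing what a log-based blocker can and cannot extract from the two log formats quoted above. The regex, the function names and the `max_retry` threshold are assumptions made for illustration; this is not fail2ban's shipped filter.

```python
import re
import ipaddress
from collections import Counter

# Log lines copied from the report above, rejoined onto one line each.
BEFORE = ("[2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection "
          "for device 1011<sip:1011@10.98.231.154:5060>;tag=3b82edc2")
AFTER = ("[2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection "
         "for device '303<sip:303@10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'")

# Anchored on the trailing "to '<addr>'" field. The address inside the SIP URI
# is the Asterisk server itself, so it must never be captured as the offender.
# The greedy device group plus the end anchor means only the LAST quoted field
# is taken as the host, even if the device text contains "' to '".
FAKE_REJECT = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Sending fake auth rejection for device '(?P<device>.*)' to '(?P<host>[^']+)'\s*$"
)

def source_ip(line):
    """Return the peer address of a fake-auth-rejection line, or None."""
    m = FAKE_REJECT.match(line)
    if not m:
        return None  # unpatched format: no source address to act on
    try:
        return str(ipaddress.ip_address(m.group("host")))
    except ValueError:
        return None  # field present but not an IP literal

def offenders(lines, max_retry=3):
    """Addresses with at least max_retry rejections (hypothetical threshold)."""
    counts = Counter(ip for ip in map(source_ip, lines) if ip)
    return sorted(ip for ip, n in counts.items() if n >= max_retry)

if __name__ == "__main__":
    print(source_ip(BEFORE), source_ip(AFTER))
    print(offenders([AFTER] * 3 + [BEFORE] * 5))
```

With the unpatched format no number of rejections ever yields an address to ban, and a looser pattern that grabbed the first IP on the line would ban the server's own address.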