Hi,
you are welcome any time. :-)
I have been running it for a few days on two Asterisk servers without problems and I
have a bunch of hits now properly handled by fail2ban.
It would be fine to include it in the Debian package so I will not have to
patch each update - as I am terribly lazy. :-)
Best regards
Dominik
On 5.5.2013 0:47, Tzafrir Cohen wrote:
Hi,
On Sat, May 04, 2013 at 05:43:51AM +0200, Dominik Strnad wrote:
Package: Asterisk
Version: 1.6.2.9-2+squeeze10
As mentioned on the Digium forum:
http://forums.digium.com/viewtopic.php?t=78988
http://forums.digium.com/viewtopic.php?t=77070
http://forums.asterisk.org/viewtopic.php?t=74947
Problem: Asterisk 1.6 does not log the source IP address used for brute force attacks
in some cases. Thus usage of Fail2ban or other tools is limited.
Details: When using alwaysauthreject=yes in sip.conf, the source IP of the
attacker is not logged when rejecting INVITEs from unregistered devices
trying to authenticate at call beginning (only the Asterisk server IP itself is
logged).
Solution: As Digium will not solve this issue even though this problem concerns a lot
of users, I created a small patch solving it, allowing fail2ban to correctly
handle such brute force attacks.
Thanks,
Before patch:
[2013-04-28 19:33:01] NOTICE[32446] chan_sip.c: Sending fake auth rejection for
device 1011<sip:1011@10.98.231.154:5060>;tag=3b82edc2
After patch:
[2013-05-04 05:10:07] NOTICE[10851] chan_sip.c: Sending fake auth rejection for
device '303<sip:303@10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'
I have not tested it yet. At first glance, I like it. I agree that
breaking fail2ban is a major issue.
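An added example, not part of the original thread or of the patch: a Python sketch of how a log watcher could pull the source IP out of the patched "fake auth rejection" line and count hits per address. The function names, the `max_retry` threshold and the sample lines 3-5 (documentation addresses) are assumptions; the quoting format is inferred from the single "After patch" line above.

```python
import ipaddress
import re
from collections import Counter

HEAD = "chan_sip.c: Sending fake auth rejection for device "
# Constructed sample. Lines 1-2 are the report's "before"/"after" lines,
# re-joined; lines 3-5 are made up (documentation addresses, invented tags).
SAMPLE_LOG = "\n".join([
    "[2013-04-28 19:33:01] NOTICE[32446] " + HEAD
    + "1011<sip:1011@10.98.231.154:5060>;tag=3b82edc2",
    "[2013-05-04 05:10:07] NOTICE[10851] " + HEAD
    + "'303<sip:303@10.98.231.154:5060>;tag=d9210d45' to '94.23.59.135'",
    "[2013-05-04 05:10:09] NOTICE[10851] " + HEAD
    + "'100<sip:100@10.98.231.154:5060>;tag=aaaa0001' to '203.0.113.7'",
    "[2013-05-04 05:10:10] NOTICE[10851] " + HEAD
    + "'101<sip:101@10.98.231.154:5060>;tag=aaaa0002' to '203.0.113.7'",
    # Device text that itself contains a fake  ' to '<ip>'  fragment.
    "[2013-05-04 05:10:11] NOTICE[10851] " + HEAD
    + "'x' to '198.51.100.9' <sip:x@10.98.231.154>;tag=aaaa0003' to '203.0.113.7'",
])

PREFIX = re.compile(r"^\[[^\]]+\] NOTICE\[\d+\] " + re.escape(HEAD) + r"(?P<rest>.*)$")
# Anchored to end of line: the device text comes from the SIP request and is
# sender-controlled, so only the final  ' to '<ip>'  written by Asterisk counts.
SUFFIX = re.compile(r"' to '(?P<ip>[^']*)'$")

def source_ip(line):
    """Return the logged source IP, or None for pre-patch or unrelated lines."""
    m = PREFIX.match(line.strip())
    s = SUFFIX.search(m.group("rest")) if m else None
    if not s:
        return None
    try:
        return str(ipaddress.ip_address(s.group("ip")))  # reject non-IP text
    except ValueError:
        return None

def offenders(log_text, max_retry=3):
    """Addresses with at least max_retry rejections (hypothetical threshold)."""
    hits = Counter(ip for ip in map(source_ip, log_text.splitlines()) if ip)
    return sorted(ip for ip, n in hits.items() if n >= max_retry)

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The pre-patch line yields `None`, which is the gap the report describes: without the trailing address there is nothing for fail2ban to act on.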