vicidial.org

[Acidshock]

Hi Guys,

I just encountered a brute force attempt on a box that wasn't throwing any errors into the CLI. It was using 1.4.44-vici that came with Vicibox 4.0.3. Has anyone experienced this yet? I strace'd asterisk and got this:

close(39) = 0
sendto(10, "SIP/2.0 100 Trying\r\nVia: SIP/2.0"..., 368, 0, {sa_family=AF_INET, sin_port=htons(5102), sin_addr=inet_addr("198.7.57.40")}, 16) = 368
sendto(10, "SIP/2.0 401 Unauthorized\r\nVia: S"..., 465, 0, {sa_family=AF_INET, sin_port=htons(5102), sin_addr=inet_addr("198.7.57.40")}, 16) = 465
poll([{fd=10, events=POLLIN}], 1, 1) = 1 ([{fd=10, revents=POLLIN}])
recvfrom(10, "REGISTER sip:209.X.X.X SIP/2."..., 4095, 0, {sa_family=AF_INET, sin_port=htons(5102), sin_addr=inet_addr("198.7.57.40")}, [16]) = 333
socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 39
connect(39, {sa_family=AF_INET, sin_port=htons(5060), sin_addr=inet_addr("198.7.57.40")}, 16) = 0

However nothing was showing in the logs or CLI for something like fail2ban to catch. They were probably running somewhere in the neighborhood of 1000 queries or more a second. Just wondering if anyone else has encountered this and if its just an issue with that version of asterisk. Unfortunately there are remotely logged in agents on this system and it needs to allow registration from outside.

[williamconley]

1) if registration attempts were not tossing errors, and you are the sort capable of this sort of level of packet capture, I'm going to operate under the assumption that YOU turned off some level of warning in the console. Have you edited logger.conf?

2) http://www.viciwiki.com/index.php/DGG
DGG Includes the ability for remote agents to self-authorize their IP, until which they CANNOT get a packet into asterisk to even verify that there is an asterisk server on the IP address. Very handy. (and using the existing Vicidial logon screen ... but without any logos or "vicidial" indicators until AFTER they log in). No extra steps for the agent, just a new "first" login page.

[Acidshock]

[logfiles]
console => notice,warning,error,dtmf
messages => notice,warning,error,debug,verbose,dtmf

That's what is in logger. It should spit it out shouldn't it?

[williamconley]

check "message" in var/log/asterisk and see if it has sip registration failures. you may find they are "verbose" and not sent to the console.

also be sure you have rebooted since then for new settings to be sure to take effect.