vicidial.org

[gservices]

Hello
I receive failed authentication from local server Ip on asterisk. Local server IP is the IP of vicibox IP.
But the interesting is that I not have "Sip 6002"

Code: Select all

NOTICE[2491]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 6002<sip:6002@95.107.1xx.xxx>;tag=38c84d9e

Can give me answer please

[bbakirtas]

i think someone attacking your server.i got this problem.I closed my server connection to other country.

[gservices]

Thanks bbakirtas
My server is with public server with public IP on WAN, i use for work out of office.
And the IP <sip:6002@95.107.1xx.xxx>; is vicibox ip.
I use Fail2Ban and i receive anytime email from Fail2Ban that: ASTERISK: banned 95.107.1xx.xxx. This is own server IP

[williamconley]

Ordinarly this means that a user failed to register a phone. Do you have a sip phone extension 6002?

[gservices]

thank Williamconley
I don't have sip phone 6002.
Every time i receive the same mesage on asterisk with diferent sip phone. i don't have this sip phone on my vici.
now i receve this mesage

Code: Select all

NOTICE[2491]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2012<sip:2012@myvicibox>;tag=50d9f59d

[williamconley]

assuming you are correct and that these are not merely "old phones" still trying to connect even though they were for an old system on this same IP address (prior install of Vicidial?) ... you are experiencing a "brute force sip attack". You need to IP Whitelist lock your system NOW. Seriously.

[gservices]

this is a new system, is stand Up 2 month ago, in all are 6 sip phone number. I no had such sip phone number before.
For BRUTE FORCE SIP ATTACH i have install fail2ban and work correctly, i receive email:

Code: Select all

Hi,
The IP 64.120.249.178 has just been banned by Fail2Ban after
21 attempts against ASTERISK.
Here are more information about 64.120.249.178:
Regards,
Fail2Ban

The message that give me astrerisk is different from attacker login from another IP

[williamconley]

Which is why we use IP whitelisting instead of fail2ban. Fail2ban will not stop a DOS attack, as it has to "get" the packets before dropping them. It will slow down a brute force, or require that the attacker rotate IPs, but will not stop a brute force from becoming a DOS attack if the attacker is unaware that fail2ban has locked them out. They may continue to send packets and lock up your server even though fail2ban is dropping the packets.

Whitelist, on the other hand, does not Ever respond to the attacker. They never find out Asterisk (or ssh, or any other process) is running on the server. So ... nothing to attack. A pure whitelist system will even make it appear that there is No Server present. An even better "nothing to attack" scenario.

[Eksbaks]

can we block the IP range of the attacker in the router optionally?

[williamconley]

of course you can. but they will notice that they have been blocked and change IP addresses and hit you again. perhaps in a few minutes, perhaps in a few hours. but they will be back. and they may note the time they were cut off and hit during a different period to avoid ... interaction with you.

but if you whitelist, only ALLOW good users, then you are safe (at the present state of the internet, LOL).

http://viciwiki.com/index.php/DGG

[Eksbaks]

thanks wiliamconley !

[gservices]

Today i Receive many request for authenticate users. This are from my VICI ip.
I can't have one answer for this problem!

Code: Select all

[2013-03-22 09:10:39] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3961<sip:3961@myvicidialserver>;tag=6dbb7457
[2013-03-22 09:10:40] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3961<sip:3961@myvicidialserver>;tag=061011a1
[2013-03-22 09:10:46] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2990<sip:2990@myvicidialserver>;tag=e649393b
[2013-03-22 09:10:47] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2990<sip:2990@myvicidialserver>;tag=6ff92f44
[2013-03-22 09:10:56] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3962<sip:3962@myvicidialserver>;tag=6a06599a
[2013-03-22 09:10:56] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3962<sip:3962@myvicidialserver>;tag=8384a79e
[2013-03-22 09:11:01]   == Parsing '/etc/asterisk/manager.conf': [2013-03-22 09:11:01] Found
[2013-03-22 09:11:01]   == Manager 'sendcron' logged on from 127.0.0.1
[2013-03-22 09:11:01]   == Parsing '/etc/asterisk/manager.conf': [2013-03-22 09:11:01] Found
[2013-03-22 09:11:01]   == Manager 'sendcron' logged on from 127.0.0.1
[2013-03-22 09:11:01]   == Manager 'sendcron' logged off from 127.0.0.1
[2013-03-22 09:11:02]   == Manager 'sendcron' logged off from 127.0.0.1
[2013-03-22 09:11:06]   == Parsing '/etc/asterisk/manager.conf': [2013-03-22 09:11:06] Found
[2013-03-22 09:11:06]   == Manager 'sendcron' logged on from 127.0.0.1
[2013-03-22 09:11:06]   == Manager 'sendcron' logged off from 127.0.0.1
[2013-03-22 09:11:07] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2991<sip:2991@myvicidialserver>;tag=cd8a4024
[2013-03-22 09:11:09] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3963<sip:3963@myvicidialserver>;tag=97215f97
[2013-03-22 09:11:10] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3963<sip:3963@myvicidialserver>;tag=e3602866
[2013-03-22 09:11:21] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2992<sip:2992@myvicidialserver>;tag=0da0b68f
[2013-03-22 09:11:22] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2992<sip:2992@myvicidialserver>;tag=5191642c
[2013-03-22 09:11:26] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3964<sip:3964@myvicidialserver>;tag=01b9ee07
[2013-03-22 09:11:26] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3964<sip:3964@myvicidialserver>;tag=c19c3ca2
[2013-03-22 09:11:37] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2993<sip:2993@myvicidialserver>;tag=cca26f81
[2013-03-22 09:11:37] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2993<sip:2993@myvicidialserver>;tag=0fc4ac56
[2013-03-22 09:11:39]   == Refreshing DNS lookups.
[2013-03-22 09:11:42] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3965<sip:3965@myvicidialserver>;tag=ebfa070c
[2013-03-22 09:11:43] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3965<sip:3965@myvicidialserver>;tag=d1190fbe
[2013-03-22 09:11:53] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2994<sip:2994@myvicidialserver>;tag=c02c89be
[2013-03-22 09:11:53] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2994<sip:2994@myvicidialserver>;tag=6392b7e5
[2013-03-22 09:11:56] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3966<sip:3966@myvicidialserver>;tag=2a6f3e04
[2013-03-22 09:11:57] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3966<sip:3966@myvicidialserver>;tag=9497abc2
[2013-03-22 09:12:02]   == Parsing '/etc/asterisk/manager.conf': [2013-03-22 09:12:02] Found
[2013-03-22 09:12:02]   == Manager 'sendcron' logged on from 127.0.0.1
[2013-03-22 09:12:02]   == Manager 'sendcron' logged off from 127.0.0.1
[2013-03-22 09:12:02]   == Parsing '/etc/asterisk/manager.conf': [2013-03-22 09:12:02] Found
[2013-03-22 09:12:02]   == Manager 'sendcron' logged on from 127.0.0.1
[2013-03-22 09:12:02]   == Manager 'sendcron' logged off from 127.0.0.1
[2013-03-22 09:12:07]   == Parsing '/etc/asterisk/manager.conf': [2013-03-22 09:12:07] Found
[2013-03-22 09:12:07]   == Manager 'sendcron' logged on from 127.0.0.1
[2013-03-22 09:12:07]   == Manager 'sendcron' logged off from 127.0.0.1
[2013-03-22 09:12:08] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2995<sip:2995@myvicidialserver>;tag=b6bc7895
[2013-03-22 09:12:09] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2995<sip:2995@myvicidialserver>;tag=a1e76b01
[2013-03-22 09:12:13] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3967<sip:3967@myvicidialserver>;tag=43f8dec0
[2013-03-22 09:12:13] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3967<sip:3967@myvicidialserver>;tag=d8cf2d67
[2013-03-22 09:12:25] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2996<sip:2996@myvicidialserver>;tag=5195ddfc
[2013-03-22 09:12:25] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2996<sip:2996@myvicidialserver>;tag=c3e448f3
[2013-03-22 09:12:26] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3968<sip:3968@myvicidialserver>;tag=c4031ff7
[2013-03-22 09:12:27] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3968<sip:3968@myvicidialserver>;tag=97d928c4
[2013-03-22 09:12:40] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2997<sip:2997@myvicidialserver>;tag=92e8b610
[2013-03-22 09:12:41] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2997<sip:2997@myvicidialserver>;tag=5a537d87
[2013-03-22 09:12:44] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3969<sip:3969@myvicidialserver>;tag=c815b508
[2013-03-22 09:12:45] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3969<sip:3969@myvicidialserver>;tag=328155ef
[2013-03-22 09:12:56] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2998<sip:2998@myvicidialserver>;tag=6fe3172f
[2013-03-22 09:12:57] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2998<sip:2998@myvicidialserver>;tag=6c2e6c1b
[2013-03-22 09:13:01] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3970<sip:3970@myvicidialserver>;tag=74a7c868
[2013-03-22 09:13:01]   == Parsing '/etc/asterisk/manager.conf': [2013-03-22 09:13:01] Found
[2013-03-22 09:13:01]   == Manager 'sendcron' logged on from 127.0.0.1
[2013-03-22 09:13:01]   == Parsing '/etc/asterisk/manager.conf': [2013-03-22 09:13:01] Found
[2013-03-22 09:13:01]   == Manager 'sendcron' logged on from 127.0.0.1
[2013-03-22 09:13:01]   == Manager 'sendcron' logged off from 127.0.0.1
[2013-03-22 09:13:01] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3970<sip:3970@myvicidialserver>;tag=59a160c8
[2013-03-22 09:13:01]   == Manager 'sendcron' logged off from 127.0.0.1
[2013-03-22 09:13:06]   == Parsing '/etc/asterisk/manager.conf': [2013-03-22 09:13:06] Found
[2013-03-22 09:13:06]   == Manager 'sendcron' logged on from 127.0.0.1
[2013-03-22 09:13:06]   == Manager 'sendcron' logged off from 127.0.0.1
[2013-03-22 09:13:12] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2999<sip:2999@myvicidialserver>;tag=18abcee2
[2013-03-22 09:13:12] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 2999<sip:2999@myvicidialserver>;tag=ae287fff
[2013-03-22 09:13:17] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3971<sip:3971@myvicidialserver>;tag=3d3937b6
[2013-03-22 09:13:18] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3971<sip:3971@myvicidialserver>;tag=feebaca4
[2013-03-22 09:13:27] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3000<sip:3000@myvicidialserver>;tag=25c98524
[2013-03-22 09:13:28] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3000<sip:3000@myvicidialserver>;tag=ff053831


[DomeDan]

They are not from your vicidial server. They are TO your sever.

A work-around to be able to see where they come from is to add this to your sip configuration (Account Entry, Carrier in admin-section):
alwaysauthreject=yes
allowguest=no

my sources:
http://forums.digium.com/viewtopic.php?t=74947
http://forums.digium.com/viewtopic.php?t=77070

What asterisk version do you got?

[gservices]

Thank DomeDan.
I have changed: alwaysauthreject=yes, allowguest=no
And now i receved only:

Code: Select all

NOTICE[2513]: chan_sip.c:15730 handle_request_invite: Sending fake auth rejection for user 4552<sip:4552@myvicidialserver>;tag=7bd98b62
[2013-03-22 11:46:51] NOTICE[2513]: chan_sip.c:15730 handle_request_invite: Sending fake auth rejection for user 4552<sip:4552@myvicidialserver>;tag=7bd98b62
[2013-03-22 11:46:51] NOTICE[2513]: chan_sip.c:15730 handle_request_invite: Sending fake auth rejection for user 4552<sip:4552@myvicidialserver>;tag=08f92778
[2013-03-22 11:46:52] NOTICE[2513]: chan_sip.c:15730 handle_request_invite: Sending fake auth rejection for user 4552<sip:4552@myvicidialserver>;tag=08f92778

How to modify to view the source IP, and my Fail2ban to lock attacked from the Ip

[DomeDan]

What asterisk version do you got?

[gservices]

Asterisk v.1.4.44-vici

[DomeDan]

This problem is deeper then I thought, here is more reading on the topic: http://forums.digium.com/viewtopic.php?t=78988

post all the content in your Account Entry.

The settings I'm interested in is type and insecure, here's a quote from the digium forum

It is also worth mentioning, if people used type=peer instead of type=friend, none of these attacks would have a chance of succeeding as type=peer forces registration which fail2ban already knows how to protect.

[williamconley]

Today i Receive many request for authenticate users. This are from my VICI ip.
I can't have one answer for this problem!

Code: Select all

[2013-03-22 09:10:39] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3961<sip:3961@myvicidialserver>;tag=6dbb7457
[2013-03-22 09:10:40] NOTICE[2513]: chan_sip.c:15733 handle_request_invite: Failed to authenticate user 3961<sip:3961@myvicidialserver>;tag=061011a1
...


They are not actually from your vici ip. The asterisk system is identifying the user that failed to authenticate and the machine on which the user account resides, which is of course your asterisk server. You can use iftop to identify the actual IP of the caller and shut it off again. But as I said, they will just change IP addresses again. Whitelist! LOL But a properly configured fail2ban should have killed this connection upon failure unless it actually relies on the IP address in the asterisk log file ..? But we never use anything until after we have the whitelist in place. To date nobody has ever needed more than that (although adding fail2ban back in would be fairly easy, no one has ever asked for it because it's not necessary so far).