Asterisk 1.8.23.0-vici source patch

PostPosted: Mon Dec 09, 2013 11:13 am
by marcin
I understand that the source code for Asterisk 1.8.23.0-vici is available for download at http://download.vicidial.com/required-a ... ici.tar.gz.
Due to this Asterisk version's issues with logging the attacker IP:
[2013-12-09 08:21:35] NOTICE[2226] chan_sip.c: Failed to authenticate device 200<sip:200@MY IP>;tag=23754701
[2013-12-09 08:21:35] NOTICE[2226] chan_sip.c: Failed to authenticate device 200<sip:200@MY IP>;tag=e865f2fe
[2013-12-09 08:21:36] NOTICE[2226] chan_sip.c: Failed to authenticate device 200<sip:200@MY IP>;tag=6c9d1e0e
[2013-12-09 08:21:36] NOTICE[2226] chan_sip.c: Failed to authenticate device 200<sip:200@MY IP>;tag=31c166f0
[2013-12-09 08:21:37] NOTICE[2226] chan_sip.c: Failed to authenticate device 200<sip:200@MY IP>;tag=568c5031

I attempted to recompile the chan_sip.c module with the patch applied by hand in 4 different places

/* ast_log(LOG_NOTICE, "Failed to authenticate device %s\n", get_header(req, "From")); */
ast_log(LOG_NOTICE, "Failed to authenticate device %s [IP: %s]\n", get_header(req, "From"), ast_sockaddr_stringify(addr));

to log the IP of the attacker so fail2ban can read it; however, the following error appears:

[2013-12-08 21:02:58] WARNING[6025] loader.c: Module 'chan_sip.so' was not compiled with the same compile-time options as this version of Asterisk.
[2013-12-08 21:02:58] WARNING[6025] loader.c: Module 'chan_sip.so' will not be initialized as it may cause instability.
[2013-12-08 21:02:58] WARNING[6025] loader.c: Module 'chan_sip.so' could not be loaded.

and the compiled modules are much, much bigger in size:
original module:
-rwxr-xr-x 1 root root 17298 Aug 6 20:27 /usr/lib/asterisk/modules/cdr_csv.so
newly compiled module without any changes:
-rwxr-xr-x 1 root root 214391 Dec 8 20:26 /usr/local/src/asterisk-1.8.23.0/cdr/cdr_csv.so

The installation is ViciBox 32-bit.

Re: Asterisk 1.8.23.0-vici source patch

PostPosted: Mon Dec 09, 2013 10:58 pm
by williamconley
Let me see if I understand this correctly.

You want the SIP protocol to log an IP. But you can already SEE the IP in the NOTICE log on the command line. So you recompiled it instead of modifying "logger.conf" in /etc/asterisk?

Or are you saying that the IP is incorrect (?) and / or it's not actually logging this data?

Also, and this is very important if you ask me: Are you SURE you want fail2ban to kill an IP for a SIP registration fail? Your first "oops" when you put the wrong secret in a soft phone or attempt to register to the wrong server of a cluster could lock out an entire call center ... with fail2ban.

We prefer WHITELIST. Lock down the entire server and only allow "known good guys" to access it. You can then take it one step further and create a 'good guys' list that is editable with a simple php web page (so your NON IT STAFF can add/remove IPs from that simple one-purpose web page without command line access). None of which involves the risk of wiping an entire call center off the system until the IT department gets back from lunch. Just sayin' ... LOL

Have a look here: ViciWiki.com ... look for Dynamic Good Guys. Before you install it, DGG requires that full lockdown. If you want the simple web page, install DGG. And then uninstall fail2ban and the guys in China will never know you have a server.

As far as strange sizes in compiled files, I would suggest you compile it before making any changes and perform all of this on a virtual server. Honestly, we've not recompiled Asterisk on a client machine in months. And I don't think we've needed to recompile 1.8 for a client at all yet. Or I'd be more helpful in that regard. 8(

And why 32-bit? We don't even use 32-bit in our virtual servers.

Re: Asterisk 1.8.23.0-vici source patch

PostPosted: Tue Dec 10, 2013 9:19 am
by marcin
I also prefer and practice a whitelist firewall setup, but some of the users are on dynamic IPs and such an option is not available.

This is an example of the attack on the SIP port:
[2013-12-09 08:21:35] NOTICE[2226] chan_sip.c: Failed to authenticate device 200<sip:200@MY IP>;tag=23754701
[2013-12-09 08:21:35] NOTICE[2226] chan_sip.c: Failed to authenticate device 200<sip:200@MY IP>;tag=e865f2fe
[2013-12-09 08:21:36] NOTICE[2226] chan_sip.c: Failed to authenticate device 200<sip:200@MY IP>;tag=6c9d1e0e
The attacker sends INVITE without registration and Asterisk 1.8 is not logging the IP address of the attacker.
The option does not exist and cannot be enabled in logger.conf.
I use fail2ban to examine the logs and ban the IPs of attackers after 6 unsuccessful attempts.
In order to log the attacker IP in such an attack, the mentioned patch has to be applied to chan_sip.c.

The result has been successfully achieved on a VICIdial system built from scratch, but not on systems installed from the ISO.

I will look into the DGG solution, but for now do you have any advice, other than reinstalling Asterisk with all the modules?

It is a client's 32-bit server.
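As an added illustration (not code from the thread, from VICIdial or from Asterisk), a Python sketch of the fail2ban-style rule marcin describes: it reads NOTICE lines in both the stock format and the patched "[IP: ...]" format, counts failures per source within a time window, and reports which sources cross the 6-attempt threshold, while showing why the unpatched lines cannot be banned on at all. The log lines, the function names and the addresses (documentation ranges) are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The NOTICE line as chan_sip.c writes it; the "[IP: ...]" suffix only exists with
# the patch from the thread, so that group is optional and is None when absent.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Failed to authenticate device "
    r".*?(?: \[IP: (?P<ip>[0-9.]+)\])?$"
)

def find_bannable(lines, maxretry=6, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban an IP with >= maxretry failures inside findtime.
    Returns (sorted IPs to ban, count of failures carrying no IP to attribute)."""
    hits = defaultdict(list)
    unattributed = 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                      # not a SIP auth failure, ignore
        if m.group("ip") is None:
            unattributed += 1             # unpatched format: nothing to ban on
            continue
        hits[m.group("ip")].append(datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"))
    banned = []
    for ip, times in hits.items():
        times.sort()
        # any window of maxretry consecutive failures that fits inside findtime
        if any(times[i + maxretry - 1] - times[i] <= findtime
               for i in range(len(times) - maxretry + 1)):
            banned.append(ip)
    return sorted(banned), unattributed

# Constructed sample log: one unpatched line (no IP), six patched failures from one
# source within two seconds, two from another. Both IPs are documentation addresses.
PREFIX = "NOTICE[2226] chan_sip.c: Failed to authenticate device "
SAMPLE_LOG = (
    ["[2013-12-09 08:21:35] " + PREFIX + "200<sip:200@MY IP>;tag=23754701"]
    + ["[2013-12-09 08:21:%02d] %s200<sip:200@MY IP>;tag=%08x [IP: 203.0.113.5]"
       % (35 + i // 3, PREFIX, 0x1000 + i) for i in range(6)]
    + ["[2013-12-09 08:21:40] %s201<sip:201@MY IP>;tag=%08x [IP: 198.51.100.7]"
       % (PREFIX, t) for t in (0x2000, 0x2001)]
)

if __name__ == "__main__":
    print(find_bannable(SAMPLE_LOG))   # → (['203.0.113.5'], 1)
```

The unattributed count is the gap the thread is about: without the patched format every one of those NOTICE lines looks identical to fail2ban, so the threshold never triggers against the right source.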