  • Asterisk 11 chan_sip.c: Failed to authenticate device: the attacking IP address is not visible

    Note from the reposter: not verified.

    Original source: http://www.coochey.net/?p=61

    Asterisk 11 (FreePBX distribution) fail2ban configuration using the security log.

    I’ve been experimenting with Asterisk again, using the FreePBX distro (2.11.0.4).

    I have noticed that I get a lot of entries in the Asterisk log that look like this:

    [2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=e9a98a30
    [2013-07-06 05:11:08] NOTICE[4106][C-00000020] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=eebd8857
    [2013-07-06 05:11:12] NOTICE[4106][C-00000021] chan_sip.c: Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=243f3815
    [2013-07-06 07:19:42] NOTICE[4106][C-00000022] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=a049427e
    [2013-07-06 07:19:45] NOTICE[4106][C-00000023] chan_sip.c: Failed to authenticate device 5555<sip:5555@7aaa.bb.ccc.dd>;tag=c3c7f81b
    [2013-07-06 07:19:48] NOTICE[4106][C-00000024] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=6be78a0b
    [2013-07-06 07:19:49] NOTICE[4106][C-00000025] chan_sip.c: Failed to authenticate device 5555<sip:5555@aaa.bb.ccc.dd>;tag=1979ada5

    Where, of course, aaa.bb.ccc.dd is the address of my SIP server. Unfortunately, while FreePBX contains a fail2ban module, Asterisk doesn't write the remote address into this log file, so there is nothing in these messages that fail2ban can act upon.

    The way I have got around this involves making some custom modifications to the Asterisk configuration.

    First, we need to enable the Asterisk (v11) security logging feature.

    Edit /etc/asterisk/logger_logfiles_custom.conf and add the following:

    fail2ban2       => security,notice,warning,error

    This will create an additional log file called /var/log/asterisk/fail2ban2.

    Now we need to edit the fail2ban configuration in /etc/fail2ban to process the security logged items. FreePBX configuration is in jail.local, so we will add ours to jail.conf:

    [asterisk11-iptables]
    enabled  = true
    filter   = asterisk11
    action   = iptables-allports[name=SIP, protocol=all]
               sendmail-whois[name=SIP, dest=alerts@example.com, sender=pbx@example.com]
    logpath  = /var/log/asterisk/fail2ban2

    Finally, we create a simple regex that extracts the IP address we want to ban, and put it in /etc/fail2ban/filter.d/asterisk11.conf:

    # Fail2Ban configuration file
    #
    #
    # $Revision: 250 $
    #
    [INCLUDES]
    # Read common prefixes. If any customizations available -- read them from
    # common.local
    #before = common.conf
    [Definition]
    #_daemon = asterisk
    # Option:  failregex
    # Notes.:  regex to match the password failures messages in the logfile. The
    #          host must be matched by a group named "host". The tag "<HOST>" can
    #          be used for standard IP/hostname matching and is only an alias for
    #          (?:::f{4,6}:)?(?P<host>\S+)
    # Values:  TEXT
    #
    failregex = SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress="IPV4/UDP/<HOST>/
    #VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' (language '.*')
    # Option:  ignoreregex
    # Notes.:  regex to ignore. If this regex matches, the line is ignored.
    # Values:  TEXT
    # ignoreregex =

    That's it. We now intercept messages like the one below from the security log, which carries the remote address, and fail2ban can ban the hosts behind these authentication attempts:

    [2013-07-06 07:19:42] SECURITY[4078] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1373091582935268",Severity="Error",Service="SIP",EventVersion="2",AccountID="00972597103443",SessionID="0x7fa42c001ac8",LocalAddress="IPV4/UDP/aaa.bb.ccc.dd/5060",RemoteAddress="IPV4/UDP/37.8.1.89/5071",Challenge="61074795",ReceivedChallenge="61074795",ReceivedHash="b469462e8e7de800b54eb50ffe46de86"
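    As an added example (not code from the original post), the filter's failregex replayed in Python over constructed log lines: it expands <HOST> the way fail2ban does, then applies a minimal maxretry/findtime count, which shows why the chan_sip NOTICE lines give nothing to ban while the security-log lines do. The sample lines, the 203.0.113.7 address and the maxretry/findtime values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban replaces <HOST> in a failregex with this group (the filter comment
# above quotes it; the backslash before S is easily lost when copied).
HOST_RE = r'(?:::f{4,6}:)?(?P<host>\S+)'
# The page's failregex for /var/log/asterisk/fail2ban2 with <HOST> expanded.
FAILREGEX = re.compile(r'SECURITY.* SecurityEvent="InvalidPassword".*'
                       r'RemoteAddress="IPV4/UDP/' + HOST_RE + '/')
TS_RE = re.compile(r'^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]')

def match_line(line):
    """(timestamp, remote host) for a matching security-log line, else None."""
    m, ts = FAILREGEX.search(line), TS_RE.match(line)
    if not m or not ts:
        return None
    return datetime.strptime(ts.group(1), '%Y-%m-%d %H:%M:%S'), m.group('host')

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Replay the jail: ban a host after maxretry matches within findtime seconds."""
    window, seen, banned = timedelta(seconds=findtime), defaultdict(list), set()
    for line in lines:
        hit = match_line(line)
        if hit is None:       # e.g. a chan_sip NOTICE line: no remote IP to act on
            continue
        ts, host = hit
        seen[host] = [t for t in seen[host] if ts - t <= window] + [ts]
        if len(seen[host]) >= maxretry:
            banned.add(host)
    return banned

def security_line(ts, ip, port):
    """Constructed sample in the shape of the res_security_log.c line above."""
    return (f'[{ts}] SECURITY[4078] res_security_log.c: SecurityEvent="InvalidPassword",'
            f'Severity="Error",Service="SIP",AccountID="555",'
            f'LocalAddress="IPV4/UDP/aaa.bb.ccc.dd/5060",'
            f'RemoteAddress="IPV4/UDP/{ip}/{port}",ReceivedHash="deadbeef"')

# Constructed sample log: one chan_sip NOTICE (unusable) plus security events.
SAMPLE_LOG = [
    '[2013-07-06 05:11:06] NOTICE[4106][C-0000001f] chan_sip.c: '
    'Failed to authenticate device 555<sip:555@aaa.bb.ccc.dd>;tag=e9a98a30',
    security_line('2013-07-06 07:19:42', '37.8.1.89', 5071),
    security_line('2013-07-06 07:19:45', '37.8.1.89', 5072),
    security_line('2013-07-06 07:19:48', '37.8.1.89', 5073),
    security_line('2013-07-06 07:20:01', '203.0.113.7', 5060),  # a single failure
    security_line('2013-07-06 09:00:00', '203.0.113.7', 5060),  # outside findtime
]
```

    Calling hosts_to_ban(SAMPLE_LOG) returns only the host with three failures inside the window; the NOTICE line never contributes because it has no RemoteAddress to match.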


  • Original post: https://www.cnblogs.com/xishi/p/7114595.html