Disable replies to INVITE messages from any IP

google? then perhaps

vi /etc/asterisk/sip_general_custom.conf

OK, but if I’m not wrong you said that you just get the traffic from a different port for remote users. How?

Not the traffic, that is RTP, but the SIP signaling, usually something like server = 1.2.3.4:48123 on the client and the extension set to use port 48123 also, same rules for NAT/firewall traversal as 5060.

OK, but how do I make Asterisk listen on that port?

I thought I covered that in my last post . . . Oh yes, I did:-)

Thanks to everyone giving ideas.
I’ve now secured my IP PBX. Running on a different port and asking authorization from every IP address that is not in trunks.

I would prefer to not have any response for those IP addresses but 407 message is also good.

You are welcome.

(For the non paranoids, just because you have fail2ban installed, it doesn’t mean they are not messing with you ;-))

I was not aware of fail2ban. Thanks. I’ll check that as well.

Hi,

I’ve installed fail2ban but I couldn’t find an Asterisk log to monitor with fail2ban.
I have everything (warning, notice, error, debug) logged to /var/log/asterisk/full
But I can only see the following log format for failing invite authorisation:

“[Dec 1 12:43:22] NOTICE[2345] chan_sip.c: Sending fake auth rejection for device 1004sip:[email protected];tag=a57239b9”

x.x.x.x is my IP address, so this log does not give any idea about the attacking IP.

Any ideas?

I have found some information here:
http://www.fail2ban.org/wiki/index.php/Asterisk

But it mostly includes Registration attack logs. In my case, invite attacks are more…

What log files and log types can I use?

I suggest you use the one you create especially for intrusion detection.

A very good discussion of the how’s and why’s at

http://sourceforge.net/p/raspbx/discussion/tutorials/thread/6288a838/

Don’t worry that it’s Debian based, the concept is OS agnostic.

You will have to add your own regex for your particular scenario . . .

Thanks, but apparently the security log of Asterisk is only available after version 10.x. I use 1.8.x
So, is it supported?

I tried adding it. Module is there and I don’t get any errors. But securitylog is empty.

No you need >= 10 for SECURITY, but the NOTICE events should be there if you followed it well.
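
An added example, not part of the thread and not any poster's code: a small Python check of which chan_sip NOTICE lines give a log watcher a source IP to act on. The log lines are constructed in the layout of the line quoted above, and 192.0.2.10 is an assumed stand-in for the PBX's own address. It shows the registration failures being attributed to a sender while the "fake auth rejection" line is set aside, since the only address in it is the PBX's own.

```python
import re
from collections import Counter

# Constructed sample lines in the layout of the NOTICE line quoted in the thread.
# 192.0.2.10 stands in for the PBX's own address; the other IPs are
# documentation addresses playing remote senders.
SAMPLE_LOG = """\
[Dec 1 12:43:20] NOTICE[2345] chan_sip.c: Registration from '"1004" <sip:1004@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Dec 1 12:43:21] NOTICE[2345] chan_sip.c: Registration from '"1004" <sip:1004@192.0.2.10>' failed for '203.0.113.7:5071' - No matching peer found
[Dec 1 12:43:22] NOTICE[2345] chan_sip.c: Sending fake auth rejection for device 1004<sip:1004@192.0.2.10>;tag=a57239b9
[Dec 1 12:43:25] NOTICE[2345] chan_sip.c: Registration from '"2000" <sip:2000@192.0.2.10>' failed for '198.51.100.23' - Wrong password
[Dec 1 12:43:26] VERBOSE[2345] pbx.c: unrelated line
"""

PREFIX = r"^\[[^\]]+\]\s+NOTICE\[\d+\]\s+chan_sip\.c:\s+"
IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
# The From header is sender-controlled, so the host is taken only from the
# "failed for '<ip>'" suffix that Asterisk appends; the greedy .* binds to the
# last such suffix on the line.
REG_FAILED = re.compile(
    PREFIX + r"Registration from '.*' failed for '(?P<host>" + IPV4 + r")(?::\d+)?' - .+$"
)
FAKE_AUTH = re.compile(PREFIX + r"Sending fake auth rejection for device .+$")


def analyse(log_text):
    """Return (failures per source IP, lines that carry no usable source IP)."""
    hits, unattributed = Counter(), []
    for line in log_text.splitlines():
        m = REG_FAILED.match(line)
        if m:
            hits[m.group("host")] += 1
        elif FAKE_AUTH.match(line):
            # Only the PBX's own address appears here; never treat it as the sender.
            unattributed.append(line)
    return hits, unattributed


if __name__ == "__main__":
    hits, unattributed = analyse(SAMPLE_LOG)
    for host, count in hits.most_common():
        print(f"{host}: {count} failed registrations")
    print(f"{len(unattributed)} INVITE rejection line(s) without a source IP")
```

In a fail2ban filter the same anchoring applies: place `<HOST>` after the literal `failed for '` rather than matching any address on the line.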