What is causing so many security events that fill fail2ban.log

Fresh install of FreePBX 14 distro with around 300 endpoints. All is working fine, but I noticed a huge amount of security events that seem to be coming from the Asterisk Manager. There are around 20 security events per second that fill the fail2ban log file. Around 1Gb at the end of the day.

FreePBX: 14.0.3.13
Asterisk: 13.22.0

Here is what we see in /var/log/asterisk/fail2ban

```
[2018-10-02 05:02:02] SECURITY[2177] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-10-02T05:02:02.312-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="386",SessionID="[email protected]",LocalAddress="IPV4/UDP/192.18.100.2/5060",RemoteAddress="IPV4/UDP/192.18.100.174/5060",UsingPassword="1"
[2018-10-02 05:02:02] SECURITY[2177] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2018-10-02T05:02:02.329-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="106",SessionID="[email protected]",LocalAddress="IPV4/UDP/192.18.100.2/5060",RemoteAddress="IPV4/UDP/192.18.100.194/5060",Challenge=""
[2018-10-02 05:02:02] SECURITY[2177] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-10-02T05:02:02.348-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="106",SessionID="[email protected]",LocalAddress="IPV4/UDP/192.18.100.2/5060",RemoteAddress="IPV4/UDP/192.18.100.194/5060",UsingPassword="1"
[2018-10-02 05:02:02] SECURITY[2177] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2018-10-02T05:02:02.370-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="309",SessionID="[email protected]",LocalAddress="IPV4/UDP/192.18.100.2/5060",RemoteAddress="IPV4/UDP/192.18.100.133/5060",Challenge=""
```

And here is a sample of the traffic that is going on (tcpdump -i lo -A -s0 port 5038)

```
05:14:28.039964 IP localhost.53628 > localhost.5038: Flags [.], ack 74494, win 6146, options [nop,nop,TS val 1557381226 ecr 1557381226], length 0
E..4t.@.@............|[email protected]...<.....(.....
\..j\..j
05:14:28.118549 IP localhost.5038 > localhost.53628: Flags [P.], seq 74494:74808, ack 1, win 342, options [nop,nop,TS val 1557381304 ecr 1557381226], length 314
E..nkf@.@..!...........|...<@y.k...V.b.....
\...\..jEvent: ChallengeSent
Privilege: security,all
EventTV: 2018-10-02T05:14:28.118-0400
Severity: Informational
Service: PJSIP
EventVersion: 1
AccountID: 248
SessionID: [email protected]
LocalAddress: IPV4/UDP/192.18.100.2/5060
RemoteAddress: IPV4/UDP/192.18.100.81/5060
Challenge:


05:14:28.118574 IP localhost.53628 > localhost.5038: Flags [.], ack 74808, win 6146, options [nop,nop,TS val 1557381304 ecr 1557381304], length 0
E..4t/@.@............|[email protected].....(.....
\...\...
05:14:28.135823 IP localhost.5038 > localhost.53628: Flags [P.], seq 74808:75128, ack 1, win 342, options [nop,nop,TS val 1557381322 ecr 1557381304], length 320
E..tkg@.@..............|[email protected].....
\...\...Event: SuccessfulAuth
Privilege: security,all
EventTV: 2018-10-02T05:14:28.135-0400
Severity: Informational
Service: PJSIP
EventVersion: 1
AccountID: 248
SessionID: [email protected]
LocalAddress: IPV4/UDP/192.18.100.2/5060
RemoteAddress: IPV4/UDP/192.18.100.81/5060
UsingPassword: 1
```

Found the culprit after analysing network traffic. The problem comes from a wrong configuration of our phones for MWI subscription. Each endpoint was trying to subscribe every 10 seconds to the same wrong contact… We fixed it and now the fail2ban.log file goes from 1Gb per day to less than 10Mo.
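A small triage script for exactly this situation, added here as an example and not part of the thread or of FreePBX: it parses the `res_security_log.c` key="value" lines shown above and reports the overall event rate, the split by event type and severity, and which endpoints (remote IP plus AccountID) generate the most events, which is how a misconfigured group of phones re-authenticating every few seconds stands out without a packet capture. The sample log lines, addresses and account IDs are constructed for the demo.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the res_security_log.c format quoted in the thread.
# Addresses, account IDs and session IDs are made up, not the poster's.
SAMPLE_LOG = """\
[2018-10-02 05:02:02] SECURITY[2177] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2018-10-02T05:02:02.300-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="106",SessionID="a1@192.0.2.10",LocalAddress="IPV4/UDP/192.0.2.1/5060",RemoteAddress="IPV4/UDP/192.0.2.10/5060",Challenge=""
[2018-10-02 05:02:02] SECURITY[2177] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-10-02T05:02:02.320-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="106",SessionID="a1@192.0.2.10",LocalAddress="IPV4/UDP/192.0.2.1/5060",RemoteAddress="IPV4/UDP/192.0.2.10/5060",UsingPassword="1"
[2018-10-02 05:02:05] SECURITY[2177] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2018-10-02T05:02:05.100-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="309",SessionID="b7@192.0.2.20",LocalAddress="IPV4/UDP/192.0.2.1/5060",RemoteAddress="IPV4/UDP/192.0.2.20/5060",Challenge=""
[2018-10-02 05:02:05] SECURITY[2177] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-10-02T05:02:05.120-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="309",SessionID="b7@192.0.2.20",LocalAddress="IPV4/UDP/192.0.2.1/5060",RemoteAddress="IPV4/UDP/192.0.2.20/5060",UsingPassword="1"
[2018-10-02 05:02:12] SECURITY[2177] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2018-10-02T05:02:12.300-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="106",SessionID="a2@192.0.2.10",LocalAddress="IPV4/UDP/192.0.2.1/5060",RemoteAddress="IPV4/UDP/192.0.2.10/5060",Challenge=""
[2018-10-02 05:02:12] SECURITY[2177] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2018-10-02T05:02:12.320-0400",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="106",SessionID="a2@192.0.2.10",LocalAddress="IPV4/UDP/192.0.2.1/5060",RemoteAddress="IPV4/UDP/192.0.2.10/5060",UsingPassword="1"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] res_security_log\.c: (?P<kv>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_line(line):
    """Return the key="value" fields of one SECURITY line as a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = dict(FIELD_RE.findall(m.group("kv")))
    ev["timestamp"] = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ev


def remote_ip(event):
    """RemoteAddress looks like IPV4/UDP/192.0.2.10/5060; keep only the host."""
    parts = event.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else event.get("RemoteAddress", "")


def summarize(log_text, top_n=5):
    """Event rate, counts by type/severity, and the noisiest (ip, account) pairs."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    if not events:
        return {"events": 0, "per_second": 0.0, "by_type": {}, "by_severity": {}, "top": []}
    stamps = [e["timestamp"] for e in events]
    span = max((max(stamps) - min(stamps)).total_seconds(), 1.0)  # avoid divide-by-zero
    per_endpoint = Counter((remote_ip(e), e.get("AccountID", "?")) for e in events)
    return {
        "events": len(events),
        "per_second": len(events) / span,
        "by_type": dict(Counter(e.get("SecurityEvent") for e in events)),
        "by_severity": dict(Counter(e.get("Severity") for e in events)),
        "top": [(ip, acct, n) for (ip, acct), n in per_endpoint.most_common(top_n)],
    }
```

Run it over the real file with `summarize(open("/var/log/asterisk/fail2ban").read())`; endpoints that re-register or re-subscribe on a short timer show up at the head of `top` with a nearly constant count per cycle.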
