VoIP Mailing List Archives
Mailing list archives for the VoIP community
[asterisk-users] Security log format / content
mdupuis at ocg.ca
Posted: Wed Mar 26, 2014 11:56 pm    Post subject: [asterisk-users] Security log format / content

I've noticed that the Asterisk (v11) security log captures attempts to dial without first authenticating, and places the number dialed into the "accountid" field.



I'm trying to distinguish between failed attempts to register and attempts to dial without registering, but the security log treats them identically (using the accountid field for either the username or number dialed). I have noticed that the eventversion field is set to 2 for failed dial attempts, and 1 otherwise.



Is this coincidence? Or can I rely on the eventversion=2 in the future to distinguish these two event types? (I've looked here: https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format but it doesn't really help)

myoung at acsacc.com
Posted: Thu Mar 27, 2014 1:42 pm    Post subject: [asterisk-users] Security log format / content

----- Original Message -----

Quote:
From: "Michelle Dupuis" <mdupuis@ocg.ca>
To: "Asterisk Users List" <asterisk-users@lists.digium.com>
Sent: Thursday, March 27, 2014 12:55:21 AM
Subject: [asterisk-users] Security log format / content

Quote:
I've noticed that the Asterisk (v11) security log captures attempts
to dial without first authenticating, and places the number dialed
into the "accountid" field.

Quote:
I'm trying to distinguish between failed attempts to register and
attempts to dial without registering, but the security log treats
them identically (using the accountid field for either the username
or number dialed). I have noticed that the eventversion field is set
to 2 for failed dial attempts, and 1 otherwise.

Quote:
Is this coincidence? Or can I rely on the eventversion=2 in the
future to distinguish these two event types? (I've looked here:
https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format
but it doesn't really help)

The "eventversion" field is just a way to distinguish different versions of the same event. Between Asterisk 10 and 11, that particular event's logging output changed requiring a bump up in the version. It should not be used to distinguish different events.

What do you mean by "eventversion field is set to 2 for failed dial attempts, and 1 otherwise"? What is the event? I have a feeling those are two different events.

You are correct about the events looking identical whether it is a failed registration or a failed dial attempt. From the standpoint of Asterisk, an attempt was made to either register or place a call but the credentials failed. Therefore, an "InvalidPassword" event is logged.

When an authorized device successfully places a call, you will only have a "ChallengeSent" entry in your log.

If an attempt to place a call is made and it does not respond back with the right credentials to the challenge sent to Asterisk, then you will have a "ChallengeSent" entry with a subsequent "InvalidPassword". You should be able to connect the two events based on the fields in those events.

If a successful attempt to register is made, you will have a "ChallengeSent" with a subsequent "SuccessfulAuth". If it is not successful, then you will have a "ChallengeSent" with a subsequent "InvalidPassword". Again, there should be enough information present with the other fields to help connect the events together.

The security events in Asterisk are designed to present the events. It does not determine anything else for you. You have to create a consumer of those events that can attempt to connect the dots for you. Hopefully we are providing enough information for the consumer to do whatever you would like the consumer to do with the information.

I hope that helps.

Michael

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
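
Added example (not part of the original posts and not Asterisk project code): a minimal consumer of the kind the reply above describes, pairing each "ChallengeSent" with a later "InvalidPassword" or "SuccessfulAuth". The sample lines are constructed, and linking events through the SessionID field and counting failures per RemoteAddress are assumptions about which fields connect them.

```python
import re
from collections import Counter, OrderedDict

# Constructed sample lines (not from the thread), trimmed to the fields used here.
SAMPLE_LOG = """\
[Mar 27 10:00:01] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0xa1",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[Mar 27 10:00:01] SECURITY[2101] res_security_log.c: SecurityEvent="SuccessfulAuth",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0xa1",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[Mar 27 10:00:05] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0xa2",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[Mar 27 10:00:09] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",EventVersion="1",AccountID="0015550100",SessionID="0xa3",RemoteAddress="IPV4/UDP/203.0.113.50/5060"
[Mar 27 10:00:09] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",EventVersion="2",AccountID="0015550100",SessionID="0xa3",RemoteAddress="IPV4/UDP/203.0.113.50/5060"
[Mar 27 10:00:12] SECURITY[2101] res_security_log.c: SecurityEvent="ChallengeSent",Service="SIP",EventVersion="1",AccountID="1002",SessionID="0xa4",RemoteAddress="IPV4/UDP/203.0.113.50/5071"
[Mar 27 10:00:12] SECURITY[2101] res_security_log.c: SecurityEvent="InvalidPassword",Service="SIP",EventVersion="2",AccountID="1002",SessionID="0xa4",RemoteAddress="IPV4/UDP/203.0.113.50/5071"
"""
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def remote_ip(addr):
    """Pull the IP out of 'IPV4/UDP/<ip>/<port>'; return the input if it has another shape."""
    parts = (addr or "").split("/")
    return parts[2] if len(parts) >= 4 else addr

def correlate(lines):
    """Group events by SessionID (assumed correlation key), in order of first appearance."""
    sessions = OrderedDict()
    for line in lines:
        ev = dict(FIELD_RE.findall(line))
        if "SecurityEvent" not in ev or "SessionID" not in ev:
            continue  # not a security event line, or nothing to correlate on
        s = sessions.setdefault(ev["SessionID"], {"account": ev.get("AccountID"),
                                "remote": remote_ip(ev.get("RemoteAddress")), "events": []})
        s["events"].append(ev["SecurityEvent"])  # EventVersion is deliberately not used
    return sessions

def outcome(events):
    """Map a session's event sequence to the cases described in the reply above."""
    if "InvalidPassword" in events:
        return "failed-auth"        # failed register or failed call attempt: same event
    if "SuccessfulAuth" in events:
        return "successful-auth"
    return "challenge-only" if "ChallengeSent" in events else "other"

def summarize(lines):
    """One (session, account, remote IP, outcome) row per session."""
    return [(sid, s["account"], s["remote"], outcome(s["events"]))
            for sid, s in correlate(lines).items()]

def failures_by_remote(rows):
    """Count failed-auth sessions per remote IP, e.g. to feed an alert threshold."""
    return dict(Counter(r[2] for r in rows if r[3] == "failed-auth"))

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG.splitlines()))
```

The AccountID column is carried through unchanged, so a consumer can apply its own rule for whether a value looks like a configured username or a dialed number.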

mdupuis at ocg.ca
Posted: Fri Mar 28, 2014 7:36 pm    Post subject: [asterisk-users] Security log format / content

Why does the failed authentication place the number dialed, instead of the username used, in the account field?

Any way to distinguish a failed dial attempt from a failed register attempt using just the security log? (I couldn't see how looking at the log)

________________________________________
From: asterisk-users-bounces@lists.digium.com <asterisk-users-bounces@lists.digium.com> on behalf of Michael L. Young <myoung@acsacc.com>
Sent: Thursday, March 27, 2014 2:42 PM
To: Asterisk Users List
Subject: Re: [asterisk-users] Security log format / content

----- Original Message -----

Quote:
From: "Michelle Dupuis" <mdupuis@ocg.ca>
To: "Asterisk Users List" <asterisk-users@lists.digium.com>
Sent: Thursday, March 27, 2014 12:55:21 AM
Subject: [asterisk-users] Security log format / content

Quote:
I've noticed that the Asterisk (v11) security log captures attempts
to dial without first authenticating, and places the number dialed
into the "accountid" field.

Quote:
I'm trying to distinguish between failed attempts to register and
attempts to dial without registering, but the security log treats
them identically (using the accountid field for either the username
or number dialed). I have noticed that the eventversion field is set
to 2 for failed dial attempts, and 1 otherwise.

Quote:
Is this coincidence? Or can I rely on the eventversion=2 in the
future to distinguish these two event types? (I've looked here:
https://wiki.asterisk.org/wiki/display/AST/Security+Log+File+Format
but it doesn't really help)

The "eventversion" field is just a way to distinguish different versions of the same event. Between Asterisk 10 and 11, that particular event's logging output changed requiring a bump up in the version. It should not be used to distinguish different events.

What do you mean by "eventversion field is set to 2 for failed dial attempts, and 1 otherwise"? What is the event? I have a feeling those are two different events.

You are correct about the events looking identical whether it is a failed registration or a failed dial attempt. From the standpoint of Asterisk, an attempt was made to either register or place a call but the credentials failed. Therefore, an "InvalidPassword" event is logged.

When an authorized device successfully places a call, you will only have a "ChallengeSent" entry in your log.

If an attempt to place a call is made and it does not respond back with the right credentials to the challenge sent to Asterisk, then you will have a "ChallengeSent" entry with a subsequent "InvalidPassword". You should be able to connect the two events based on the fields in those events.

If a successful attempt to register is made, you will have a "ChallengeSent" with a subsequent "SuccessfulAuth". If it is not successful, then you will have a "ChallengeSent" with a subsequent "InvalidPassword". Again, there should be enough information present with the other fields to help connect the events together.

The security events in Asterisk are designed to present the events. It does not determine anything else for you. You have to create a consumer of those events that can attempt to connect the dots for you. Hopefully we are providing enough information for the consumer to do whatever you would like the consumer to do with the information.

I hope that helps.

Michael
