[Home]

Summary:ASTERISK-13931: IAX2 failed registration notices are spamming the CLI until /var/log/asterisk/messages file fills hard drive 100%
Reporter:David Brillert (aragon)Labels:
Date Opened:2009-04-09 00:42:13Date Closed:2009-06-04 14:47:57
Priority:MinorRegression?No
Status:Closed/CompleteComponents:Channels/chan_iax2
Versions:Frequency of
Occurrence
Related
Issues:
Environment:Attachments:
Description:The CLI is getting spammed with tonnes of this stuff in the CLI since upgrading to Asterisk 1.4.24.1
The CLI is now completely useless if a IAX2 friend is deleted and the remote keeps trying to authenticate.
Eventually drive will fill and Asterisk will fail because /var/log/asterisk/messages file will consume drive very quickly.
This was not an issue in 1.4.23

Getting tonnes of these messages if remote friend fails authentication

[Apr 9 01:20:18] NOTICE[24061]: chan_iax2.c:5753 register_verify: Host x.x.x.x failed MD5 authentication for 'friend' (848b0a7791266fe45e26718bf5d4374f != 2ff7a17c272b51c08c2ded94a6952b96)
[Apr 9 01:20:19] NOTICE[24061]: chan_iax2.c:5753 register_verify: Host x.x.x.x failed MD5 authentication for 'friend' (cc94d7df8db98552a4641d4df9a2de93 != 98d89984d389d6a9f3ae412e0b677b98)

Getting tonnes of these messages if I delete the friend
[Apr 9 01:22:20] NOTICE[24066]: chan_iax2.c:5686 register_verify: No registration for peer 'friend' (from x.x.x.x)
[Apr 9 01:22:20] NOTICE[24062]: chan_iax2.c:5686 register_verify: No registration for peer 'friend' (from x.x.x.x)
[Apr 9 01:22:20] NOTICE[24069]: chan_iax2.c:5686 register_verify: No registration for peer 'friend' (from x.x.x.x)
[Apr 9 01:22:20] NOTICE[24067]: chan_iax2.c:5686 register_verify: No registration for peer 'friend' (from x.x.x.x)
[Apr 9 01:22:20] NOTICE[24061]: chan_iax2.c:5686 register_verify: No registration for peer 'friend' (from x.x.x.x)
Comments:By: David Brillert (aragon) 2009-04-09 00:44:19

I should mention that I deleted the account less than two hours ago and /var/log/asterisk/messages is now over 450MB in size
By: Tilghman Lesher (tilghman) 2009-04-09 00:50:10

Please set authdebug=0 in the [general] section of iax.conf.
By: David Brillert (aragon) 2009-04-09 02:19:34

OK that suppressed all of the notices
But now I don't get any warning that a remote IAX2 friend is trying to authenticate with an invalid password...

How can I suppress the millions of notices and still some receive notice that someone is trying to register an account?

this is my iax.conf general config

[general]
context         =  default-incoming-guest
enabled         =  yes
port            =  4569
bindaddr        =  0.0.0.0
allowfwdownload =  no
delayreject     =  1
trunkfreq       =  20
jitterbuffer    =  yes
dropcount       =  1
maxjitterbuffer =  500
minexcessbuffer =  10
maxexcessbuffer =  80
bandwidth       =  high
tos             =  ef
minregexpire    =  60
maxregexpire    =  3600
iaxthreadcount  =  10
maxiaxthreadcount =  250
authdebug=0

I didn't get the spam until upgrading to 1.4.24... even with no authdebug=0 line in my iax.conf


By: Tilghman Lesher (tilghman) 2009-04-09 10:09:49

It's a quick workaround to fix the MAJOR part of your issue.
By: David Brillert (aragon) 2009-04-09 10:14:55

Ok, thanks

Why is ticket still in feedback state?

;)
By: tomsullivan (tomsullivan) 2009-04-20 03:10:08

I'm experiencing the major part of this issue, ie the excessive registration on failure. Is there a ticket which documents this?

We are currently using Asterisk 1.4.24.

Edit: To clarify, our Asterisk server is attempting to register an excessive number of times / sec to another Asterisk server. The username and password are known bad, but I would imagine that the registration timeout would preclude this kind of behaviour.

The server registering is running:
Asterisk 1.4.24
the server being registered to is running:
Asterisk 1.2.31.1-BRIstuffed-0.3.0-PRE-1y-u


By: David Vossel (dvossel) 2009-05-04 17:58:57

I can easily reproduce this, Asterisk is stuck in a registration loop, never properly sending the REGREJ message to terminate the registration.  I should have a patch for this shortly.
By: David Brillert (aragon) 2009-05-05 13:40:37

ping

Any chance of the patch getting committed to 1.4.25 which I believe is to be released this week?
By: David Vossel (dvossel) 2009-05-05 14:07:34

I've actually got a patch for this up for review right now.  I'll commit it as soon as it gets positive feedback.  I'm not sure how long that will take.  Its a simple patch, but it involves some sensitive code that only a few people are familiar with.
By: David Brillert (aragon) 2009-05-13 08:51:24

ping
By: Digium Subversion (svnbot) 2009-05-15 17:43:22

Repository: asterisk
Revision: 194873

U   branches/1.4/channels/chan_iax2.c

------------------------------------------------------------------------
r194873 | dvossel | 2009-05-15 17:43:22 -0500 (Fri, 15 May 2009) | 17 lines

IAX2 REGAUTH loop

IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.

(Related to Security fix AST-2009-001)

(closes issue ASTERISK-13931)
Reported by: aragon
Tested by: dvossel

(closes issue ASTERISK-13796)
Reported by: mobeck
Patches:
     regauth_loop_update_patch.diff uploaded by dvossel (license 671)
Tested by: dvossel


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=194873
By: Digium Subversion (svnbot) 2009-05-15 17:44:53

Repository: asterisk
Revision: 194874

_U  trunk/
U   trunk/channels/chan_iax2.c

------------------------------------------------------------------------
r194874 | dvossel | 2009-05-15 17:44:53 -0500 (Fri, 15 May 2009) | 23 lines

Merged revisions 194873 via svnmerge from
https://origsvn.digium.com/svn/asterisk/branches/1.4

........
 r194873 | dvossel | 2009-05-15 17:43:13 -0500 (Fri, 15 May 2009) | 17 lines
 
 IAX2 REGAUTH loop
 
 IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.
 
 (Related to Security fix AST-2009-001)
 
 (closes issue ASTERISK-13931)
 Reported by: aragon
 Tested by: dvossel
 
 (closes issue ASTERISK-13796)
 Reported by: mobeck
 Patches:
       regauth_loop_update_patch.diff uploaded by dvossel (license 671)
 Tested by: dvossel
........

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=194874
By: Digium Subversion (svnbot) 2009-05-15 17:46:00

Repository: asterisk
Revision: 194875

_U  branches/1.6.0/
U   branches/1.6.0/channels/chan_iax2.c

------------------------------------------------------------------------
r194875 | dvossel | 2009-05-15 17:46:00 -0500 (Fri, 15 May 2009) | 30 lines

Merged revisions 194874 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r194874 | dvossel | 2009-05-15 17:44:44 -0500 (Fri, 15 May 2009) | 23 lines
 
 Merged revisions 194873 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r194873 | dvossel | 2009-05-15 17:43:13 -0500 (Fri, 15 May 2009) | 17 lines
   
   IAX2 REGAUTH loop
   
   IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.
   
   (Related to Security fix AST-2009-001)
   
   (closes issue ASTERISK-13931)
   Reported by: aragon
   Tested by: dvossel
   
   (closes issue ASTERISK-13796)
   Reported by: mobeck
   Patches:
         regauth_loop_update_patch.diff uploaded by dvossel (license 671)
   Tested by: dvossel
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=194875
By: Digium Subversion (svnbot) 2009-05-15 17:47:03

Repository: asterisk
Revision: 194876

_U  branches/1.6.1/
U   branches/1.6.1/channels/chan_iax2.c

------------------------------------------------------------------------
r194876 | dvossel | 2009-05-15 17:47:03 -0500 (Fri, 15 May 2009) | 30 lines

Merged revisions 194874 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r194874 | dvossel | 2009-05-15 17:44:44 -0500 (Fri, 15 May 2009) | 23 lines
 
 Merged revisions 194873 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r194873 | dvossel | 2009-05-15 17:43:13 -0500 (Fri, 15 May 2009) | 17 lines
   
   IAX2 REGAUTH loop
   
   IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.
   
   (Related to Security fix AST-2009-001)
   
   (closes issue ASTERISK-13931)
   Reported by: aragon
   Tested by: dvossel
   
   (closes issue ASTERISK-13796)
   Reported by: mobeck
   Patches:
         regauth_loop_update_patch.diff uploaded by dvossel (license 671)
   Tested by: dvossel
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=194876
By: Digium Subversion (svnbot) 2009-05-15 17:48:21

Repository: asterisk
Revision: 194877

_U  branches/1.6.2/
U   branches/1.6.2/channels/chan_iax2.c

------------------------------------------------------------------------
r194877 | dvossel | 2009-05-15 17:48:21 -0500 (Fri, 15 May 2009) | 30 lines

Merged revisions 194874 via svnmerge from
https://origsvn.digium.com/svn/asterisk/trunk

................
 r194874 | dvossel | 2009-05-15 17:44:44 -0500 (Fri, 15 May 2009) | 23 lines
 
 Merged revisions 194873 via svnmerge from
 https://origsvn.digium.com/svn/asterisk/branches/1.4
 
 ........
   r194873 | dvossel | 2009-05-15 17:43:13 -0500 (Fri, 15 May 2009) | 17 lines
   
   IAX2 REGAUTH loop
   
   IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.
   
   (Related to Security fix AST-2009-001)
   
   (closes issue ASTERISK-13931)
   Reported by: aragon
   Tested by: dvossel
   
   (closes issue ASTERISK-13796)
   Reported by: mobeck
   Patches:
         regauth_loop_update_patch.diff uploaded by dvossel (license 671)
   Tested by: dvossel
 ........
................

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=194877
By: Digium Subversion (svnbot) 2009-06-04 14:37:43

Repository: asterisk
Revision: 199204

U   tags/1.4.25.1/channels/chan_iax2.c

------------------------------------------------------------------------
r199204 | dvossel | 2009-06-04 14:37:43 -0500 (Thu, 04 Jun 2009) | 17 lines

IAX2 REGAUTH loop

IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.

(Related to Security fix AST-2009-001)

(closes issue ASTERISK-13931)
Reported by: aragon
Tested by: dvossel

(closes issue ASTERISK-13796)
Reported by: mobeck
Patches:
     regauth_loop_update_patch.diff uploaded by dvossel (license 671)
Tested by: dvossel


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=199204
By: Digium Subversion (svnbot) 2009-06-04 14:39:17

Repository: asterisk
Revision: 199206

U   tags/1.6.0.10/channels/chan_iax2.c

------------------------------------------------------------------------
r199206 | dvossel | 2009-06-04 14:39:17 -0500 (Thu, 04 Jun 2009) | 17 lines

IAX2 REGAUTH loop

IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.

(Related to Security fix AST-2009-001)

(closes issue ASTERISK-13931)
Reported by: aragon
Tested by: dvossel

(closes issue ASTERISK-13796)
Reported by: mobeck
Patches:
     regauth_loop_update_patch.diff uploaded by dvossel (license 671)
Tested by: dvossel


------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=199206
By: Digium Subversion (svnbot) 2009-06-04 14:47:56

Repository: asterisk
Revision: 199208

U   tags/1.6.1.1/channels/chan_iax2.c

------------------------------------------------------------------------
r199208 | dvossel | 2009-06-04 14:47:56 -0500 (Thu, 04 Jun 2009) | 16 lines

IAX2 REGAUTH loop

IAX was not sending REGREJ to terminate invalid registrations.  Instead it sent another REGAUTH if the authentication challenge failed.  This caused a loop of REGREQ and REGAUTH frames.

(Related to Security fix AST-2009-001)

(closes issue ASTERISK-13931)
Reported by: aragon
Tested by: dvossel

(closes issue ASTERISK-13796)
Reported by: mobeck
Patches:
regauth_loop_update_patch.diff uploaded by dvossel (license 671)
Tested by: dvossel

------------------------------------------------------------------------

http://svn.digium.com/view/asterisk?view=rev&revision=199208