sean darcy
2018-Jan-02 22:30 UTC
[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??
On 12/30/2017 08:18 PM, Dovid Bender wrote:
> Script kiddies trying to find vulnerable systems that they can make
> calls on. Lock down the box with iptables and use fail2ban to block
> them. The via is probably bogus unless a box at the DoD was compromised.
>
> On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <seandarcy2 at gmail.com> wrote:
>
>     I've been getting a lot of timeouts on non-critical invite
>     transactions. I turned on sip debug. They were the result of SIP
>     invites like this:
>
>     Retransmitting #10 (NAT) to 185.107.94.10:13057:
>     SIP/2.0 401 Unauthorized
>     Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
>     From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
>     To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
>     Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
>     CSeq: 1 INVITE
>     Server: Asterisk PBX 13.19.0-rc1
>     Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
>     Supported: replaces, timer
>     WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="14be1363"
>     Content-Length: 0
>
>     ---
>     WARNING[1868]: chan_sip.c:4065 retrans_pkt: Retransmission timeout reached on transmission 5YpLDUSIs6l3xbDXsurYTu.. for seqno 1 (Non-critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>     Packet timed out after 32000ms with no response
>     WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on 5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.
>
>     Looking up the ip addresses:
>
>     whois 185.107.94.10
>     .............
>     inetnum:        185.107.94.0 - 185.107.94.255
>     netname:        NFORCE_ENTERTAINMENT
>     descr:          Serverhosting
>     ..................
>     organisation:   ORG-NE3-RIPE
>     org-name:       NForce Entertainment B.V.
>     org-type:       LIR
>     address:        Postbus 1142
>     address:        4700BC
>     address:        Roosendaal
>     address:        NETHERLANDS
>     phone:          +31206919299
>     ...................
>
>     whois 215.45.145.211
>     .................
>     NetRange:       215.0.0.0 - 215.255.255.255
>     CIDR:           215.0.0.0/8
>     NetName:        DNIC-NET-215
>     NetHandle:      NET-215-0-0-0-1
>     Parent:          ()
>     NetType:        Direct Assignment
>     OriginAS:
>     Organization:   DoD Network Information Center (DNIC)
>     RegDate:        1998-06-04
>     Updated:        2011-06-21
>     Ref:            https://whois.arin.net/rest/net/NET-215-0-0-0-1
>
>     OrgName:        DoD Network Information Center
>     OrgId:          DNIC
>     Address:        3990 E. Broad Street
>     City:           Columbus
>     StateProv:      OH
>
>     So how is someone on a Dutch ISP using my server to mess with a US
>     DoD ip address?
>

I don't see how fail2ban would help. asterisk isn't rejecting anything. There's no attempt with username/password.

How could I use iptables to "lock it down"? We get sip calls from all over. Is there something about the incoming packet we could use? For instance, any packet containing a VIA instruction? For that matter, can SIP be configured to drop any VIA request?

sean
Eric Wieling
2018-Jan-02 23:10 UTC
[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??
On 01/02/2018 05:30 PM, sean darcy wrote:
> On 12/30/2017 08:18 PM, Dovid Bender wrote:
>> Script kiddies trying to find vulnerable systems that they can make
>> calls on. Lock down the box with iptables and use fail2ban to block
>> them. The via is probably bogus unless a box at the DoD was compromised.
>>
>> On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <seandarcy2 at gmail.com> wrote:
>>
>>     I've been getting a lot of timeouts on non-critical invite
>>     transactions. I turned on sip debug. They were the result of SIP
>>     invites like this:
>>
>>     Retransmitting #10 (NAT) to 185.107.94.10:13057:
>>     SIP/2.0 401 Unauthorized
>>     Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
>>     From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
>>     To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
>>     Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
>>     CSeq: 1 INVITE
>>     Server: Asterisk PBX 13.19.0-rc1
>>     Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
>>     Supported: replaces, timer
>>     WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="14be1363"
>>     Content-Length: 0
>
> I don't see how fail2ban would help. asterisk isn't rejecting
> anything. There's no attempt with username/password.
>
> How could I use iptables to "lock it down"? We get sip calls from all
> over. Is there something about the incoming packet we could use? For
> instance, any packet containing a VIA instruction? For that matter,
> can SIP be configured to drop any VIA request?

fail2ban is most useful for blocking registration attempts. I handle non-registration call attempts by allowing guests, point them to a jail context, which runs Log(WARNING,fail2ban='${CHANNEL(peerip)}')

I set a fail2ban rule to match that line logged from Asterisk.
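The detection side of the approach above, as an added example rather than Eric's own configuration: the jail context's Log() line carries the peer IP in a fixed `fail2ban='...'` token, a fail2ban-style failregex with the `<HOST>` placeholder extracts it, and a sliding-window counter decides which hosts cross `maxretry` within `findtime`, which is the decision fail2ban makes before handing the address to iptables. The sample log lines are constructed (TEST-NET addresses; the exact prefix Asterisk writes between the level and the message varies by version, so the regex relies only on the WARNING level and the `fail2ban=` token), and the filter name `asterisk-guest.conf` is assumed, not a stock fail2ban filter.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed dialplan fragment for the guest "jail" context (assumed names):
#   [jail]
#   exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
#    same => n,Hangup()
# with guests routed there via allowguest=yes / context=jail in sip.conf [general].

# Constructed sample of /var/log/asterisk/messages after a few guest INVITEs.
# Addresses are documentation ranges, not real callers; one unrelated
# retransmission warning is mixed in to show that it is not matched.
SAMPLE_LOG = """\
[2018-01-02 17:30:01] WARNING[1868][C-00000010]: Ext. _X.:1 @ jail: fail2ban='203.0.113.5'
[2018-01-02 17:30:04] WARNING[1868][C-00000011]: Ext. _X.:1 @ jail: fail2ban='203.0.113.5'
[2018-01-02 17:30:09] WARNING[1868][C-00000012]: Ext. _X.:1 @ jail: fail2ban='198.51.100.7'
[2018-01-02 17:30:15] WARNING[1868]: chan_sip.c:4124 retrans_pkt: Timeout on 5YpLDUSIs6l3xbDXsurYTu.. on non-critical invite transaction.
[2018-01-02 17:31:02] WARNING[1868][C-00000013]: Ext. _X.:1 @ jail: fail2ban='203.0.113.5'
[2018-01-02 19:00:00] WARNING[1868][C-00000014]: Ext. _X.:1 @ jail: fail2ban='198.51.100.7'
"""

# Hypothetical filter.d/asterisk-guest.conf would carry this single line as
# "failregex = ...". <HOST> is fail2ban's placeholder for the address to ban;
# the leading group captures Asterisk's default "[%F %T]" timestamp.
FAILREGEX = r"^\[(?P<ts>[^\]]+)\] WARNING\[\d+\].*fail2ban='<HOST>'\s*$"
IPV4 = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"


def compile_failregex(pattern=FAILREGEX):
    """Expand <HOST> to an IPv4 group, as fail2ban does when loading a filter."""
    return re.compile(pattern.replace("<HOST>", IPV4))


def parse_hits(log_text, pattern=FAILREGEX):
    """Return (timestamp, host) for every log line the filter matches."""
    rx = compile_failregex(pattern)
    hits = []
    for line in log_text.splitlines():
        m = rx.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            hits.append((ts, m.group("host")))
    return hits


def hosts_to_ban(hits, maxretry=3, findtime=600):
    """Jail logic: ban a host once it has maxretry hits within findtime seconds.

    Hits older than the window are dropped per host, so two attempts hours
    apart never accumulate into a ban.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = set()
    for ts, host in sorted(hits):
        kept = [t for t in recent[host] if ts - t <= window]
        kept.append(ts)
        recent[host] = kept
        if len(kept) >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    hits = parse_hits(SAMPLE_LOG)
    print(f"{len(hits)} matching lines")
    for host in sorted(hosts_to_ban(hits)):
        print(f"ban {host}")
```

Run against the sample, the retransmission warning is ignored, 203.0.113.5 is banned after its third guest INVITE inside the ten-minute window, and 198.51.100.7 is not, because its two attempts are an hour and a half apart. Tightening `maxretry` to 1 reproduces the stricter stance of banning any guest caller on first contact.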
Frank Vanoni
2018-Jan-03 22:36 UTC
[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??
> fail2ban is most useful for blocking registration attempts. I handle
> non-registration call attempts by allowing guests, point them to a jail
> context, which runs Log(WARNING,fail2ban='${CHANNEL(peerip)}') I set a
> fail2ban rule to match that line logged from Asterisk.

Thanks for the suggestion. Works great! :-)