I need some help understanding SIP dialog. Some actor is trying to access my server, but I can't figure out what he's trying to do, or how. I'm getting a lot of these warnings:

[May 17 10:08:08] WARNING[1532]: chan_sip.c:4068 retrans_pkt: Retransmission timeout reached on transmission _zIr9tDtBxeTVTY5F7z8kD7R.. for seqno 101

With SIP DEBUG I tracked the Call-ID to this INVITE:

<--- SIP read from UDP:192.111.139.146:29281 --->
INVITE sip:+48223079992@67.80.191.250:5060 SIP/2.0
Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;rport=5060
Contact: <sip:9353@100.149.241.68:5060>;+sip.instance="<urn:uuid:4B444A32-23FD-4E49-8C99-12077A118D8F>"
Max-Forwards: 70
To: <sip:+48223079992@<my-ip>:5060>
From: "Caller"<sip:9353@<my-ip>:5060>;tag=sXPNixD5Ui42V
Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..
CSeq: 101 INVITE
Content-Type: application/sdp
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, REGISTER, SUBSCRIBE, INFO
Supported: replaces
User-Agent: GSM
Allow-Events: hold, talk, conference
Accept: application/sdp
Content-Length: 771

v=0
o=CiscoSystemsSIP-IPPhone 18338 11953 IN IP4 100.149.241.68
s=SIP Call
c=IN IP4 100.149.241.68
t=0 0
m=audio 20000 RTP/AVP 0 8 18 101
a=rtpmap:3 gsm/8000
a=rtpmap:96 speex/8000
a=rtpmap:97 speex/8000
a=fmtp:97 mode=2
a=rtpmap:98 speex/8000
a=fmtp:98 mode=5
a=rtpmap:99 speex/8000
a=fmtp:99 mode=7
a=rtpmap:107 speex/32000
a=fmtp:107 mode=10
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:108 ilbc/8000
a=rtpmap:113 g7231/8000
a=rtpmap:18 g729/8000
a=rtpmap:100 G726-16/8000
a=rtpmap:101 G726-24/8000
a=rtpmap:2 G726-32/8000
a=rtpmap:2 G726-32/8000
a=rtpmap:103 G726-40/8000
a=rtpmap:4 g723/8000
a=fmtp:18 annexb=no
a=rtpmap:109 ilbc/8000
a=fmtp:109 mode=20
a=rtpmap:110 telephone-event/8000
a=fmtp:110 0-15
a=ptime:20
a=sendrecv
<------------->
--- (15 headers 34 lines) ---
Sending to 192.111.139.146:29281 (NAT)
Sending to 192.111.139.146:29281 (NAT)
Using INVITE request as basis request - _zIr9tDtBxeTVTY5F7z8kD7R..
No matching peer for '9353' from '192.111.139.146:29281'
..............

Which then generates a lot of transmissions showing Unauthorized:

..............
Retransmitting #10 (NAT) to 192.111.139.146:29281:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;received=192.111.139.146;rport=29281
From: "Caller"<sip:9353@<my-ip>:5060>;tag=sXPNixD5Ui42V
To: <sip:+48223079992@<my-ip>:5060>;tag=as1f60e6dd
Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..
CSeq: 101 INVITE
Server: Asterisk PBX 13.21.0-rc1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home", nonce="0794806c"
Content-Length: 0

1. What's this guy trying to do? It looks like he's trying to generate a call from the server to a Polish number. Why bother?

2. What's the role of the Via and the Contact line? The 100.149.241.68 seems to be a cell phone. 100.128.0.0/9 is T-Mobile.

3. How do I set up the server to block these?

4. Can I stop the retransmitting of the 401 Unauthorized packets?

Any help appreciated.

sean
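To make the Via/Contact question concrete, here is an added Python example (not part of the original post) that pulls the Via sent-by host, the Contact host and the Request-URI user out of the INVITE above and compares them with the UDP source Asterisk reported. The message text is a trimmed copy of the capture with <my-ip> left as a placeholder; the finding labels and helper names are my own.

```python
import re

# Constructed sample, trimmed from the INVITE quoted above; <my-ip> stands for the
# PBX's own address, SOURCE_ADDR is the UDP source Asterisk reported for the packet.
SOURCE_ADDR = "192.111.139.146"
INVITE = (
    "INVITE sip:+48223079992@<my-ip>:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 100.149.241.68:5060;branch=z4hG4bK-966187-1---q9ft4HdLB4ZeBqs;rport=5060\r\n"
    "Contact: <sip:9353@100.149.241.68:5060>\r\n"
    "To: <sip:+48223079992@<my-ip>:5060>\r\n"
    'From: "Caller"<sip:9353@<my-ip>:5060>;tag=sXPNixD5Ui42V\r\n'
    "Call-ID: _zIr9tDtBxeTVTY5F7z8kD7R..\r\n"
    "CSeq: 101 INVITE\r\n"
    "User-Agent: GSM\r\n"
    "Content-Length: 0\r\n\r\n"
)

URI_RE = re.compile(r"sip:(?:(?P<user>[^@>;\s]+)@)?(?P<host>[^:;>\s]+)")
VIA_RE = re.compile(r"SIP/2\.0/\w+\s+([^:;\s]+)")

def parse_request(msg):
    """Split a SIP request into (method, request_uri, headers); names lower-cased."""
    head = msg.split("\r\n\r\n", 1)[0].split("\r\n")
    method, ruri, _version = head[0].split(" ", 2)
    headers = {}
    for line in head[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, ruri, headers

def triage(msg, source_addr):
    """Defender-side checks: where the request claims to come from vs. where it came from."""
    _method, ruri, h = parse_request(msg)
    findings = []
    # Via sent-by is where the client says responses go. When it differs from the
    # packet source, Asterisk adds received=/rport= (visible in the 401 above).
    if VIA_RE.search(h["via"]).group(1) != source_addr:
        findings.append("via-mismatch")
    # RFC 3261 requires the branch parameter to start with the magic cookie z9hG4bK.
    if "z9hG4bK" not in h["via"]:
        findings.append("non-rfc3261-branch")
    # Contact is where in-dialog requests (e.g. BYE) would be sent.
    if URI_RE.search(h["contact"]).group("host") != source_addr:
        findings.append("contact-not-source")
    # A '+'-prefixed Request-URI user asks the PBX to place an outbound PSTN call.
    if URI_RE.search(ruri).group("user").startswith("+"):
        findings.append("external-number-in-ruri")
    return findings
```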
On Thu, 2018-05-17 at 11:18 -0400, sean darcy wrote:
> 3. How do I set up the server to block these?
>
> 4. Can I stop the retransmitting of the 401 Unauthorized packets?

I'm happy with Fail2Ban protecting my Asterisk 13. Here is my configuration:

in /etc/asterisk/logger.conf:

messages => security,notice,warning,error

in /etc/asterisk/sip.conf:

allowguest=yes
context=unauthenticated

in /etc/asterisk/extensions.conf:

[unauthenticated]
;; Incoming calls from unauthenticated caller -> Fail2Ban
exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _X.,3,HangUp()

exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
exten => _+X.,3,HangUp()

in /etc/fail2ban/jail.conf:

[asterisk]
filter   = asterisk
action   = iptables-allports[name=ASTERISK]
logpath  = /var/log/asterisk/messages
maxretry = 1
findtime = 86400
bantime  = 518400
enabled  = true

in /etc/fail2ban/filter.d

# Fail2Ban configuration file
#
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
#before = common.conf


[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
# Values:  TEXT
#
failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
            NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
            NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
            NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
            NOTICE.* .*: Peer '.*' is not dynamic (from <HOST>)
            NOTICE.* .*: Host <HOST> denied access to register peer '.*'
            SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
            VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
            SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+
            WARNING.* .*: fail2ban='<HOST>'

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
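As an added example (not Frank's code), the Python below expands <HOST> the way the filter comment describes and runs three of the failregex lines, including the WARNING line the [unauthenticated] dialplan writes, over constructed log lines in the shape of /var/log/asterisk/messages. The sample lines and the offending_hosts/to_ban helpers are assumptions for illustration; the jail's maxretry = 1 is the default here.

```python
import re
from collections import Counter

# Three patterns from the filter above; <HOST> is expanded exactly as Fail2Ban does it.
HOST = r"(?:::f{4,6}:)?(?P<host>\S+)"
FAILREGEX = [
    r"WARNING.* .*: fail2ban='<HOST>'",
    r'SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"',
    r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password",
]
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# Constructed sample lines in the shape Asterisk writes to /var/log/asterisk/messages:
# a SIP security event, the dialplan's Log(WARNING,...) line, a failed REGISTER, and
# a benign NOTICE that must not match anything.
SAMPLE_LOG = """\
[May 17 10:08:08] SECURITY[1532] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2018-05-17T10:08:08.000-0400",Severity="Error",Service="SIP",EventVersion="2",AccountID="9353",SessionID="0x7f3a",LocalAddress="IPV4/UDP/67.80.191.250/5060",RemoteAddress="IPV4/UDP/192.111.139.146/29281"
[May 17 10:08:09] WARNING[1532][C-00000001]: Ext. +48223079992:1 @ unauthenticated: fail2ban='192.111.139.146'
[May 17 10:09:30] NOTICE[1532] chan_sip.c: Registration from '"200"<sip:200@67.80.191.250>' failed for '198.51.100.7:5060' - Wrong password
[May 17 10:10:00] NOTICE[1532] chan_sip.c: Peer '9001' is now Reachable. (12ms / 2000ms)
"""

def offending_hosts(log_text):
    """Count failregex hits per host, as Fail2Ban does within its findtime window."""
    hits = Counter()
    for line in log_text.splitlines():
        for pat in PATTERNS:
            m = pat.search(line)
            if m:
                hits[m.group("host")] += 1
                break  # one hit per line, even if several patterns match
    return hits

def to_ban(log_text, maxretry=1):
    """Hosts that reached maxretry (the jail above uses maxretry = 1, so one hit bans)."""
    return sorted(h for h, n in offending_hosts(log_text).items() if n >= maxretry)
```

Because the dialplan logs every unauthenticated call attempt as a WARNING, an INVITE like the one in the first post is caught by the last pattern even though it never tries to REGISTER.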
On 05/17/2018 11:38 AM, Frank Vanoni wrote:
> On Thu, 2018-05-17 at 11:18 -0400, sean darcy wrote:
>
>> 3. How do I set up the server to block these?
>>
>> 4. Can I stop the retransmitting of the 401 Unauthorized packets?
>
> I'm happy with Fail2Ban protecting my Asterisk 13. Here is my
> configuration:
>
> in /etc/asterisk/logger.conf:
>
> messages => security,notice,warning,error
>
>
> in /etc/asterisk/sip.conf:
>
> allowguest=yes
> context=unauthenticated
>
>
> in /etc/asterisk/extensions.conf:
>
> [unauthenticated]
> ;; Incoming calls from unauthenticated caller -> Fail2Ban
> exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
> exten => _X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
> exten => _X.,3,HangUp()
>
> exten => _+X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
> exten => _+X.,2,Set(CDR(UserField)=SIP PEER IP: ${CHANNEL(peerip)})
> exten => _+X.,3,HangUp()
>
>
>
> in /etc/fail2ban/jail.conf:
>
> [asterisk]
> filter   = asterisk
> action   = iptables-allports[name=ASTERISK]
> logpath  = /var/log/asterisk/messages
> maxretry = 1
> findtime = 86400
> bantime  = 518400
> enabled  = true
>
>
> in /etc/fail2ban/filter.d
>
> # Fail2Ban configuration file
> #
> #
> # $Revision: 250 $
> #
>
> [INCLUDES]
>
> # Read common prefixes. If any customizations available -- read them from
> # common.local
> #before = common.conf
>
>
> [Definition]
>
> #_daemon = asterisk
>
> # Option:  failregex
> # Notes.:  regex to match the password failures messages in the logfile. The
> #          host must be matched by a group named "host". The tag "<HOST>" can
> #          be used for standard IP/hostname matching and is only an alias for
> #          (?:::f{4,6}:)?(?P<host>\S+)
> # Values:  TEXT
> #
> failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Wrong password
>             NOTICE.* .*: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
>             NOTICE.* chan_sip.c: Call from '.*' \(<HOST>(:[0-9]{1,5})?\) to extension '.*' rejected because extension not found in context 'unauthenticated'
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Username/auth name mismatch
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Not a local domain
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Peer is not supposed to register
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device does not match ACL
>             NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - Device not configured to use this transport type
>             NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
>             NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
>             NOTICE.* .*: Host <HOST> denied access to register peer '.*'
>             NOTICE.* .*: Host <HOST> did not provide proper plaintext password for '.*'
>             NOTICE.* .*: Registration of '.*' rejected: '.*' from: '<HOST>'
>             NOTICE.* .*: Peer '.*' is not dynamic (from <HOST>)
>             NOTICE.* .*: Host <HOST> denied access to register peer '.*'
>             SECURITY.* .*: SecurityEvent="InvalidAccountID".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="FailedACL".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="InvalidPassword".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             SECURITY.* .*: SecurityEvent="ChallengeResponseFailed".*,Severity="Error",Service="SIP".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+"
>             VERBOSE.* logger.c: -- .*IP/<HOST>-.* Playing 'ss-noservice' \(language '.*'\)
>             SECURITY.* .*: SecurityEvent="ChallengeSent".*,Severity="Informational",Service="SIP".*,AccountID="sip:.*@93.94.247.123".*,RemoteAddress="IPV[46]/(UDP|TCP|TLS)/<HOST>/[0-9]+
>             WARNING.* .*: fail2ban='<HOST>'
>
> # Option:  ignoreregex
> # Notes.:  regex to ignore. If this regex matches, the line is ignored.
> # Values:  TEXT
> #
> ignoreregex =
>

Thanks. Very useful as a tutorial for fail2ban. But I don't think it covers this SIP hack. This guy isn't trying to register. That's why I find it puzzling. What is he trying to do?

sean