On 01/02/2018 05:30 PM, sean darcy wrote:
On 12/30/2017 08:18 PM, Dovid Bender wrote:
Script kiddies trying to find vulnerable systems that they can make calls on. Lock down the box with iptables and use fail2ban to block them. The via is probably bogus unless a box at the DoD was compromised.



On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <seandar...@gmail.com> wrote:

    I've been getting a lot of timeouts on non-critical invite
    transactions. I turned on sip debug. They were the result of SIP
    invites like this:

    Retransmitting #10 (NAT) to 185.107.94.10:13057:
    SIP/2.0 401 Unauthorized
    Via: SIP/2.0/UDP 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
    From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
    To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
    Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
    CSeq: 1 INVITE
    Server: Asterisk PBX 13.19.0-rc1
    Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
    INFO, PUBLISH, MESSAGE
    Supported: replaces, timer
    WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home",
    nonce="14be1363"
    Content-Length: 0

I don't see how fail2ban would help. asterisk isn't rejecting anything. There's no attempt with username/password.

How could I use iptables to "lock it down"? We get sip calls from all over. Is there something about the incoming packet we could use? For instance, any packet containing a VIA instruction? For that matter, can SIP be configured to drop any VIA request?


fail2ban is most useful for blocking registration attempts. I handle non-registration call attempts by allowing guests and pointing them to a jail context, which runs Log(WARNING,fail2ban='${CHANNEL(peerip)}'). I set a fail2ban rule to match that line logged from Asterisk.
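
The rule described in the reply above can be checked offline before it goes into a fail2ban filter. The following is an added example, not part of the original thread: the context name `jail`, the log line layout and all sample lines are assumptions, and the `<HOST>` expansion is a simplified IPv4-only stand-in for what fail2ban substitutes. It also shows why the rule should be anchored, since callers control strings such as the From user seen in the debug output.

```python
import re
from collections import Counter

# fail2ban substitutes its own host pattern for <HOST>; this IPv4-only
# stand-in is an assumption so the rule can be exercised offline.
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"

# Assumed layout: [time] WARNING[thread][call-id]: Ext. <exten>:<prio> @ <context>: <msg>
# "jail" is a hypothetical name for the guest context.
ANCHORED = (r"^\[[^\]]+\] WARNING\[\d+\](?:\[C-[0-9a-f]+\])?: "
            r"Ext\. \S+:\d+ @ jail: fail2ban='<HOST>'$")
LOOSE = r"fail2ban='<HOST>'"  # unanchored: accepts the marker anywhere on a line

def first_host(failregex, line):
    """Return the address the rule would extract from one log line, or None."""
    m = re.search(failregex.replace("<HOST>", HOST), line.rstrip("\n"))
    return m.group("host") if m else None

def hosts_to_ban(lines, failregex=ANCHORED, maxretry=3):
    """Addresses with at least maxretry matching lines (fail2ban's threshold idea)."""
    hits = Counter()
    for line in lines:
        host = first_host(failregex, line)
        if host:
            hits[host] += 1
    return sorted(h for h, n in hits.items() if n >= maxretry)

# Constructed log lines using documentation addresses, not taken from the thread.
SAMPLE = [
    "[2018-01-02 17:31:02] WARNING[2211][C-0000002a]: Ext. 00141225184741:1 @ jail: fail2ban='198.51.100.7'",
    "[2018-01-02 17:31:04] WARNING[2211][C-0000002b]: Ext. 00141225184741:1 @ jail: fail2ban='198.51.100.7'",
    "[2018-01-02 17:31:06] WARNING[2211][C-0000002c]: Ext. 900141225184741:1 @ jail: fail2ban='198.51.100.7'",
    "[2018-01-02 17:31:08] WARNING[2213][C-0000002d]: Ext. 100:1 @ jail: fail2ban='192.0.2.44'",
]
# Constructed line where caller-supplied text carries the marker for another address.
INJECTED = ("[2018-01-02 17:31:09] NOTICE[2211]: caller name "
            "fail2ban='203.0.113.9' seen from 198.51.100.7")

if __name__ == "__main__":
    print("anchored:", hosts_to_ban(SAMPLE + [INJECTED] * 3))
    print("loose:   ", hosts_to_ban(SAMPLE + [INJECTED] * 3, LOOSE))
```

With the loose rule, three echoed copies of the marker are enough to get an unrelated address banned; the anchored rule only counts lines written by the dialplan's own Log() call.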


asterisk-users mailing list