Endless sip_inv.c errors

(Ablock) #1

Greetings all. FreePBX/Asterisk novice here. I recently installed FreePBX using the RasPBX distro. Got everything up and running with a SIP trunk and a handful of PJSIP and legacy SIP devices (Grandstream wifi phones and Cisco 8841s respectively).

When I look at the logs, even when all devices are idle (or even fully disconnected), I see a constant stream of messages like the following:

[2020-10-04 09:42:33] SECURITY[2331] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2020-10-04T09:42:33.064-0700",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0xb4302228",LocalAddress="IPV4/TCP/",RemoteAddress="IPV4/TCP/",UsingPassword="0",SessionTV="2020-10-04T09:42:33.064-0700"
[2020-10-04 09:42:43] ERROR[2272] pjproject: 	     sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)
[2020-10-04 09:42:55] ERROR[2272] pjproject: 	     sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)
[2020-10-04 09:42:56] ERROR[2272] pjproject: 	     sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)
[2020-10-04 09:42:59] ERROR[2272] pjproject: 	     sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)

This occurs about once a minute. The LocalAddress is always while the remote address is also localhost but on a random port above 50000. Edit: it appears the security warning is benign and unrelated to the SIP errors.

I don’t know that this is a material issue but it bothers me (in addition to clogging the logs), so if anyone has suggestions on how to rectify it I’d appreciate the insight.


(Jared Busch) #2

Do not know anything about your problem, but you do not need SIP for “legacy” devices.

The device does not know or care what driver the PBX is using to provide SIP.

(Ablock) #3

@sorvani The Cisco devices need an Asterisk patch to add some Cisco-specific commands, as detailed at usecallmanager.nz. However, I had this same issue when using the unpatched Asterisk 16 distro included with RasPBX (which is managed by apt).

(Jared Busch) #4

Of course.

(Ablock) #5

Note that the patch does not touch sip_inv.c or pjproject.


(Ablock) #6

So it seems that per this post:

The security warnings are expected, and probably unrelated to the sip_inv.c errors. Would still be great to figure those out.

(Lorne Gaetz) #7

It’s conventional to disable SECURITY level logging to the Asterisk full log since it tends to be verbose. Unless you require it for intrusion detection (in which case it’s better to have a log file specifically for ID) you will find it easier to only enable when you need it.


(Ablock) #8

Thanks, @lgaetz. I understand that and do have a separate fail2ban log. It appears that the errors I am seeing are unrelated to the security warnings which I will remove from the main log.

(Ablock) #9

Okay, so this seems to be an attack. I turned on PJSIP history and waited for a couple of the errors to come through, then ran pjsip show history. The relevant rows in the table:

No.   Timestamp  (Dir) Address                  SIP Message                        
===== ========== ============================== ===================================
00000 1601832405 * <==     INVITE sip:9999297006468256426@ SIP/2.0
00001 1601832405 * ==>     SIP/2.0 400 Bad Request

That IP address is in France and should not be connecting to my PBX.

The details for that invite entry are:

<--- History Entry 33 Received from at 1601832717 --->
INVITE sip:9999323244556468256426@ SIP/2.0
Via: SIP/2.0/UDP;rport=54753;received=;branch=z9hG4bK17052342956
Max-Forwards: 70
From: <sip:1001@>;tag=2029311865
To: <sip:9999320006468256426@>
Call-ID: 1212621415-1894932257-351572944
Contact: <sip:1001@>
User-Agent: Cisco-SIPGateway
Content-Type: application/sdp
Content-Length: 203
Content-Type: application/sdp
Content-Length: 203
o=1001 16264 18299 IN IP4
c=IN IP4
t=0 0
m=audio 25282 RTP/AVP 100 6 0 8 3 18 5 101
a=rtpmap:0 pcmu/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11

The requested extension is invalid so obviously the intent here is fishy.

Manually adding the offending IP to fail2ban slowed down the frequency of these errors, but running pjsip history shows that they are still happening. They don’t seem to generate a parseable error in the log (there is no IP address to pass to fail2ban), so I’m not sure how I can prevent these other than by whitelisting the trunk IPs.
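
Why the INVITE quoted above triggers the PJMEDIA_SDP_EMISSINGRTPMAP error: its m= line offers payload type 100, which is in the dynamic range (96-127, RFC 3551), but the body only carries a=rtpmap lines for 0 and 101. This is an added example, not part of the original posts and not pjproject's code; the function name `missing_rtpmaps` is hypothetical.

```python
# Added example (not pjproject code): list dynamic RTP payload types that an
# SDP body offers on an m= line without a matching a=rtpmap attribute.

DYNAMIC_PT_MIN, DYNAMIC_PT_MAX = 96, 127   # dynamic range per RFC 3551

# SDP lines copied from the history entry in the post above; the addresses
# were already elided there.
SDP_FROM_POST = """\
o=1001 16264 18299 IN IP4
c=IN IP4
t=0 0
m=audio 25282 RTP/AVP 100 6 0 8 3 18 5 101
a=rtpmap:0 pcmu/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11
"""


def missing_rtpmaps(sdp):
    """Return [(m-line, [dynamic payload types lacking an rtpmap])] per media section."""
    sections = []  # each entry: (m-line, offered payload types, mapped payload types)
    for line in (raw.strip() for raw in sdp.splitlines()):
        if line.startswith("m="):
            fields = line[2:].split()  # <media> <port> <proto> <fmt> ...
            is_rtp = len(fields) >= 3 and "RTP/" in fields[2]
            offered = [int(f) for f in fields[3:] if f.isdigit()] if is_rtp else []
            sections.append((line, offered, set()))
        elif line.startswith("a=rtpmap:") and sections:
            # a=rtpmap:<payload type> <encoding>/<clock rate>
            parts = line[len("a=rtpmap:"):].split()
            if parts and parts[0].isdigit():
                sections[-1][2].add(int(parts[0]))
    return [
        (mline, [pt for pt in offered
                 if DYNAMIC_PT_MIN <= pt <= DYNAMIC_PT_MAX and pt not in mapped])
        for mline, offered, mapped in sections
    ]


if __name__ == "__main__":
    for mline, missing in missing_rtpmaps(SDP_FROM_POST):
        print(mline, "-> dynamic payload types without rtpmap:", missing)
```

Static payload types such as 0, 3 and 8 have fixed meanings and need no rtpmap, which is why only 100 is reported for this body.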

(Jared Busch) #10

If you were on the distro version, the built-in firewall does that by default. All things are blocked and trunk IPs are automatically whitelisted. Even so far as to using SRV records.

I would highly recommend implementing some kind of firewall. Fail2ban is not a firewall, it is reactive.

(Ablock) #11

Thanks @sorvani. I have a hardware firewall so will whitelist the SIP trunk provider IPs for 5060 and the RTP ports. I am also going to add deny/permit rules to all my extensions.