Failed INVITES not getting banned automatically

Got a system getting phantom “failed” calls from random extensions. Clearly getting probed. Unclear how this is happening though as the attempts show up in the logs from the same IP but it’s not getting banned.

Anonymous and SIP Guests are both set to NO in FPBX. PJSIP is the only transport in use, via UDP, and the port IS open to the outside; the Sangoma firewall is on, the interface is set to the internet zone, and responsive is enabled for PJSIP as this system has a lot of mobile workers with changing IPs. Working on rolling out OpenVPN but working with a couple hundred non-Sangoma phones and we can’t touch the phones/people because of distance and the quarantines going on.

The failed invites are showing up in the logs, and there is a pattern to the attempts: 5 invites that fail, then a pause of a few minutes, then another 5, over and over. The source IP is not getting banned. I can and have manually banned the IPs but am interested in why they’re not getting banned in the first place.

Sample Invite excerpt:

Request ‘INVITE’ from ‘sip:RANDOMEXTENSION@BOGUSIP1’ failed for ‘BOGUSIP2:53199’ (callid: RANDOMGUIDHERE) - Failed to authenticate

Anything I can check to make sure we didn’t overlook something simple to get these guys banned properly automatically?

Asterisk 13.22.0
FPBX 14.0.13.26

I may have answered my own question. The System Admin -> Intrusion Detection settings tune how sensitive it is.

I raised the “find time” to a wider period of time, and also raised the max retry to accommodate legit requests. Unclear if there are unintended consequences in doing that, short of valid extensions being misconfigured and then getting banned. I pre-emptively whitelisted known good IPs to help mitigate that.

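To see why a burst-and-pause probe can slip past a narrow find time, here is an added example (not from the post, FreePBX or fail2ban) that replays constructed log lines in the shape of the excerpt above through a fail2ban-style sliding window; the timestamp prefix, IPs and regex are assumptions.

```python
import re
from datetime import datetime, timedelta

# Shape of the log excerpt in the post; prefix layout is assumed, sample lines are constructed.
FAILED_INVITE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] .*Request 'INVITE' from '[^']+' failed for "
    r"'(?P<ip>[\d.]+):\d+' \(callid: [^)]+\) - Failed to authenticate"
)

def parse_failures(lines):
    """Return [(timestamp, source_ip)] for each failed-authentication INVITE line."""
    out = []
    for line in lines:
        m = FAILED_INVITE.match(line)
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]))
    return out

def first_ban(events, findtime, maxretry, ignore_ips=()):
    """fail2ban-style sliding window: {ip: first ban time} for sources reaching
    maxretry failures inside any findtime-second window; ignore_ips never count."""
    recent, bans = {}, {}
    for ts, ip in sorted(events):
        if ip in ignore_ips or ip in bans:
            continue
        window = recent.setdefault(ip, [])
        window.append(ts)
        cutoff = ts - timedelta(seconds=findtime)   # forget failures outside the window
        window[:] = [t for t in window if t > cutoff]
        if len(window) >= maxretry:
            bans[ip] = ts
    return bans

def make_probe_log(source_ip="203.0.113.7", bursts=3, per_burst=5, gap_s=180):
    """Constructed log: bursts of failed INVITEs separated by a pause, as in the post."""
    base = datetime(2020, 4, 1, 9, 0, 0)
    lines = []
    for b in range(bursts):
        for i in range(per_burst):
            ts = base + timedelta(seconds=b * gap_s + i)
            lines.append(f"[{ts:%Y-%m-%d %H:%M:%S}] WARNING[1234]: Request 'INVITE' from "
                         f"'sip:{1000 + i}@198.51.100.9' failed for '{source_ip}:53199' "
                         f"(callid: c{b}-{i}) - Failed to authenticate")
    return lines

if __name__ == "__main__":
    events = parse_failures(make_probe_log())
    print("findtime=120s:", first_ban(events, findtime=120, maxretry=10))  # {} -> never banned
    print("findtime=600s:", first_ban(events, findtime=600, maxretry=10))  # banned on 2nd burst
```

With a find time shorter than the pause between bursts, the counter resets before the threshold is reached, so the source is never banned; widening the find time (or whitelisting known-good IPs to avoid banning misconfigured phones) is exactly the knob the post describes.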

The only thing that still stands out is why those were generating phantom calls in the first place. If Guest and Anon are both disallowed, how could those be generating phantom calls at all? There are no DIDs pointing at the extension receiving the phantom calls. The IVR does not allow direct extension dialing, and no menu option dials this extension directly (only a ring group, which is not being used for the phantom calls, as evidenced by the other phones in the ring group not experiencing this).

I postulate that those script kiddies will start up again as soon as the banhammer time expires (which I expanded to 24 hours), then get banned again, rinse and repeat, and each time that happens a batch of bogus/phantom calls will come through before they’re banned once more.
