Intrusion Detection is not working properly

wifx · May 23, 2022, 7:29pm

Hello,

My log is filled with this :

744174	[2022-05-23 21:23:05] NOTICE[1143] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: AW_BN6nwUqjU8kO9uVq3ew..) - Failed to authenticate	
744175	[2022-05-23 21:23:11] NOTICE[1143] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: 7jVQv6r3LLFv4yprQufXEw..) - Failed to authenticate	
744176	[2022-05-23 21:23:11] NOTICE[21978] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: C9__beTnawGnT7OEIPukgg..) - Failed to authenticate	
744177	[2022-05-23 21:23:17] NOTICE[4072] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: iRqq53uUPdLxQcbCnAmrqQ..) - Failed to authenticate	
744178	[2022-05-23 21:23:17] NOTICE[1143] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: E9EE8IcbUATupinoPAsMSQ..) - Failed to authenticate	
744179	[2022-05-23 21:23:23] NOTICE[12714] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: znM4elVEICMYmgT4Tsa2cQ..) - Failed to authenticate	
744180	[2022-05-23 21:23:23] NOTICE[17259] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: 4AGiFIpgbys5Cxau2PcldA..) - Failed to authenticate	
744181	[2022-05-23 21:23:29] NOTICE[12714] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: CjhPvxReuFQqdUvWfZ6C2A..) - Failed to authenticate	
744182	[2022-05-23 21:23:29] NOTICE[15965] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: cLKuE60SzhQ3XEdwKtuj0A..) - Failed to authenticate	
744183	[2022-05-23 21:23:35] NOTICE[12714] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: 02aHfz6dISGEgvuR_hGS4g..) - Failed to authenticate	
744184	[2022-05-23 21:23:35] NOTICE[12714] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: 8cOTi0j6WecXwmHpjNCJZQ..) - Failed to authenticate	
744185	[2022-05-23 21:23:41] NOTICE[1143] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: thxYWTJOXqbOgU7sLQWzOQ..) - Failed to authenticate	
744186	[2022-05-23 21:23:41] NOTICE[15965] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: J6ADvU0TEqzMg_KbjkToZQ..) - Failed to authenticate	
744187	[2022-05-23 21:23:47] NOTICE[9269] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: DOjBcBDOU_u9ZH3YXXgKFg..) - Failed to authenticate	
744188	[2022-05-23 21:23:47] NOTICE[15965] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: ziSqxaNZp-_P_TDJ43lDsA..) - Failed to authenticate	
744189	[2022-05-23 21:23:53] NOTICE[9269] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: NdJ6kiRf8jaxIr3MNdlIjQ..) - Failed to authenticate	
744190	[2022-05-23 21:23:53] NOTICE[12714] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: JXBMrzrXvi1pEE_VNdMxXg..) - Failed to authenticate	
744191	[2022-05-23 21:23:59] NOTICE[17259] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: WRjCAW7QJhrUv6JkIN3WYQ..) - Failed to authenticate	
744192	[2022-05-23 21:23:59] NOTICE[21978] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: VMXlQDRzS2zRKeP0QwJ0_A..) - Failed to authenticate	
744647	[2022-05-23 21:24:05] NOTICE[1143] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: upkrnt6oA_YTR0lKSzp2DQ..) - Failed to authenticate	
744648	[2022-05-23 21:24:05] NOTICE[21978] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: pBnO7pdeLJYhGdCwWQAZcQ..) - Failed to authenticate	
744649	[2022-05-23 21:24:11] NOTICE[4072] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: 8RykJSyIGGP5noVMxUCI1w..) - Failed to authenticate	
744650	[2022-05-23 21:24:11] NOTICE[12714] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: rrXJsrMuWbBqwJk-g6CKDA..) - Failed to authenticate	
744653	[2022-05-23 21:24:17] NOTICE[793] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: lviJPiycDjKKaCGIDZ_ghw..) - Failed to authenticate	
744654	[2022-05-23 21:24:17] NOTICE[15965] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: fzAwZOGNnLwmDch-dVV_kA..) - Failed to authenticate	
744655	[2022-05-23 21:24:23] NOTICE[21978] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: OOOJj4kVP3STWC37FjTKQA..) - Failed to authenticate	
744656	[2022-05-23 21:24:23] NOTICE[12714] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: NkxAls1G3A4Ie-ASuDSiAA..) - Failed to authenticate	
744666	[2022-05-23 21:24:29] NOTICE[17259] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: FdbbBFqw_cJZQ_2xNC-Qug..) - Failed to authenticate	
744667	[2022-05-23 21:24:29] NOTICE[1143] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: 11IOJIqbV3yw8WQIOworsQ..) - Failed to authenticate	
744674	[2022-05-23 21:24:35] NOTICE[1143] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: GnTdouRLDfJ2UqVnU63QCg..) - Failed to authenticate	
744675	[2022-05-23 21:24:35] NOTICE[1143] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: opHouXgZGavvAqHuFbUDSQ..) - Failed to authenticate	
744678	[2022-05-23 21:24:41] NOTICE[15965] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: cViLBkXMNbTM1TBAgHp8BA..) - Failed to authenticate	
744679	[2022-05-23 21:24:41] NOTICE[21978] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: d1gVCID89skvoYsJRj3_dQ..) - Failed to authenticate	
744684	[2022-05-23 21:24:47] NOTICE[17259] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: YjQErqEhn8gPZeUqKXYY2w..) - Failed to authenticate	
744685	[2022-05-23 21:24:47] NOTICE[12714] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: zLsYnykRHs1lblPDAUFuYg..) - Failed to authenticate	
744686	[2022-05-23 21:24:53] NOTICE[1143] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: t2xT1gJtV1fbVqAsQeDJhA..) - Failed to authenticate	
744687	[2022-05-23 21:24:53] NOTICE[1143] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: cEEh14Tpcvk6gIAe5xhrxw..) - Failed to authenticate	
744694	[2022-05-23 21:24:59] NOTICE[793] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59231' (callid: 4zp4csKwDw15iQI1s3vZdA..) - Failed to authenticate	
744695	[2022-05-23 21:24:59] NOTICE[4072] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"2011" <sip:[email protected]>' failed for '[2002:8d62:a84::8d62:a84]:59230' (callid: 8XfwtEZ6cDq0RYDbedCmJQ..) - Failed to authenticate

I can see IPs that are currently banned, but this one does not … Why ?

Help !

jgttgns · May 24, 2022, 4:45am

Without having more information about what you have configured, it’s difficult to say why. At first glance it looks as if someone is attacking your system or repeatedly trying to call without authentication. A SIP trace would provide the details. It would mean that your PBX is not configured correctly.

wifx · May 24, 2022, 6:34am

Here is how it is configured :

It’s FreePBX 15, up to date.

I dont see any banned IPv6 adressses, is fail to ban enabled for IPv6 has well ?

jgttgns · May 24, 2022, 8:15am

I can’t comment on IPv6 and it could be that Asterisk is not listening for IPv6 requests.

You get a SIP trace with entering “pjsip set logger on” in a console window. You should delete any junk and edit all private data.

wifx · May 25, 2022, 8:36am

Asterisk is listening, we have 25 endpoints using IPv6.
I will enable “pjsip set logger on” when I see this happing again. But I guess something is wrong with fail2ban and IPv6.

dicko · May 25, 2022, 8:51am

fail2ban started to support ipv6 tsgs at vrrsion 0.10 you are at ?

fail2ban-client version

wifx · May 25, 2022, 9:02am

[root@sbc ~]# fail2ban-client version
ERROR  NOK: ('Invalid command',)
Invalid command

So I did a

[root@sbc ~]# fail2ban-client -i
Fail2Ban v0.8.14 reads log file that contains password failure report
and bans the corresponding IP addresses using firewall rules.

Well, I apparently have an old version, it is not updated by the GUI of FreePBX?
How to update? Some advice ?

wifx · May 25, 2022, 9:05am

I did the same on my FreePBX 16, and it is also Fail2Ban v0.8.14 …
Really ?

dicko · May 25, 2022, 10:06am

Nobody seems able to answer that, consider it “a riddle, wrapped in a mystery, inside an enigma”

wifx · May 25, 2022, 12:54pm

I dug the mystery, the version currently installed on FreePBX is the last one considered as stable.
The version 0.10 that supports IPv6 is considered experimental, which is why it is not installed on FreePBX I guess …
So, there is no anti-intrusion on FreePBX for IPv6… Too bad… Sad.

dicko · May 25, 2022, 1:31pm

Yeah, but we can’t find out who at Sangoma believes that, F2B 0.8 went ‘maintainance only’ in 2014, the current ‘experiments’ are in the 1.0 branch, current stable version 0.11.

sholinaty · May 25, 2022, 10:25pm

honestly, using IPv6 at this stage just feels like overkill.

dicko · May 26, 2022, 12:35am

Unless your service is only ipv6 , that was the warning 20 years ago, (starting to become more apparent )

Good read,

https://www.cloudflare.com/learning/dns/dns-records/dns-aaaa-record/#:~:text=What%20is%20a%20DNS%20AAAA,the%20Internet%20Protocol%20(IP).

wifx · May 26, 2022, 4:14am

Overkill, really ? Many of the major network operators In the U.S., Europe and Asia have massively deployed IPv6. For example, in the U.S. T-Mobile has 93 percent, in India Reliance Jio has 87 percent, in the U.K. British Sky Broadcasting has 86 percent and in Belgium VOO has 73 percent IPv6 deployment.

We are an Internet service provider in Switzerland, we offer IPv6 to all our customers.
We offer 3CX solutions that also work well with IPv6.
But I have a clear preference for Open Source solutions like FreePBX. The phones we use are Yealinks which also work well with IPv6.
No more NAT problems which is a real poison for VOIP, no need for SBC or other SIP ALG which are a real junk.

So folks, it’s time to wake up and propose solutions that are 100% efficient with IPv6 in all its power.

BlazeStudios · May 26, 2022, 11:25am

Flexing that mobile carriers are 90%+ ipv6 really isnt a big flex here. People arent running their PBX and phones off mobile networks all the time.

The reality is there is less than 50% adoption globally with only a handful of countries over a 50% deployment themselves. The estimate is 2045 before ipv6 is used by the majority of users.

The other thing to consider is that while many ISPs have ipv6 and offer it, the support is horrid. It took me two different ISPs and over 6 months with my last one to get Ipv6 working right. The ISP was as helpful as “Well you have to use our CPE and this mode. We havent figured out how passthrough works.”

Ipv6 is still a lackluster roll out with almost no ISP able to provide actual and decent support. Most techs at the ISP I dealt with had no clue about IPv6.

sholinaty · May 26, 2022, 5:12pm

ipv6 WAN to me makes sense, and is a good goal.
I just don’t see very many valid use cases for Ipv4 LAN, or not running a 6-to-4 to access things like your PBX.

wifx · May 26, 2022, 6:21pm

On this PBX there are 300 extensions from 50 different sites, including 70 Sangoma Connect applications.
Why make a 6to4 when all these networks are 80% IPv6?
Why add another layer when IPv6 works so well?
One more layer is also one more potential point of failure.
Now, there is this fail2ban problem, but it can apparently easily be solved by an update.

sorvani · May 26, 2022, 8:00pm

Actually, in FreePBX 15+ the fail2ban in the distro is it’s own fork of fail2ban 0.8 while the normal EPEL fail2ban is available at 0.11.

But you cannot switch, because it breaks the backend. Or it did last time I tried a year or so ago.

dicko · May 26, 2022, 9:38pm

Is the ‘fork’ now non-transient, i.e. on a restart are the bans maintained ?
Does it get bogged down when the bans are more than a few hundred ?

These problems and dozens of others have been fixed in the last 8 years in the un-forked code.

github.com

fail2ban/fail2ban/blob/master/ChangeLog

<!-- vim: syntax=Markdown -->
                         __      _ _ ___ _
                        / _|__ _(_) |_  ) |__  __ _ _ _
                       |  _/ _` | | |/ /| '_ \/ _` | ' \
                       |_| \__,_|_|_/___|_.__/\__,_|_||_|

Fail2Ban: Changelog
===================

ver. 1.0.1-dev-1 (20??/??/??) - development nightly edition
-----------

### Compatibility
* the minimum supported python version is now 2.7, if you have previous python version
  you can use the 0.11 version of fail2ban or upgrade python (or even build it from source).
* potential incompatibility by parsing of options of `backend`, `filter` and `action` parameters (if they
  are partially incorrect), because fail2ban could throw an error now (doesn't silently bypass it anymore).
* to v.0.11:
  - due to change of `actioncheck` behavior (gh-488), some actions can be incompatible as regards
    the invariant check, if `actionban` or `actionunban` would not throw an error (exit code

This file has been truncated. show original

It now allows insertion of it’s chains anywhere you want in your iptables rules.
It maintains data in sqlite3 so bans and the recidivist jail are the same after a restart
It is systemd compliant.
It does IPv6 just fine.
Has a lot more jails than just VOIP
There are 29 ‘fixes’ to the Asterisk jail
A hellova lot quicker
Of course installation or upgrading is not dependent on any 3rd party rpm (or deb) packaging

wifx · May 27, 2022, 4:14am

Well, we need it ASAP in FreeBPX !
At least FreePBX16 … How to convince the people of Sangoma?