Invite SIP fail to authenticate


(Adam Kayden) #1

i need help

hi, how can i block these type of messages?

My last FreePBX server die after i ignore all these messages as it was blocked by the responsive firewall.

Now with a fresh new server (11 hours old), i still do get these.

[2020-07-09 10:54:54] ERROR[2347] pjproject: sip_transport.c Error processing 687 bytes packet from UDP 156.96.112.199:59429 : PJSIP syntax error exception when parsing 'Request Line' header on line 1 col 12:

INVITE sip: 46462607565@my.pbx.ip.here SIP/2.0
Via: SIP/2.0/UDP 156.96.112.199:59429;branch=z9hG4bK1602718160
Max-Forwards: 70
From: sip:8888@my.pbx.ip.here;tag=1225011894
To: <sip: 46462607565@my.pbx.ip.here>
Call-ID: 1841676633-1355977225-935501252
CSeq: 1 INVITE
Contact: sip:8888@156.96.112.199:59429
Content-Type: application/sdp
Content-Length: 208
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH

v=0
o=8888 16264 18299 IN IP4 192.168.1.83
s=call
c=IN IP4 192.168.1.83
t=0 0
m=audio 25282 RTP/AVP 0 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11

– end of packet.
[2020-07-09 10:58:44] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘sip:8001@my.pbx.ip.here’ failed for ‘156.96.128.154:52360’ (callid: 908764754-2098712799-869297688) - Failed to authenticate
[2020-07-09 10:58:44] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘sip:8001@my.pbx.ip.here’ failed for ‘156.96.128.154:52360’ (callid: 908764754-2098712799-869297688) - Failed to authenticate
[2020-07-09 10:58:45] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘sip:8001@my.pbx.ip.here’ failed for ‘156.96.128.154:52360’ (callid: 908764754-2098712799-869297688) - Failed to authenticate
[2020-07-09 10:58:45] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘sip:8001@my.pbx.ip.here’ failed for ‘156.96.128.154:52360’ (callid: 908764754-2098712799-869297688) - No matching endpoint found after 5 tries in 1.229 ms
[2020-07-09 10:58:45] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘sip:8001@my.pbx.ip.here’ failed for ‘156.96.128.154:52360’ (callid: 908764754-2098712799-869297688) - Failed to authenticate

need help…


(Dave Burgess) #2

We need more info:

  1. How is your system connected to the Internet? Is it direct, or NAT, or behind a firewall, or not?
  2. Do you have the Integrated Firewall turned on?
  3. Are you using the Adaptive Firewall, and if so, on purpose?

In general, you do not want your SIP port exposed to the Internet without some kind of prophylactic measure in place. This can be an external firewall redirecting specific hosts traffic to your SIP port or the Integrated Firewall blocking traffic from any place that you don’t want traffic to come in from.

If you MUST allow inbound traffic unrestricted access to your SIP port (you have a roaming sales force that uses McDonald’s WiFi for their phones), using the Adaptive Firewall can limit the exposure by blocking access after a given number of failed connection attempts.

If you have “external” (not in your phone system’s LAN) phones that connect to the server, consider setting up a VPN for those phones to connect through. Yes, it can be a hassle and if you don’t want to do it, the Adaptive Firewall is an option.

Bottom line - there’s no reason why anyone should ever see your SIP port unless you want them to. There are lots of solutions built into to the system, so I’m sure we can steer you in a direction that will work for you.


(Adam Kayden) #3

thank you sir @cynjut

  1. How is your system connected to the Internet? Is it direct, or NAT, or behind a firewall, or not?
    Me: yes, it is NAT

  2. Do you have the Integrated Firewall turned on?
    Me: Yes, it’s ON

  3. Are you using the Adaptive Firewall, and if so, on purpose?
    Me: Yes. i like this

yes - the phone system is installed in a cloud server and us (users) are connected from home on IP Phone or native Android phone SIP dialer via dynamic IP ISP.

VPN will be a hassle as the cloud provider charge time.

that will make it less economical.

i like the Adaptive Firewall. so with that, can i ignore the sipvicious messages?

what is the implication of changing custom extension SIP port while maintaining 5060 to the trunk side?

What i did to change port:
Settings >> Asterisk SIP Settings >> SIP Settings [chan_pjsip] >> Port to Listen On: 34567

i open port 5060 - 5061 on my cloud portal firewall.

but in FreePBX SIP Settings, i cannot find anything on 5061 to change to 34568.

please let know if i am doing this correctly? in the meantime, i will test to see what can happen.


(Dave Burgess) #4

OK - there are two connections. One going out to your provider and one coming in from them to you. They both use 5060, but that’s just a coincidence.

5060 on your end could be anything. You just configure your phones to use that port and set up your ITSP to send your traffic to x.x.x.x:whatever instead of the standard x.x.x.x. When you send traffic to your ITSP, you will still use port 5060 for your outgoing connections. They don’t have to match.

5061 uses TLS (IIRC) so if you are using that, it should allow you to filter the connecting phones much more easily.

5160 (which is the ‘standard’ Chan-SIP port address) can likewise be set to anything you want. You simply set anyone with an incoming connection (that you want to connect to Chan-SIP) to that port and away you go.

Important note - all three of these need to be ‘redirected’ differently. You can’t set PJ-SIP and Chan-SIP (5060 and 5160, typically) to the same port number, and 5061 (being the default TLS port) shouldn’t probably be modified.

Generally, yes. The point of the Adaptive Firewall is that if someone tries to connect too many times in a given period, their IP address is banned. So, you might get a few connection attempts from a host, but after that, they’re blocked. I expect more improvements in that area in the next few months, since we’re a couple of major versions behind on the fail2ban stuff that it interfaces with.


(Adam Kayden) #5

thank you!

i was able to absorb the information.

as a result, my server is silent of attacks now.

i now look for days ahead with these changes…

and the improvements when FreePBX fail2ban catch up…


(system) closed #6

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.