Responsive firewall blocking gateway IP


#1

I have the latest version all upgraded and SIP ports open to the world so remote users and soft phones will work. As expected, the system is constantly being hammered with register attempts. The problem is that all attempts show from the gateway IP and not the actual IP of the attacker. The gateway is immediately blocked and then no remote users can connect. I have added the gateway IP to the ignore list, which fixes this but allows that constant hammering. How do I get the register attempts to show the attacking IP so the firewall can block them?


#2

Do you have an ALG (aka ‘SIP Helper’) enabled on your router?


#3

Not that I am aware of but will check


#4

sngrep would show the results of any SIP header re-writing


#5

There was a sip module loaded in my router which I unloaded. Didn’t make any difference. sngrep just shows the same as the “full” log, register’s coming from the gateway IP that are rejected.


#6

Did it unload or do you need to reboot the router?


#7

a list command shows it unloaded but I will reboot for kicks and giggles


#8

No change


#9

Show a registration attempt in sngrep


#10

[ ] 7 INVITE 402@24.142.168.174 712093600126@24.142.168.1 2 192.168.5.1:59064 192.168.5.12:5060 REJECTED

One line


#11

Press F1 and read how to drill down into that session


#12



#13

That’s an invite not a registration


#14

This is from the “full” log. Constantly…

[2020-12-24 09:01:54] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:8588@24.142.168.174>’ failed for ‘192.168.5.1:53582’ (callid: 352621920-1655556886-705448573) - Failed to authenticate


#15



(Lorne Gaetz) #16

It looks like you’ve configured the gateway to proxy SIP, not forward it.


#17

Found it. Thank you. The rule was a MASQ rule. Fixed that and now IPs are being blocked. Thanks again. Merry Christmas!


#18

There is something else fishy here. The Contact header of the posted REGISTER has an address of 100.64.36.4. This is in the range allocated to CGN (Carrier Grade NAT), which is typically used by ISPs that don’t provide a public IPv4 address to the end user. These addresses are not publicly routable.

So, an incoming call directed to that Avaya phone would fail, unless it was connected via the same ISP as the PBX.
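The two diagnoses in this thread (the MASQ rule in #16/#17 collapsing every attacker into the gateway address, and the CGN Contact address in #18) can both be checked mechanically from the "full" log. The script below is an added example, not code from FreePBX, Asterisk or any poster: it parses the `failed for 'IP:port'` field of the REGISTER failure line quoted in #14, counts failures per source address, flags the masquerade symptom (every failure arriving from the LAN gateway), mimics a responsive-firewall style ban decision with an ignore list, and classifies a Contact/From host as CGN (100.64.0.0/10), RFC 1918 or other. The log lines, addresses, call-ids and the ban threshold of 3 are all constructed for illustration; the real firewall's thresholds are not stated on this page.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines shaped like the Asterisk "full" log entry in post #14
# (res_pjsip/pjsip_distributor.c REGISTER failures). Addresses and call-ids are
# made up. MASQ_LOG is what the log looks like while the gateway rewrites the
# source address (every failure "failed for" the LAN gateway 192.168.5.1);
# FORWARD_LOG is the same traffic after the rule is changed to plain forwarding.
MASQ_LOG = """\
[2020-12-24 09:01:54] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:8588@203.0.113.174>' failed for '192.168.5.1:53582' (callid: 1001) - Failed to authenticate
[2020-12-24 09:01:55] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1001@203.0.113.174>' failed for '192.168.5.1:53583' (callid: 1002) - Failed to authenticate
[2020-12-24 09:01:56] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:2000@203.0.113.174>' failed for '192.168.5.1:53584' (callid: 1003) - Failed to authenticate
[2020-12-24 09:01:57] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:8588@203.0.113.174>' failed for '192.168.5.1:53585' (callid: 1004) - Failed to authenticate
"""

FORWARD_LOG = """\
[2020-12-24 10:10:01] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:8588@203.0.113.174>' failed for '198.51.100.7:5060' (callid: 2001) - Failed to authenticate
[2020-12-24 10:10:02] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1001@203.0.113.174>' failed for '198.51.100.7:5060' (callid: 2002) - Failed to authenticate
[2020-12-24 10:10:03] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:2000@203.0.113.174>' failed for '198.51.100.7:5060' (callid: 2003) - Failed to authenticate
[2020-12-24 10:10:04] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:3000@203.0.113.174>' failed for '192.0.2.33:5062' (callid: 2004) - Failed to authenticate
"""

# The "failed for 'IP:port'" field is the transport source Asterisk saw, i.e.
# the address a log-driven firewall would ban. The From URI is attacker-chosen.
FAIL_RE = re.compile(
    r"Request '(?P<method>[A-Z]+)' from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>[0-9.]+):(?P<port>[0-9]+)'"
)

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space (CGN)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_failures(log_text):
    """One dict per failed-auth line: method, From URI, source ip and port."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out


def failures_per_source(failures):
    """Count failures by the transport source address."""
    return Counter(f["ip"] for f in failures)


def ban_candidates(counts, threshold, ignore=()):
    """Sources with at least `threshold` failures that are not on the ignore list.
    Threshold and ignore-list semantics are an assumption for this example."""
    return sorted(ip for ip, n in counts.items() if n >= threshold and ip not in ignore)


def masquerade_suspected(counts, gateway_ip, min_attempts=3):
    """True when every failure arrives from the LAN gateway address: the upstream
    NAT is rewriting the source (MASQUERADE/SNAT) instead of forwarding it, so
    per-attacker banning cannot work and ignoring the gateway hides all attackers."""
    total = sum(counts.values())
    return total >= min_attempts and counts.get(gateway_ip, 0) == total


def classify_host(host):
    """'cgnat' for 100.64.0.0/10, 'rfc1918' for private space, else 'other'.
    Explicit networks are used rather than ipaddress.is_private so the answer
    does not depend on the Python version's registry. IPv4 only."""
    addr = ipaddress.ip_address(host)
    if addr in CGNAT:
        return "cgnat"
    if any(addr in n for n in RFC1918):
        return "rfc1918"
    return "other"


def contact_reachability(contact):
    """Classify the host of a SIP Contact/From URI such as '<sip:8588@100.64.36.4:5060>'.
    A 'cgnat' or 'rfc1918' Contact cannot be reached from the public Internet."""
    m = re.search(r"sip:(?:[^@>]*@)?([0-9.]+)", contact)
    if not m:
        return "unparseable"
    return classify_host(m.group(1))


if __name__ == "__main__":
    gateway = "192.168.5.1"
    for name, log in (("masquerade", MASQ_LOG), ("forwarding", FORWARD_LOG)):
        counts = failures_per_source(parse_failures(log))
        print(name, dict(counts),
              "masq suspected:", masquerade_suspected(counts, gateway),
              "would ban:", ban_candidates(counts, 3, ignore={gateway}))
    print("Contact 100.64.36.4 ->", contact_reachability("<sip:8588@100.64.36.4:5060>"))
```

Run against the masqueraded sample the only ban candidate is the gateway, and with the gateway on the ignore list (the workaround from #1) nothing is banned at all, which is exactly the "constant hammering" symptom; against the forwarded sample the real source 198.51.100.7 crosses the threshold while the single attempt from 192.0.2.33 does not. `masquerade_suspected` is the check worth running before adding any gateway to an ignore list.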