Responsive firewall blocking gateway IP

I have the latest version all upgraded and SIP ports open to the world so remote users and soft phones will work. As expected the system is constantly being hammered on with register attempts. The problem is that all attempts show from the gateway ip and not the actual IP of the attacker. The gateway is immediately blocked and then no remote users can connect. I have added the gateway ip to the ignore list which fixes this but allows that constant hammering. How do I get the register attempts to show the attacking IP so the firewall can block them?

Do you have an ALG (aka ‘SIP Helper’) enabled on your router?

Not that I am aware of but will check

sngrep would show the results of any SIP header re-writing

There was a sip module loaded in my router which I unloaded. Didn’t make any difference. sngrep just shows the same as the “full” log, register’s coming from the gateway IP that are rejected.

Did it unload or do you beed to reboot the router?

a list command shows it unloaded but I will reboot for kicks and giggles

No change

Show a registration attempt in sngrep

[ ] 7 INVITE [email protected] [email protected] 2 192.168.5.1:59064 192.168.5.12:5060 REJECTED

One line

Press F1 and read how to drill down into that session

That’s an invite not a registration

This is from the “full” log. Constantly…

[2020-12-24 09:01:54] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘<sip:[email protected]>’ failed for ‘192.168.5.1:53582’ (callid: 352621920-1655556886-705448573) - Failed to authenticate

It looks like you’ve configured the gateway to proxy SIP, not forward it.

Found it. Thank you. The rule was a MASQ rule. Fixed that and now IP’s are being blocked. Thanks again. Merry Christmas!

1 Like

There is something else fishy here. The Contact header of the posted REGISTER has an address of 100.64.36.4. This is in the range allocated to CGN (Carrier Grade NAT), which is typically used by ISPs that don’t provide a public IPv4 address to the end user. These addresses are not publicly routable.

So, a incoming call directed to that Avaya phone would fail, unless it was connected via the same ISP as the PBX.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.