I have the latest version all upgraded and SIP ports open to the world so remote users and soft phones will work. As expected the system is constantly being hammered on with register attempts. The problem is that all attempts show from the gateway ip and not the actual IP of the attacker. The gateway is immediately blocked and then no remote users can connect. I have added the gateway ip to the ignore list which fixes this but allows that constant hammering. How do I get the register attempts to show the attacking IP so the firewall can block them?
Do you have an ALG (aka "SIP Helper") enabled on your router?
Not that I am aware of but will check
sngrep would show the results of any SIP header re-writing
There was a sip module loaded in my router which I unloaded. Didn't make any difference. sngrep just shows the same as the "full" log, registers coming from the gateway IP that are rejected.
Did it unload or do you need to reboot the router?
a list command shows it unloaded but I will reboot for kicks and giggles
No change
Show a registration attempt in sngrep
[ ] 7 INVITE [email protected] [email protected] 2 192.168.5.1:59064 192.168.5.12:5060 REJECTED
One line
Press F1 and read how to drill down into that session
That's an invite not a registration
This is from the "full" log. Constantly...
[2020-12-24 09:01:54] NOTICE[8106] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for '192.168.5.1:53582' (callid: 352621920-1655556886-705448573) - Failed to authenticate
It looks like you've configured the gateway to proxy SIP, not forward it.
Found it. Thank you. The rule was a MASQ rule. Fixed that and now IPs are being blocked. Thanks again. Merry Christmas!
There is something else fishy here. The Contact header of the posted REGISTER has an address of 100.64.36.4. This is in the range allocated to CGN (Carrier Grade NAT), which is typically used by ISPs that don't provide a public IPv4 address to the end user. These addresses are not publicly routable.
So, an incoming call directed to that Avaya phone would fail, unless it was connected via the same ISP as the PBX.
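An added example, not part of the original thread: a check that reads the Asterisk "full" log and reports when failed requests are logged from an internal or CGN address, which is the symptom the MASQ rule produced here and the reason a ban would hit the gateway rather than the attacker. The log line shape follows the NOTICE quoted above (assumed to use plain single quotes, IPv4 only); the sample lines, the `pbx.example` name and the threshold are constructed.

```python
import ipaddress
import re
from collections import Counter

# Ranges that cannot be a real Internet source: RFC 1918 plus the
# CGN range (100.64.0.0/10) mentioned in the thread.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Shape of the res_pjsip NOTICE line quoted in the thread (IPv4 only).
FAILED = re.compile(
    r"Request '(?P<method>\w+)' from '[^']*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' \(callid: [^)]*\) - (?P<reason>.+)$")

def failed_sources(lines):
    """Count failed requests per source IP, exactly as Asterisk logged it."""
    counts = Counter()
    for line in lines:
        m = FAILED.search(line)
        if not m:
            continue
        try:
            counts[ipaddress.ip_address(m.group("ip"))] += 1
        except ValueError:  # digits that are not a valid address
            continue
    return counts

def nat_masked(counts, threshold=3):
    """Internal sources with at least `threshold` failures.

    These are most likely a gateway rewriting the source address, so
    banning them locks out every remote user behind that gateway.
    """
    return sorted(str(ip) for ip, n in counts.items()
                  if n >= threshold and any(ip in net for net in INTERNAL))

# Constructed sample log lines (addresses, ports and call IDs are made up).
TEMPLATE = ("[2020-12-24 09:01:{:02d}] NOTICE[8106] res_pjsip/pjsip_distributor.c: "
            "Request 'REGISTER' from '<sip:1001@pbx.example>' failed for "
            "'{}:{}' (callid: constructed-{}) - Failed to authenticate")
SAMPLE = [TEMPLATE.format(i, ip, 50000 + i, i) for i, ip in enumerate(
    ["192.168.5.1", "192.168.5.1", "203.0.113.7", "192.168.5.1", "192.168.5.1"])]
SAMPLE.append("[2020-12-24 09:02:00] VERBOSE[8106] pbx.c: unrelated line")

if __name__ == "__main__":
    counts = failed_sources(SAMPLE)
    for ip in nat_masked(counts):
        print(f"{ip}: {counts[ipaddress.ip_address(ip)]} failures from an internal address")
```

If this reports the gateway address, the fix is on the router's NAT rules, as in the thread, not in the ban list.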