Responsive Firewall Not Working?


#1

Hi Everyone,

Noticing a potential issue with the responsive firewall. My understanding is that it's supposed to rate limit failed registration/authentication attempts and then block them altogether when they reach a certain threshold. However, I am observing these attempts in my logs:

[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65106' (callid: abcdefgh12345678) - No matching endpoint found after 234 tries in 3.729 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65055' (callid: abcdefgh12345678) - No matching endpoint found after 235 tries in 3.735 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65055' (callid: abcdefgh12345678) - Failed to authenticate
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65090' (callid: abcdefgh12345678) - No matching endpoint found after 236 tries in 3.788 ms
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65090' (callid: abcdefgh12345678) - Failed to authenticate
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65074' (callid: abcdefgh12345678) - No matching endpoint found after 237 tries in 3.794 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65074' (callid: abcdefgh12345678) - Failed to authenticate
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65106' (callid: abcdefgh12345678) - No matching endpoint found after 238 tries in 3.795 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65106' (callid: abcdefgh12345678) - Failed to authenticate
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65153' (callid: abcdefgh12345678) - No matching endpoint found after 239 tries in 3.892 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65125' (callid: abcdefgh12345678) - No matching endpoint found after 240 tries in 3.907 ms
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65109' (callid: abcdefgh12345678) - No matching endpoint found after 241 tries in 3.909 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65146' (callid: abcdefgh12345678) - No matching endpoint found after 242 tries in 3.910 ms
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65197' (callid: abcdefgh12345678) - No matching endpoint found after 243 tries in 3.928 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65191' (callid: abcdefgh12345678) - No matching endpoint found after 244 tries in 3.931 ms
[2021-09-19 01:11:55] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for 'A.B.C.D:65209' (callid: abcdefgh12345678) - No matching endpoint found after 245 tries in 3.939 ms

I know the responsive firewall does work when I purposefully test failed registrations. My guesses are that maybe:
1) the responsive firewall needs to be tuned more on my end;
2) the responsive firewall can't handle that many failed attempts in such a short period of time;
3) because the attacker is using a different source port with each attempt or group of attempts, the responsive firewall is not designed to look for failed attempts from the same source IP but different source ports?

Thoughts?

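The post above raises the question of whether failed REGISTER attempts are being counted per source IP or per source IP:port. The following is an added example, not code from either poster and not the Responsive Firewall's or fail2ban's own logic: a small Python script that parses res_pjsip NOTICE lines of the shape quoted above, groups the failures by source, and reports which sources would cross a threshold inside a sliding time window under each keying choice. The sample log lines are constructed (RFC 5737 documentation addresses, placeholder extensions and Call-IDs), the regex assumes IPv4 sources and the exact line layout shown in the post, and the threshold and window values are arbitrary; it says nothing about which key the real Responsive Firewall uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, modelled on the res_pjsip NOTICE lines quoted in the post.
# One attacker (198.51.100.7) rotates source ports; 192.0.2.44 is a single miss.
SAMPLE_LOG = """\
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1001@203.0.113.10>' failed for '198.51.100.7:65106' (callid: abcdefgh12345678) - No matching endpoint found after 234 tries in 3.729 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1001@203.0.113.10>' failed for '198.51.100.7:65055' (callid: abcdefgh12345678) - No matching endpoint found after 235 tries in 3.735 ms
[2021-09-19 01:11:55] NOTICE[7766] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1001@203.0.113.10>' failed for '198.51.100.7:65055' (callid: abcdefgh12345678) - Failed to authenticate
[2021-09-19 01:11:56] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1001@203.0.113.10>' failed for '198.51.100.7:65090' (callid: abcdefgh12345678) - No matching endpoint found after 236 tries in 3.788 ms
[2021-09-19 01:11:56] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1001@203.0.113.10>' failed for '198.51.100.7:65090' (callid: abcdefgh12345678) - Failed to authenticate
[2021-09-19 01:12:40] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:2002@203.0.113.10>' failed for '192.0.2.44:5060' (callid: zzzz00000000) - Failed to authenticate
[2021-09-19 01:15:01] NOTICE[6529] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1001@203.0.113.10>' failed for '198.51.100.7:65200' (callid: abcdefgh12345678) - Failed to authenticate
"""

# Fields of a pjsip_distributor.c failure NOTICE.  The source address is the
# 'failed for' host:port, which is what a rate limiter must key on; the 'from'
# URI is attacker-controlled and is parsed only for display.  Assumes IPv4.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] "
    r"res_pjsip/pjsip_distributor\.c: Request '(?P<method>[A-Z]+)' "
    r"from '(?P<from>[^']*)' failed for '(?P<ip>[0-9.]+):(?P<port>\d+)' "
    r"\(callid: (?P<callid>[^)]*)\) - "
    r"(?P<reason>No matching endpoint found|Failed to authenticate)"
)


def parse_line(line):
    """Return the fields of a failed-request NOTICE, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%d %H:%M:%S")
    ev["port"] = int(ev["port"])
    return ev


def group_failures(lines, key="ip"):
    """Group failed REGISTER timestamps by source.
    key='ip' ignores the source port; key='ip_port' keeps it, which is the
    behaviour the poster's guess 3 is worried about."""
    groups = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "REGISTER":
            continue
        k = ev["ip"] if key == "ip" else f"{ev['ip']}:{ev['port']}"
        groups[k].append(ev["ts"])
    return groups


def peak_in_window(timestamps, window):
    """Largest number of events that fall inside any interval of length `window`
    (two-pointer sweep over the sorted timestamps)."""
    ts = sorted(timestamps)
    best, lo = 0, 0
    for hi in range(len(ts)):
        while ts[hi] - ts[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def offenders(lines, threshold, window=timedelta(seconds=60), key="ip"):
    """Sources whose failure count reaches `threshold` within `window`.
    Returns {source: peak_count}.  Threshold and window are arbitrary here."""
    out = {}
    for src, stamps in group_failures(lines, key).items():
        peak = peak_in_window(stamps, window)
        if peak >= threshold:
            out[src] = peak
    return out


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("keyed by source IP:     ", offenders(lines, threshold=5))
    print("keyed by source IP:port:", offenders(lines, threshold=5, key="ip_port"))
```

On the constructed sample, keying by IP flags 198.51.100.7 with five failures inside one minute, while keying by IP:port never sees more than two failures per key and flags nothing. That is the shape of the difference the poster is asking about; whether it applies to a given installation depends on how that firewall actually aggregates, which this script cannot tell you. Feeding it a real Asterisk full log (after stripping any log-viewer line numbers) is a quick way to confirm whether a source is crossing the configured threshold per IP without being blocked.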

(Yois) #2

Just a hunch…
Responsive Firewall does not use fail2ban; it's a different code set. The fail2ban version in the distro does not effectively block bad SIP registrations on the PJSIP driver.

Sooo… I think RFW is turned off and your tests are being blocked by fail2ban.

Is your interface set to internet? Do you have RFW set to scan PJSIP? Is W.X.Y.Z within a trusted range?