Still getting INVITE SIP traffic from blocked IP address


#1

Running out of ideas. Still getting INVITE SIP traffic from known, blocked bad IP address. The [me]'s are my personal IP address. These three bolded IP addresses are blocked at the router and also on the freepbx iptables. Still getting through…

[root@freepbx ~]# tcpdump -i eth0 port sip -l -A | egrep -i 'INVITE sip'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:21:01.754687 IP 193.123.67.66.62463 > freepbx.sangoma.local.sip: SIP: INVITE sip:011442037693506@[me] SIP/2.0
E …Q6…v.*…{CB…-…,INVITE sip:011442037693506@[me] SIP/2.0
02:21:06.955959 IP 193.107.216.113.55395 > freepbx.sangoma.local.sip: SIP: INVITE sip:011441954616300@[me] SIP/2.0
E …?..u…k.q…-.c…u.INVITE sip:011441954616300@[me] SIP/2.0
02:21:26.340358 IP 45.134.144.30.49292 > freepbx.sangoma.local.sip: SIP: INVITE sip:901146842002959@[me] SIP/2.0
…f…-…-…|.INVITE sip:901146842002959@[me] SIP/2.0
^C37 packets captured
38 packets received by filter
0 packets dropped by kernel

[root@freepbx ~]#


#2

Easier to just run sngrep and filter just INVITEs. If any INVITEs from bad guys result in a reply, then you have a problem; mostly they can be ignored, or better, dropped at an upline firewall if there is one.


#3

tcpdump captures traffic before the FreePBX firewall, so INVITEs you see there may still have been blocked from reaching Asterisk.

However, there is a problem with your router configuration; packets from the blocked addresses should not have reached FreePBX.


(Dave Burgess) #4

A common misconfiguration on these is to block just TCP traffic, while your SIP INVITEs are probably coming in on UDP.
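The two points raised in #3 and #4 (tcpdump sees packets before netfilter drops them, and a block that names only TCP does nothing against UDP INVITEs) can be checked without guessing. The script below is an added example, not something from this thread or from FreePBX: it parses tcpdump summary lines of the shape posted in #1 to list INVITE sources, then parses `iptables -S`-style rules to report, per source, which SIP transport (tcp or udp) no DROP/REJECT rule covers. The capture and rule text are constructed samples using RFC 5737 documentation addresses; port matching in rules is deliberately ignored (any DROP/REJECT from the source counts), which is a simplification of real netfilter semantics.

```python
"""Audit a tcpdump SIP capture against iptables rules for TCP-only blocks.

Added example for the thread above; it does not reproduce the FreePBX
firewall logic, it only reads `iptables -S`-style lines.
"""
import ipaddress
import re

# Constructed sample in the shape of the `tcpdump -i eth0 port sip -l -A` output
# posted in #1. Sources are documentation addresses; "[me]" masks the PBX.
SAMPLE_CAPTURE = """\
02:21:01.754687 IP 203.0.113.10.62463 > freepbx.sangoma.local.sip: SIP: INVITE sip:011442037693506@[me] SIP/2.0
E ...Q6...v.*...{CB...-...,INVITE sip:011442037693506@[me] SIP/2.0
02:21:06.955959 IP 198.51.100.7.55395 > freepbx.sangoma.local.sip: SIP: INVITE sip:011441954616300@[me] SIP/2.0
02:21:10.120000 IP 192.0.2.44.5060 > freepbx.sangoma.local.sip: SIP: REGISTER sip:[me] SIP/2.0
02:21:12.500000 IP 203.0.113.10.62464 > freepbx.sangoma.local.sip: SIP: INVITE sip:901146842002959@[me] SIP/2.0
"""

# Constructed sample in the shape of `iptables -S INPUT`. Rule 1 is the TCP-only
# mistake described in #4, rule 2 blocks UDP only, rule 3 has no -p and so
# applies to every protocol.
SAMPLE_RULES = """\
-P INPUT ACCEPT
-A INPUT -s 203.0.113.10/32 -p tcp -m tcp --dport 5060 -j DROP
-A INPUT -s 198.51.100.7/32 -p udp -m udp --dport 5060 -j DROP
-A INPUT -s 192.0.2.44/32 -j DROP
"""

# Only the tcpdump summary line carries a parsed source address; the -A payload
# line after it also contains "INVITE sip", which is why egrep shows each call twice.
SUMMARY_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > \S+: SIP: (?P<method>[A-Z]+) sip:"
)
RULE_RE = re.compile(r"^-A \S+(?P<body>.*) -j (?P<target>\S+)$")
BLOCKING_TARGETS = {"DROP", "REJECT"}
SIP_TRANSPORTS = {"tcp", "udp"}


def invite_sources(capture: str) -> dict:
    """Count INVITE requests per IPv4 source address in tcpdump summary lines."""
    counts = {}
    for line in capture.splitlines():
        m = SUMMARY_RE.match(line)
        if m and m.group("method") == "INVITE":
            counts[m.group("src")] = counts.get(m.group("src"), 0) + 1
    return counts


def parse_rules(rules: str) -> list:
    """Return (source network, protocol or None, target) for each -A rule."""
    parsed = []
    for line in rules.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # policy lines (-P) and blank lines
        body = m.group("body")
        src = re.search(r"-s (\S+)", body)
        proto = re.search(r"-p (\S+)", body)
        network = ipaddress.ip_network(src.group(1) if src else "0.0.0.0/0")
        parsed.append((network, proto.group(1) if proto else None, m.group("target")))
    return parsed


def blocked_transports(ip: str, rules: list) -> set:
    """SIP transports that some DROP/REJECT rule covers for this source address."""
    addr = ipaddress.ip_address(ip)
    covered = set()
    for network, proto, target in rules:
        if target not in BLOCKING_TARGETS or addr not in network:
            continue
        # A rule without -p matches every protocol; otherwise only the named one.
        covered |= SIP_TRANSPORTS if proto is None else {proto} & SIP_TRANSPORTS
    return covered


def audit(capture: str, rules_text: str) -> dict:
    """Map each INVITE source to the SIP transports left unblocked (sorted list)."""
    rules = parse_rules(rules_text)
    return {
        ip: sorted(SIP_TRANSPORTS - blocked_transports(ip, rules))
        for ip in invite_sources(capture)
    }


if __name__ == "__main__":
    for ip, gaps in audit(SAMPLE_CAPTURE, SAMPLE_RULES).items():
        state = "fully blocked" if not gaps else "not blocked on " + ", ".join(gaps)
        print(f"{ip}: {state}")
```

On a live box the capture text would come from the tcpdump command in #1 and the rules from `iptables -S INPUT`; a source that shows up in the audit with `udp` still open is exactly the TCP-only case from #4, and a source that is fully blocked but still visible in tcpdump is the case from #3 (the packet arrived at the interface and was dropped afterwards).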