Still getting INVITE SIP traffic from blocked IP address

Running out of ideas. Still getting INVITE SIP traffic from known, blocked bad IP address. The [me]'s are my personal IP address. These three bolded IP addresses are blocked at the router and also on the freepbx iptables. Still getting through…

[root@freepbx ~]# tcpdump -i eth0 port sip -l -A | egrep -i 'INVITE sip'
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
02:21:01.754687 IP 193.123.67.66.62463 > freepbx.sangoma.local.sip: SIP: INVITE sip:011442037693506@[me] SIP/2.0
E …Q6…v.*…{CB…-…,INVITE sip:011442037693506@[me] SIP/2.0
02:21:06.955959 IP 193.107.216.113.55395 > freepbx.sangoma.local.sip: SIP: INVITE sip:011441954616300@[me] SIP/2.0
E …?..u…k.q…-.c…u.INVITE sip:011441954616300@[me] SIP/2.0
02:21:26.340358 IP 45.134.144.30.49292 > freepbx.sangoma.local.sip: SIP: INVITE sip:901146842002959@[me] SIP/2.0
…f…-…-…|.INVITE sip:901146842002959@[me] SIP/2.0
^C37 packets captured
38 packets received by filter
0 packets dropped by kernel

[root@freepbx ~]#

Easier to just run sngrep and filter just INVITEs. If any INVITEs from bad guys result in a reply then you have a problem; mostly they can be ignored, or better, dropped at an upline firewall if there is one.

tcpdump captures traffic before the FreePBX firewall, so INVITEs you see there may still have been blocked from reaching Asterisk.

However, there is a problem with your router configuration; packets from the blocked addresses should not have reached FreePBX.


A common misconfiguration on these is to block just TCP traffic, while your SIP INVITEs are probably coming in on UDP.
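
Because tcpdump sees packets before the firewall does, the rule set itself has to be checked to tell a TCP-only block from one that also covers UDP. The script below is an added example, not part of the thread: it reads `iptables-save`-style text and reports, per source address, whether a DROP/REJECT rule covers UDP SIP. Assumptions: the rules shown are constructed samples, SIP is on port 5060, blocks are plain `-s <address>` rules in the INPUT chain (no ipsets, CIDR ranges or custom chains), and rule order is not evaluated.

```python
# Constructed sample in iptables-save format (not the poster's real rule set).
SAMPLE_RULES = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -s 193.123.67.66/32 -p tcp -m tcp --dport 5060 -j DROP
-A INPUT -s 193.107.216.113/32 -j DROP
-A INPUT -s 45.134.144.30/32 -p udp -m udp --dport 5060 -j REJECT --reject-with icmp-port-unreachable
COMMIT
"""

SIP_PORT = "5060"  # assumption: default SIP port


def block_coverage(rules_text, ip, chain="INPUT"):
    """Return the protocols ('tcp', 'udp', 'all') blocked for source `ip`."""
    protos = set()
    for line in rules_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["-A", chain] or "!" in tokens:
            continue  # other chains, table headers, negated matches
        opts = dict(zip(tokens, tokens[1:]))  # option -> the token after it
        if opts.get("-s") not in (ip, ip + "/32"):
            continue
        if opts.get("-j") not in ("DROP", "REJECT"):
            continue
        if opts.get("--dport") not in (None, SIP_PORT):
            continue  # rule is limited to a port other than SIP
        protos.add(opts.get("-p", "all"))  # no -p means every protocol
    return protos


def classify(rules_text, ip):
    """'udp-blocked', 'tcp-only' (UDP INVITEs still pass) or 'no-rule'."""
    protos = block_coverage(rules_text, ip)
    if protos & {"all", "udp"}:
        return "udp-blocked"
    return "tcp-only" if "tcp" in protos else "no-rule"


if __name__ == "__main__":
    for addr in ("193.123.67.66", "193.107.216.113", "45.134.144.30"):
        print(addr, classify(SAMPLE_RULES, addr))
```

To check a real host, pass the output of `iptables-save` in place of `SAMPLE_RULES`; a `tcp-only` result is the misconfiguration described in the last reply.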
