Strange errors from pjproject - Are they attacks?

Hi all.

I’m running FreePBX 15.0.20 on a Raspberry Pi 4. Asterisk is 16.21.1.
I run fail2ban on the system.

Everything works fine, but I usually have a CLI open via SSH to monitor activity in real time.

Got some strange logs in the console… Here they are:

[2022-02-04 12:17:25] ERROR[8231]: pjproject: <?>:      sip_transport. Error processing 727 bytes packet from UDP 68.69.184.114:58981 : PJSIP syntax error exception when parsing 'Request Line' header on line 1 col 12:
INVITE sip: [email protected] SIP/2.0
Via: SIP/2.0/UDP 172.21.17.132:58981;branch=z9hG4bK1053943668
Max-Forwards: 70
From: <sip:[email protected]>;tag=287453526
To: <sip: [email protected]>
Call-ID: 1780229502-1053047553-1605731537
CSeq: 1 INVITE
Contact: <sip:[email protected]:58981>
Content-Type: application/sdp
Content-Length: 210
Allow: ACK, BYE, CANCEL, INFO, INVITE, MESSAGE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER, SUBSCRIBE, UPDATE, PUBLISH
User-Agent: Linksys-SPA942

v=0
o=123456 16264 18299 IN IP4 192.168.1.83
s=call
c=IN IP4 192.168.1.83
t=0 0
m=audio 25282 RTP/AVP 0 101
a=rtpmap:0 pcmu/8000
a=rtpmap:8 pcma/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-11

-- end of packet.

With:
UDP 68.69.184.114 → I think it is the IP of the intruder
@82.65.230.115 → It is my public IP (modified for the case)
@172.21.17.132 → It is a bogon network… Strange!
IP4 192.168.1.83 → Not my local network

Can someone explain?
Why does my Fail2ban not see the attack?
How can I prevent those attacks?

Thanks for your help.

Laurent.

On the balance of probabilities, it is an attack (although any system open to the internet will be subject to attacks, so attacks should be considered normal).

However, the error is due to a bogus space in the request URI, not to any attack.

Fail2ban will typically be set up to block based on authentication failures, not on malformed requests.

Sure…
But a malformed URI could also be considered an attack…
Is there a filter that I could add to Fail2ban for this kind of log?

The message contains the IP source address, so you could create a fail2ban rule for it.
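A fail2ban-style filter for the pjproject error line quoted above, as an added example that is not from the thread, from FreePBX or from the fail2ban project: the failregex, the filter name and the sample log lines are assumptions, and the matching is emulated in Python so the pattern can be checked against real Asterisk log lines before it is dropped into filter.d and wired to a jail.

```python
import re
from collections import Counter

# Constructed fail2ban-style failregex for the pjproject transport error
# (assumed pattern, not from the thread). fail2ban expands <HOST> itself;
# HOST_RE mirrors that expansion so the filter can be exercised here.
FAILREGEX = (r"^\s*ERROR\[\d+\]: pjproject: .*Error processing \d+ bytes packet "
             r"from (?:UDP|TCP|TLS) <HOST>:\d+ : PJSIP syntax error exception")
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"
PATTERN = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))

# Asterisk prefixes every line with "[date time]"; fail2ban strips that via
# its datepattern before matching, so the emulation strips it too.
DATE_RE = re.compile(r"^\[[^\]]+\]\s*")

def filter_conf():
    """Text of a filter.d/<name>.conf file carrying the same failregex."""
    return f"[Definition]\nfailregex = {FAILREGEX}\nignoreregex =\n"

def offending_hosts(lines):
    """Host from every line the filter matches, in log order."""
    hosts = []
    for line in lines:
        m = PATTERN.search(DATE_RE.sub("", line, count=1))
        if m:
            hosts.append(m.group("host"))
    return hosts

def hosts_to_ban(lines, maxretry=3):
    """Emulate a jail's maxretry: hosts matched at least maxretry times."""
    counts = Counter(offending_hosts(lines))
    return sorted(h for h, n in counts.items() if n >= maxretry)

# Constructed sample log: the thread's error line repeated, plus lines the
# filter must ignore (a registration notice and an unrelated pjproject error).
ATTACK = ("[2022-02-04 12:17:%02d] ERROR[8231]: pjproject: <?>:      sip_transport. "
          "Error processing 727 bytes packet from UDP 68.69.184.114:58981 : PJSIP "
          "syntax error exception when parsing 'Request Line' header on line 1 col 12:")
SAMPLE_LOG = [
    ATTACK % 25,
    "[2022-02-04 12:17:26] NOTICE[8231]: res_pjsip: Registration from "
    "'<sip:100@203.0.113.9>' failed",
    ATTACK % 31,
    "[2022-02-04 12:17:40] ERROR[8231]: pjproject: <?>:      tsx0x55d0 : Failed to "
    "send Request msg INVITE: Network is unreachable",
    ATTACK % 44,
]
```

Because the banned address is the source of a UDP packet, keep bantime modest and list your own trunks and phones in the jail's ignoreip, otherwise a spoofed source could get a legitimate peer banned.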

Why aren’t you using a proper firewall setup that actively is blocking unknown sources like this? Fail2ban is not a singular solution that should be used. It doesn’t stop attacks from happening the first time, it stops them from happening a second time (if you’re lucky). You should be stopping these things the first time, properly.


I just did it!
It was a pain to set up my pfSense with OpenVPN correctly for remote access and get all services functional.
This is done now and it seems that all wide-open access is now closed.

I still monitor CLI security details to ensure everything is correct.
