Diani
January 26, 2022, 4:56pm
1
Hi,
on my FreePBX 16.0.10.43 I notice this messages:
2022-01-26 17:49:56] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:55741' (callid: 1921743871-1471166675-1252888528) - Failed to authenticate
171957[2022-01-26 17:49:57] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:58970' (callid: 371755196-377925570-2029025935) - Failed to authenticate
171958[2022-01-26 17:49:59] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:62358' (callid: 1461490473-665311722-1874709008) - Failed to authenticate
171959[2022-01-26 17:50:00] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:49412' (callid: 1851994530-428289174-1863637459) - Failed to authenticate
171960[2022-01-26 17:50:01] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:52713' (callid: 1018487886-1886127359-1562415771) - No matching endpoint found after 5 tries in 2.384 ms
I don’t know the reason for it. I had never configured an endpoint like ‘1001’. Why I get suddenly this messages?
Thanks
lgaetz
January 26, 2022, 5:02pm
2
Assuming you don’t recognize the source IP, then the PJSIP signaling port is open to untrusted traffic which allows anyone to attempt a SIP registration.
Diani
January 26, 2022, 5:14pm
3
Okay, is there any way I can ban this? For with Fail2Ban?
david55
January 26, 2022, 5:31pm
4
Block all SIP signalling except from your intranet and ITSP.
Change the SIP port numbers, so it is more difficult to find.
fail2ban doesn’t stop the first attempt and should be considered a backup strategy.
Diani
January 28, 2022, 11:37am
5
With UFW I now have the IP address 93.195.91.164 directly on FreePBXufw reject from 93.195.91.164 to any
Status: active
To Action From
-- ------ ----
192.168.0.208 ssh/tcp ALLOW Anywhere
192.168.0.245 ssh/tcp ALLOW Anywhere
80/tcp ALLOW Anywhere
5060/udp ALLOW Anywhere
5061/udp ALLOW Anywhere
10000:20000/udp ALLOW Anywhere
25/tcp ALLOW Anywhere
465/tcp ALLOW Anywhere
Anywhere REJECT 93.195.91.164
However, this does not stop the attacker:
[2022-01-28 12:32:31] NOTICE[1365] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"611" <sip:[email protected] >' failed for '192.168.0.1:5380' (callid: 2886362743) - Failed to authenticate
And why would it? You have an allow for any source above the reject rule. What do you think is going to match first in a top-down list check?
Diani
February 1, 2022, 10:44am
7
Now I found the solution to reject special IPs with UFW. In /etc/ufw/before.rules you makes
# End required lines
-A ufw-before-input -s 93.195.91.164 -j DROP
-A ufw-before-input -s 192.168.0.233 -j DROP
and after this aufw reload
iptables -L -n | grep DROP
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
DROP all -- 93.195.91.164 0.0.0.0/0
DROP all -- 192.168.0.233 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
At 192.168.0.233 it runs. No access to all ports is possible. Unfortunately from extern about the blocked IP address I see accesses from it:[2022-02-01 11:43:26] NOTICE[1475] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:61767' (callid: 1936918811-1778310937-2019221093) - Failed to authenticate
jcolp
February 1, 2022, 10:49am
8
The source IP address is 192.168.0.1 in that notice.
Diani
February 1, 2022, 11:03am
9
That’s the router. The FreePBX stands behind it. But I need a way to stop this requests. The change of the Sip port I will still test.
Diani
February 1, 2022, 11:58am
10
Changing the SIP port 5060 for example to 15060 at Settings>SIP Settings is no solution. After a
fwconsole restart
Uhm, these packets arent forwarding through the system. They are hitting the system. The FORWARD chain is the wrong chain.
1 Like