Strange messages from res_pjsip/pjsip_distributor

Hi,

On my FreePBX 16.0.10.43 I notice these messages:

[2022-01-26 17:49:56] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '192.168.0.1:55741' (callid: 1921743871-1471166675-1252888528) - Failed to authenticate
[2022-01-26 17:49:57] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '192.168.0.1:58970' (callid: 371755196-377925570-2029025935) - Failed to authenticate
[2022-01-26 17:49:59] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '192.168.0.1:62358' (callid: 1461490473-665311722-1874709008) - Failed to authenticate
[2022-01-26 17:50:00] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '192.168.0.1:49412' (callid: 1851994530-428289174-1863637459) - Failed to authenticate
[2022-01-26 17:50:01] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '192.168.0.1:52713' (callid: 1018487886-1886127359-1562415771) - No matching endpoint found after 5 tries in 2.384 ms

I don’t know the reason for it. I have never configured an endpoint like ‘1001’. Why am I suddenly getting these messages?

Thanks
DianiBeach

Assuming you don’t recognize the source IP, then the PJSIP signaling port is open to untrusted traffic which allows anyone to attempt a SIP registration.

Okay, is there any way I can ban this? For example, with Fail2Ban?

Block all SIP signalling except from your intranet and ITSP.

Change the SIP port numbers, so it is more difficult to find.

fail2ban doesn’t stop the first attempt and should be considered a backup strategy.

With UFW I have now blocked the IP address 93.195.91.164 directly on FreePBX with
ufw reject from 93.195.91.164 to any

Status: active

To                         Action      From
--                         ------      ----
192.168.0.208 ssh/tcp    ALLOW       Anywhere                  
192.168.0.245 ssh/tcp    ALLOW       Anywhere                  
80/tcp                     ALLOW       Anywhere                  
5060/udp                   ALLOW       Anywhere                  
5061/udp                   ALLOW       Anywhere                  
10000:20000/udp            ALLOW       Anywhere                  
25/tcp                     ALLOW       Anywhere                  
465/tcp                    ALLOW       Anywhere                  
Anywhere                   REJECT      93.195.91.164

However, this does not stop the attacker:

[2022-01-28 12:32:31] NOTICE[1365] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"611" <sip:[email protected]>' failed for '192.168.0.1:5380' (callid: 2886362743) - Failed to authenticate

And why would it? You have an allow for any source above the reject rule. What do you think is going to match first in a top-down list check?

Now I have found the solution for rejecting specific IPs with UFW. In /etc/ufw/before.rules you add

# End required lines
-A ufw-before-input -s 93.195.91.164 -j DROP
-A ufw-before-input -s 192.168.0.233 -j DROP

and after this a
ufw reload
Then you will see

iptables -L -n | grep DROP
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
DROP       all  --  93.195.91.164        0.0.0.0/0           
DROP       all  --  192.168.0.233        0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0

For 192.168.0.233 it works. No access to any port is possible. Unfortunately, I still see accesses from outside from the blocked IP address:
[2022-02-01 11:43:26] NOTICE[1475] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '192.168.0.1:61767' (callid: 1936918811-1778310937-2019221093) - Failed to authenticate

The source IP address is 192.168.0.1 in that notice.

That’s the router. The FreePBX sits behind it. But I need a way to stop these requests. I will still test changing the SIP port.

Changing the SIP port, for example from 5060 to 15060, at Settings > SIP Settings is no solution. After a
Submit and Apply and

fwconsole restart
incoming calls work but outgoing calls fail. But the messages disappear from the log file.

Uhm, these packets aren’t forwarding through the system. They are hitting the system. The FORWARD chain is the wrong chain.
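
Added example (not part of the original thread or any poster's code): a Python sketch tying together two points raised in the replies above, the top-down first-match rule check and the source address in the notice being the router. It parses pjsip_distributor notices in the format shown in the thread, counts failures per source address as Asterisk saw it, and evaluates each address against the 5060/udp rules in the order ufw status listed them. The log lines are constructed samples with a placeholder domain (pbx.example), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the thread's log format (placeholder domain, short call IDs).
SAMPLE_LOG = """\
[2022-01-26 17:49:56] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:1001@pbx.example>' failed for '192.168.0.1:55741' (callid: 1-2-3) - Failed to authenticate
[2022-01-26 17:50:01] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:1001@pbx.example>' failed for '192.168.0.1:52713' (callid: 4-5-6) - No matching endpoint found after 5 tries in 2.384 ms
[2022-01-28 12:32:31] NOTICE[1365] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"611" <sip:611@pbx.example>' failed for '192.168.0.1:5380' (callid: 7) - Failed to authenticate
"""

NOTICE_RE = re.compile(
    r"pjsip_distributor\.c: Request '(?P<method>\w+)' from '(?P<from>.*?)' "
    r"failed for '(?P<ip>[\d.]+):(?P<port>\d+)' \(callid: [^)]*\) - (?P<reason>.+)$"
)

# (action, source network) for 5060/udp, in the order the ufw status output listed them.
RULES_FROM_THREAD = [("ALLOW", "0.0.0.0/0"), ("REJECT", "93.195.91.164/32")]

def failed_sources(log_text):
    """Count failed SIP requests per source address as Asterisk saw it."""
    hits = Counter()
    for line in log_text.splitlines():
        m = NOTICE_RE.search(line)
        if m:
            hits[m.group("ip")] += 1
    return hits

def first_match(rules, src_ip):
    """Return the action of the first rule whose source network contains src_ip."""
    addr = ipaddress.ip_address(src_ip)
    for action, network in rules:
        if addr in ipaddress.ip_network(network):
            return action
    return "DEFAULT"

def report(log_text, rules):
    """One row per source: (ip, failures, is a private/NAT address, matching rule action)."""
    rows = []
    for ip, count in failed_sources(log_text).items():
        behind_nat = ipaddress.ip_address(ip).is_private  # router address, not the remote peer
        rows.append((ip, count, behind_nat, first_match(rules, ip)))
    return rows

if __name__ == "__main__":
    for row in report(SAMPLE_LOG, RULES_FROM_THREAD):
        print(row)
```

With the rules in the listed order even 93.195.91.164 itself matches the ALLOW first, and with the sample lines the only source Asterisk sees is 192.168.0.1, which a rule for 93.195.91.164 does not match in either order.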