Diani
(DianiBeach)
January 26, 2022, 4:56pm
1
Hi,
on my FreePBX 16.0.10.43 I notice these messages:
[2022-01-26 17:49:56] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:55741' (callid: 1921743871-1471166675-1252888528) - Failed to authenticate
[2022-01-26 17:49:57] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:58970' (callid: 371755196-377925570-2029025935) - Failed to authenticate
[2022-01-26 17:49:59] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:62358' (callid: 1461490473-665311722-1874709008) - Failed to authenticate
[2022-01-26 17:50:00] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:49412' (callid: 1851994530-428289174-1863637459) - Failed to authenticate
[2022-01-26 17:50:01] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:52713' (callid: 1018487886-1886127359-1562415771) - No matching endpoint found after 5 tries in 2.384 ms
I don’t know the reason for it. I have never configured an endpoint like ‘1001’. Why do I suddenly get these messages?
Thanks
DianiBeach
lgaetz
(Lorne Gaetz)
January 26, 2022, 5:02pm
2
Assuming you don’t recognize the source IP, then the PJSIP signaling port is open to untrusted traffic which allows anyone to attempt a SIP registration.
Diani
(DianiBeach)
January 26, 2022, 5:14pm
3
Okay, is there any way I can ban this? For example, with Fail2Ban?
david55
(david55)
January 26, 2022, 5:31pm
4
Block all SIP signalling except from your intranet and ITSP.
Change the SIP port numbers, so it is more difficult to find.
fail2ban doesn’t stop the first attempt and should be considered a backup strategy.
Diani
(DianiBeach)
January 28, 2022, 11:37am
5
With UFW I have now blocked the IP address 93.195.91.164 directly on FreePBX:
ufw reject from 93.195.91.164 to any
Status: active
To                       Action   From
--                       ------   ----
192.168.0.208 ssh/tcp    ALLOW    Anywhere
192.168.0.245 ssh/tcp    ALLOW    Anywhere
80/tcp                   ALLOW    Anywhere
5060/udp                 ALLOW    Anywhere
5061/udp                 ALLOW    Anywhere
10000:20000/udp          ALLOW    Anywhere
25/tcp                   ALLOW    Anywhere
465/tcp                  ALLOW    Anywhere
Anywhere                 REJECT   93.195.91.164
However, this does not stop the attacker:
[2022-01-28 12:32:31] NOTICE[1365] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"611" <sip:[email protected] >' failed for '192.168.0.1:5380' (callid: 2886362743) - Failed to authenticate
And why would it? You have an allow for any source above the reject rule. What do you think is going to match first in a top-down list check?
Diani
(DianiBeach)
February 1, 2022, 10:44am
7
Now I found the solution to reject special IPs with UFW. In /etc/ufw/before.rules you add
# End required lines
-A ufw-before-input -s 93.195.91.164 -j DROP
-A ufw-before-input -s 192.168.0.233 -j DROP
and after this a
ufw reload
Then you will see
iptables -L -n | grep DROP
Chain INPUT (policy DROP)
Chain FORWARD (policy DROP)
DROP all -- 93.195.91.164 0.0.0.0/0
DROP all -- 192.168.0.233 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0
For 192.168.0.233 it works. No access to any port is possible. Unfortunately, from outside I still see accesses from the blocked IP address:
[2022-02-01 11:43:26] NOTICE[1475] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected] >' failed for '192.168.0.1:61767' (callid: 1936918811-1778310937-2019221093) - Failed to authenticate
jcolp
(Joshua Colp)
February 1, 2022, 10:49am
8
The source IP address is 192.168.0.1 in that notice.
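An added example, not part of the thread or of FreePBX: a Python script that parses NOTICE lines in the format quoted above, counts failures per source address, and separates sources a firewall rule on the PBX can match from sources that arrive with a private (router) address, as in the notice referred to here. The sample log, the `pbx.example` host, the 203.0.113.7 address and the threshold of 3 are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Matches res_pjsip NOTICE lines in the format quoted in this thread.
NOTICE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] res_pjsip/pjsip_distributor\.c: "
    r"Request '(?P<method>\w+)' from '(?P<sender>.*?)' failed for "
    r"'(?P<ip>\d+\.\d+\.\d+\.\d+):(?P<port>\d+)' \(callid: [^)]*\) - (?P<reason>.+)$"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def failures_by_source(log_text):
    """Count rejected SIP requests per transport source address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = NOTICE.match(line.strip())
        if m:
            counts[m["ip"]] += 1
    return counts

def triage(log_text, threshold=3):
    """Split noisy sources into (blockable, masked): addresses a host firewall
    rule can match, and private addresses that hide the real sender (NAT/gateway)."""
    blockable, masked = [], []
    for ip, n in failures_by_source(log_text).items():
        if n < threshold:
            continue
        addr = ipaddress.ip_address(ip)
        (masked if any(addr in net for net in RFC1918) else blockable).append(ip)
    return sorted(blockable), sorted(masked)

# Constructed sample input: users, host, ports and call IDs are made up;
# 203.0.113.7 is a documentation address standing in for a public scanner.
_T = ("[2022-01-26 17:50:0{i}] NOTICE[1303] res_pjsip/pjsip_distributor.c: Request '{m}' "
      "from '{who}' failed for '{src}' (callid: 100{i}) - {why}")
SAMPLE = "\n".join(_T.format(i=i, m=m, who=who, src=src, why=why) for i, (m, who, src, why) in enumerate([
    ("INVITE", "<sip:1001@pbx.example>", "192.168.0.1:55741", "Failed to authenticate"),
    ("INVITE", "<sip:1001@pbx.example>", "192.168.0.1:58970", "Failed to authenticate"),
    ("INVITE", "<sip:1001@pbx.example>", "192.168.0.1:52713", "No matching endpoint found after 5 tries in 2.384 ms"),
    ("REGISTER", '"611" <sip:611@pbx.example>', "203.0.113.7:5380", "Failed to authenticate"),
    ("REGISTER", '"611" <sip:611@pbx.example>', "203.0.113.7:5381", "Failed to authenticate"),
    ("REGISTER", '"611" <sip:611@pbx.example>', "203.0.113.7:5382", "Failed to authenticate"),
    ("INVITE", "<sip:1002@pbx.example>", "192.168.0.50:5060", "Failed to authenticate"),
])) + "\n[2022-01-26 17:50:09] VERBOSE[1303] unrelated line that must be ignored"

if __name__ == "__main__":
    blockable, masked = triage(SAMPLE)
    print("source visible to the PBX firewall:", blockable)
    print("private source (router/NAT); a PBX rule on the public IP will not match:", masked)
```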
Diani
(DianiBeach)
February 1, 2022, 11:03am
9
That’s the router. The FreePBX stands behind it. But I need a way to stop these requests. I will still test changing the SIP port.
Diani
(DianiBeach)
February 1, 2022, 11:58am
10
Changing the SIP port 5060, for example to 15060, at Settings>SIP Settings is no solution. After a
Submit and Apply and
fwconsole restart
incoming calls are running but outgoing calls fail. But the messages disappear from the log file.
Uhm, these packets aren't forwarding through the system. They are hitting the system. The FORWARD chain is the wrong chain.