[asterisk-users] SIP invite timeouts : how is someone sending invites from our server ??

Eric Wieling ewieling at nyigc.com
Tue Jan 2 17:10:01 CST 2018



On 01/02/2018 05:30 PM, sean darcy wrote:
> On 12/30/2017 08:18 PM, Dovid Bender wrote:
>> Script kiddies trying to find vulnerable systems that they can make 
>> calls on. Lock down the box with iptables and use fail2ban to block 
>> them. The via is probably bogus unless a box at the DoD was compromised.
>>
>>
>>
>> On Sat, Dec 30, 2017 at 6:49 PM, sean darcy <seandarcy2 at gmail.com> wrote:
>>
>>     I've been getting a lot of timeouts on non-critical invite
>>     transactions. I turned on sip debug. They were the result of SIP
>>     invites like this:
>>
>>     Retransmitting #10 (NAT) to 185.107.94.10:13057:
>>     SIP/2.0 401 Unauthorized
>>     Via: SIP/2.0/UDP
>> 215.45.145.211:5060;branch=z9hG4bK-524287-1---zg4cfkl50hpwpv4p;received=185.107.94.10;rport=13057
>>     From: <sip:a'or'3=3--@<myip-address>;transport=UDP>;tag=fptfih1e
>>     To: <sip:00141225184741@<myip-address>;transport=UDP>;tag=as2913c67b
>>     Call-ID: 5YpLDUSIs6l3xbDXsurYTu..
>>     CSeq: 1 INVITE
>>     Server: Asterisk PBX 13.19.0-rc1
>>     Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY,
>>     INFO, PUBLISH, MESSAGE
>>     Supported: replaces, timer
>>     WWW-Authenticate: Digest algorithm=MD5, realm="asterisk_home",
>>     nonce="14be1363"
>>     Content-Length: 0
> I don't see how fail2ban would help. asterisk isn't rejecting 
> anything. There's no attempt with username/password.
>
> How could I use iptables to "lock it down" ? We get sip calls from all 
> over. Is there something about the incoming packet we could use ? For 
> instance , any packet containing a VIA instruction ? For that matter, 
> can SIP be configured to drop any VIA request?
>

fail2ban is most useful for blocking registration attempts. I handle 
non-registration call attempts by allowing guests and pointing them to a jail 
context, which runs Log(WARNING,fail2ban='${CHANNEL(peerip)}'). I set a 
fail2ban rule to match that line logged from Asterisk.
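The following is an added, stand-alone illustration of the approach described in the reply above; it is not Eric's configuration or anything from the Asterisk project. It assumes a guest jail context whose only job is to run the Log() line and hang up, a fail2ban filter named asterisk-guest (an assumed name) whose failregex matches the resulting WARNING line, and a log line layout that approximates what Asterisk's Log() application writes to /var/log/asterisk/messages (the sample lines are constructed for the example, not taken from the thread). It then applies fail2ban's maxretry/findtime logic to those lines so you can see which hosts would be banned and why a single unauthenticated INVITE is not, by itself, enough.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed dialplan that the guest calls land in (not from the original post):
#
#   [jail]
#   exten => _X.,1,Log(WARNING,fail2ban='${CHANNEL(peerip)}')
#    same => n,Hangup()
#
# Every unauthenticated call attempt then produces one WARNING line carrying the
# peer IP, which is the only thing the fail2ban filter needs to see.

# Constructed sample of the Asterisk messages log (approximate Log() layout).
# The NOTICE line is a registration failure that belongs to a different filter
# and must not be counted by this one.
SAMPLE_LOG = """\
[2018-01-02 17:10:01] WARNING[12345][C-00000001]: Ext. s:1 @ jail: fail2ban='185.107.94.10'
[2018-01-02 17:10:03] WARNING[12345][C-00000002]: Ext. s:1 @ jail: fail2ban='185.107.94.10'
[2018-01-02 17:10:04] WARNING[12345][C-00000003]: Ext. s:1 @ jail: fail2ban='203.0.113.7'
[2018-01-02 17:10:07] WARNING[12345][C-00000004]: Ext. s:1 @ jail: fail2ban='185.107.94.10'
[2018-01-02 17:10:08] NOTICE[12345][C-00000005]: chan_sip.c: Registration from '"100"<sip:100@192.0.2.5>' failed for '198.51.100.9:5060' - Wrong password
[2018-01-02 17:30:00] WARNING[12345][C-00000006]: Ext. s:1 @ jail: fail2ban='203.0.113.7'
[2018-01-02 17:30:01] WARNING[12345][C-00000007]: Ext. s:1 @ jail: fail2ban='203.0.113.7'
"""

# The failregex as it would appear in /etc/fail2ban/filter.d/asterisk-guest.conf
# (assumed filter name). fail2ban replaces <HOST> with its own host pattern; the
# offline run below substitutes an IPv4 pattern in the same place.
FAILREGEX = r"WARNING\[\d+\](?:\[C-[0-9a-f]+\])?: .*fail2ban='<HOST>'"
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
FAIL_RE = re.compile(FAILREGEX.replace("<HOST>", HOST_RE))
TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")


def parse_failures(log_text):
    """Yield (timestamp, host) for every line the failregex matches."""
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if not m:
            continue
        ts = TS_RE.match(line)
        if not ts:
            continue
        yield datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")


def hosts_to_ban(log_text, maxretry=3, findtime=600):
    """Sliding-window count in the style of fail2ban's maxretry/findtime.

    A host is listed once it has produced maxretry matching lines within any
    findtime-second window. Hosts are returned in the order they crossed the
    threshold.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    banned = []
    for ts, host in parse_failures(log_text):
        # keep only hits still inside the window, then add the current one
        recent[host] = [t for t in recent[host] if ts - t <= window] + [ts]
        if len(recent[host]) >= maxretry and host not in banned:
            banned.append(host)
    return banned


if __name__ == "__main__":
    print("default (maxretry=3, findtime=600):", hosts_to_ban(SAMPLE_LOG))
    print("wider window (findtime=3600):", hosts_to_ban(SAMPLE_LOG, findtime=3600))
```

With the defaults only 185.107.94.10 is banned: its three guest calls fall within six seconds. 203.0.113.7 also has three lines, but the first is twenty minutes before the other two, so it never reaches three hits inside a 600-second window; widening findtime to an hour catches it. The registration NOTICE never matches because the failregex is anchored on the WARNING level and the fail2ban= marker, which is what keeps this filter from double-counting lines that the stock registration filter already handles.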