[asterisk-users] PJSIP tight loop on auth failure

[Kingsley Tart]

Hi,

I felt that fail2ban in this instance was a bit too much of a blunt
tool, so I have for now built a workaround by creating a Perl daemon
that watches the output of

ngrep -TT -d $net_if -q -W single Proxy-Authorization port 5060

where $net_if is the network interface.

If it sees more than 5 Proxy-Authorization invites with the same Call-
ID then it blocks the network route for a second.

I've also added a line in the dialplan to put the Asterisk channel name
into a custom SIP header, and if this is found in the INVITE then it
first connects to the AMI to do a Hangup(38) on that channel, which
gives the user a more accurate error.

Every 20 seconds it purges any stateful data it holds that's older than
20 seconds, in order to stop it eating RAM.

It seems to work quite well.

Cheers,
Kingsley.

On Thu, 2020-10-29 at 08:39 +0100, Olivier wrote:
> Hi,
> What if some fail2ban magic could keep OpenSIPs response from hitting
> Asterisk after N attempts ?
> 
> Le mer. 28 oct. 2020 à 18:32, Kingsley Tart - Barritel Ltd <
> kingsley.tart at barritel.com> a écrit :
> > Hi,
> > 
> > We're using Asterisk 13.17.0 with PJSIP 2.8 bundled.
> > 
> > I've found an issue when Asterisk tries to make a SIP call out
> > using
> > auth, but has the wrong credentials and keeps getting returned a
> > SIP
> > 407, in this example to an OpenSIPs server requiring user auth.
> > 
> > Basically this happens:
> > 
> >    1. Asterisk sends plain INVITE to OpenSIPs
> >    2. OpenSIPs responds with SIP 407 auth required with a Proxy-
> >       Authenticate header
> >    3. Asterisk re-sends INVITE to OpenSIPs with Proxy-Authorization
> >       header, but has the wrong password
> >    4. goto step 2 and repeat forever
[snip]