Problem on non-critical invite

Postby dhijrwn » Mon Jul 20, 2020 7:44 am

Hi guys, I'm getting a lot of warning messages like this:
WARNING[2354]: chan_sip.c:4128 retrans_pkt: Timeout on 936484740-1667659206-1445942090 on non-critical invite transaction.

So I turned on SIP debug and I got an IP address and a non-existent phone (46.105.113.12 and 7085).
I already set up fail2ban and it is working, and I whitelisted my IP address and my carrier's IP address, but this IP address 46.105.113.12 always shows up and triggers the warning message. What I did is manually ban the IP address 46.105.113.12 and it fixed the problem. How can I automatically block this using fail2ban? Why doesn't fail2ban detect this? And what is 46.105.113.12 doing to my server? Is it like connecting itself?

I am new to Asterisk and to debugging. Please help me. Thank you.

(11 headers 10 lines) ---
[Jul 20 05:30:50] Sending to 46.105.113.12:61166 (NAT)
[Jul 20 05:30:50] Sending to 46.105.113.12:61166 (NAT)
[Jul 20 05:30:50] Using INVITE request as basis request - 936484740-1667659206-1445942090
[Jul 20 05:30:50] No matching peer for '7085' from '46.105.113.12:61166'
[Jul 20 05:30:50]
[Jul 20 05:30:50] <--- Reliably Transmitting (NAT) to 46.105.113.12:61166 --->
[Jul 20 05:30:50] SIP/2.0 401 Unauthorized
[Jul 20 05:30:50] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:30:50] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:30:50] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:30:50] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:30:50] CSeq: 1 INVITE
[Jul 20 05:30:50] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:30:50] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:30:50] Supported: replaces, timer
[Jul 20 05:30:50] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:30:50] Content-Length: 0
[Jul 20 05:30:50]
[Jul 20 05:30:50]
[Jul 20 05:30:50] <------------>
[Jul 20 05:30:50] Scheduling destruction of SIP dialog '936484740-1667659206-1445942090' in 32000 ms (Method: INVITE)
[Jul 20 05:30:51] Retransmitting #1 (NAT) to 46.105.113.12:61166:
[Jul 20 05:30:51] SIP/2.0 401 Unauthorized
[Jul 20 05:30:51] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:30:51] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:30:51] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:30:51] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:30:51] CSeq: 1 INVITE
[Jul 20 05:30:51] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:30:51] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:30:51] Supported: replaces, timer
[Jul 20 05:30:51] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:30:51] Content-Length: 0
[Jul 20 05:30:51]
[Jul 20 05:30:51]
[Jul 20 05:30:51] ---
[Jul 20 05:30:52] Retransmitting #2 (NAT) to 46.105.113.12:61166:
[Jul 20 05:30:52] SIP/2.0 401 Unauthorized
[Jul 20 05:30:52] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:30:52] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:30:52] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:30:52] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:30:52] CSeq: 1 INVITE
[Jul 20 05:30:52] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:30:52] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:30:52] Supported: replaces, timer
[Jul 20 05:30:52] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:30:52] Content-Length: 0
[Jul 20 05:30:52]
[Jul 20 05:30:52]
[Jul 20 05:30:52] ---
[Jul 20 05:30:54] Retransmitting #3 (NAT) to 46.105.113.12:61166:
[Jul 20 05:30:54] SIP/2.0 401 Unauthorized
[Jul 20 05:30:54] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:30:54] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:30:54] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:30:54] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:30:54] CSeq: 1 INVITE
[Jul 20 05:30:54] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:30:54] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:30:54] Supported: replaces, timer
[Jul 20 05:30:54] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:30:54] Content-Length: 0
[Jul 20 05:30:54]
[Jul 20 05:30:54]
[Jul 20 05:30:54] ---
[Jul 20 05:30:58] Retransmitting #4 (NAT) to 46.105.113.12:61166:
[Jul 20 05:30:58] SIP/2.0 401 Unauthorized
[Jul 20 05:30:58] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:30:58] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:30:58] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:30:58] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:30:58] CSeq: 1 INVITE
[Jul 20 05:30:58] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:30:58] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:30:58] Supported: replaces, timer
[Jul 20 05:30:58] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:30:58] Content-Length: 0
[Jul 20 05:30:58]
[Jul 20 05:30:58]
[Jul 20 05:30:58] ---
[Jul 20 05:31:01] == Manager 'sendcron' logged on from 127.0.0.1
[Jul 20 05:31:01] == Manager 'sendcron' logged on from 127.0.0.1
[Jul 20 05:31:01] == Manager 'sendcron' logged off from 127.0.0.1
[Jul 20 05:31:02] Retransmitting #5 (NAT) to 46.105.113.12:61166:
[Jul 20 05:31:02] SIP/2.0 401 Unauthorized
[Jul 20 05:31:02] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:31:02] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:31:02] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:31:02] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:31:02] CSeq: 1 INVITE
[Jul 20 05:31:02] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:31:02] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:31:02] Supported: replaces, timer
[Jul 20 05:31:02] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:31:02] Content-Length: 0


Cluster setup
ViciBox v.8.1.2 ISO
VERSION: 2.14-733a
BUILD: 200115-1702
Asterisk 13.29.2-vici
Cluster setup i7-9700 cpu @ 3.00ghz 32GB ram 1xDB WEB ARCH 11xTEL 4core
ViciBox v.9.0.3 ISO VERSION:2.14-853a BUILD: 220328-1420
SVN: 3595 DB Schema: 1657 | Asterisk 13.29.2-vici
Zoiper 5 | VICIPhone| No Digium/Sangoma Hardware
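
An added example (not code from the post, from fail2ban or from Asterisk) showing why the lines quoted above are hard for fail2ban to act on. A fail2ban filter bans whatever its failregex captures as <HOST>; the `retrans_pkt: Timeout ... on non-critical invite transaction` WARNING carries only a Call-ID and no IP, so no filter can ban from it. The IP does appear in the `No matching peer for '7085' from '46.105.113.12:61166'` line, but in the post that is `sip set debug` console output, which fail2ban never reads unless logger.conf writes that channel to a file. What the capture shows is an INVITE for +441519470494 from an unknown extension 7085, challenged with 401 and never answered, so no credentials are ever sent. The script mimics fail2ban's matching and its findtime/maxretry window over a constructed log modelled on the post's lines; the two failregex strings, the extensions other than 7085 and the second source 198.51.100.7 are assumptions for the example, not the stock filter.d/asterisk.conf.

```python
"""Mimic fail2ban matching and findtime/maxretry bans over Asterisk log lines.

Added example; not code from the forum post, fail2ban or Asterisk. A fail2ban
failregex must capture <HOST>: a line that matches but yields no host gives
fail2ban nothing to ban, which is what happens with the retrans_pkt WARNING.
"""
import re
from collections import defaultdict
from datetime import datetime

# Two patterns in fail2ban filter syntax. These are assumptions for the
# example, not the stock filter.d/asterisk.conf that ships with fail2ban.
FAILREGEX = [
    r"No matching peer for '[^']*' from '<HOST>:\d+'",
    r"retrans_pkt: Timeout on \S+ on non-critical invite transaction",
]

# What fail2ban substitutes for <HOST> (IPv4 only here, for brevity).
HOST_RE = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
TS_RE = re.compile(r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\]\s*(?P<msg>.*)$")

# Constructed sample log modelled on the lines quoted in the post (the
# 46.105.113.12 / 7085 lines are the post's; the other extensions and
# 198.51.100.7 are made up). Asterisk console timestamps carry no year.
SAMPLE_LOG = [
    "[Jul 20 05:30:50] No matching peer for '7085' from '46.105.113.12:61166'",
    "[Jul 20 05:31:22] WARNING[2354]: chan_sip.c:4128 retrans_pkt: Timeout on "
    "936484740-1667659206-1445942090 on non-critical invite transaction.",
    "[Jul 20 05:33:10] No matching peer for '7086' from '46.105.113.12:61166'",
    "[Jul 20 05:35:41] No matching peer for '1001' from '198.51.100.7:5060'",
    "[Jul 20 05:36:05] No matching peer for '7087' from '46.105.113.12:61166'",
]


def compile_filter(patterns):
    """Expand <HOST> into a named capturing group, as fail2ban does."""
    return [re.compile(p.replace("<HOST>", HOST_RE)) for p in patterns]


def parse_line(line, year=2020):
    """Split a console-style line into (datetime, message); None if no timestamp."""
    m = TS_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("msg")


def match_line(msg, filters):
    """Return (matched, host). host is None when the regex has no <HOST>."""
    for rx in filters:
        m = rx.search(msg)
        if m:
            return True, m.groupdict().get("host")
    return False, None


def evaluate(lines, patterns=FAILREGEX, maxretry=3, findtime=600):
    """Apply fail2ban's counting rule: ban a host on its maxretry-th match
    within findtime seconds. Returns (banned_hosts, matches_without_host)."""
    filters = compile_filter(patterns)
    hits = defaultdict(list)
    banned = set()
    no_host = 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, msg = parsed
        matched, host = match_line(msg, filters)
        if not matched:
            continue
        if host is None:
            no_host += 1  # matched text, but nothing to ban
            continue
        recent = [t for t in hits[host] if (ts - t).total_seconds() <= findtime]
        recent.append(ts)
        hits[host] = recent
        if len(recent) >= maxretry:
            banned.add(host)
    return banned, no_host


if __name__ == "__main__":
    banned, no_host = evaluate(SAMPLE_LOG)
    print("would ban:", sorted(banned))             # ['46.105.113.12']
    print("matched lines with no host:", no_host)  # 1 (the WARNING)
```

Before writing a real filter, check which Asterisk log file the jail's `logpath` points at and what logger.conf actually writes there; the post does not show either, and a pattern that only ever occurs on the console will never fire. Note also that the scanner in the capture never answers the 401, so any filter that waits for a failed authentication will not see one.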

Re: Problem on non-critical invite

Postby williamconley » Thu Aug 13, 2020 10:15 pm

FAIL2BAN is a crutch. Useful in certain ways, but counterproductive in others.

FAIL2BAN has modules/code/configuration options to detect and "fail" specific instances of bad behavior. Each of those types of bad behavior has to be coded or FAIL2BAN will ... (lol) Fail to Ban. So whenever someone comes up with a new way to test the security of your system, you'll need to activate a new FAIL2BAN matching configuration. Unless, of course, there is no such option as yet in FAIL2BAN, in which case it's time to create a method to detect and kill that new attack vector.

Which is why FAIL2BAN can be problematic. Especially if someone ever points a botnet at your system with a rotating IP brute force attack. No matter how large your bandwidth pipe, on that day you'll lose the use of your internet until you (a) find their attack vector and code fail2ban to kill the IPs of all the attackers and (b) wait for the attack to wear off since the attacker won't know you've blocked them and will continue to use your bandwidth even though you are now dropping all their packets.

Eventually, however, the guys analysing the results of the scripts will see Zero responses from your system and either point their cannon elsewhere or merely NOT renew your attack when the next cycle starts (because, no response). Can be a couple hours. Can also "regenerate" once or twice into the future when they test to see if you're vulnerable again. Generally scripting systems will re-test you on a weird schedule, but just for a little while each time to see if you're open for attack. During those attacks (long or short) of course you (like all the banks and other major corporations who have experienced this in the past) will be experiencing a DDOS condition which is not fun. This is why places like cloudflare exist, they do this for a living.

On the other side of the spectrum is Pure Whitelisting. Nobody (nobody) sees your server or gets a packet through to your server unless they are first listed in that whitelist. As if you are not actually there, drop all packets. Could actually be a "no server here!" IP address or a "closed to the public" IP address. No point in attacking, no possibility for profit. And: No FAIL2BAN, since only authorized IPs have access in the first place. With this method, you don't garner attention from these asshats and never come up on the radar of the botnet guys at all. No rotating IP attacks, no DDOS. At least not in the last decade or so since we published Dynamic Good Guys.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
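
The pure-whitelisting approach described in the reply, rendered as a firewall ruleset. This is an added example, not the reply's own code, VICIdial's, ViciBox's or the Dynamic Good Guys script; it generates an nftables ruleset whose input policy is drop, so a source that is not on the list (46.105.113.12 included) gets no 401 back, hence no retransmits and no WARNING. The choice of nftables, the table and set names, the port numbers and the sample addresses are all assumptions.

```python
"""Generate a default-deny nftables ruleset for a SIP host from a whitelist.

Added example; not code from the reply, VICIdial, ViciBox or the Dynamic
Good Guys script. It renders the "pure whitelisting" idea as nft(8) syntax:
input policy drop, so an unlisted source gets no packet back (no 401, no
retransmits, no WARNING). Table/set names, the ports and the sample
addresses are assumptions.
"""
import ipaddress

# Constructed whitelist: an admin workstation and a carrier range. The
# duplicate entry is deliberate; normalize_whitelist() must collapse it.
SAMPLE_WHITELIST = [
    "203.0.113.10",
    "198.51.100.0/24",
    "198.51.100.0/24",
]

SIP_UDP_PORT = 5060
RTP_RANGE = (10000, 20000)  # assumption: must match rtpstart/rtpend in rtp.conf


def normalize_whitelist(entries):
    """Validate, deduplicate and sort entries as IPv4 networks.

    Anything that is not an address or CIDR raises ValueError, and so does a
    /0, which would silently turn the whitelist into allow-everything.
    """
    nets = set()
    for raw in entries:
        net = ipaddress.ip_network(raw.strip(), strict=False)
        if net.version != 4:
            raise ValueError(f"IPv4 only in this example: {raw}")
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all whitelist entry: {raw}")
        nets.add(net)
    return sorted(nets)


def nft_element(net):
    """Render a network as an nft set element (bare address for a /32)."""
    return str(net.network_address) if net.prefixlen == 32 else str(net)


def render_ruleset(whitelist, ssh_port=22):
    """Return an nft ruleset as text. Load with: nft -f voip.nft"""
    elements = ", ".join(nft_element(n) for n in normalize_whitelist(whitelist))
    lines = [
        "table inet voip {",
        "    set allowed {",
        "        type ipv4_addr",
        "        flags interval",
        f"        elements = {{ {elements} }}",
        "    }",
        "    chain input {",
        "        type filter hook input priority 0; policy drop;",
        '        iifname "lo" accept',
        "        ct state established,related accept",  # replies to our own outbound traffic
        "        ct state invalid drop",
        f"        ip saddr @allowed udp dport {{ {SIP_UDP_PORT}, {RTP_RANGE[0]}-{RTP_RANGE[1]} }} accept",
        f"        ip saddr @allowed tcp dport {ssh_port} accept",
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def is_allowed(src_ip, whitelist):
    """Mirror the ruleset's decision for one source, to sanity-check a list."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in n for n in normalize_whitelist(whitelist))


if __name__ == "__main__":
    print(render_ruleset(SAMPLE_WHITELIST))
    print("46.105.113.12 allowed?", is_allowed("46.105.113.12", SAMPLE_WHITELIST))  # False
```

Everything not listed is dropped, including ICMP and whatever web or WebRTC ports a dialer exposes, so add a rule per service you actually serve and put every carrier proxy range on the list, not just the one address you see traffic from. Load the file from a console session, not over SSH, since a typo in the list locks you out of the very host you are protecting.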