vicidial.org

[dhijrwn]

Hi guys, I'm having a lot of warning message like this
WARNING[2354]: chan_sip.c:4128 retrans_pkt: Timeout on 936484740-1667659206-1445942090 on non-critical invite transaction.

so i turned on the sip debug and I got an ip address and a non existing phone (46.105.113.12 and 7085).
I already setup fail2ban and it is working and I whitelisted my ipaddress and my carrier ipaddress but this ip address 46.105.113.12 always shows up and it show the warning message. What I did is I manually ban the ipaddress 46.105.113.12 and it fixed the problem. How can I automatically block this by using fail2ban? Why fail2ban doesn't detect this? and what 46.105.113.12 is doing to my server? is like connecting it self?

I am new to asterisk and when it comes to debugging. Please help me. Thank you.

(11 headers 10 lines) ---
[Jul 20 05:30:50] Sending to 46.105.113.12:61166 (NAT)
[Jul 20 05:30:50] Sending to 46.105.113.12:61166 (NAT)
[Jul 20 05:30:50] Using INVITE request as basis request - 936484740-1667659206-1445942090
[Jul 20 05:30:50] No matching peer for '7085' from '46.105.113.12:61166'
[Jul 20 05:30:50]
[Jul 20 05:30:50] <--- Reliably Transmitting (NAT) to 46.105.113.12:61166 --->
[Jul 20 05:30:50] SIP/2.0 401 Unauthorized
[Jul 20 05:30:50] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:30:50] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:30:50] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:30:50] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:30:50] CSeq: 1 INVITE
[Jul 20 05:30:50] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:30:50] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:30:50] Supported: replaces, timer
[Jul 20 05:30:50] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:30:50] Content-Length: 0
[Jul 20 05:30:50]
[Jul 20 05:30:50]
[Jul 20 05:30:50] <------------>
[Jul 20 05:30:50] Scheduling destruction of SIP dialog '936484740-1667659206-1445942090' in 32000 ms (Method: INVITE)
[Jul 20 05:30:51] Retransmitting #1 (NAT) to 46.105.113.12:61166:
[Jul 20 05:30:51] SIP/2.0 401 Unauthorized
[Jul 20 05:30:51] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:30:51] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:30:51] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:30:51] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:30:51] CSeq: 1 INVITE
[Jul 20 05:30:51] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:30:51] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:30:51] Supported: replaces, timer
[Jul 20 05:30:51] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:30:51] Content-Length: 0
[Jul 20 05:30:51]
[Jul 20 05:30:51]
[Jul 20 05:30:51] ---
[Jul 20 05:30:52] Retransmitting #2 (NAT) to 46.105.113.12:61166:
[Jul 20 05:30:52] SIP/2.0 401 Unauthorized
[Jul 20 05:30:52] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:30:52] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:30:52] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:30:52] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:30:52] CSeq: 1 INVITE
[Jul 20 05:30:52] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:30:52] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:30:52] Supported: replaces, timer
[Jul 20 05:30:52] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:30:52] Content-Length: 0
[Jul 20 05:30:52]
[Jul 20 05:30:52]
[Jul 20 05:30:52] ---
[Jul 20 05:30:54] Retransmitting #3 (NAT) to 46.105.113.12:61166:
[Jul 20 05:30:54] SIP/2.0 401 Unauthorized
[Jul 20 05:30:54] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:30:54] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:30:54] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:30:54] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:30:54] CSeq: 1 INVITE
[Jul 20 05:30:54] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:30:54] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:30:54] Supported: replaces, timer
[Jul 20 05:30:54] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:30:54] Content-Length: 0
[Jul 20 05:30:54]
[Jul 20 05:30:54]
[Jul 20 05:30:54] ---
[Jul 20 05:30:58] Retransmitting #4 (NAT) to 46.105.113.12:61166:
[Jul 20 05:30:58] SIP/2.0 401 Unauthorized
[Jul 20 05:30:58] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:30:58] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:30:58] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:30:58] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:30:58] CSeq: 1 INVITE
[Jul 20 05:30:58] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:30:58] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:30:58] Supported: replaces, timer
[Jul 20 05:30:58] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:30:58] Content-Length: 0
[Jul 20 05:30:58]
[Jul 20 05:30:58]
[Jul 20 05:30:58] ---
[Jul 20 05:31:01] == Manager 'sendcron' logged on from 127.0.0.1
[Jul 20 05:31:01] == Manager 'sendcron' logged on from 127.0.0.1
[Jul 20 05:31:01] == Manager 'sendcron' logged off from 127.0.0.1
[Jul 20 05:31:02] Retransmitting #5 (NAT) to 46.105.113.12:61166:
[Jul 20 05:31:02] SIP/2.0 401 Unauthorized
[Jul 20 05:31:02] Via: SIP/2.0/UDP 46.105.113.12:61166;branch=z9hG4bK337232991;received=46.105.113.12;rport=61166
[Jul 20 05:31:02] From: <sip:7085@my.ip.address.xx>;tag=1866032968
[Jul 20 05:31:02] To: <sip:+441519470494@my.ip.address.xx>;tag=as49f662e9
[Jul 20 05:31:02] Call-ID: 936484740-1667659206-1445942090
[Jul 20 05:31:02] CSeq: 1 INVITE
[Jul 20 05:31:02] Server: Asterisk PBX 13.29.2-vici
[Jul 20 05:31:02] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[Jul 20 05:31:02] Supported: replaces, timer
[Jul 20 05:31:02] WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="39c34c3a"
[Jul 20 05:31:02] Content-Length: 0


Cluster setup
ViciBox v.8.1.2 ISO
VERSION: 2.14-733a
BUILD: 200115-1702
Asterisk 13.29.2-vici

[williamconley]

FAIL2BAN is a crutch. Useful in certain ways, but counterproductive in others.

FAIL2BAN has modules/code/configuration options to detect and "fail" specific instances of bad behavior. Each of those types of bad behavior has to be coded or FAIL2BAN will ... (lol) Fail to Ban. So whenever someone comes up with a new way to test the security of your system, you'll need to activate a new FAIL2BAN matching configuration. Unless, of course, there is no such option as yet in FAIL2BAN, in which case it's time to create a method to detect and kill that new attack vector.

Which is why FAIL2BAN can be problematic. Especially if someone ever points a botnet at your system with a rotating IP brute force attack. No matter how large your bandwidth pipe, on that day you'll lose the use of your internet until you (a) find their attack vector and code fail2ban to kill the IPs of all the attackers and (b) wait for the attack to wear off since the attacker won't know you've blocked them and will continue to use your bandwidth even though you are now dropping all their packets.

Eventually, however, the guys analysing the resutls of the scripts will see Zero responses from your system and either point their cannon elsewhere or merely NOT renew your attack when the next cycle starts (because, no response). Can be a couple hours. Can also "regenerate" once or twice into the future when they test to see if you're vulnerable again. Generally scripting systems will re-test you on a weird schedule, but just for a little while each time to see if you're open for attack. During those attacks (long or short) of course you (like all the banks and other major corporations who have experienced this in the past) will be experiencing a DDOS condition which is not fun. This is why places like cloudflare exist, they do this for a living.

On the other side of the spectrum is Pure Whitelisting. Nobody (nobody) sees your server or gets a packet through to your server unless they are first listed in that whitelist. As if you are not actually there, drop all packets. Could actually be a "no server here!" IP address or a "closed to the public" IP address. No point in attacking, no possibility for profit. And: No FAIL2BAN, since only authorized IPs have access in the first place. With this method, you don't garner attention from these asshats and never come up on the radar of the botnet guys at all. No rotating IP attacks, no DDOS. At least not in the last decade or so since we published Dynamic Good Guys.