Для индексации полезных и бесполезных разговоров

[notify_ded_bot]

Добрый день, сегодня столкнулся с тем, что fail2ban не может забанить источник брутфорса. Потому что в логах оседает ip из заголовка SIP поле From: XXX@ip-addr, а не реальный ip с которого инициирован диалог. Поле From: в этих диалогах с поддельными ip.
Кто сталкивался с этим? может есть возможность заставить Asterisk записывать правильные ip в сообщениях и логах?

[Sep 25 16:01:32] NOTICE[2233103] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1099" ' failed for '37.49.225.223:5502' (callid: 2606481475) - No matching endpoint found

Последний адрес смотрите

[notify_ded_bot]

Как это воспроизвести? Есть SIP дамп такого INVITE или REGISTER?

Например sip debug on:
...
<--- SIP read from UDP:173.0.59.58:44695 --->
INVITE sip:580201085316555@78.31.177.13 SIP/2.0
Via: SIP/2.0/UDP 0.0.0.0:44695;branch=z9hG4bK964374818
Max-Forwards: 70
From: ;tag=417248266
To:
Call-ID: 591688773-1299011054-1056406051
CSeq: 2 INVITE
... итд.
Источник INVITE от UDP:173.0.59.58:44695, поле From: явно поддельное (особенно ip)
При внесении 173.0.59.58 вручную в fail2ban атака прекращается

[notify_ded_bot]

Как это воспроизвести? Есть SIP дамп такого INVITE или REGISTER?

В лог и сообщения попадает стока Failed to authenticate device

[notify_ded_bot]

Например sip debug on:
...
<--- SIP read from UDP:173.0.59.58:44695 --->
INVITE sip:580201085316555@78.31.177.13 SIP/2.0
Via: SIP/2.0/UDP 0.0.0.0:44695;branch=z9hG4bK964374818
Max-Forwards: 70
From: ;tag=417248266
To:
Call-ID: 591688773-1299011054-1056406051
CSeq: 2 INVITE
... итд.
Источник INVITE от UDP:173.0.59.58:44695, поле From: явно поддельное (особенно ip)
При внесении 173.0.59.58 вручную в fail2ban атака прекращается

астериск в лог пишет адрес откуда пришел пакет
и он не имеет отношения к сипу вообще

[notify_ded_bot]

астериск в лог пишет адрес откуда пришел пакет
и он не имеет отношения к сипу вообще

В смысле? может я привел не самое начало диалога (вроде INVITE...), АТСка засыпана сообщениями типо:
[Oct 3 14:26:14] NOTICE[1810][C-000a96f9]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=874713514
[Oct 3 14:26:15] NOTICE[1810][C-000a96fa]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=2135542105
[Oct 3 14:26:21] NOTICE[1810][C-000a96fb]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=501072759
[Oct 3 14:26:24] NOTICE[1810][C-000a96fc]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1700265016
[Oct 3 14:26:35] NOTICE[1810][C-000a96fd]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=390389298
[Oct 3 14:26:38] NOTICE[1810][C-000a96fe]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1569284933
[Oct 3 14:26:40] NOTICE[1810][C-000a96ff]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=972709912
[Oct 3 14:26:45] NOTICE[1810][C-000a9700]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=739599417
[Oct 3 14:26:48] NOTICE[1810][C-000a9701]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1601876200
[Oct 3 14:26:56] NOTICE[1810][C-000a9702]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=374842519
[Oct 3 14:27:02] NOTICE[1810][C-000a9703]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1935357522
[Oct 3 14:27:06] NOTICE[1810][C-000a9704]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=326176880
[Oct 3 14:27:07] NOTICE[1810][C-000a9705]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1637402024
[Oct 3 14:27:15] NOTICE[1810][C-000a9706]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1133572628
[Oct 3 14:27:17] NOTICE[1810][C-000a9707]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=2076693681
[Oct 3 14:27:25] NOTICE[1810][C-000a9708]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=81905603
[Oct 3 14:27:28] NOTICE[1810][C-000a9709]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1887741926
[Oct 3 14:27:33] NOTICE[1810][C-000a970a]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=140142204

[notify_ded_bot]

В смысле? может я привел не самое начало диалога (вроде INVITE...), АТСка засыпана сообщениями типо:
[Oct 3 14:26:14] NOTICE[1810][C-000a96f9]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=874713514
[Oct 3 14:26:15] NOTICE[1810][C-000a96fa]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=2135542105
[Oct 3 14:26:21] NOTICE[1810][C-000a96fb]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=501072759
[Oct 3 14:26:24] NOTICE[1810][C-000a96fc]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1700265016
[Oct 3 14:26:35] NOTICE[1810][C-000a96fd]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=390389298
[Oct 3 14:26:38] NOTICE[1810][C-000a96fe]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1569284933
[Oct 3 14:26:40] NOTICE[1810][C-000a96ff]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=972709912
[Oct 3 14:26:45] NOTICE[1810][C-000a9700]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=739599417
[Oct 3 14:26:48] NOTICE[1810][C-000a9701]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1601876200
[Oct 3 14:26:56] NOTICE[1810][C-000a9702]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=374842519
[Oct 3 14:27:02] NOTICE[1810][C-000a9703]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1935357522
[Oct 3 14:27:06] NOTICE[1810][C-000a9704]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=326176880
[Oct 3 14:27:07] NOTICE[1810][C-000a9705]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1637402024
[Oct 3 14:27:15] NOTICE[1810][C-000a9706]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1133572628
[Oct 3 14:27:17] NOTICE[1810][C-000a9707]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=2076693681
[Oct 3 14:27:25] NOTICE[1810][C-000a9708]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=81905603
[Oct 3 14:27:28] NOTICE[1810][C-000a9709]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1887741926
[Oct 3 14:27:33] NOTICE[1810][C-000a970a]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=140142204

это chan_sip, на pjsip таких проблем нет.

[notify_ded_bot]

это chan_sip, на pjsip таких проблем нет.

Это возможно, на pjsip в лог ложатся настоящие ip?

[notify_ded_bot]

это chan_sip, на pjsip таких проблем нет.

золотые слова

[notify_ded_bot]

В смысле? может я привел не самое начало диалога (вроде INVITE...), АТСка засыпана сообщениями типо:
[Oct 3 14:26:14] NOTICE[1810][C-000a96f9]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=874713514
[Oct 3 14:26:15] NOTICE[1810][C-000a96fa]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=2135542105
[Oct 3 14:26:21] NOTICE[1810][C-000a96fb]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=501072759
[Oct 3 14:26:24] NOTICE[1810][C-000a96fc]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1700265016
[Oct 3 14:26:35] NOTICE[1810][C-000a96fd]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=390389298
[Oct 3 14:26:38] NOTICE[1810][C-000a96fe]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1569284933
[Oct 3 14:26:40] NOTICE[1810][C-000a96ff]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=972709912
[Oct 3 14:26:45] NOTICE[1810][C-000a9700]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=739599417
[Oct 3 14:26:48] NOTICE[1810][C-000a9701]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1601876200
[Oct 3 14:26:56] NOTICE[1810][C-000a9702]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=374842519
[Oct 3 14:27:02] NOTICE[1810][C-000a9703]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1935357522
[Oct 3 14:27:06] NOTICE[1810][C-000a9704]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=326176880
[Oct 3 14:27:07] NOTICE[1810][C-000a9705]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1637402024
[Oct 3 14:27:15] NOTICE[1810][C-000a9706]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1133572628
[Oct 3 14:27:17] NOTICE[1810][C-000a9707]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=2076693681
[Oct 3 14:27:25] NOTICE[1810][C-000a9708]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=81905603
[Oct 3 14:27:28] NOTICE[1810][C-000a9709]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=1887741926
[Oct 3 14:27:33] NOTICE[1810][C-000a970a]: chan_sip.c:25557 handle_request_invite: Failed to authenticate device ;tag=140142204

Это же лог Астериска, а жалуетесь вы на Fail2ban.
В fail2ban у вас же тоже лог есть, что в нем ?

[notify_ded_bot]

Это же лог Астериска, а жалуетесь вы на Fail2ban.
В fail2ban у вас же тоже лог есть, что в нем ?

В нем очевидно... Попытки забанить 78.31.177.13, безуспешные....
2025-10-03 14:00:54,512 fail2ban.actions[20168]: INFO [asterisk-tcp] 78.31.177.13 already banned
2025-10-03 14:00:54,515 fail2ban.actions[20168]: INFO [asterisk-udp] 78.31.177.13 already banned
2025-10-03 14:01:07,530 fail2ban.actions[20168]: INFO [asterisk-tcp] 78.31.177.13 already banned
2025-10-03 14:01:07,530 fail2ban.actions[20168]: INFO [asterisk-udp] 78.31.177.13 already banned
2025-10-03 14:01:21,548 fail2ban.actions[20168]: INFO [asterisk-udp] 78.31.177.13 already banned
2025-10-03 14:01:21,548 fail2ban.actions[20168]: INFO [asterisk-tcp] 78.31.177.13 already banned
2025-10-03 14:01:35,566 fail2ban.actions[20168]: INFO [asterisk-tcp] 78.31.177.13 already banned