<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <p>Thanks, it's working now.</p>
    <p>Regards,</p>
    <p>Henk<br>
    </p>
    <br>
    <div class="moz-cite-prefix">On 4-2-2019 15:02, Daniel Grotti wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:ad5c624e-c03e-eca7-6c8e-d743f14a523d@sipwise.com">
      <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
      <tt>Hi Henk,<br>
        I checked that, and that's not the proper way to add that.<br>
        You should go in constant.yml, under kamailio.lb.log or
        kamailio.proxy.log (depends where you want to add the field) and
        add the new info there under "request" and/or "request_init"
        and/or "response", for example:<br>
        <br>
        request:<br>
              - R=$ru<br>
              - ID=$ci<br>
              - CT=$ct<br>
              - UA='$ua'<br>
              request_init:<br>
              - M=$rm<br>
              - R=$ru<br>
              - F=$fu<br>
              - T=$tu<br>
              - IP=$pr:$si:$sp<br>
              - CT =$ct<br>
              - ID=$ci<br>
              - UA='$ua'<br>
              - DESTIP=$Ri:$Rp<br>
              response:<br>
        <br>
        <br>
        <br>
      </tt>
      <pre class="moz-signature" cols="72">--
Daniel Grotti

Head of Customer Support                               Sipwise GmbH
e: <a class="moz-txt-link-abbreviated" href="mailto:dgrotti@sipwise.com" moz-do-not-send="true">dgrotti@sipwise.com</a>                               Europaring F15
t: +43(0)130120332                          A-2345 Brunn Am Gebirge
w: <a class="moz-txt-link-abbreviated" href="http://www.sipwise.com" moz-do-not-send="true">www.sipwise.com</a>          FN: 305595f      FG: LG Wiener Neustadt
</pre>
      <div class="moz-cite-prefix">On 2/4/19 2:17 PM, Henk wrote:<br>
      </div>
      <blockquote type="cite"
        cite="mid:4060e01c-8241-2b3a-3ded-9239965f1bb0@voipdigit.nl">
        <meta http-equiv="Content-Type" content="text/html;
          charset=utf-8">
        <p>Hi Daniel,</p>
        I have read the warning, so I changed kamailio.cfg.customtt.tt2
        and did <b>not</b> make a tags_header.customtt.tt2. This time
        with the $ct variable.<br>
        As [%logreq -%] is expanded to R=$ru ID=$ci UA='$ua' I added the
        <u>new</u> CT=$ct with escaped quotes and ; as terminator as
        specified:<br>
        <br>
        <tt>[% argv.service='proxy'; PROCESS
          '/etc/ngcp-config/templates/etc/kamailio/tags_header.tt2' -%]</tt><tt><br>
        </tt><tt>[% # Add here your customizations to parameters
          evaluated in file kamailio/tags_header.tt2 -%]</tt><tt><br>
        </tt><tt>logreq="R=$ru ID=$ci <b>CT=$ct</b> UA=\'$ua\'";</tt><tt><br>
        </tt><tt><br>
        </tt><tt>#!KAMAILIO</tt><br>
        <br>
        So I think exactly as specified, but no result, as the first log
        in the generated auth.cfg still is             <br>
        <tt>xlog("L_NOTICE", "Extracted caller info from PAI,
          subscriber=$var(realm_user)@$var(realm_domain) - </tt><tt><b>R=$ru
            ID=$ci UA='$ua'</b></tt><tt>\n");</tt><tt><br>
        </tt><br>
        I can also change constants.yml, or will this be overwritten by
        an upgrade?<br>
        <br>
        Regards,<br>
        <br>
        Henk<br>
        <br>
        <div class="moz-cite-prefix">On 4-2-2019 13:07, Daniel Grotti
          wrote:<br>
        </div>
        <blockquote type="cite"
          cite="mid:f52844a6-e410-d4d3-4477-2177113946a3@sipwise.com">
          <meta http-equiv="Content-Type" content="text/html;
            charset=utf-8">
          <tt>Hi,<br>
            have you read the ATTENTION warning at the beginning of
            tags_header.tt2 ?<br>
            You can find there how to change it.<br>
            <br>
            Also, please DO NOT change the IP= , but rather ADD a new
            parameter like CT=$ct<br>
            <br>
          </tt>
          <pre class="moz-signature" cols="72">--
Daniel Grotti

Head of Customer Support                               Sipwise GmbH
e: <a class="moz-txt-link-abbreviated" href="mailto:dgrotti@sipwise.com" moz-do-not-send="true">dgrotti@sipwise.com</a>                               Europaring F15
t: +43(0)130120332                          A-2345 Brunn Am Gebirge
w: <a class="moz-txt-link-abbreviated" href="http://www.sipwise.com" moz-do-not-send="true">www.sipwise.com</a>          FN: 305595f      FG: LG Wiener Neustadt
</pre>
          <div class="moz-cite-prefix">On 2/4/19 1:01 PM, Henk wrote:<br>
          </div>
          <blockquote type="cite"
            cite="mid:2d8133e1-4022-5f98-01af-747dca0f79e0@voipdigit.nl">
            <meta http-equiv="Content-Type" content="text/html;
              charset=utf-8">
            <p>Hi Daniel,</p>
            <p>It looks I have to overwrite logreq from tag_header.tt2,
              but if I add the following line in kamailio.cfg.tt2 and
              build the configuration it does not have any effect:<br>
            </p>
            <p>logreq="R=$ru ID=$ci IP=$ct UA=\'$ua\'";<br>
            </p>
            Any advise on what to change exactly?<br>
            <br>
            Regards,<br>
            <br>
            Henk<br>
            <br>
            <div class="moz-cite-prefix">On 4-2-2019 11:43, Daniel
              Grotti wrote:<br>
            </div>
            <blockquote type="cite"
              cite="mid:4e7755ec-9fa9-6f09-45f0-6d2bad360780@sipwise.com">
              <meta http-equiv="Content-Type" content="text/html;
                charset=utf-8">
              <tt>Hi Henk,<br>
                you can either block the call by User Agent or you can
                print out the Contact header in the log, if you want.<br>
                You can use the "$ct" variable in the kamailio.cfg<br>
                <br>
                Cheers,<br>
                <br>
                <br>
              </tt>
              <pre class="moz-signature" cols="72">--
Daniel Grotti

Head of Customer Support                               Sipwise GmbH
e: <a class="moz-txt-link-abbreviated" href="mailto:dgrotti@sipwise.com" moz-do-not-send="true">dgrotti@sipwise.com</a>                               Europaring F15
t: +43(0)130120332                          A-2345 Brunn Am Gebirge
w: <a class="moz-txt-link-abbreviated" href="http://www.sipwise.com" moz-do-not-send="true">www.sipwise.com</a>          FN: 305595f      FG: LG Wiener Neustadt
</pre>
              <div class="moz-cite-prefix">On 2/2/19 3:50 PM, Henk
                wrote:<br>
              </div>
              <blockquote type="cite"
                cite="mid:266d00f2-6fd1-ba01-a51e-a6f782248f3f@voipdigit.nl">
                <meta http-equiv="content-type" content="text/html;
                  charset=utf-8">
                <p>Hi all,</p>
                <p>I'm using fail2ban and ipset-blocklist to protect my
                  Sipwise system. But lately scanners are not detected
                  by fail2ban anymore, as they are using local or random
                  addresses like this:</p>
                <p><tt>INVITE <a class="moz-txt-link-freetext"
                      href="sip:0001130046423112923@172.31.1.100:5060"
                      moz-do-not-send="true">sip:0001130046423112923@172.31.1.100:5060</a>
                    SIP/2.0</tt><tt><br>
                  </tt><tt>Via: SIP/2.0/TCP
                    102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport</tt><tt><br>
                  </tt><tt>Max-Forwards: 70</tt><tt><br>
                  </tt><tt>Contact: <a class="moz-txt-link-rfc2396E"
                      href="sip:1234@102.165.36.71:10959;ob;transport=tcp"
                      moz-do-not-send="true"><sip:1234@102.165.36.71:10959;ob;transport=tcp></a>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>"</tt><tt><br>
                  </tt><tt>To: <a class="moz-txt-link-rfc2396E"
                      href="sip:0001130046423112923@172.31.1.100:5060"
                      moz-do-not-send="true"><sip:0001130046423112923@172.31.1.100:5060></a></tt><tt><br>
                  </tt><tt>From: "1234"<a class="moz-txt-link-rfc2396E"
                      href="sip:1234@172.31.1.100:5060"
                      moz-do-not-send="true"><sip:1234@172.31.1.100:5060></a>;tag=a9398072</tt><br>
                </p>
                <p>So only the contact header contains the real IP
                  address. The proxy logs this (other request):</p>
                <p><tt>Feb  2 00:01:23 spce proxy[15788]: NOTICE:
                    <script>: New request on proxy - M=INVITE R=<a
                      class="moz-txt-link-freetext"
                      href="sip:988891046423112923@172.31.1.100:5060"
                      moz-do-not-send="true">sip:988891046423112923@172.31.1.100:5060</a>
                    F=<a class="moz-txt-link-freetext"
                      href="sip:1234@172.31.1.100:5060"
                      moz-do-not-send="true">sip:1234@172.31.1.100:5060</a>
                    T=<a class="moz-txt-link-freetext"
                      href="sip:988891046423112923@172.31.1.100:5060"
                      moz-do-not-send="true">sip:988891046423112923@172.31.1.100:5060</a>
                    IP=102.165.36.71:60384 (127.0.0.1:5060)
                    ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK
                    11.2' DESTIP=127.0.0.1:5062</tt><tt><br>
                  </tt><tt>Feb  2 00:01:23 spce proxy[15788]: NOTICE:
                    <script>: Sending reply S=100 Trying
                    fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=<a
                      class="moz-txt-link-freetext"
                      href="sip:988891046423112923@172.31.1.100:5060"
                      moz-do-not-send="true">sip:988891046423112923@172.31.1.100:5060</a>
                    ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK
                    11.2'</tt><tt><br>
                  </tt><tt>Feb  2 00:01:23 spce proxy[15788]: NOTICE:
                    <script>: Authentication failed, no
                    credentials - R=<a class="moz-txt-link-freetext"
                      href="sip:988891046423112923@"
                      moz-do-not-send="true">sip:988891046423112923@</a><b>172.31.1.100</b>:5060
                    ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK
                    11.2' Auth=<null></tt><br>
                </p>
                <p>So this cannot be used for fail2ban. Is there a way
                  to log the real address of the attacker?</p>
                <p>Regards,</p>
                <p>Henk<br>
                </p>
                <br>
                <fieldset class="mimeAttachmentHeader"></fieldset>
                <pre class="moz-quote-pre" wrap="">_______________________________________________
Spce-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Spce-user@lists.sipwise.com" moz-do-not-send="true">Spce-user@lists.sipwise.com</a>
<a class="moz-txt-link-freetext" href="https://lists.sipwise.com/listinfo/spce-user" moz-do-not-send="true">https://lists.sipwise.com/listinfo/spce-user</a>
</pre>
              </blockquote>
              <br>
              <br>
              <fieldset class="mimeAttachmentHeader"></fieldset>
              <br>
              <pre wrap="">_______________________________________________
Spce-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Spce-user@lists.sipwise.com" moz-do-not-send="true">Spce-user@lists.sipwise.com</a>
<a class="moz-txt-link-freetext" href="https://lists.sipwise.com/listinfo/spce-user" moz-do-not-send="true">https://lists.sipwise.com/listinfo/spce-user</a>
</pre>
            </blockquote>
            <br>
            <br>
            <fieldset class="mimeAttachmentHeader"></fieldset>
            <pre class="moz-quote-pre" wrap="">_______________________________________________
Spce-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Spce-user@lists.sipwise.com" moz-do-not-send="true">Spce-user@lists.sipwise.com</a>
<a class="moz-txt-link-freetext" href="https://lists.sipwise.com/listinfo/spce-user" moz-do-not-send="true">https://lists.sipwise.com/listinfo/spce-user</a>
</pre>
          </blockquote>
          <br>
          <br>
          <fieldset class="mimeAttachmentHeader"></fieldset>
          <br>
          <pre wrap="">_______________________________________________
Spce-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Spce-user@lists.sipwise.com" moz-do-not-send="true">Spce-user@lists.sipwise.com</a>
<a class="moz-txt-link-freetext" href="https://lists.sipwise.com/listinfo/spce-user" moz-do-not-send="true">https://lists.sipwise.com/listinfo/spce-user</a>
</pre>
        </blockquote>
        <br>
        <br>
        <fieldset class="mimeAttachmentHeader"></fieldset>
        <pre class="moz-quote-pre" wrap="">_______________________________________________
Spce-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Spce-user@lists.sipwise.com" moz-do-not-send="true">Spce-user@lists.sipwise.com</a>
<a class="moz-txt-link-freetext" href="https://lists.sipwise.com/listinfo/spce-user" moz-do-not-send="true">https://lists.sipwise.com/listinfo/spce-user</a>
</pre>
      </blockquote>
      <br>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <br>
      <pre wrap="">_______________________________________________
Spce-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a>
<a class="moz-txt-link-freetext" href="https://lists.sipwise.com/listinfo/spce-user">https://lists.sipwise.com/listinfo/spce-user</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>