<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <tt>Hi Henk,<br>
      you can either block the call by User Agent or you can print out
      the Contact header in the log, if you want.<br>
      You can use the "$ct" variable in the kamailio.cfg<br>
      <br>
      Cheers,<br>
      <br>
      <br>
    </tt>
    <pre class="moz-signature" cols="72">--
Daniel Grotti

Head of Customer Support                               Sipwise GmbH
e: <a class="moz-txt-link-abbreviated" href="mailto:dgrotti@sipwise.com">dgrotti@sipwise.com</a>                               Europaring F15
t: +43(0)130120332                          A-2345 Brunn Am Gebirge
w: <a class="moz-txt-link-abbreviated" href="http://www.sipwise.com">www.sipwise.com</a>          FN: 305595f      FG: LG Wiener Neustadt
</pre>
    <div class="moz-cite-prefix">On 2/2/19 3:50 PM, Henk wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:266d00f2-6fd1-ba01-a51e-a6f782248f3f@voipdigit.nl">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      <p>Hi all,</p>
      <p>I'm using fail2ban and ipset-blocklist to protect my Sipwise
        system. But lately scanners are not detected by fail2ban
        anymore, as they are using local or random addresses like this:</p>
      <p><tt>INVITE <a class="moz-txt-link-freetext"
            href="sip:0001130046423112923@172.31.1.100:5060"
            moz-do-not-send="true">sip:0001130046423112923@172.31.1.100:5060</a>
          SIP/2.0</tt><tt><br>
        </tt><tt>Via: SIP/2.0/TCP
          102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport</tt><tt><br>
        </tt><tt>Max-Forwards: 70</tt><tt><br>
        </tt><tt>Contact:
          <a class="moz-txt-link-rfc2396E"
            href="sip:1234@102.165.36.71:10959;ob;transport=tcp"
            moz-do-not-send="true"><sip:1234@102.165.36.71:10959;ob;transport=tcp></a>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>"</tt><tt><br>
        </tt><tt>To: <a class="moz-txt-link-rfc2396E"
            href="sip:0001130046423112923@172.31.1.100:5060"
            moz-do-not-send="true"><sip:0001130046423112923@172.31.1.100:5060></a></tt><tt><br>
        </tt><tt>From: "1234"<a class="moz-txt-link-rfc2396E"
            href="sip:1234@172.31.1.100:5060" moz-do-not-send="true"><sip:1234@172.31.1.100:5060></a>;tag=a9398072</tt><br>
      </p>
      <p>So only the contact header contains the real IP address. The
        proxy logs this (other request):</p>
      <p><tt>Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>:
          New request on proxy - M=INVITE R=<a
            class="moz-txt-link-freetext"
            href="sip:988891046423112923@172.31.1.100:5060"
            moz-do-not-send="true">sip:988891046423112923@172.31.1.100:5060</a>
          F=<a class="moz-txt-link-freetext"
            href="sip:1234@172.31.1.100:5060" moz-do-not-send="true">sip:1234@172.31.1.100:5060</a>
          T=<a class="moz-txt-link-freetext"
            href="sip:988891046423112923@172.31.1.100:5060"
            moz-do-not-send="true">sip:988891046423112923@172.31.1.100:5060</a>
          IP=102.165.36.71:60384 (127.0.0.1:5060)
          ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
          DESTIP=127.0.0.1:5062</tt><tt><br>
        </tt><tt>Feb  2 00:01:23 spce proxy[15788]: NOTICE:
          <script>: Sending reply S=100 Trying fs='127.0.0.1:5062'
          du='127.0.0.1:5060' - R=<a class="moz-txt-link-freetext"
            href="sip:988891046423112923@172.31.1.100:5060"
            moz-do-not-send="true">sip:988891046423112923@172.31.1.100:5060</a>
          ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'</tt><tt><br>
        </tt><tt>Feb  2 00:01:23 spce proxy[15788]: NOTICE:
          <script>: Authentication failed, no credentials - R=<a
            class="moz-txt-link-freetext" href="sip:988891046423112923@"
            moz-do-not-send="true">sip:988891046423112923@</a><b>172.31.1.100</b>:5060
          ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
          Auth=<null></tt><br>
      </p>
      <p>So this cannot be used for fail2ban. Is there a way to log the
        real address of the attacker?</p>
      <p>Regards,</p>
      <p>Henk<br>
      </p>
      <br>
      <fieldset class="mimeAttachmentHeader"></fieldset>
      <pre class="moz-quote-pre" wrap="">_______________________________________________
Spce-user mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</a>
<a class="moz-txt-link-freetext" href="https://lists.sipwise.com/listinfo/spce-user">https://lists.sipwise.com/listinfo/spce-user</a>
</pre>
    </blockquote>
    <br>
  </body>
</html>