<html>
<head>
<meta http-equiv="Content-Type" content="text/html;
charset=windows-1252">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p>Hello,</p>
<p>see my comment inline ...<br>
</p>
<div class="moz-cite-prefix">On 01.04.19 18:18, Hohl Matthias wrote:<br>
</div>
<blockquote type="cite"
cite="mid:1520018117.2656487.1554135500556.JavaMail.zimbra@mx.telematica.at">
<div class="WordSection1">
<p class="MsoNormal">Hello,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><span lang="EN-US">I found out that there
are a lot of spam requests on proxy and lb from the same IP
address, which was trying to connect with different users
every few seconds.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">The problem: even though
these were always successfully rejected, it would be fine if
fail2ban would also ban the IP for these requests, but I
have no possibility to block the IP, because the log string
with the “authentication failed, no credentials” has no UA
IP information inside.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">I thought about adding
this UA IP information to the log string for
“Authentication failed, no credentials”, but this failure
string also occurs for valid subscribers, like here:<o:p></o:p></span></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US"><o:p> </o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:8.0pt" lang="EN-US">Apr 1 18:06:06 spce
proxy[2106]: NOTICE: <script>: New request on proxy
- M=REGISTER R=<a class="moz-txt-link-freetext" href="sip:sip.telematica.at">sip:sip.telematica.at</a>
F=<a class="moz-txt-link-freetext" href="sip:xxxxxxxx@sip.telematica.at">sip:xxxxxxxx@sip.telematica.at</a>
T=<a class="moz-txt-link-freetext" href="sip:xxxxxxxx@sip.telematica.at">sip:xxxxxxxx@sip.telematica.at</a> IP=144.xxx.xxx.xxx:49152
(127.0.0.1:5060) ID=3533311694@10_0_0_1 UA='N510 IP
PRO/42.243.00.000.000' DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:8.0pt" lang="EN-US">Apr 1 18:06:06 spce
proxy[2106]: NOTICE: <script>: Sending reply S=100
Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' -
R=<a class="moz-txt-link-freetext" href="sip:sip.telematica.at">sip:sip.telematica.at</a> ID=3533311694@10_0_0_1 UA='N510 IP
PRO/42.243.00.000.000'<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:8.0pt" lang="EN-US">Apr 1 18:06:06 spce
proxy[2106]: NOTICE: <script>: Authentication
failed, no credentials - R=<a class="moz-txt-link-freetext" href="sip:sip.telematica.at">sip:sip.telematica.at</a>
ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'
Auth=<null><o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:8.0pt" lang="EN-US">Apr 1 18:06:06 spce
proxy[2106]: NOTICE: <script>: Sending reply S=401
fs='127.0.0.1:5062' du='127.0.0.1:5060' -
ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:8.0pt" lang="EN-US">Apr 1 18:06:06 spce
proxy[2109]: NOTICE: <script>: New request on proxy
- M=REGISTER R=<a class="moz-txt-link-freetext" href="sip:sip.telematica.at">sip:sip.telematica.at</a>
F=<a class="moz-txt-link-freetext" href="sip:xxxxxxxx@sip.telematica.at">sip:xxxxxxxx@sip.telematica.at</a>
T=<a class="moz-txt-link-freetext" href="sip:xxxxxxxx@sip.telematica.at">sip:xxxxxxxx@sip.telematica.at</a> IP=144.xxx.xxx.xxx:49152
(127.0.0.1:5060) ID=3533311694@10_0_0_1 UA='N510 IP
PRO/42.243.00.000.000' DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:8.0pt" lang="EN-US">Apr 1 18:06:06 spce
proxy[2109]: NOTICE: <script>: Sending reply S=100
Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' -
R=<a class="moz-txt-link-freetext" href="sip:sip.telematica.at">sip:sip.telematica.at</a> ID=3533311694@10_0_0_1 UA='N510 IP
PRO/42.243.00.000.000'<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:8.0pt" lang="EN-US">Apr 1 18:06:06 spce
proxy[2109]: NOTICE: <script>: Contacts successfully
updated, expires in 600s - R=<a class="moz-txt-link-freetext" href="sip:sip.telematica.at">sip:sip.telematica.at</a>
ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'<o:p></o:p></span></i></p>
<p class="MsoNormal" style="margin-left:35.4pt"><i><span
style="font-size:8.0pt" lang="EN-US">Apr 1 18:06:06 spce
proxy[2109]: NOTICE: <script>: Sending reply S=200
OK fs='127.0.0.1:5062' du='127.0.0.1:5060' -
R=<a class="moz-txt-link-freetext" href="sip:sip.telematica.at">sip:sip.telematica.at</a> ID=3533311694@10_0_0_1 UA='N510 IP
PRO/42.243.00.000.000'<o:p></o:p></span></i></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">So how do I deal with this
kind of request to block the IP address correctly with
fail2ban?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">At the moment, I can’t
distinguish whether this is a “valid” authentication failure or
whether this is from a spam request.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Does anybody have an
idea?<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US">Thanks.<o:p></o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><i><span style="font-size:9.0pt"
lang="EN-US">Kamailio-lb<o:p></o:p></span></i></p>
<p class="MsoNormal"><span lang="EN-US"><o:p> </o:p></span></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:03 spce lb[1267]: NOTICE:
<script>: Sending reply from inbound,
fs='<a class="moz-txt-link-freetext" href="udp:176.123.xxx.xxx:5060">udp:176.123.xxx.xxx:5060</a>' du='102.165.51.10:60560' -
ID=1672410852-1750384450-124595706 UA='<null>'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:03 spce lb[1265]: NOTICE:
<script>: Sending reply from inbound,
fs='<a class="moz-txt-link-freetext" href="udp:176.123.xxx.xxx:5060">udp:176.123.xxx.xxx:5060</a>' du='102.165.51.10:60560' -
ID=1672410852-1750384450-124595706 UA='<null>'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:03 spce lb[1245]: NOTICE:
<script>: New request on lb - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00180048893076001@176.123.yyy.yyy">sip:00180048893076001@176.123.yyy.yyy</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.yyy.yyy">sip:800003@176.123.yyy.yyy</a>
T=<a class="moz-txt-link-freetext" href="sip:00180048893076001@176.123.yyy.yyy">sip:00180048893076001@176.123.yyy.yyy</a>
IP=<a class="moz-txt-link-freetext" href="udp:102.165.51.10:60684">udp:102.165.51.10:60684</a>
ID=1796109365-625332604-148124457 UA='Linksys-SPA942'
DESTIP=176.123.yyy.yyy:5060<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:03 spce lb[1267]: NOTICE:
<script>: Sending reply from inbound,
fs='<a class="moz-txt-link-freetext" href="udp:176.123.yyy.yyy:5060">udp:176.123.yyy.yyy:5060</a>' du='102.165.51.10:60684' -
ID=1796109365-625332604-148124457 UA='<null>'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:03 spce lb[1265]: NOTICE:
<script>: Sending reply from inbound,
fs='<a class="moz-txt-link-freetext" href="udp:176.123.yyy.yyy:5060">udp:176.123.yyy.yyy:5060</a>' du='102.165.51.10:60684' -
ID=1796109365-625332604-148124457 UA='<null>'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:46 spce lb[1236]: NOTICE:
<script>: New request on lb - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00190048893076001@176.123.xxx.xxx">sip:00190048893076001@176.123.xxx.xxx</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.xxx.xxx">sip:800003@176.123.xxx.xxx</a>
T=<a class="moz-txt-link-freetext" href="sip:00190048893076001@176.123.xxx.xxx">sip:00190048893076001@176.123.xxx.xxx</a>
IP=<a class="moz-txt-link-freetext" href="udp:102.165.51.10:63019">udp:102.165.51.10:63019</a>
ID=1288822511-772044424-1097930615 UA='Linksys-SPA942'
DESTIP=176.123.xxx.xxx:5060<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:46 spce lb[1262]: NOTICE:
<script>: Sending reply from inbound,
fs='<a class="moz-txt-link-freetext" href="udp:176.123.xxx.xxx:5060">udp:176.123.xxx.xxx:5060</a>' du='102.165.51.10:63019' -
ID=1288822511-772044424-1097930615 UA='<null>'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:46 spce lb[1268]: NOTICE:
<script>: Sending reply from inbound,
fs='<a class="moz-txt-link-freetext" href="udp:176.123.xxx.xxx:5060">udp:176.123.xxx.xxx:5060</a>' du='102.165.51.10:63019' -
ID=1288822511-772044424-1097930615 UA='<null>'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:46 spce lb[1241]: NOTICE:
<script>: New request on lb - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00190048893076001@176.123.yyy.yyy">sip:00190048893076001@176.123.yyy.yyy</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.yyy.yyy">sip:800003@176.123.yyy.yyy</a>
T=<a class="moz-txt-link-freetext" href="sip:00190048893076001@176.123.yyy.yyy">sip:00190048893076001@176.123.yyy.yyy</a>
IP=<a class="moz-txt-link-freetext" href="udp:102.165.51.10:63172">udp:102.165.51.10:63172</a>
ID=106321133-2131130927-801675635 UA='Linksys-SPA942'
DESTIP=176.123.yyy.yyy:5060<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:46 spce lb[1267]: NOTICE:
<script>: Sending reply from inbound,
fs='<a class="moz-txt-link-freetext" href="udp:176.123.yyy.yyy:5060">udp:176.123.yyy.yyy:5060</a>' du='102.165.51.10:63172' -
ID=106321133-2131130927-801675635 UA='<null>'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:16:46 spce lb[1264]: NOTICE:
<script>: Sending reply from inbound,
fs='<a class="moz-txt-link-freetext" href="udp:176.123.yyy.yyy:5060">udp:176.123.yyy.yyy:5060</a>' du='102.165.51.10:63172' -
ID=106321133-2131130927-801675635 UA='<null>'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:17:31 spce lb[1231]: NOTICE:
<script>: New request on lb - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00210048893076001@176.123.xxx.xxx">sip:00210048893076001@176.123.xxx.xxx</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.xxx.xxx">sip:800003@176.123.xxx.xxx</a>
T=<a class="moz-txt-link-freetext" href="sip:00210048893076001@176.123.xxx.xxx">sip:00210048893076001@176.123.xxx.xxx</a>
IP=<a class="moz-txt-link-freetext" href="udp:102.165.51.10:53471">udp:102.165.51.10:53471</a>
ID=11643804-699651008-1420889866 UA='Linksys-SPA942'
DESTIP=176.123.xxx.xxx:5060<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Kamailio-proxy<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:25:32 spce proxy[2114]: NOTICE:
<script>: New request on proxy - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00350048893076001@176.123.yyy.yyy">sip:00350048893076001@176.123.yyy.yyy</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.yyy.yyy">sip:800003@176.123.yyy.yyy</a>
T=<a class="moz-txt-link-freetext" href="sip:00350048893076001@176.123.yyy.yyy">sip:00350048893076001@176.123.yyy.yyy</a>
IP=102.165.51.10:58694 (127.0.0.1:5060)
ID=758118326-653611733-771601277 UA='Linksys-SPA942'
DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:26:14 spce proxy[2113]: NOTICE:
<script>: New request on proxy - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00360048893076001@176.123.xxx.xxx">sip:00360048893076001@176.123.xxx.xxx</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.xxx.xxx">sip:800003@176.123.xxx.xxx</a>
T=<a class="moz-txt-link-freetext" href="sip:00360048893076001@176.123.xxx.xxx">sip:00360048893076001@176.123.xxx.xxx</a>
IP=102.165.51.10:57072 (127.0.0.1:5060)
ID=1313552761-549894790-1246968706 UA='Linksys-SPA942'
DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:26:14 spce proxy[2120]: NOTICE:
<script>: New request on proxy - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00360048893076001@176.123.yyy.yyy">sip:00360048893076001@176.123.yyy.yyy</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.yyy.yyy">sip:800003@176.123.yyy.yyy</a>
T=<a class="moz-txt-link-freetext" href="sip:00360048893076001@176.123.yyy.yyy">sip:00360048893076001@176.123.yyy.yyy</a>
IP=102.165.51.10:57257 (127.0.0.1:5060)
ID=543892649-1826253356-1114326864 UA='Linksys-SPA942'
DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:26:56 spce proxy[2113]: NOTICE:
<script>: New request on proxy - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00370048893076001@176.123.xxx.xxx">sip:00370048893076001@176.123.xxx.xxx</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.xxx.xxx">sip:800003@176.123.xxx.xxx</a>
T=<a class="moz-txt-link-freetext" href="sip:00370048893076001@176.123.xxx.xxx">sip:00370048893076001@176.123.xxx.xxx</a>
IP=102.165.51.10:53653 (127.0.0.1:5060)
ID=216044731-1767486066-1766299769 UA='Linksys-SPA942'
DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:26:56 spce proxy[2114]: NOTICE:
<script>: New request on proxy - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00370048893076001@176.123.yyy.yyy">sip:00370048893076001@176.123.yyy.yyy</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.yyy.yyy">sip:800003@176.123.yyy.yyy</a>
T=<a class="moz-txt-link-freetext" href="sip:00370048893076001@176.123.yyy.yyy">sip:00370048893076001@176.123.yyy.yyy</a>
IP=102.165.51.10:57149 (127.0.0.1:5060)
ID=1129853686-565291733-1459199345 UA='Linksys-SPA942'
DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce proxy[2106]: NOTICE:
<script>: New request on proxy - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.xxx.xxx">sip:00380048893076001@176.123.xxx.xxx</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.xxx.xxx">sip:800003@176.123.xxx.xxx</a>
T=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.xxx.xxx">sip:00380048893076001@176.123.xxx.xxx</a>
IP=102.165.51.10:49934 (127.0.0.1:5060)
ID=1744315013-324263357-1391421940 UA='Linksys-SPA942'
DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce proxy[2119]: NOTICE:
<script>: New request on proxy - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.yyy.yyy">sip:800003@176.123.yyy.yyy</a>
T=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
IP=102.165.51.10:50073 (127.0.0.1:5060)
ID=912346842-169557483-295698979 UA='Linksys-SPA942'
DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:28:19 spce proxy[2109]: NOTICE:
<script>: New request on proxy - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00390048893076001@176.123.xxx.xxx">sip:00390048893076001@176.123.xxx.xxx</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.xxx.xxx">sip:800003@176.123.xxx.xxx</a>
T=<a class="moz-txt-link-freetext" href="sip:00390048893076001@176.123.xxx.xxx">sip:00390048893076001@176.123.xxx.xxx</a>
IP=102.165.51.10:62577 (127.0.0.1:5060)
ID=218036742-1902467074-1213502867 UA='Linksys-SPA942'
DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:28:19 spce proxy[2119]: NOTICE:
<script>: New request on proxy - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00390048893076001@176.123.yyy.yyy">sip:00390048893076001@176.123.yyy.yyy</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.yyy.yyy">sip:800003@176.123.yyy.yyy</a>
T=<a class="moz-txt-link-freetext" href="sip:00390048893076001@176.123.yyy.yyy">sip:00390048893076001@176.123.yyy.yyy</a>
IP=102.165.51.10:65059 (127.0.0.1:5060)
ID=1844126573-2124940025-382233674 UA='Linksys-SPA942'
DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">root@spce:~# cat
/var/log/ngcp/kamailio-lb.log | grep -i
'912346842-169557483-295698979'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce lb[1241]: NOTICE:
<script>: New request on lb - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.yyy.yyy">sip:800003@176.123.yyy.yyy</a>
T=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
IP=<a class="moz-txt-link-freetext" href="udp:102.165.51.10:50073">udp:102.165.51.10:50073</a>
ID=912346842-169557483-295698979 UA='Linksys-SPA942'
DESTIP=176.123.yyy.yyy:5060<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce lb[1241]: NOTICE:
<script>: Relaying request, fs='<a class="moz-txt-link-freetext" href="udp:127.0.0.1:5060">udp:127.0.0.1:5060</a>'
du='<a class="moz-txt-link-freetext" href="sip:127.0.0.1:5062">sip:127.0.0.1:5062</a>' -
R=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
ID=912346842-169557483-295698979 UA='Linksys-SPA942'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce lb[1268]: NOTICE:
<script>: Reply from Inbound - S=100 - Trying
M=INVITE IP=<a class="moz-txt-link-freetext" href="udp:127.0.0.1:5062">udp:127.0.0.1:5062</a>
ID=912346842-169557483-295698979 UA='<null>'
DESTIP=127.0.0.1:5060<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce lb[1268]: NOTICE:
<script>: Sending reply from inbound,
fs='<a class="moz-txt-link-freetext" href="udp:176.123.yyy.yyy:5060">udp:176.123.yyy.yyy:5060</a>' du='102.165.51.10:50073' -
ID=912346842-169557483-295698979 UA='<null>'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce lb[1263]: NOTICE:
<script>: Reply from Inbound - S=407 - Proxy
Authentication Required M=INVITE IP=<a class="moz-txt-link-freetext" href="udp:127.0.0.1:5062">udp:127.0.0.1:5062</a>
ID=912346842-169557483-295698979 UA='<null>'
DESTIP=127.0.0.1:5060<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce lb[1263]: NOTICE:
<script>: Sending reply from inbound,
fs='<a class="moz-txt-link-freetext" href="udp:176.123.yyy.yyy:5060">udp:176.123.yyy.yyy:5060</a>' du='102.165.51.10:50073' -
ID=912346842-169557483-295698979 UA='<null>'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">root@spce:~#<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US"><o:p> </o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">root@spce:~# cat
/var/log/ngcp/kamailio-proxy.log | grep -i
'912346842-169557483-295698979'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce proxy[2119]: NOTICE:
<script>: New request on proxy - M=INVITE
R=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.yyy.yyy">sip:800003@176.123.yyy.yyy</a>
T=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
IP=102.165.51.10:50073 (127.0.0.1:5060)
ID=912346842-169557483-295698979 UA='Linksys-SPA942'
DESTIP=127.0.0.1:5062<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce proxy[2119]: NOTICE:
<script>: Sending reply S=100 Trying
fs='127.0.0.1:5062' du='127.0.0.1:5060' -
R=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
ID=912346842-169557483-295698979 UA='Linksys-SPA942'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce proxy[2119]: NOTICE:
<script>: Authentication failed, no credentials -
R=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
ID=912346842-169557483-295698979 UA='Linksys-SPA942'
Auth=<null><o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce proxy[2119]: NOTICE:
<script>: Sending reply S=407 fs='127.0.0.1:5062'
du='127.0.0.1:5060' - ID=912346842-169557483-295698979
UA='Linksys-SPA942'<o:p></o:p></span></i></p>
<p class="MsoNormal"><i><span style="font-size:8.0pt"
lang="EN-US">Apr 1 09:27:38 spce proxy[2113]: NOTICE:
<script>: New request on proxy - M=ACK
R=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
F=<a class="moz-txt-link-freetext" href="sip:800003@176.123.yyy.yyy">sip:800003@176.123.yyy.yyy</a>
T=<a class="moz-txt-link-freetext" href="sip:00380048893076001@176.123.yyy.yyy">sip:00380048893076001@176.123.yyy.yyy</a>
IP=<null>:<null> (127.0.0.1:5060)
ID=912346842-169557483-295698979 UA='<null>'
DESTIP=127.0.0.1:5062</span></i></p>
</div>
</blockquote>
<p>There are some hints on security to use in kamailio.cfg collected
in our wiki at:</p>
<p> * <a
href="https://www.kamailio.org/wiki/tutorials/security/kamailio-security">https://www.kamailio.org/wiki/tutorials/security/kamailio-security</a></p>
<p>Fail2ban is an option as well. I would suggest counting the
failed authentications per user per IP and then blocking the IP using
htable or fail2ban. The link above has suggestions for failed
authentication per user; I would also add a condition on IP there...</p>
<p>Cheers,<br>
Daniel<br>
</p>
<pre class="moz-signature" cols="72">--
Daniel-Constantin Mierla -- <a class="moz-txt-link-abbreviated" href="http://www.asipto.com">www.asipto.com</a>
<a class="moz-txt-link-abbreviated" href="http://www.twitter.com/miconda">www.twitter.com/miconda</a> -- <a class="moz-txt-link-abbreviated" href="http://www.linkedin.com/in/miconda">www.linkedin.com/in/miconda</a>
Kamailio World Conference - May 6-8, 2019 -- <a class="moz-txt-link-abbreviated" href="http://www.kamailioworld.com">www.kamailioworld.com</a></pre>
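<p>Added example, not part of the original thread and not Kamailio or NGCP code: the “Authentication failed, no credentials” line carries no address, but it shares its ID with the “New request on proxy” line that does, so the two can be joined and only challenges that were never answered by a retry counted per user per IP. The sample lines, addresses, Call-IDs and function names are constructed; the assumption is that a legitimate client re-sends the request with the same Call-ID after the 401/407, as in the REGISTER trace quoted above.</p>

```python
import re
from collections import Counter

# Patterns follow the kamailio-proxy.log layout quoted in the thread.
# ACK lines carry IP=<null>:<null> and deliberately do not match REQ.
REQ = re.compile(
    r"New request on proxy - M=[A-Z]+\s.*?\sF=sip:(?P<user>[^@\s]+)@\S+"
    r".*?\sIP=(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+\s.*?\sID=(?P<cid>\S+)"
)
FAIL = re.compile(r"Authentication failed, no credentials - .*?\bID=(?P<cid>\S+)")


def unanswered_challenges(lines):
    """Count challenges never followed by a retry, keyed by (ip, from_user)."""
    source = {}      # Call-ID -> (ip, from_user), taken from the request line
    pending = set()  # Call-IDs that were challenged and not retried
    for line in lines:
        m = REQ.search(line)
        if m:
            source[m["cid"]] = (m["ip"], m["user"])
            # Assumption: a client answering the challenge reuses the Call-ID.
            pending.discard(m["cid"])
            continue
        m = FAIL.search(line)
        if m and m["cid"] in source:
            pending.add(m["cid"])
    return Counter(source[cid] for cid in pending)


def ips_to_ban(lines, threshold=3):
    """Return IPs whose unanswered challenges, summed over users, reach threshold."""
    per_ip = Counter()
    for (ip, _user), count in unanswered_challenges(lines).items():
        per_ip[ip] += count
    return sorted(ip for ip, count in per_ip.items() if count >= threshold)


# --- constructed sample input (documentation addresses, made-up Call-IDs) ---
PREFIX = "Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: "

def _req(method, user, ip_port, cid):
    return (f"{PREFIX}New request on proxy - M={method} R=sip:sip.example.org "
            f"F=sip:{user}@sip.example.org T=sip:{user}@sip.example.org "
            f"IP={ip_port} (127.0.0.1:5060) ID={cid} UA='x' DESTIP=127.0.0.1:5062")

def _fail(cid):
    return (f"{PREFIX}Authentication failed, no credentials - "
            f"R=sip:sip.example.org ID={cid} UA='x' Auth=<null>")

SAMPLE = [
    # Legitimate phone: challenged once, then retries with the same Call-ID.
    _req("REGISTER", "alice", "198.51.100.7:49152", "reg-1@10_0_0_1"),
    _fail("reg-1@10_0_0_1"),
    _req("REGISTER", "alice", "198.51.100.7:49152", "reg-1@10_0_0_1"),
    f"{PREFIX}Contacts successfully updated, expires in 600s - ID=reg-1@10_0_0_1",
]
for n in range(3):
    # Scanner: new Call-ID per INVITE, only an ACK after the 407, no retry.
    SAMPLE += [
        _req("INVITE", "800003", "203.0.113.10:50073", f"scan-{n}"),
        _fail(f"scan-{n}"),
        _req("ACK", "800003", "<null>:<null>", f"scan-{n}"),
    ]

if __name__ == "__main__":
    for ip in ips_to_ban(SAMPLE):
        print(f"ban candidate: {ip}")
```

<p>Retries that carry wrong credentials are outside what this counts; it covers only the “no credentials” case raised in the thread.</p>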
</body>
</html>