[Spce-user] Kamailio spam requests identify problem

Hohl Matthias matthias.hohl at telematica.at
Mon Apr 1 12:18:20 EDT 2019


Hello,

 

I found out that there are a lot of spam requests on proxy and lb from the
same IP address, which was trying to connect with different users every few
seconds.

 

The problem: even if this was always successfully rejected, it would be fine
if fail2ban would also ban the IP from these requests, but I have no
possibility to block the IP, because the log string with "authentication
failed, no credentials" has no UA IP information inside.

I thought about adding this UA IP information to the log string for
"Authentication failed, no credentials", but this failure string also happens
for valid subscribers, like here:

 

Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: New request on proxy -
M=REGISTER R=sip:sip.telematica.at F=sip:xxxxxxxx at sip.telematica.at
T=sip:xxxxxxxx at sip.telematica.at IP=144.xxx.xxx.xxx:49152 (127.0.0.1:5060)
ID=3533311694 at 10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'
DESTIP=127.0.0.1:5062

Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Sending reply S=100
Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:sip.telematica.at
ID=3533311694 at 10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'

Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Authentication failed,
no credentials - R=sip:sip.telematica.at ID=3533311694 at 10_0_0_1 UA='N510 IP
PRO/42.243.00.000.000' Auth=<null>

Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Sending reply S=401
fs='127.0.0.1:5062' du='127.0.0.1:5060' - ID=3533311694 at 10_0_0_1 UA='N510 IP
PRO/42.243.00.000.000'

Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: New request on proxy -
M=REGISTER R=sip:sip.telematica.at F=sip:xxxxxxxx at sip.telematica.at
T=sip:xxxxxxxx at sip.telematica.at IP=144.xxx.xxx.xxx:49152 (127.0.0.1:5060)
ID=3533311694 at 10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'
DESTIP=127.0.0.1:5062

Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Sending reply S=100
Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:sip.telematica.at
ID=3533311694 at 10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'

Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Contacts successfully
updated, expires in 600s - R=sip:sip.telematica.at ID=3533311694 at 10_0_0_1
UA='N510 IP PRO/42.243.00.000.000'

Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Sending reply S=200 OK
fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:sip.telematica.at
ID=3533311694 at 10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'

So how can I deal with this kind of request to block the IP address correctly
with fail2ban?

At the moment, I can't distinguish whether this is a "valid" authentication
failure or whether it comes from a spam request.

 

Does anybody have an idea?

 

Thanks.

Kamailio-lb

 

Apr  1 09:16:03 spce lb[1267]: NOTICE: <script>: Sending reply from inbound,
fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:60560' -
ID=1672410852-1750384450-124595706 UA='<null>'

Apr  1 09:16:03 spce lb[1265]: NOTICE: <script>: Sending reply from inbound,
fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:60560' -
ID=1672410852-1750384450-124595706 UA='<null>'

Apr  1 09:16:03 spce lb[1245]: NOTICE: <script>: New request on lb -
M=INVITE R=sip:00180048893076001 at 176.123.yyy.yyy
F=sip:800003 at 176.123.yyy.yyy T=sip:00180048893076001 at 176.123.yyy.yyy
IP=udp:102.165.51.10:60684 ID=1796109365-625332604-148124457
UA='Linksys-SPA942' DESTIP=176.123.yyy.yyy:5060

Apr  1 09:16:03 spce lb[1267]: NOTICE: <script>: Sending reply from inbound,
fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:60684' -
ID=1796109365-625332604-148124457 UA='<null>'

Apr  1 09:16:03 spce lb[1265]: NOTICE: <script>: Sending reply from inbound,
fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:60684' -
ID=1796109365-625332604-148124457 UA='<null>'

Apr  1 09:16:46 spce lb[1236]: NOTICE: <script>: New request on lb -
M=INVITE R=sip:00190048893076001 at 176.123.xxx.xxx
F=sip:800003 at 176.123.xxx.xxx T=sip:00190048893076001 at 176.123.xxx.xxx
IP=udp:102.165.51.10:63019 ID=1288822511-772044424-1097930615
UA='Linksys-SPA942' DESTIP=176.123.xxx.xxx:5060

Apr  1 09:16:46 spce lb[1262]: NOTICE: <script>: Sending reply from inbound,
fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:63019' -
ID=1288822511-772044424-1097930615 UA='<null>'

Apr  1 09:16:46 spce lb[1268]: NOTICE: <script>: Sending reply from inbound,
fs='udp:176.123.xxx.xxx:5060' du='102.165.51.10:63019' -
ID=1288822511-772044424-1097930615 UA='<null>'

Apr  1 09:16:46 spce lb[1241]: NOTICE: <script>: New request on lb -
M=INVITE R=sip:00190048893076001 at 176.123.yyy.yyy
F=sip:800003 at 176.123.yyy.yyy T=sip:00190048893076001 at 176.123.yyy.yyy
IP=udp:102.165.51.10:63172 ID=106321133-2131130927-801675635
UA='Linksys-SPA942' DESTIP=176.123.yyy.yyy:5060

Apr  1 09:16:46 spce lb[1267]: NOTICE: <script>: Sending reply from inbound,
fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:63172' -
ID=106321133-2131130927-801675635 UA='<null>'

Apr  1 09:16:46 spce lb[1264]: NOTICE: <script>: Sending reply from inbound,
fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:63172' -
ID=106321133-2131130927-801675635 UA='<null>'

Apr  1 09:17:31 spce lb[1231]: NOTICE: <script>: New request on lb -
M=INVITE R=sip:00210048893076001 at 176.123.xxx.xxx
F=sip:800003 at 176.123.xxx.xxx T=sip:00210048893076001 at 176.123.xxx.xxx
IP=udp:102.165.51.10:53471 ID=11643804-699651008-1420889866
UA='Linksys-SPA942' DESTIP=176.123.xxx.xxx:5060

Kamailio-proxy

 

Apr  1 09:25:32 spce proxy[2114]: NOTICE: <script>: New request on proxy -
M=INVITE R=sip:00350048893076001 at 176.123.yyy.yyy
F=sip:800003 at 176.123.yyy.yyy T=sip:00350048893076001 at 176.123.yyy.yyy
IP=102.165.51.10:58694 (127.0.0.1:5060) ID=758118326-653611733-771601277
UA='Linksys-SPA942' DESTIP=127.0.0.1:5062

Apr  1 09:26:14 spce proxy[2113]: NOTICE: <script>: New request on proxy -
M=INVITE R=sip:00360048893076001 at 176.123.xxx.xxx
F=sip:800003 at 176.123.xxx.xxx T=sip:00360048893076001 at 176.123.xxx.xxx
IP=102.165.51.10:57072 (127.0.0.1:5060) ID=1313552761-549894790-1246968706
UA='Linksys-SPA942' DESTIP=127.0.0.1:5062

Apr  1 09:26:14 spce proxy[2120]: NOTICE: <script>: New request on proxy -
M=INVITE R=sip:00360048893076001 at 176.123.yyy.yyy
F=sip:800003 at 176.123.yyy.yyy T=sip:00360048893076001 at 176.123.yyy.yyy
IP=102.165.51.10:57257 (127.0.0.1:5060) ID=543892649-1826253356-1114326864
UA='Linksys-SPA942' DESTIP=127.0.0.1:5062

Apr  1 09:26:56 spce proxy[2113]: NOTICE: <script>: New request on proxy -
M=INVITE R=sip:00370048893076001 at 176.123.xxx.xxx
F=sip:800003 at 176.123.xxx.xxx T=sip:00370048893076001 at 176.123.xxx.xxx
IP=102.165.51.10:53653 (127.0.0.1:5060) ID=216044731-1767486066-1766299769
UA='Linksys-SPA942' DESTIP=127.0.0.1:5062

Apr  1 09:26:56 spce proxy[2114]: NOTICE: <script>: New request on proxy -
M=INVITE R=sip:00370048893076001 at 176.123.yyy.yyy
F=sip:800003 at 176.123.yyy.yyy T=sip:00370048893076001 at 176.123.yyy.yyy
IP=102.165.51.10:57149 (127.0.0.1:5060) ID=1129853686-565291733-1459199345
UA='Linksys-SPA942' DESTIP=127.0.0.1:5062

Apr  1 09:27:38 spce proxy[2106]: NOTICE: <script>: New request on proxy -
M=INVITE R=sip:00380048893076001 at 176.123.xxx.xxx
F=sip:800003 at 176.123.xxx.xxx T=sip:00380048893076001 at 176.123.xxx.xxx
IP=102.165.51.10:49934 (127.0.0.1:5060) ID=1744315013-324263357-1391421940
UA='Linksys-SPA942' DESTIP=127.0.0.1:5062

Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: New request on proxy -
M=INVITE R=sip:00380048893076001 at 176.123.yyy.yyy
F=sip:800003 at 176.123.yyy.yyy T=sip:00380048893076001 at 176.123.yyy.yyy
IP=102.165.51.10:50073 (127.0.0.1:5060) ID=912346842-169557483-295698979
UA='Linksys-SPA942' DESTIP=127.0.0.1:5062

Apr  1 09:28:19 spce proxy[2109]: NOTICE: <script>: New request on proxy -
M=INVITE R=sip:00390048893076001 at 176.123.xxx.xxx
F=sip:800003 at 176.123.xxx.xxx T=sip:00390048893076001 at 176.123.xxx.xxx
IP=102.165.51.10:62577 (127.0.0.1:5060) ID=218036742-1902467074-1213502867
UA='Linksys-SPA942' DESTIP=127.0.0.1:5062

Apr  1 09:28:19 spce proxy[2119]: NOTICE: <script>: New request on proxy -
M=INVITE R=sip:00390048893076001 at 176.123.yyy.yyy
F=sip:800003 at 176.123.yyy.yyy T=sip:00390048893076001 at 176.123.yyy.yyy
IP=102.165.51.10:65059 (127.0.0.1:5060) ID=1844126573-2124940025-382233674
UA='Linksys-SPA942' DESTIP=127.0.0.1:5062

root at spce:~# cat /var/log/ngcp/kamailio-lb.log | grep -i
'912346842-169557483-295698979'

Apr  1 09:27:38 spce lb[1241]: NOTICE: <script>: New request on lb -
M=INVITE R=sip:00380048893076001 at 176.123.yyy.yyy
F=sip:800003 at 176.123.yyy.yyy T=sip:00380048893076001 at 176.123.yyy.yyy
IP=udp:102.165.51.10:50073 ID=912346842-169557483-295698979
UA='Linksys-SPA942' DESTIP=176.123.yyy.yyy:5060

Apr  1 09:27:38 spce lb[1241]: NOTICE: <script>: Relaying request,
fs='udp:127.0.0.1:5060' du='sip:127.0.0.1:5062' -
R=sip:00380048893076001 at 176.123.yyy.yyy ID=912346842-169557483-295698979
UA='Linksys-SPA942'

Apr  1 09:27:38 spce lb[1268]: NOTICE: <script>: Reply from Inbound - S=100
- Trying M=INVITE IP=udp:127.0.0.1:5062 ID=912346842-169557483-295698979
UA='<null>' DESTIP=127.0.0.1:5060

Apr  1 09:27:38 spce lb[1268]: NOTICE: <script>: Sending reply from inbound,
fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:50073' -
ID=912346842-169557483-295698979 UA='<null>'

Apr  1 09:27:38 spce lb[1263]: NOTICE: <script>: Reply from Inbound - S=407
- Proxy Authentication Required M=INVITE IP=udp:127.0.0.1:5062
ID=912346842-169557483-295698979 UA='<null>' DESTIP=127.0.0.1:5060

Apr  1 09:27:38 spce lb[1263]: NOTICE: <script>: Sending reply from inbound,
fs='udp:176.123.yyy.yyy:5060' du='102.165.51.10:50073' -
ID=912346842-169557483-295698979 UA='<null>'

root at spce:~#

 

root at spce:~# cat /var/log/ngcp/kamailio-proxy.log | grep -i
'912346842-169557483-295698979'

Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: New request on proxy -
M=INVITE R=sip:00380048893076001 at 176.123.yyy.yyy
F=sip:800003 at 176.123.yyy.yyy T=sip:00380048893076001 at 176.123.yyy.yyy
IP=102.165.51.10:50073 (127.0.0.1:5060) ID=912346842-169557483-295698979
UA='Linksys-SPA942' DESTIP=127.0.0.1:5062

Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Sending reply S=100
Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' -
R=sip:00380048893076001 at 176.123.yyy.yyy ID=912346842-169557483-295698979
UA='Linksys-SPA942'

Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Authentication failed,
no credentials - R=sip:00380048893076001 at 176.123.yyy.yyy
ID=912346842-169557483-295698979 UA='Linksys-SPA942' Auth=<null>

Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Sending reply S=407
fs='127.0.0.1:5062' du='127.0.0.1:5060' - ID=912346842-169557483-295698979
UA='Linksys-SPA942'

Apr  1 09:27:38 spce proxy[2113]: NOTICE: <script>: New request on proxy -
M=ACK R=sip:00380048893076001 at 176.123.yyy.yyy F=sip:800003 at 176.123.yyy.yyy
T=sip:00380048893076001 at 176.123.yyy.yyy IP=<null>:<null> (127.0.0.1:5060)
ID=912346842-169557483-295698979 UA='<null>' DESTIP=127.0.0.1:5062
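The two log excerpts above show the discriminator: both the legitimate REGISTER and the INVITE from the unknown source get "Authentication failed, no credentials", but the subscriber retries with credentials under the same Call-ID and reaches "Contacts successfully updated" / S=200, while the other dialog only ever sees 401/407 and an ACK. The script below is an added example (not from the poster or from Sipwise) that joins the "New request on proxy" line (which carries IP=) to the challenge line via the ID= field and reports only challenges that were never followed by a successful retry. The sample log is constructed from the message formats in the post with RFC 5737 documentation addresses; the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the proxy log lines in the post; hosts and
# subscribers replaced with documentation addresses and placeholder names.
SAMPLE_LOG = """\
Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: New request on proxy - M=REGISTER R=sip:sip.example.net F=sip:user@sip.example.net T=sip:user@sip.example.net IP=192.0.2.10:49152 (127.0.0.1:5060) ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000' DESTIP=127.0.0.1:5062
Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Authentication failed, no credentials - R=sip:sip.example.net ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000' Auth=<null>
Apr  1 18:06:06 spce proxy[2106]: NOTICE: <script>: Sending reply S=401 fs='127.0.0.1:5062' du='127.0.0.1:5060' - ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'
Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: New request on proxy - M=REGISTER R=sip:sip.example.net F=sip:user@sip.example.net T=sip:user@sip.example.net IP=192.0.2.10:49152 (127.0.0.1:5060) ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000' DESTIP=127.0.0.1:5062
Apr  1 18:06:06 spce proxy[2109]: NOTICE: <script>: Contacts successfully updated, expires in 600s - R=sip:sip.example.net ID=3533311694@10_0_0_1 UA='N510 IP PRO/42.243.00.000.000'
Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:0038004889@198.51.100.5 F=sip:800003@198.51.100.5 T=sip:0038004889@198.51.100.5 IP=203.0.113.7:50073 (127.0.0.1:5060) ID=912346842-169557483-295698979 UA='Linksys-SPA942' DESTIP=127.0.0.1:5062
Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Authentication failed, no credentials - R=sip:0038004889@198.51.100.5 ID=912346842-169557483-295698979 UA='Linksys-SPA942' Auth=<null>
Apr  1 09:27:38 spce proxy[2119]: NOTICE: <script>: Sending reply S=407 fs='127.0.0.1:5062' du='127.0.0.1:5060' - ID=912346842-169557483-295698979 UA='Linksys-SPA942'
"""

# The request line is the only one carrying the UA source IP; the ID= field
# (Call-ID) is the key shared with the challenge and the success lines.
NEW_REQ = re.compile(r"New request on proxy - M=(?P<m>\w+) .*? IP=(?P<ip>[\d.]+):\d+ .*? ID=(?P<id>\S+)")
NO_CREDS = re.compile(r"Authentication failed, no credentials - .*? ID=(?P<id>\S+)")
SUCCESS = re.compile(r"(Contacts successfully updated|Sending reply S=200).*? ID=(?P<id>\S+)")

def correlate(log_text):
    """Return {call_id: source_ip} for dialogs that were challenged for
    missing credentials and never produced a successful retry."""
    ip_by_id, challenged, succeeded = {}, set(), set()
    for line in log_text.splitlines():
        if m := NEW_REQ.search(line):
            ip_by_id[m["id"]] = m["ip"]      # same Call-ID on retry: same IP
        elif m := NO_CREDS.search(line):
            challenged.add(m["id"])
        elif m := SUCCESS.search(line):
            succeeded.add(m["id"])
    return {cid: ip_by_id.get(cid) for cid in challenged - succeeded}

def ban_candidates(log_text, threshold=1):
    """Count unanswered challenges per source IP; only IPs at or above
    the threshold are worth handing to a ban mechanism."""
    counts = defaultdict(int)
    for ip in correlate(log_text).values():
        if ip:
            counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

def enriched_lines(log_text):
    """One synthetic line per unanswered challenge, carrying the IP so that
    a plain fail2ban failregex (e.g. on 'IP=<HOST>') can match it."""
    return [f"Authentication failed, no credentials - ID={cid} IP={ip}"
            for cid, ip in sorted(correlate(log_text).items())]
```

Because the decision depends on whether a retry with credentials ever arrives, this has to run over a window of lines (for instance periodically over the tail of kamailio-proxy.log, writing `enriched_lines` to a file that fail2ban watches) rather than on a single line as it is read.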
