[Spce-user] Block sip attacks

Henk henk at voipdigit.nl
Sat Feb 2 09:50:48 EST 2019


Hi all,

I'm using fail2ban and ipset-blocklist to protect my Sipwise system. But 
lately scanners are not detected by fail2ban anymore, as they are using 
local or random addresses like this:

INVITE sip:0001130046423112923@172.31.1.100:5060 SIP/2.0
Via: SIP/2.0/TCP 102.165.36.71:10959;branch=z9hG4bK-524287-1---5918c9179145ae4f;rport
Max-Forwards: 70
Contact: <sip:1234@102.165.36.71:10959;ob;transport=tcp>;+sip.instance="<urn:uuid:502A48A2-928D-7B59-1365-6A5BD8F30393>"
To: <sip:0001130046423112923@172.31.1.100:5060>
From: "1234"<sip:1234@172.31.1.100:5060>;tag=a9398072

So only the contact header contains the real IP address. The proxy logs 
this (other request):

Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: New request on proxy - M=INVITE R=sip:988891046423112923@172.31.1.100:5060 F=sip:1234@172.31.1.100:5060 T=sip:988891046423112923@172.31.1.100:5060 IP=102.165.36.71:60384 (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062
Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Sending reply S=100 Trying fs='127.0.0.1:5062' du='127.0.0.1:5060' - R=sip:988891046423112923@172.31.1.100:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2'
Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: Authentication failed, no credentials - R=sip:988891046423112923@*172.31.1.100*:5060 ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>

So this cannot be used for fail2ban. Is there a way to log the real 
address of the attacker?

Regards,

Henk
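
Added example, not part of Henk's post and not Sipwise code: in the log excerpt above, the "New request" line and the "Authentication failed" line carry the same ID= value, and the request line has an IP= field. The sketch below joins the two on ID and emits one line per failure that includes that address; the function names, the output format and the IPv4-only pattern are assumptions.

```python
import ipaddress
import re
from collections import OrderedDict

PFX = "Feb  2 00:01:23 spce proxy[15788]: NOTICE: <script>: "
RURI = "sip:988891046423112923@172.31.1.100:5060"
# First two lines: the post's log excerpt, unwrapped, "@" restored, emphasis marks dropped.
# Third line: constructed, an auth failure whose request line was never seen.
SAMPLE = [
    PFX + "New request on proxy - M=INVITE R=" + RURI + " F=sip:1234@172.31.1.100:5060 T=" + RURI
        + " IP=102.165.36.71:60384 (127.0.0.1:5060) ID=qeClERktVcCMa3Srchan0g.."
        + " UA='PortSIP VoIP SDK 11.2' DESTIP=127.0.0.1:5062",
    PFX + "Authentication failed, no credentials - R=" + RURI
        + " ID=qeClERktVcCMa3Srchan0g.. UA='PortSIP VoIP SDK 11.2' Auth=<null>",
    PFX + "Authentication failed, no credentials - R=" + RURI
        + " ID=constructed-unseen-id UA='x' Auth=<null>",
]
# Fields are matched in the fixed order the excerpt shows, so text inside the
# sender-supplied UA string cannot be mistaken for the IP= or ID= field.
NEW_REQ = re.compile(r"New request on proxy - .* IP=(\d{1,3}(?:\.\d{1,3}){3}):\d+"
                     r" \([^)]*\) ID=(\S+) UA=")
AUTH_FAIL = re.compile(r"Authentication failed, no credentials - R=\S+ ID=(\S+) UA=")

def correlate(lines, max_pending=10000):
    """Yield (source_ip, call_id) for each auth failure whose request line was seen."""
    pending = OrderedDict()  # call-id -> source ip, oldest entry first
    for line in lines:
        m = NEW_REQ.search(line)
        if m:
            try:
                ip = str(ipaddress.ip_address(m.group(1)))
            except ValueError:
                continue  # e.g. 999.1.1.1: never hand fail2ban a bogus address
            pending[m.group(2)] = ip
            pending.move_to_end(m.group(2))
            if len(pending) > max_pending:
                pending.popitem(last=False)  # bound memory during a scan flood
            continue
        m = AUTH_FAIL.search(line)
        if m and m.group(1) in pending:
            yield pending.pop(m.group(1)), m.group(1)

def fail2ban_line(ip, call_id):
    return f"sip-auth-fail src={ip} id={call_id}"  # hypothetical output format

if __name__ == "__main__":
    for ip, call_id in correlate(SAMPLE):
        print(fail2ban_line(ip, call_id))
```

Written to its own log file, the emitted line can be matched by a fail2ban failregex with `<HOST>` placed after `src=`.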
