Hi, I felt that fail2ban in this instance was a bit too much of a blunt tool, so I have for now built a workaround by creating a Perl daemon that watches the output of
ngrep -TT -d $net_if -q -W single Proxy-Authorization port 5060 where $net_if is the network interface. If it sees more than 5 Proxy-Authorization invites with the same Call- ID then it blocks the network route for a second. I've also added a line in the dialplan to put the Asterisk channel name into a custom SIP header, and if this is found in the INVITE then it first connects to the AMI to do a Hangup(38) on that channel, which gives the user a more accurate error. Every 20 seconds it purges any stateful data it holds that's older than 20 seconds, in order to stop it eating RAM. It seems to work quite well. Cheers, Kingsley. On Thu, 2020-10-29 at 08:39 +0100, Olivier wrote: > Hi, > What if some fail2ban magic could keep OpenSIPs response from hitting > Asterisk after N attempts ? > > Le mer. 28 oct. 2020 à 18:32, Kingsley Tart - Barritel Ltd < > kingsley.t...@barritel.com> a écrit : > > Hi, > > > > We're using Asterisk 13.17.0 with PJSIP 2.8 bundled. > > > > I've found an issue when Asterisk tries to make a SIP call out > > using > > auth, but has the wrong credentials and keeps getting returned a > > SIP > > 407, in this example to an OpenSIPs server requiring user auth. > > > > Basically this happens: > > > > 1. Asterisk sends plain INVITE to OpenSIPs > > 2. OpenSIPs responds with SIP 407 auth required with a Proxy- > > Authenticate header > > 3. Asterisk re-sends INVITE to OpenSIPs with Proxy-Authorization > > header, but has the wrong password > > 4. goto step 2 and repeat forever [snip] -- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
