Hi Ionel,

> Is it possible to create a rule and say only this “extension” can log in and 
> everything else drop?

No, that would require some sort of deep inspection at the firewall level.

A couple of ideas...

1) Using 'sipgrep' from the AstLinux CLI, have your brother call you and see 
what the "User-Agent:" header is:
--
User-Agent: _______
--
Then using the "sip-user-agent" firewall plugin [1] in whitelist mode, define 
SIP_USER_AGENT_PASS_TYPES

For example:
--
SIP_USER_AGENT_PASS_TYPES="_______"
--

That should reduce a lot of 5060 spam.

Note -> If you have other external SIP endpoints you would need to add (space 
separated) their User-Agent to SIP_USER_AGENT_PASS_TYPES as well.


2) If your brother's network can perform dynamic DNS, then the "DynDNS Host 
Open plugin" could be used to only allow your brother, and then remove the 
"Pass EXT->Local UDP 0/0 5060" firewall rule.

For example:
--
DYNDNS_HOST_OPEN_UDP="xxxxx.duckdns.org~5060"
--

3) If your brother's IP address does not change much, say it is "1.2.3.4", 
perform a
--
whois 1.2.3.4 | grep '^CIDR:'
--
and use that CIDR instead of 0/0 in the UDP 5060 firewall rule. Something like 
"Pass EXT->Local UDP 1.2.0.0/16 5060"


Lonnie


[1] https://doc.astlinux-project.org/userdoc:tt_firewall_plugins#sip-user-agent
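A sketch of the check behind idea 3, as an added example that is not part of the original message or of AstLinux: it picks the narrowest "CIDR:" block in whois output that contains the peer address and reports how many source addresses the narrowed 5060 rule would still admit. The whois text is constructed sample data, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: choose the whois CIDR block covering a peer IP and report
# how many source addresses a "Pass EXT->Local UDP <cidr> 5060" rule admits.

# Constructed sample of ARIN-style whois output (not real registry data).
SAMPLE_WHOIS='NetRange:       1.0.0.0 - 1.255.255.255
CIDR:           1.0.0.0/8
NetName:        EXAMPLE-PARENT

NetRange:       1.2.0.0 - 1.2.255.255
CIDR:           1.2.0.0/16
NetName:        EXAMPLE-ISP'

# Dotted quad -> 32-bit integer.
ip_to_int() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeeds when IP $1 lies inside CIDR $2 (e.g. 1.2.0.0/16).
ip_in_cidr() {
  net=${2%/*}; bits=${2#*/}
  mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
  [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Read whois text on stdin; print the narrowest CIDR that contains IP $1.
# One "CIDR:" line may list several comma-separated blocks.
covering_cidr() {
  ip=$1; best=; best_bits=-1
  for c in $(grep '^CIDR:' | sed 's/^CIDR:[[:space:]]*//' | tr ',' ' '); do
    b=${c#*/}
    if ip_in_cidr "$ip" "$c" && [ "$b" -gt "$best_bits" ]; then
      best=$c; best_bits=$b
    fi
  done
  [ -n "$best" ] && echo "$best"
}

# Number of source addresses a rule for CIDR $1 admits.
cidr_size() { echo $(( 1 << (32 - ${1#*/}) )); }

peer=1.2.3.4   # the example address used in the post
if cidr=$(printf '%s\n' "$SAMPLE_WHOIS" | covering_cidr "$peer"); then
  echo "Pass EXT->Local UDP $cidr 5060   # admits $(cidr_size "$cidr") addresses"
else
  echo "no CIDR: line covers $peer" >&2
fi
```

On a live system, pipe `whois <address>` into `covering_cidr <address>` in place of the sample text.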



> On Apr 22, 2023, at 12:05 PM, Ionel Chila via Astlinux-users 
> <astlinux-users@lists.sourceforge.net> wrote:
> 
> I had to open port 5060 to the internet for my brother's PAP2-NA to get in. 
> Initially I started getting a lot of brute force attacks but the 
> “adaptive-ban” plugins took care of it.  Now I am getting a different type 
> of attacks?  See logs below.
> 
> I do have a firewall from UDMP-SE and this PBX is on a DMZ. I forward port 
> 5060 on my WAN to this PBX.
> 
> Is it possible to create a rule and say only this “extension” can log in and 
> everything else drop?  For instance the PAP2-NA extension is 505 for the 
> purpose of this exercise. 
> 
> Thanks in advance
> Ionel
> 
> 
> Apr 22 10:55:29 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on 
> transmission 1447810443-1891497107-14325089 for seqno 2 (Critical Response) 
> -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
> Apr 22 10:56:26 HOME-PBX local0.notice asterisk[1092]: 
> NOTICE[1285][C-00000027]: chan_sip.c:19672 in 
> send_check_user_failure_response: Failed to authenticate device 
> <sip:9998@192.168.0.15:5060>;tag=1922473623 for INVITE, code = -1
> Apr 22 10:56:58 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on 
> transmission 1920380597-2112014333-1667702904 for seqno 2 (Critical Response) 
> -- See 
> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
> Apr 22 10:57:38 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4210 in retrans_pkt: Timeout on 1138283951-307500403-1980426376 on 
> non-critical invite transaction.
> Apr 22 10:57:55 HOME-PBX local0.notice asterisk[1092]: 
> NOTICE[1285][C-00000029]: chan_sip.c:19672 in 
> send_check_user_failure_response: Failed to authenticate device 
> <sip:9998@192.168.0.15:5060>;tag=739451700 for INVITE, code = -1
> Apr 22 10:58:27 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on 
> transmission 76533194-1510649679-2136561043 for seqno 2 (Critical Response) 
> -- See 
> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
> Apr 22 11:02:56 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4210 in retrans_pkt: Timeout on 2133735229-376621693-426493952 on 
> non-critical invite transaction.
> Apr 22 11:03:00 HOME-PBX local0.notice asterisk[1092]: 
> NOTICE[1285][C-0000002b]: chan_sip.c:19672 in 
> send_check_user_failure_response: Failed to authenticate device 
> <sip:8889@192.168.0.15:5060>;tag=595665381 for INVITE, code = -1
> Apr 22 11:03:32 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on 
> transmission 1076661996-1742674713-465326551 for seqno 2 (Critical Response) 
> -- See 
> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
> Apr 22 11:04:30 HOME-PBX local0.notice asterisk[1092]: 
> NOTICE[1285][C-0000002c]: chan_sip.c:19672 in 
> send_check_user_failure_response: Failed to authenticate device 
> <sip:8889@192.168.0.15:5060>;tag=43636851 for INVITE, code = -1
> Apr 22 11:05:02 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on 
> transmission 1728888031-387023100-315880286 for seqno 2 (Critical Response) 
> -- See 
> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
> Apr 22 11:05:59 HOME-PBX local0.notice asterisk[1092]: 
> NOTICE[1285][C-0000002d]: chan_sip.c:19672 in 
> send_check_user_failure_response: Failed to authenticate device 
> <sip:8889@192.168.0.15:5060>;tag=1367210315 for INVITE, code = -1
> Apr 22 11:06:31 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on 
> transmission 2061695187-795614543-1485048389 for seqno 2 (Critical Response) 
> -- See 
> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
> Apr 22 11:07:27 HOME-PBX local0.notice asterisk[1092]: 
> NOTICE[1285][C-0000002e]: chan_sip.c:19672 in 
> send_check_user_failure_response: Failed to authenticate device 
> <sip:8889@192.168.0.15:5060>;tag=277172302 for INVITE, code = -1
> Apr 22 11:07:59 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on 
> transmission 1019652159-463033238-1026431883 for seqno 2 (Critical Response) 
> -- See 
> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
> Apr 22 11:08:57 HOME-PBX local0.notice asterisk[1092]: 
> NOTICE[1285][C-0000002f]: chan_sip.c:19672 in 
> send_check_user_failure_response: Failed to authenticate device 
> <sip:8889@192.168.0.15:5060>;tag=1163877947 for INVITE, code = -1
> Apr 22 11:09:29 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on 
> transmission 469319743-1015333260-1652986992 for seqno 2 (Critical Response) 
> -- See 
> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32000ms with no response
> Apr 22 11:12:44 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: 
> chan_sip.c:4210 in retrans_pkt: Timeout on 160522783-725134999-814499190 on 
> non-critical invite transaction.
> Apr 22 11:13:27 HOME-PBX local0.notice asterisk[1092]: NOTICE[1285]: 
> chan_sip.c:30575 in sip_poke_noanswer: Peer '204' is now UNREACHABLE!  Last 
> qualify: 48
> 
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
> 
> Donations to support AstLinux are graciously accepted via PayPal to 
> pay...@krisk.org.


