Thanks much Lonnie. These are some awesome ideas. I will try some and report back.
Cheers
Ionel

> On Apr 22, 2023, at 1:38 PM, Lonnie Abelbeck <li...@lonnie.abelbeck.com>
> wrote:
>
> Hi Ionel,
>
>> Is it possible to create a rule and say only this “extension” can log in and
>> everything else drop?
>
> No, that would require some sort of deep inspection at the firewall level.
>
> A couple of ideas...
>
> 1) Using 'sipgrep' from the AstLinux CLI, have your brother call you and see
> what the "User-Agent:" header is:
> --
> User-Agent: _______
> --
> Then using the "sip-user-agent" firewall plugin [1] in whitelist mode, define
> SIP_USER_AGENT_PASS_TYPES
>
> For example:
> --
> SIP_USER_AGENT_PASS_TYPES="_______"
> --
>
> That should reduce a lot of 5060 spam.
>
> Note -> If you have other external SIP endpoints you would need to add (space
> separated) their User-Agent to SIP_USER_AGENT_PASS_TYPES as well.
>
>
> 2) If your brother's network can perform dynamic DNS, then the "DynDNS Host
> Open plugin" could be used to only allow your brother, and then remove the
> "Pass EXT->Local UDP 0/0 5060" firewall rule.
>
> For example:
> --
> DYNDNS_HOST_OPEN_UDP="xxxxx.duckdns.org~5060"
> --
>
> 3) If your brother's IP address does not change much, say it is "1.2.3.4"
> perform a
> --
> whois 1.2.3.4 | grep '^CIDR:'
> --
> and use that CIDR instead of 0/0 in the UDP 5060 firewall rule. Something
> like "Pass EXT->Local UDP 1.2.0.0/16 5060"
>
>
> Lonnie
>
>
> [1]
> https://doc.astlinux-project.org/userdoc:tt_firewall_plugins#sip-user-agent
>
>
>
>> On Apr 22, 2023, at 12:05 PM, Ionel Chila via Astlinux-users
>> <astlinux-users@lists.sourceforge.net> wrote:
>>
>> I had to open port 5060 to the internet for my brother's PAP2-NA to get in.
>> Initially I started getting a lot of brute force attacks but the
>> “adaptive-ban” plugins took care of it. Now I am getting a different type
>> of attacks? See logs below.
>>
>> I do have a firewall from UDMP-SE and this PBX is on a DMZ. I forward port
>> 5060 on my WAN to this PBX.
>>
>> Is it possible to create a rule and say only this “extension” can log in and
>> everything else drop? For instance the PAP2-NA extension is 505 for the
>> purpose of this exercise.
>>
>> Thanks in advance
>> Ionel
>>
>>
>> Apr 22 10:55:29 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on
>> transmission 1447810443-1891497107-14325089 for seqno 2 (Critical Response)
>> -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>> Packet timed out after 32000ms with no response
>> Apr 22 10:56:26 HOME-PBX local0.notice asterisk[1092]:
>> NOTICE[1285][C-00000027]: chan_sip.c:19672 in
>> send_check_user_failure_response: Failed to authenticate device
>> <sip:9998@192.168.0.15:5060>;tag=1922473623 for INVITE, code = -1
>> Apr 22 10:56:58 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on
>> transmission 1920380597-2112014333-1667702904 for seqno 2 (Critical
>> Response) -- See
>> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>> Packet timed out after 32000ms with no response
>> Apr 22 10:57:38 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4210 in retrans_pkt: Timeout on 1138283951-307500403-1980426376
>> on non-critical invite transaction.
>> Apr 22 10:57:55 HOME-PBX local0.notice asterisk[1092]:
>> NOTICE[1285][C-00000029]: chan_sip.c:19672 in
>> send_check_user_failure_response: Failed to authenticate device
>> <sip:9998@192.168.0.15:5060>;tag=739451700 for INVITE, code = -1
>> Apr 22 10:58:27 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on
>> transmission 76533194-1510649679-2136561043 for seqno 2 (Critical Response)
>> -- See
>> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>> Packet timed out after 32000ms with no response
>> Apr 22 11:02:56 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4210 in retrans_pkt: Timeout on 2133735229-376621693-426493952 on
>> non-critical invite transaction.
>> Apr 22 11:03:00 HOME-PBX local0.notice asterisk[1092]:
>> NOTICE[1285][C-0000002b]: chan_sip.c:19672 in
>> send_check_user_failure_response: Failed to authenticate device
>> <sip:8889@192.168.0.15:5060>;tag=595665381 for INVITE, code = -1
>> Apr 22 11:03:32 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on
>> transmission 1076661996-1742674713-465326551 for seqno 2 (Critical Response)
>> -- See
>> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>> Packet timed out after 32000ms with no response
>> Apr 22 11:04:30 HOME-PBX local0.notice asterisk[1092]:
>> NOTICE[1285][C-0000002c]: chan_sip.c:19672 in
>> send_check_user_failure_response: Failed to authenticate device
>> <sip:8889@192.168.0.15:5060>;tag=43636851 for INVITE, code = -1
>> Apr 22 11:05:02 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on
>> transmission 1728888031-387023100-315880286 for seqno 2 (Critical Response)
>> -- See
>> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>> Packet timed out after 32000ms with no response
>> Apr 22 11:05:59 HOME-PBX local0.notice asterisk[1092]:
>> NOTICE[1285][C-0000002d]: chan_sip.c:19672 in
>> send_check_user_failure_response: Failed to authenticate device
>> <sip:8889@192.168.0.15:5060>;tag=1367210315 for INVITE, code = -1
>> Apr 22 11:06:31 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on
>> transmission 2061695187-795614543-1485048389 for seqno 2 (Critical Response)
>> -- See
>> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>> Packet timed out after 32000ms with no response
>> Apr 22 11:07:27 HOME-PBX local0.notice asterisk[1092]:
>> NOTICE[1285][C-0000002e]: chan_sip.c:19672 in
>> send_check_user_failure_response: Failed to authenticate device
>> <sip:8889@192.168.0.15:5060>;tag=277172302 for INVITE, code = -1
>> Apr 22 11:07:59 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on
>> transmission 1019652159-463033238-1026431883 for seqno 2 (Critical Response)
>> -- See
>> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>> Packet timed out after 32000ms with no response
>> Apr 22 11:08:57 HOME-PBX local0.notice asterisk[1092]:
>> NOTICE[1285][C-0000002f]: chan_sip.c:19672 in
>> send_check_user_failure_response: Failed to authenticate device
>> <sip:8889@192.168.0.15:5060>;tag=1163877947 for INVITE, code = -1
>> Apr 22 11:09:29 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on
>> transmission 469319743-1015333260-1652986992 for seqno 2 (Critical Response)
>> -- See
>> https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
>> Packet timed out after 32000ms with no response
>> Apr 22 11:12:44 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]:
>> chan_sip.c:4210 in retrans_pkt: Timeout on 160522783-725134999-814499190 on
>> non-critical invite transaction.
>> Apr 22 11:13:27 HOME-PBX local0.notice asterisk[1092]: NOTICE[1285]:
>> chan_sip.c:30575 in sip_poke_noanswer: Peer '204' is now UNREACHABLE! Last
>> qualify: 48
>>
>> _______________________________________________
>> Astlinux-users mailing list
>> Astlinux-users@lists.sourceforge.net
>> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>>
>> Donations to support AstLinux are graciously accepted via PayPal to
>> pay...@krisk.org.
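
Added example, not part of the thread and not AstLinux code: a shell/awk tally of the "Failed to authenticate device" notices quoted above, grouped by hour and From user, for comparing the noise before and after narrowing the UDP 5060 rule. KNOWN_EXTS, the function names and the sample lines are assumptions constructed for illustration (505 is the extension named in the thread).

```shell
#!/bin/sh
# Added example (not AstLinux code). KNOWN_EXTS is an assumed, space-separated
# list of extensions you expect to see; 505 is the one named in the thread.
KNOWN_EXTS="${KNOWN_EXTS:-505}"

# stdin: syslog lines. stdout: "count month day hour user method known|unknown",
# busiest row first. Lines that are not failed-auth notices are ignored.
sip_auth_failures() {
  awk -v known="$KNOWN_EXTS" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) ok[k[i]] = 1 }
    /Failed to authenticate device/ {
      # Logged From URI: <sip:USER@HOST:PORT>;tag=... for METHOD, code = N
      if (!match($0, /sip:[^@>]+@/)) next
      user = substr($0, RSTART + 4, RLENGTH - 5)
      method = "?"
      if (match($0, / for [A-Z]+,/)) method = substr($0, RSTART + 5, RLENGTH - 6)
      hour = substr($3, 1, 2) ":00"        # $3 is the syslog HH:MM:SS field
      tag = (user in ok) ? "known" : "unknown"
      count[$1 " " $2 " " hour " " user " " method " " tag]++
    }
    END { for (key in count) print count[key], key }
  ' | sort -k1,1nr -k2
}

# Constructed sample, modelled on the log excerpt in the thread (tags invented).
sample_log() {
  cat <<'EOF'
Apr 22 10:56:26 HOME-PBX local0.notice asterisk[1092]: NOTICE[1285][C-00000027]: chan_sip.c:19672 in send_check_user_failure_response: Failed to authenticate device <sip:9998@192.168.0.15:5060>;tag=1111 for INVITE, code = -1
Apr 22 10:56:58 HOME-PBX local0.warn asterisk[1092]: WARNING[1285]: chan_sip.c:4151 in retrans_pkt: Retransmission timeout reached on transmission 1-2-3 for seqno 2 (Critical Response)
Apr 22 10:57:55 HOME-PBX local0.notice asterisk[1092]: NOTICE[1285][C-00000029]: chan_sip.c:19672 in send_check_user_failure_response: Failed to authenticate device <sip:9998@192.168.0.15:5060>;tag=2222 for INVITE, code = -1
Apr 22 11:03:00 HOME-PBX local0.notice asterisk[1092]: NOTICE[1285][C-0000002b]: chan_sip.c:19672 in send_check_user_failure_response: Failed to authenticate device <sip:8889@192.168.0.15:5060>;tag=3333 for INVITE, code = -1
Apr 22 11:04:30 HOME-PBX local0.notice asterisk[1092]: NOTICE[1285][C-0000002c]: chan_sip.c:19672 in send_check_user_failure_response: Failed to authenticate device <sip:8889@192.168.0.15:5060>;tag=4444 for INVITE, code = -1
Apr 22 11:05:59 HOME-PBX local0.notice asterisk[1092]: NOTICE[1285][C-0000002d]: chan_sip.c:19672 in send_check_user_failure_response: Failed to authenticate device <sip:8889@192.168.0.15:5060>;tag=5555 for INVITE, code = -1
Apr 22 11:20:00 HOME-PBX local0.notice asterisk[1092]: NOTICE[1285][C-00000030]: chan_sip.c:19672 in send_check_user_failure_response: Failed to authenticate device <sip:505@192.168.0.15:5060>;tag=6666 for INVITE, code = -1
EOF
}

# With a file argument, summarize that log; otherwise run on the sample.
if [ -n "${1:-}" ]; then sip_auth_failures < "$1"; else sample_log | sip_auth_failures; fi
```

Rows marked "known" are failures against an extension that really exists and deserve a closer look than the scanner guesses marked "unknown".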