Hi Arsen,
Someone keeps sending INVITEs to my kamailio box with the |From:| and |To:| IPs set to the Kamailio box’s public IP. I have |fail2ban| that tracks a log file and bans the IP when pike blocks a request 3 times. However, the IP that pops up in the log file is the server’s own IP address and not the sender’s IP address.
So let’s say my kamailio box is at 1.2.3.4. I get the following in the log:

    ALERT: <script>: Pike block INVITE from sip:[email protected] (IP 1.2.3.4:5080)

Which comes from this snippet from my kamailio.cfg:

    if (!pike_check_req()) {
        xlog("L_ALERT","Pike block $rm from $fu (IP $si:$sp)\n");
        exit;
    }

This rogue INVITE is certainly not coming from my own server. Running tcpdump with header shows the IP of the culprit - |195.154.172.167|. That can also be seen in the Via: header below. I know I can block the sipcli UA, but I’m not comfortable with being unable to log the IP address of the sender in case they spoof the UA.

    INVITE sip:[email protected]:5080 SIP/2.0
    To: +443331010095<sip:[email protected]>
    From: 7008<sip:[email protected]>;tag=7650baf5
    Via: SIP/2.0/UDP 195.154.172.167:5074;branch=z9hG4bK-79da852e8e37dc3f58a5f098a089d5b5;rport
    Call-ID: 79da852e8e37dc3f58a5f098a089d5b5
    CSeq: 1 INVITE
    Contact: <sip:[email protected]:5074>
    Max-Forwards: 70
    Allow: INVITE, ACK, CANCEL, BYE
    User-Agent: sipcli/v1.8
    Content-Type: application/sdp
    Content-Length: 286

So I cannot understand why $si shows 1.2.3.4 instead of the culprit’s IP address.
Hope this makes more sense!

Kind regards,
Iskren Hadzhinedev

On 29/09/17 13:38, Arsen wrote:

Hi Iskren,

What do you mean by 'true IP address'? The real IP address of a device which sends a request?

$si and $sp refer to the source IP address and port of the message. The "Via" header contains the IP address and port of the UA, and it could be different from $si, for example if the UA is behind a NAT device.



Arsen Semionov

On Fri, Sep 29, 2017 at 3:05 PM, Iskren Hadzhinedev <[email protected]> wrote:

    Hi list,

    How can I reliably get the sender’s IP address?
    |$si| and |$sp| are returning the server IP and Port.
    I also tried using |$Ri| and |$Rp| but it yields the same results.
    Inspecting the packet shows the sender’s true IP:Port pair in the
    |Via:| header,
    but the |From:| and |To:| contain the kamailio server’s public IP
    address.

    Kind regards,

    -- Iskren Hadzhinedev

    _______________________________________________
    Kamailio (SER) - Users Mailing List
    [email protected]
    https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
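
An added example, not part of the thread and not Kamailio code: a Python triage helper that takes the packet's transport source address (what Arsen's reply says $si refers to) together with the raw SIP text, compares it with the Via, From and To hosts, and refuses to name the server's own address as a ban candidate. The function names, flag strings and the sample message with its documentation-range addresses are constructed for illustration.

```python
import re

# Constructed sample modelled on the INVITE in the thread. Addresses are
# documentation-range placeholders: server 192.0.2.10, sender 198.51.100.7.
SAMPLE = (
    "INVITE sip:900@192.0.2.10:5080 SIP/2.0\r\n"
    "To: +100<sip:900@192.0.2.10>\r\n"
    "From: 7008<sip:7008@192.0.2.10>;tag=7650baf5\r\n"
    "Via: SIP/2.0/UDP 198.51.100.7:5074;branch=z9hG4bK-1;rport\r\n"
    "CSeq: 1 INVITE\r\n"
    "User-Agent: sipcli/v1.8\r\n"
    "Content-Length: 0\r\n\r\n"
)
COMPACT = {"v": "via", "f": "from", "t": "to"}  # RFC 3261 compact header names

def headers(msg):
    """Map lowercased header name -> list of values (request line skipped)."""
    out = {}
    for line in msg.split("\r\n\r\n", 1)[0].split("\r\n")[1:]:
        name, _, value = line.partition(":")
        name = name.strip().lower()
        out.setdefault(COMPACT.get(name, name), []).append(value.strip())
    return out

def uri_host(value):
    """Host of the first sip:/sips: URI in a From or To header value."""
    m = re.search(r"sips?:(?:[^@>;\s]*@)?(\[[^\]]+\]|[^:;>\s]+)", value)
    return m.group(1) if m else None

def via_sent_by(value):
    """Host of sent-by in the topmost Via ('SIP/2.0/UDP host:port;params')."""
    m = re.match(r"SIP/2\.0/\w+\s+(\[[^\]]+\]|[^:;,\s]+)", value)
    return m.group(1) if m else None

def triage(msg, packet_src, own_ips):
    """Compare what the message claims with where the packet came from."""
    h = headers(msg)
    via = via_sent_by(h.get("via", [""])[0])
    claimed = {uri_host(h.get(k, [""])[0]) for k in ("from", "to")}
    flags = []
    if claimed & set(own_ips):
        flags.append("from-or-to-host-is-own-ip")
    if via != packet_src:
        flags.append("via-differs-from-source")  # NAT, or a forged Via
    if packet_src in own_ips:
        flags.append("source-is-own-ip")  # never hand this to a ban list
    ban = None if packet_src in own_ips else packet_src
    return {"ban": ban, "via": via, "flags": flags}
```

The Via, From and To values are all written by the sender, so only `packet_src` is used as the ban candidate; the header hosts serve as flags for review.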