[SR-Users] Retrieve remote IP and port

Iskren Hadzhinedev iskren.hadzhinedev at ikiji.com
Fri Sep 29 16:50:16 CEST 2017 

Hi Arsen,
Someone keeps sending INVITEs to my kamailio box with the |From:| and 
|To:| IPs set to the Kamailio box’s public IP.
I have |fail2ban| that tracks a log file and bans the IP when pike 
blocks a request 3 times.
However, the IP that pops up in the log file is the server’s own IP 
address and not the sender’s IP address.
So let’s say my kamailio box is at 1.2.3.4. I get the following in the log:

|ALERT: <script>: Pike block INVITE from sip:7774 at 1.2.3.4 (IP 1.2.3.4:5080) |

Which comes from this snippet from my kamailio.cfg:

|if (!pike_check_req()) { xlog("L_ALERT","Pike block $rm from $fu (IP 
$si:$sp)\n"); exit; } |

This rogue INVITE is certainly not coming from my own server. Running 
tcpdump with header shows the IP of the culprit - |195.154.172.167|.
That can also be seen in the Via: header below. I know I can block the 
sipcli UA, but I’m not comfortable with being unable to log the IP 
address of the sender in case they spoof the UA.

|INVITE sip:+443331010095 at 1.2.3.4:5080 SIP/2.0 To: 
+443331010095<sip:+443331010095 at 1.2.3.4> From: 
7008<sip:7008 at 1.2.3.4>;tag=7650baf5 Via: SIP/2.0/UDP 
195.154.172.167:5074;branch=z9hG4bK-79da852e8e37dc3f58a5f098a089d5b5;rport 
Call-ID: 79da852e8e37dc3f58a5f098a089d5b5 CSeq: 1 INVITE Contact: 
<sip:7008 at 195.154.172.167:5074> Max-Forwards: 70 Allow: INVITE, ACK, 
CANCEL, BYE User-Agent: sipcli/v1.8 Content-Type: application/sdp 
Content-Length: 286 |

So I cannot understand why does $si show 1.2.3.4 instead of the 
culprit’s IP address?
Hope this makes more sense!

Kind regards,
Iskren Hadzhinedev

On 29/09/17 13:38, Arsen wrote:

> Hi Iskren,
>
> What do you mean by 'true IP address'? The real IP address of a device 
> which sends a request?
>
> $si and $sp reference to the source IP address and port of the 
> message, "Via" header contains IP address and port of UA and it could 
> be different from $si, for example if UA is behind NAT device.
>
>
>
> Arsen Semionov
>
> On Fri, Sep 29, 2017 at 3:05 PM, Iskren Hadzhinedev 
> <iskren.hadzhinedev at ikiji.com <mailto:iskren.hadzhinedev at ikiji.com>> 
> wrote:
>
>     Hi list,
>
>     How can I reliably get the sender’s IP address?
>     |$si| and |$sp| are returning the server IP and Port.
>     I also tried using |$Ri| and |$Rp| but it yields the same results.
>     Inspecting the packet shows the sender’s true IP:Port pair in the
>     |Via:| header,
>     but the |From:| and |To:| contain the kamailio server’s public IP
>     address.
>
>     Kind regards,
>
>>     -- 
>     /Iskren Hadzhinedev/
>
>     _______________________________________________
>     Kamailio (SER) - Users Mailing List
>     sr-users at lists.kamailio.org <mailto:sr-users at lists.kamailio.org>
>     https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
>     <https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users>
>
>
>
>
> _______________________________________________
> Kamailio (SER) - Users Mailing List
> sr-users at lists.kamailio.org
> https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users

​
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.kamailio.org/pipermail/sr-users/attachments/20170929/30cd42c3/attachment.html>

More information about the sr-users mailing list