Hi Arsen,
Someone keeps sending INVITEs to my kamailio box with the From: and To: IPs set to the Kamailio box’s public IP.
I have fail2ban that tracks a log file and bans the IP when pike blocks a request 3 times.
However, the IP that pops up in the log file is the server’s own IP address and not the sender’s IP address.
So let’s say my kamailio box is at 1.2.3.4. I get the following in the log:
ALERT: <script>: Pike block INVITE from sip:7774@1.2.3.4 (IP 1.2.3.4:5080)
Which comes from this snippet from my kamailio.cfg:
if (!pike_check_req()) {
    xlog("L_ALERT", "Pike block $rm from $fu (IP $si:$sp)\n");
    exit;
}
This rogue INVITE is certainly not coming from my own server. Running tcpdump with header shows the IP of the culprit - 195.154.172.167.
That can also be seen in the Via: header below. I know I can block the sipcli UA, but I’m not comfortable with being unable to log the IP address of the sender in case they spoof the UA.
INVITE sip:+443331010095@1.2.3.4:5080 SIP/2.0
To: +443331010095<sip:+443331010095@1.2.3.4>
From: 7008<sip:7008@1.2.3.4>;tag=7650baf5
Via: SIP/2.0/UDP 195.154.172.167:5074;branch=z9hG4bK-79da852e8e37dc3f58a5f098a089d5b5;rport
Call-ID: 79da852e8e37dc3f58a5f098a089d5b5
CSeq: 1 INVITE
Contact: <sip:7008@195.154.172.167:5074>
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 286
So I cannot understand why does $si show 1.2.3.4 instead of the culprit’s IP address?
Hope this makes more sense!
Kind regards,
Iskren Hadzhinedev
On 29/09/17 13:38, Arsen wrote:
Hi Iskren,
What do you mean by 'true IP address'? The real IP address of a device which sends a request?
$si and $sp refer to the source IP address and port of the message; the "Via" header contains the IP address and port of the UA, and it could be different from $si, for example if the UA is behind a NAT device.
Arsen Semionov
On Fri, Sep 29, 2017 at 3:05 PM, Iskren Hadzhinedev <iskren.hadzhinedev@ikiji.com> wrote:
Hi list,
How can I reliably get the sender’s IP address?
$si and $sp are returning the server IP and Port.
I also tried using $Ri and $Rp but it yields the same results.
Inspecting the packet shows the sender’s true IP:Port pair in the Via: header, but the From: and To: contain the kamailio server’s public IP address.
Kind regards,
--
Iskren Hadzhinedev
_______________________________________________
Kamailio (SER) - Users Mailing List
sr-users@lists.kamailio.org
https://lists.kamailio.org/cgi-bin/mailman/listinfo/sr-users
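An added example, not part of the thread and not Kamailio or fail2ban code: the 3-strike counting described in the first message, run over pike log lines in the thread's xlog format, with a guard that refuses to ban the server's own address and counts those entries instead. The function names, the own_ips parameter and the 203.0.113.9 / 198.51.100.7 sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# xlog format from the thread: "Pike block $rm from $fu (IP $si:$sp)"
PIKE_RE = re.compile(
    r"Pike block (?P<method>\S+) from (?P<from_uri>\S+) "
    r"\(IP (?P<ip>[0-9a-fA-F.:]+):(?P<port>\d+)\)")
# Host of the topmost Via header; the sender writes this value itself.
VIA_RE = re.compile(r"^Via:\s*SIP/2\.0/\w+\s+(?P<host>[^;:\s]+)", re.M | re.I)

def ban_candidates(log_lines, own_ips, threshold=3):
    """Return (ips_to_ban, self_hits). own_ips is a hypothetical allowlist of
    the server's own addresses, playing the role of an ignore list."""
    own = {ipaddress.ip_address(ip) for ip in own_ips}
    hits, self_hits = Counter(), 0
    for line in log_lines:
        m = PIKE_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:
            continue  # unparsable address: skip rather than ban on bad data
        if ip in own:
            self_hits += 1  # logged source is the server itself: report, never ban
            continue
        hits[str(ip)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold), self_hits

def top_via_host(sip_message):
    """Host from the first Via header, or None. For comparison with the logged
    source only, since it is sender-controlled."""
    m = VIA_RE.search(sip_message)
    return m.group("host") if m else None

# Constructed sample input: the first entry is the log line from the thread,
# the 203.0.113.9 and 198.51.100.7 entries are made up (documentation ranges).
SAMPLE_LOG = (
    ["ALERT: <script>: Pike block INVITE from sip:7774@1.2.3.4 (IP 1.2.3.4:5080)"] * 3
    + ["ALERT: <script>: Pike block INVITE from sip:100@1.2.3.4 (IP 203.0.113.9:5074)"] * 3
    + ["ALERT: <script>: Pike block REGISTER from sip:200@1.2.3.4 (IP 198.51.100.7:5060)"]
)
# Constructed request fragment using the Via address from the thread.
SAMPLE_VIA = ("INVITE sip:+443331010095@1.2.3.4:5080 SIP/2.0\r\n"
              "Via: SIP/2.0/UDP 195.154.172.167:5074;branch=z9hG4bK-1;rport\r\n")

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG, ["1.2.3.4"]))
    print(top_via_host(SAMPLE_VIA))
```

A non-zero self_hits count is the symptom described in the thread: the log names the server itself as the source, so it is something to investigate rather than feed into a ban.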