Hi, What if some fail2ban magic could keep OpenSIPs response from hitting Asterisk after N attempts ?
Le mer. 28 oct. 2020 à 18:32, Kingsley Tart - Barritel Ltd < [email protected]> a écrit : > Hi, > > We're using Asterisk 13.17.0 with PJSIP 2.8 bundled. > > I've found an issue when Asterisk tries to make a SIP call out using > auth, but has the wrong credentials and keeps getting returned a SIP > 407, in this example to an OpenSIPs server requiring user auth. > > Basically this happens: > > 1. Asterisk sends plain INVITE to OpenSIPs > 2. OpenSIPs responds with SIP 407 auth required with a Proxy- > Authenticate header > 3. Asterisk re-sends INVITE to OpenSIPs with Proxy-Authorization > header, but has the wrong password > 4. goto step 2 and repeat forever > > So what we're seeing is Asterisk re-sending an INVITE with incorrect > auth (which is clearly never going to work), about every 2ms. > > The Call-ID remains the same all of the time. > > Shouldn't PJSIP realise that this isn't going to work after a few tries > and give up? > > The only way I've found of stopping the seemingly infinite loop is to > either restart Asterisk or temporarily block network traffic between > the two machines in order to break the cycle. > > Any idea whether this has been fixed in a later version? > > This is basically the response coming back from OpenSIPs (anonymised), > whether Asterisk didn't provide > > SIP/2.0 407 Proxy Authentication Required > Via: SIP/2.0/UDP 100.101.102.103:5060 > ;received=100.101.102.103;rport=5060;branch=z9hG4bKPja942e87d-c501-4834-9184-f002c3fd53d2 > From: <sip:[email protected] > >;tag=075f669f-9115-42a8-8c98-6170a2910e4b > To: <sip:[email protected] > >;tag=c97b4d1cb1f3d0da549e06a8d482ef63.fefa > Call-ID: f79caf90-5b95-4db7-966b-a42e2d372c90 > CSeq: 34157 INVITE > Proxy-Authenticate: Digest realm="sip.example.com", > nonce="5f96c21800011caac9f7e901848de60a1e186b402bd9b710", qop="auth" > Server: OpenSIPS (1.11.6-tls (x86_64/linux)) > Content-Length: 0 > > The caveat is that whether what OpenSIPs is doing is correct or broken, > our customers can edit the auth on their own SIP gateways, so our > system needs to be able to handle it properly. > > Cheers, > Kingsley. > > > -- > _____________________________________________________________________ > -- Bandwidth and Colocation Provided by http://www.api-digital.com -- > > Check out the new Asterisk community forum at: > https://community.asterisk.org/ > > New to Asterisk? Start here: > https://wiki.asterisk.org/wiki/display/AST/Getting+Started > > asterisk-users mailing list > To UNSUBSCRIBE or update options visit: > http://lists.digium.com/mailman/listinfo/asterisk-users
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- Check out the new Asterisk community forum at: https://community.asterisk.org/ New to Asterisk? Start here: https://wiki.asterisk.org/wiki/display/AST/Getting+Started asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
