Identify interferes fail2ban

I have PJSIP endpoints, which are identified by ip address for incoming calls, and appropriate identify-records exists in pjsip.conf

I have further PJSIP endpoints, which have public, volatile IP addresses, which are identified by username/password, and appropriate records exist in database.

When an INVITE comes from an unknown IP address, asterisk / pjsip behaves as follows:

  • INVITE is received, parsed, …
  • Warning “INVITE from … failed … No matching endpoint found” is created and logged
  • Response “SIP/2.0 401 Unauthorized” is sent
  • client sends new INVITE with credentials
  • asterisk / pjsip checks username / password.
  • call is setup as desired.

Unfortunately, asterisk is logging the warning, before it checks username / password.
=> fail2ban will soon block, though the endpoint is well known and using correct username / password.

Any Ideas as solution for my problem? Hope anyone can help.

If you are asking here, you have fully configured fail2ban yourself. Without that configuration, it is difficult to know what to change.

However, if the client doesn’t include the user name in the From header, you are going to get the warning and you are going to need to compensate on the fail2ban side.

Why don’t you identify just by username? Authentication will be requested in any way and you will not have these messages in the log.

I use “username,ip” for endpoint_identifier_order. In pjsip.conf and don’t have any log messages like you have.

I think your From user contains the name, but the OP’s doesn’t, and he has to identify by auth_username, not username.

The OP should probably look at the second note under Asterisk 13 Configuration_res_pjsip - Asterisk Project - Asterisk Project Wiki which seems to discuss their problem.

Ah, thank you. I didn’t think about that. Indeed I am using the username in the from header.

Hi i have use fail2ban Script from asterisk thats directly for fail2ban without changes.
use this: fail2ban/asterisk.conf at master · fail2ban/fail2ban · GitHub

Hi this error is only, if a customer send a outgoing call to external sip provider over asterisk. Well 1st asterisk check ip adress of customer and send error message and than asterisk make auth check with username / password (what i use for customers). For external sip provider i do onyl use ip auth, well provider need it. Can i solve it in asterisk or do i must remove command mathcing point out of line 33 mandatory? For me it was better, if i have a solution without change fail2ban lines. Config directly in Asterisk was better. Hope you have ideas…

Any ideas, to fix over asterisk? regards

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.