non-critical invite transaction

[gofer_k]

После перехода с 1.8 на 12.8 постоянно наблюдаю в CLI вот такое

Код: Выделить всё

[2015-02-28 23:48:27] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 645ebe9e0c5aec1c8192a78ed91d6ae2 on non-critical invite transaction.
[2015-02-28 23:48:39] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on e9f6ace581f69a0fd7cea38a8d7198bb on non-critical invite transaction.
[2015-02-28 23:52:28] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 119b6fd3b1365a0b3ae2a98e72592fee on non-critical invite transaction.
[2015-02-28 23:56:02] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 9bde65f7bf969a0aabdee26e1f810777 on non-critical invite transaction.
[2015-02-28 23:57:49] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 1afd37414ed8d662bd679acea6573286 on non-critical invite transaction.
[2015-02-28 23:59:07] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 540586cfd946039b96bcba9f2d31370a on non-critical invite transaction.
[2015-03-01 00:03:34] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 9a306f04b8881fa8909444c70ac45953 on non-critical invite transaction.
[2015-03-01 00:06:17] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 2f9a1b88f33305e81b3184f4d9140b7f on non-critical invite transaction.
[2015-03-01 00:07:00] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 3c0ac9d37e42702cd8f82b12e0f5b8cd on non-critical invite transaction.
[2015-03-01 00:07:10] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on f42b974f5d12f28d38307117489d51e9 on non-critical invite transaction.
[2015-03-01 00:11:07] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 9c51beb8b602587c24a906b8bc863664 on non-critical invite transaction.

Что за хрень думаю я.
Еще поняблюдав немного при появлении опять это говна даю команду sip show channels

Код: Выделить всё

[2015-03-01 00:33:44] WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 08518c5e4e06e1ab4e20b0117623c445 on non-critical invite transaction.
srv01*CLI> sip show channels
Peer             User/ANR         Call ID          Format           Hold     Last Message    Expiry     Peer
188.232.55.239   (None)           528830506@192_1  (nothing)        No       Rx: REGISTER               <guest>
155.94.64.26     1011             08518c5e4e06e1a  (nothing)        No       Rx: INVITE                 <guest>
192.168.8.91     (None)           1961275095@192_  (nothing)        No       Rx: REGISTER               <guest>
217.65.221.191   (None)           75e5913439f7adf  (nothing)        No       Rx: REGISTER               <guest>
85.26.165.217    (None)           F4URgHWEZjfEPqc  (nothing)        No       Rx: REGISTER               <guest>
192.168.8.91     (None)           3831102645@192_  (nothing)        No       Rx: REGISTER               <guest>
178.33.111.207   3300             0c3765905dd33b4  (nothing)        No       Rx: INVITE                 <guest>
192.168.8.95     (None)           1386976747@192_  (nothing)        No       Rx: REGISTER               <guest>

и что я вижу что эта хрень
WARNING[579]: chan_sip.c:4165 retrans_pkt: Timeout on 08518c5e4e06e1ab4e20b0117623c445 on non-critical invite transaction.
возникает вот от куда
155.94.64.26 1011 08518c5e4e06e1a (nothing) No Rx: INVITE <guest>

какой то нехороший человек с ip 155.94.64.26 пуляет мне INVITE от юзера 1011.
Я так понимаю?
Короче как с этим бороться.
Где сказать не принимать INVITE от неавторизованных юзеров?

[zzuz]

Код: Выделить всё

sip.conf
[general]
alwaysauthreject=yes
allowguest=no

[gofer_k]

Дык включено, превым делом при установке включаю данные опции.

[zzuz]

На словах не верю.

[gofer_k]

Код: Выделить всё

srv01*CLI> sip show settings


Global Settings:
----------------
  UDP Bindaddress:        0.0.0.0:5060
  TCP SIP Bindaddress:    0.0.0.0:5060
  TLS SIP Bindaddress:    Disabled
  Videosupport:           Yes
  Textsupport:            No
  Ignore SDP sess. ver.:  No
  AutoCreate Peer:        Off
  Match Auth Username:    No
  Allow unknown access:   No
  Allow subscriptions:    Yes
  Allow overlap dialing:  No
  Allow promisc. redir:   No
  Enable call counters:   No
  SIP domain support:     No
  Path support :          No
  Realm. auth:            No
  Our auth realm          asterisk
  Use domains as realms:  No
  Call to non-local dom.: Yes
  URI user is phone no:   No
  Always auth rejects:    Yes
  Direct RTP setup:       No
  User Agent:             Asterisk PBX 12.8.1
  SDP Session Name:       Asterisk PBX 12.8.1
  SDP Owner Name:         root
  Reg. context:           (not set)
  Regexten on Qualify:    No
  Trust RPID:             No
  Send RPID:              No
  Legacy userfield parse: No
  Send Diversion:         Yes
  Caller ID:              asterisk
  From: Domain:
  Record SIP history:     Off
  Auth. Failure Events:   Off
  T.38 support:           No
  T.38 EC mode:           Unknown
  T.38 MaxDtgrm:          4294967295
  SIP realtime:           Disabled
  Qualify Freq :          60000 ms
  Q.850 Reason header:    No
  Store SIP_CAUSE:        No

Network QoS Settings:
---------------------------
  IP ToS SIP:             CS0
  IP ToS RTP audio:       CS0
  IP ToS RTP video:       CS0
  IP ToS RTP text:        CS0
  802.1p CoS SIP:         4
  802.1p CoS RTP audio:   5
  802.1p CoS RTP video:   6
  802.1p CoS RTP text:    5
  Jitterbuffer enabled:   No

Network Settings:
---------------------------
  SIP address remapping:  Enabled using externaddr
  Externhost:             <none>
  Externaddr:             XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
  Externrefresh:          10
  Localnet:               192.168.10.0/255.255.255.0
                          192.168.8.0/255.255.255.0

Global Signalling Settings:
---------------------------
  Codecs:                 (ulaw|alaw)
  Codec Order:            alaw:20,ulaw:20
  Relax DTMF:             No
  RFC2833 Compensation:   No
  Symmetric RTP:          No
  Compact SIP headers:    No
  RTP Keepalive:          0 (Disabled)
  RTP Timeout:            0 (Disabled)
  RTP Hold Timeout:       0 (Disabled)
  MWI NOTIFY mime type:   application/simple-message-summary
  DNS SRV lookup:         Yes
  Pedantic SIP support:   Yes
  Reg. min duration       60 secs
  Reg. max duration:      36000 secs
  Reg. default duration:  36000 secs
  Sub. min duration       60 secs
  Sub. max duration:      36000 secs
  Outbound reg. timeout:  20 secs
  Outbound reg. attempts: 0
  Outbound reg. retry 403:0
  Notify ringing state:   Yes
    Include CID:          No
  Notify hold state:      No
  SIP Transfer mode:      open
  Max Call Bitrate:       384 kbps
  Auto-Framing:           No
  Outb. proxy:            <not set>
  Session Timers:         Accept
  Session Refresher:      uas
  Session Expires:        1800 secs
  Session Min-SE:         90 secs
  Timer T1:               500
  Timer T1 minimum:       100
  Timer B:                32000
  No premature media:     Yes
  Max forwards:           70

Default Settings:
-----------------
  Allowed transports:     UDP,WS,WSS
  Outbound transport:     UDP
  Context:                fuckOFF
  Record on feature:      automon
  Record off feature:     automon
  Force rport:            Auto (No)
  DTMF:                   auto
  Qualify:                0
  Keepalive:              0
  Use ClientCode:         No
  Progress inband:        Never
  Language:               ru
  Tone zone:              <Not set>
  MOH Interpret:          default
  MOH Suggest:
  Voice Mail Extension:   asterisk

[zzuz]

Вот теперь другое дело. Нужно смотреть полную сессию. Думаю нет ничего страшного, так как скорее всего сервер отбивает такие инвайты.

[gofer_k]

Код: Выделить всё

<------------->
--- (8 headers 0 lines) ---
Really destroying SIP dialog '3a3f95a10cf1889521f4259b25ac1771@192.168.8.13:5060' Method: NOTIFY
Retransmitting #9 (no NAT) to 173.208.168.34:5071:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 173.208.168.34:5071;branch=z9hG4bK-012dcf54d4ddd5ea06033eb4ead0eefa;received=173.208.168.34;rport=5071
From: 2005<sip:2005@XX.XX.XX.XX>;tag=77ac64a3
To: 000648587357770<sip:000648587357770@XX.XX.XX.XX>;tag=as232c8eb4
Call-ID: 012dcf54d4ddd5ea06033eb4ead0eefa
CSeq: 1 INVITE
Server: Asterisk PBX 12.8.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="2d8c3327"
Content-Length: 0


---
Retransmitting #10 (no NAT) to 23.94.191.235:5071:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 23.94.191.235:5071;branch=z9hG4bK-072ab58354d423072b4f3153357fa206;received=23.94.191.235;rport=5071
From: 5566<sip:5566@XX.XX.XX.XX>;tag=f74edcde
To: 666770970595078958<sip:666770970595078958@XX.XX.XX.XX>;tag=as61ab79e4
Call-ID: 072ab58354d423072b4f3153357fa206
CSeq: 1 INVITE
Server: Asterisk PBX 12.8.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="1d5ca912"
Content-Length: 0


---

<--- SIP read from UDP:188.232.55.239:5060 --->


<------------->
[2015-03-02 01:46:52] WARNING[17736]: chan_sip.c:4103 retrans_pkt: Retransmission timeout reached on transmission 072ab58354d423072b4f3153357fa206 for seqno 1 (Non-critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2015-03-02 01:46:52] WARNING[17736]: chan_sip.c:4165 retrans_pkt: Timeout on 072ab58354d423072b4f3153357fa206 on non-critical invite transaction.

Ну вот ломится какойто хрен со своим инвайтом.
Как это запретить?

[zzuz]

А где сам INVITE то?

[ded]

У вас в логе 10-я попытка Астериска ответить на INVITE -

Retransmitting #10 (no NAT) to 23.94.191.235:5071:
SIP/2.0 401 Unauthorized

Закройтесь "белым листом" если напрягает.

[DarkNight]

создаем файлик с правами на запуск

Код: Выделить всё

#!/bin/bash
for IP in $(asterisk -rx "sip show channels" | grep "INVITE" | grep "<guest>" | awk '{print $1}' | sort -n | uniq -c | awk '{print $2}')
do
 iptables -A INPUT -s $IP -m string --string 'INVITE' --algo bm -j DROP
echo $IP banned
done

и кидаем его в крон каждую минуту! )

Код: Выделить всё

crontab -e

Код: Выделить всё

*/1 * * * * /bin/bash /root/bansip > /dev/null

и ВУАЛЯ! списочек сам пополняется таких УМНИКОВ ХАЦКЕРОВ! ))