ip spoofing – How to find a presumably spoofed IP

My question is reciprocal to "How to find the actual address of spoofed IPs?"

On a coturn server I have a repeat offender who is able to initiate requests, and is invariably closed. That address is within a range designated denied-peer-ip, but it continues to appear.

My understanding is that it is the function and purpose of STUN/TURN servers to determine exactly the source IP of a request.

The IP at issue is arguably a bad actor.

I tried grepping all of /var/log/* for the IP and it only shows up in coturn.log.
I paged journalctl for the same timestamp ranges – nothing.

Where else can I look on my server for activity within the same times as coturn logged the intrusion?

Just curious – I doubt they’d spoof it the same way twice, but to answer how to find the address of spoofed IPs, apparently a STUN/TURN server does.