My question is reciprocal to "How to find the actual address of spoofed IPs?"
On a coturn server I have a repeat offender who is able to initiate requests, and is invariably closed. That address is within a range designated denied-peer-ip, but it continues to appear.
My understanding is that it is the function and purpose of STUN/TURN servers to determine exactly the source IP of a request.
The IP at issue is arguably a bad actor.
I tried grepping all of /var/log/* for the IP and it only shows up in coturn.log.
I paged journalctl for the same timestamp ranges – nothing.
Where else can I look on my server for activity within the same times as coturn logged the intrusion?
Just curious – I doubt they’d spoof it the same way twice, but to answer how to find the address of spoofed IPs, apparently a STUN/TURN server does.