One of Asterisk's dirty little secrets is that it does not show the source IP
when a device or hacker tries sending a call without registering. The
rejection message in the logs does not show the IP of the attacker. Yes, it
sucks; yes, it has been that way for many, many years.

-----Original Message-----
From: [email protected] 
[mailto:[email protected]] On Behalf Of Asghar Mohammad
Sent: Monday, August 19, 2013 2:05 PM
To: Ira; Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Am I being hacked?

he,
Some bad boys are trying to guess configured extensions.
In the sip config, in general, set alwaysauthreject = yes.
In the CLI, sip set debug on and watch the IP, and block it in the firewall, iptables.


On Mon, Aug 19, 2013 at 7:50 PM, Ira <[email protected]> wrote:


        Hello Steve,
        
        Sunday, August 18, 2013, 3:35:54 PM, you wrote:
        
        > On Sun, 18 Aug 2013, Ira wrote:
        
        >> [2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: 
        >>        Failed to authenticate device 390<sip:[email protected]>;tag=2762c06e
        >> 
        >> I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own
        >> IP.  How do I figure out where this attempt is coming from so I can
        >> block it.
        
        > Any chance '390' is a legitimate (but mis-configured or obsolete) device
        > on your network?
        
        > Is xx.xx.xxx.xxx a private or public address?
        
        > Can you 'wireshark' some packets and see if the OUI matches one of your
        > endpoints?
        
        390 is not, nor has it ever been an extension on my box. I've gotten
        the same message for numerous extensions, sometimes 100-200 inclusive,
        usually multiple times as if they are trying multiple passwords.  I'm
        sure that no one will ever guess an extension or password on my box
        that way so I'm not worried, I've blocked most of the IPs that my box
        doesn't use and it's been a long time since I've seen any outside
        attempts to register. But in the recent past I've been seeing these
        where I've no clue what IP to block as the entries,
        sip:[email protected], always contain an invalid extension and my
        cable modem's IP address.
        
        xx.xx.xxx.xxx is my public I.P.
        
        I searched Google and found no mention of my specific error.
        
        -- Ira 

        --
        _____________________________________________________________________
        -- Bandwidth and Colocation Provided by http://www.api-digital.com --
        New to Asterisk? Join us for a live introductory webinar every Thurs:
                       http://www.asterisk.org/hello
        
        asterisk-users mailing list
        To UNSUBSCRIBE or update options visit:
           http://lists.digium.com/mailman/listinfo/asterisk-users
        


