I am running Asterisk 16.9 on FreeBSD 12.1-RELEASE-p1.  I keep seeing
lines like this in my logs.

[Apr  1 13:30:33] NOTICE[101155][C-00004526] chan_sip.c: Call from ''
(45.143.220.235:5356) to extension '2037' rejected because extension not
found in context 'unauthenticated'.

I have a script that checks for things like this and adds them to my
packet filter (pf).  Everything seems to work up to a point.  The IP
address gets added to my AUTOBLOCK table.  The second rule, right after
the friends whitelist, blocks any IP in that table.  If I try to ping or
traceroute to it I can't get through.  I ran netstat -a and sockstat -c
and the IP address does not show up in the connections.  Every test
suggests that the system is doing exactly what I want it to do.

The weird thing is that the attempts don't stop.  That IP continues to
try different numbers.  There are two ways that I have found so far to
actually stop the attack.  One is to completely stop Asterisk and then
restart it.  Obviously not a good option on a production switch.

The other way is to null route the IP.  That stops it cold.  That's
better but it needs me to manually intervene.  However, it does make it
clear that the IP address is not being faked somehow.

I also tried doing "pfctl -k 45.143.220.235" but that says that no
connections were dropped.  It looks like pf is convinced that the
connection is gone.

So, can anyone suggest why the attack keeps happening?

-- 
D'Arcy J.M. Cain
Vybe Networks Inc.
A unit of Excelsior Solutions Corporation - Propelling Business Forward
http://www.VybeNetworks.com/
IM:da...@vybenetworks.com VoIP: sip:da...@vybenetworks.com
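
A sketch of the kind of log-to-pf script described in the message above, added here as an example; it is not the poster's script. It counts "extension not found" rejections per source address, skips a whitelist, and builds the pfctl commands that add the address to the AUTOBLOCK table and kill its states. The function names, the threshold and the whitelist parameter are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Quoted fields in this NOTICE come from the remote SIP request, so only the
# parenthesised source address is extracted, then validated before use.
REJECT_RE = re.compile(
    r"chan_sip\.c: Call from '.*?' \((?P<ip>[0-9A-Fa-f.:\[\]]+?):\d+\) "
    r"to extension '.*?' rejected because extension not found")

def offenders(lines, threshold=3, whitelist=()):
    """Return source IPs with at least `threshold` rejected calls."""
    allowed = [ipaddress.ip_network(n) for n in whitelist]
    hits = Counter()
    for line in lines:
        m = REJECT_RE.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip").strip("[]"))
        except ValueError:
            continue  # not a real address: never hand it to pfctl
        if any(ip in net for net in allowed):
            continue  # whitelisted peers are never auto-blocked
        hits[str(ip)] += 1
    return sorted(ip for ip, n in hits.items() if n >= threshold)

def pfctl_commands(ips, table="AUTOBLOCK"):
    """Build argv lists: add each IP to the pf table, then kill its states."""
    cmds = []
    for ip in ips:
        cmds.append(["pfctl", "-t", table, "-T", "add", ip])
        cmds.append(["pfctl", "-k", ip])
    return cmds

# Constructed sample log lines (documentation address ranges).
FMT = ("[Apr  1 13:30:{s:02d}] NOTICE[101155][C-0000452{s}] chan_sip.c: Call from '' "
       "({ip}:5356) to extension '{ext}' rejected because extension not "
       "found in context 'unauthenticated'.")
SAMPLE = [FMT.format(s=i, ip="203.0.113.7", ext=2037 + i) for i in range(3)]
SAMPLE += [FMT.format(s=i, ip="192.0.2.10", ext=100 + i) for i in range(3, 6)]
SAMPLE.append(FMT.format(s=6, ip="198.51.100.9", ext="2040"))
SAMPLE.append("[Apr  1 13:30:40] NOTICE[101155] chan_sip.c: Peer 'x' is now Reachable.")

if __name__ == "__main__":
    for argv in pfctl_commands(offenders(SAMPLE, whitelist=["192.0.2.0/24"])):
        print(" ".join(argv))  # printed only; run via subprocess as root to apply
```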
