This has been discussed before. This is an attempt to use your system illegally.
Simply put, the outsider is sending an invite to port 5060 (because that's sip, essentially). They can use "unknown" or whatever CNAM they want, but they are not getting the call completed because sipx challenges them for credentials. They are likely supplying a list of usernames/passwords that are well known on asterisk or other systems (default account from different distributions), in an attempt to find an open system and provide access to it to make International calls. This is what is known as "toll fraud".

You have options:

- Rate limit the cps (connections per second) to port 5060 at your firewall.
- Block access to port 5060 from countries other than your providers/users in your firewall.
- Go to your firewall logs and determine where those connections are coming from and specifically block that network/ip.

This is a security issue. At this time sipx does protect itself because it sets up secure sip passwords by default and requires the caller to provide adequate credentials in a method that does not compromise this from the outside. You might find it more helpful to alleviate this in the future by seeing what can be done at your firewall to reduce these types of incidents. Sometimes they can overwhelm a system and actually bring services down if the requests are concentrated enough (ddos).

On Wed, Dec 28, 2011 at 11:02 PM, Chris Wiegand <[email protected]> wrote:

> I have a number of failed calls from “unknown” to a number that appears to
> be in the uk. 442032987203 is the only common part, they keep trying
> different prefixes/access codes. All failed, thankfully, but I’m not even
> sure where I can find this in the logs – the only evidence I have that this
> even occurred is in the call detail records in the web interface.
>
> We’re using the random passwords the system generates, so I feel it’s
> probably unlikely that someone magically brute-forced one of the passwords
> to one of our extensions. I tried grep’ing the /var/log/sipxecs folder but
> didn’t find any instances of this number – is there a log file that these
> calls should be in? If someone did register I want to find that record,
> re-do that extension’s password and install fail2ban to prevent future
> (non)incidents, but I can’t seem to find it anywhere outside of the web
> interface…
>
> MobileAccord.com<http://mobileaccord.com>
> For more information text *MA* to 50555.
>
> __________________________________________________________________
>
> Chris Wiegand | Network Administrator | Mobile Accord
> 2150 West 29th Avenue | Second Floor | Denver, Colorado 80211 USA
> t +1.303.531.5505 | m +1.720.244.1409 | f +1.303.531.5509
>
> _______________________________________________
> sipx-users mailing list
> [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users/

--
======================
Tony Graziano, Manager
Telephone: 434.984.8430
sip: [email protected]
Fax: 434.465.6833
Email: [email protected]

LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: [email protected]

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
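
An added example, not part of the original thread, of the firewall-log review suggested in the reply: it counts packets to port 5060 per source per minute from Linux netfilter-style LOG lines and collapses the noisy sources into /24 networks to block. The "SIP-IN: " log prefix, host name, threshold and all addresses (documentation ranges) are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_network

# Captures: timestamp truncated to the minute, source address, destination port.
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d):\d\d .*?\bSRC=(\S+) .*?\bDPT=(\d+)")

def _line(ts, src, dpt=5060):
    # Constructed sample line; prefix, host name and addresses are made up.
    return (f"Dec 28 {ts} fw kernel: SIP-IN: IN=eth0 OUT= SRC={src} "
            f"DST=192.0.2.10 PROTO=UDP SPT=5071 DPT={dpt}")

SAMPLE = (
    [_line(f"22:58:{s:02d}", "203.0.113.7") for s in range(0, 40, 2)]    # 20 in one minute
    + [_line(f"22:59:{s:02d}", "203.0.113.9") for s in range(0, 24, 2)]  # 12 in one minute
    + [_line("22:58:05", "198.51.100.20"), _line("23:10:41", "198.51.100.20")]  # normal phone
    + [_line("22:58:09", "203.0.113.7", dpt=22)]                         # other port, ignored
)

def per_minute(lines, port=5060):
    """Map each source IP to a Counter of {minute: packets logged to `port`}."""
    buckets = defaultdict(Counter)
    for line in lines:
        m = LINE.match(line)
        if m and int(m.group(3)) == port:
            buckets[m.group(2)][m.group(1)] += 1
    return buckets

def noisy_sources(lines, max_per_minute=10):
    """Return [(src, peak_per_minute, total)] for sources above the threshold, worst first."""
    flagged = [(src, max(c.values()), sum(c.values()))
               for src, c in per_minute(lines).items()
               if max(c.values()) > max_per_minute]
    return sorted(flagged, key=lambda row: row[1], reverse=True)

def block_candidates(flagged, prefix=24):
    """Collapse flagged IPv4 sources into networks suitable for a firewall block list."""
    nets = {ip_network(f"{src}/{prefix}", strict=False) for src, _, _ in flagged}
    return sorted(str(net) for net in nets)

if __name__ == "__main__":
    flagged = noisy_sources(SAMPLE)
    for src, peak, total in flagged:
        print(f"{src}: peak {peak}/min, {total} total")
    print("block:", ", ".join(block_candidates(flagged)))
```

The peak per-minute figures for legitimate phones and providers also give a baseline for choosing the rate limit on port 5060.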
