Unusual SIP Request Security


Post by rjonnys » Fri Jan 17, 2014 11:13 pm

Hey Guys,

I opened my PBX to the net recently and I changed all the default passwords and all to ensure security. I did this in order to be able to make calls away from home on the internet since I travel at times.

These SIP requests seem to be random, and they try to connect to a bunch of different extensions and ports.

Example (I have changed my IP):
[Jan 18 00:01:31] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"604" <sip:604@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5069' - Wrong password
[Jan 18 00:01:42] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"213213" <sip:213213@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5074' - Wrong password
[Jan 18 00:02:48] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"203" <sip:203@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5066' - Wrong password
[Jan 18 00:03:21] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"605" <sip:605@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5071' - Wrong password
[Jan 18 00:04:30] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"7316" <sip:7316@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5127' - Wrong password
[Jan 18 00:04:33] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"7378" <sip:7378@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5084' - Wrong password
[Jan 18 00:04:37] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"9114" <sip:9114@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5089' - Wrong password
[Jan 18 00:05:10] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"300" <sip:300@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5066' - Wrong password
[Jan 18 00:05:24] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"702" <sip:702@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5102' - Wrong password
[Jan 18 00:05:41] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"601" <sip:601@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5084' - Wrong password
[Jan 18 00:05:50] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"400" <sip:400@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5096' - Wrong password
[Jan 18 00:06:15] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"8122" <sip:8122@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5116' - Wrong password
[Jan 18 00:06:21] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"8990" <sip:8990@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5072' - Wrong password
[Jan 18 00:06:43] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"8370" <sip:8370@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5105' - Wrong password
[Jan 18 00:06:58] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"104" <sip:104@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5092' - Wrong password
[Jan 18 00:07:02] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"202" <sip:202@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5063' - Wrong password
[Jan 18 00:07:05] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"7874" <sip:7874@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5092' - Wrong password
[Jan 18 00:08:46] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"7001" <sip:7001@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5064' - Wrong password
[Jan 18 00:09:08] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"402" <sip:402@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5085' - Wrong password
[Jan 18 00:09:08] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration from '"8184" <sip:8184@162.xxx.x.xxx:5060>' failed for '46.19.139.174:5066' - Wrong password


When I trace the IP address, it says the connection is coming from Switzerland.
Source: http://www.ip-adress.com/ip_tracer/46.19.139.174

And I'm in the States. I'm going to assume this isn't normal and is potentially a security issue, and I'm seeing if you can suggest ways to have Asterisk or maybe CentOS block that IP?
rjonnys
Newsterisk
 
Posts: 1
Joined: Fri Jan 17, 2014 11:07 pm

Re: Unusual SIP Request Security

Post by david55 » Sat Jan 18, 2014 3:44 am

Re-read and implement the seriously best practices document: http://svn.digium.com/svn/asterisk/trun ... ctices.txt (NB, if you are using FreePBX, this is the wrong board, and FreePBX violates at least one of the rules).

Many people use fail2ban to dynamically maintain blocking filters.

Switzerland is a strange country for attacks. Palestine is often quoted, but there are many countries with VoIP phone fraudsters. You will get attacked from many addresses.

iptables is the CentOS feature for implementing IP blocks.
david55
Moves Like Spencer
 
Posts: 12570
Joined: Fri Sep 26, 2008 5:03 am
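
An added example (not written by either poster, and not fail2ban's own code) of the per-source failure counting that a tool like fail2ban automates, run over constructed log lines in the format posted above. The `maxretry` and `findtime` thresholds, the assumed year, the helper names and all addresses (documentation ranges) are illustrative assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# chan_sip failed-registration notice, in the format shown in the first post.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: chan_sip\.c:\d+ "
    r"handle_request_register: Registration from '.*sip:(?P<ext>[^@>']+)@.*' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - Wrong password")

def parse_failure(line, year=2014):
    """Return (time, source_ip, extension) or None. The log has no year, so one is assumed."""
    m = FAILED_REG.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return when, m["ip"], m["ext"]

def offenders(lines, maxretry=5, findtime=600):
    """Map each source IP with >= maxretry failures inside findtime seconds to the extensions tried."""
    recent, tried, flagged = defaultdict(deque), defaultdict(set), set()
    for line in lines:
        hit = parse_failure(line)
        if hit is None:
            continue
        when, ip, ext = hit
        tried[ip].add(ext)        # the extension changes on every attempt,
        recent[ip].append(when)   # so count per source IP and ignore the source port
        while (when - recent[ip][0]).total_seconds() > findtime:
            recent[ip].popleft()
        if len(recent[ip]) >= maxretry:
            flagged.add(ip)
    return {ip: sorted(tried[ip]) for ip in sorted(flagged)}

def block_commands(ips):
    """iptables rules an administrator could review and apply for the flagged addresses."""
    return [f"iptables -I INPUT -s {ip} -j DROP" for ip in ips]

def _line(ts, ext, src):  # builds one constructed sample line
    return (f"[Jan 18 {ts}] NOTICE[13010]: chan_sip.c:28003 handle_request_register: Registration "
            f"from '\"{ext}\" <sip:{ext}@192.0.2.10:5060>' failed for '{src}' - Wrong password")

SAMPLE_LOG = [  # constructed: one scanner, one user mistyping a password, one unrelated line
    _line("00:01:31", "604", "203.0.113.50:5069"), _line("00:01:42", "213213", "203.0.113.50:5074"),
    _line("00:02:00", "101", "198.51.100.7:5060"), "[Jan 18 00:02:05] VERBOSE[13010]: unrelated line",
    _line("00:02:20", "101", "198.51.100.7:5060"), _line("00:02:48", "203", "203.0.113.50:5066"),
    _line("00:03:21", "605", "203.0.113.50:5071"), _line("00:04:30", "7316", "203.0.113.50:5127"),
]

if __name__ == "__main__":
    print("\n".join(block_commands(offenders(SAMPLE_LOG))))
```

Only the address that cycles through extensions is flagged; the two failures from the user's own address stay under the threshold, which is why the count is kept per source IP rather than per extension.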

