[asterisk-users] Am I being hacked?

Asghar Mohammad asghar144 at gmail.com
Mon Aug 19 13:05:14 CDT 2013


Hi,
Some bad boys are trying to guess configured extensions.
In sip config, in general, set alwaysauthreject = yes.
In the CLI, run sip set debug on, watch for the IP and block it in the firewall (iptables).


On Mon, Aug 19, 2013 at 7:50 PM, Ira <ira at extrasensory.com> wrote:

>  Hello Steve,
>
> Sunday, August 18, 2013, 3:35:54 PM, you wrote:
>
> > On Sun, 18 Aug 2013, Ira wrote:
>
> >> [2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c:
> >>        Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=2762c06e
> >>
> >> I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own
> >> IP.  How do I figure out where this attempt is coming from so I can
> >> block it.
>
> > Any chance '390' is a legitimate (but mis-configured or obsolete) device
> > on your network?
>
> > Is xx.xx.xxx.xxx a private or public address?
>
> > Can you 'wireshark' some packets and see if the OUI matches one of your
> > endpoints?
>
> 390 is not, nor has it ever been an extension on my box. I've gotten the
> same message for numerous extensions, sometimes 100-200 inclusive, usually
> multiple times as if they are trying multiple passwords.  I'm sure that no
> one will ever guess an extension or password on my box that way so I'm not
> worried, I've blocked most of the IPs that my box doesn't use and it's been
> a long time since I've seen any outside attempts to register. But in the
> recent past I've been seeing these where I've no clue what IP to block as
> the entries, sip:390 at xx.xx.xxx.xxx, always contain an invalid extension
> and my cable modem's IP address.
>
> xx.xx.xxx.xxx is my public I.P.
>
> I searched Google and found no mention of my specific error.
>
> -- Ira
>
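The NOTICE line quoted above repeats the SIP From header, which the sender fills in, so it shows the PBX's own address; the real source is in the per-packet header that `sip set debug on` prints. The following is an added example, not code from the thread or from the Asterisk project: it reads such console output and lists source addresses that tried several extensions. The debug header layout, the function names and all sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed console capture in the style of chan_sip "sip set debug on".
# All addresses are documentation ranges; 192.0.2.10 stands in for the
# PBX's own public IP, which is what the NOTICE line shows.
SAMPLE_DEBUG = """\
<--- SIP read from UDP:203.0.113.7:5071 --->
INVITE sip:900@192.0.2.10 SIP/2.0
From: 390<sip:390@192.0.2.10>;tag=2762c06e

<--- Transmitting (no NAT) to 203.0.113.7:5071 --->
SIP/2.0 401 Unauthorized
From: 390<sip:390@192.0.2.10>;tag=2762c06e

<--- SIP read from UDP:203.0.113.7:5071 --->
INVITE sip:900@192.0.2.10 SIP/2.0
From: 391<sip:391@192.0.2.10>;tag=11aa22bb

<--- SIP read from UDP:198.51.100.20:5060 --->
REGISTER sip:192.0.2.10 SIP/2.0
From: "101" <sip:101@192.0.2.10>;tag=77cc

<--- SIP read from UDP:203.0.113.7:5071 --->
INVITE sip:900@192.0.2.10 SIP/2.0
From: 392<sip:392@192.0.2.10>;tag=33dd44ee
"""

READ_HDR = re.compile(r"^<--- SIP read from \w+:(\S+):\d+ --->")
FROM_HDR = re.compile(r"^From:.*?sips?:([^@>;\s]+)@", re.I)

def probes_by_source(debug_text):
    """Map each packet's real source address to the From users it sent."""
    seen, src = defaultdict(set), None
    for line in debug_text.splitlines():
        if line.startswith("<---"):
            # Only inbound packets set a source; transmitted ones clear it.
            m = READ_HDR.match(line)
            src = m.group(1) if m else None
        elif src and (m := FROM_HDR.match(line)):
            seen[src].add(m.group(1))
    return dict(seen)

def suspects(debug_text, known_hosts=(), min_users=3):
    """Sources not in known_hosts that tried at least min_users users."""
    return sorted(ip for ip, users in probes_by_source(debug_text).items()
                  if ip not in known_hosts and len(users) >= min_users)

if __name__ == "__main__":
    for ip in suspects(SAMPLE_DEBUG):
        print(ip, sorted(probes_by_source(SAMPLE_DEBUG)[ip]))
```

The addresses it returns are the candidates for the iptables block mentioned in the reply; pass your own phones' addresses as `known_hosts` so they are never listed.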

