[asterisk-users] Am I being hacked?

Eric Wieling EWieling at nyigc.com
Mon Aug 19 13:10:10 CDT 2013


One of Asterisk's dirty little secrets is that it does not show the source IP when a device or hacker tries sending a call without registering.  The rejection message in the logs does not show the IP of the attacker.   Yes it sucks, yes it has been that way for many, many years.

-----Original Message-----
From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Asghar Mohammad
Sent: Monday, August 19, 2013 2:05 PM
To: Ira; Asterisk Users Mailing List - Non-Commercial Discussion
Subject: Re: [asterisk-users] Am I being hacked?

Hi,
Some bad boys are trying to guess configured extensions.
In sip config, in general, set alwaysauthreject = yes.
In the CLI, run sip set debug on, watch the IP, and block it in the firewall (iptables).


On Mon, Aug 19, 2013 at 7:50 PM, Ira <ira at extrasensory.com> wrote:


	Hello Steve,
	
	Sunday, August 18, 2013, 3:35:54 PM, you wrote:
	
	> On Sun, 18 Aug 2013, Ira wrote:
	
	>> [2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=2762c06e
	>> 
	>> I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own 
	>> IP.  How do I figure out where this attempt is coming from so I can 
	>> block it?
	
	> Any chance '390' is a legitimate (but mis-configured or obsolete) device
	> on your network?
	
	> Is xx.xx.xxx.xxx a private or public address?
	
	> Can you 'wireshark' some packets and see if the OUI matches one of your
	> endpoints?
	
	390 is not, nor has it ever been, an extension on my box. I've gotten the same message for numerous extensions, sometimes 100-200 inclusive, usually multiple times, as if they are trying multiple passwords.  I'm sure that no one will ever guess an extension or password on my box that way, so I'm not worried; I've blocked most of the IPs that my box doesn't use and it's been a long time since I've seen any outside attempts to register. But in the recent past I've been seeing these where I've no clue what IP to block, as the entries, sip:390 at xx.xx.xxx.xxx, always contain an invalid extension and my cable modem's IP address.
	
	xx.xx.xxx.xxx is my public IP.
	
	I searched Google and found no mention of my specific error.
	
	-- Ira 
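The thread's problem is that the "Failed to authenticate device" NOTICE carries the box's own address in the SIP URI and no source IP, so per-IP blocking has nothing to key on. The following is an added example, not code from the thread or from the Asterisk project: a small log scanner that parses that NOTICE form plus the "Registration from ... failed for 'ip:port'" form that does carry a source, groups failures per source (or "unknown" when the line omits it), and flags bursts and consecutive-extension sweeps like the 100-200 run Ira describes. The sample log lines are constructed and modelled on the one quoted above; the "Registration from" line and the 203.0.113.7 address are assumed examples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines modelled on the NOTICE quoted in the thread.
# Lines 1-3 carry no source address (the gap Eric describes); line 4 uses
# the "Registration from ... failed for 'ip:port'" form, which does.
SAMPLE_LOG = """\
[2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390@xx.xx.xxx.xxx>;tag=2762c06e
[2013-08-18 05:56:30] NOTICE[17089][C-000000a9] chan_sip.c: Failed to authenticate device 391<sip:391@xx.xx.xxx.xxx>;tag=11aa22bb
[2013-08-18 05:56:31] NOTICE[17089][C-000000aa] chan_sip.c: Failed to authenticate device 392<sip:392@xx.xx.xxx.xxx>;tag=33cc44dd
[2013-08-18 05:57:02] NOTICE[17089] chan_sip.c: Registration from '"201" <sip:201@xx.xx.xxx.xxx>' failed for '203.0.113.7:5060' - Wrong password
"""

FAILED_AUTH = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\S* chan_sip\.c: "
    r"(?:Failed to authenticate device (?P<ext1>[^<\s]+)<sip:[^@>]+@(?P<host1>[^>;]+)>"
    r"|Registration from '[^']*<sip:(?P<ext2>[^@>]+)@(?P<host2>[^>]+)>'"
    r" failed for '(?P<src>[^:']+)(?::\d+)?')"
)

def parse_failure(line):
    """Return a dict for an auth-failure line, or None. 'src' is None when
    the log line does not carry the peer's address."""
    m = FAILED_AUTH.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "ext": m.group("ext1") or m.group("ext2"),
            "host": m.group("host1") or m.group("host2"),
            "src": m.group("src")}

def summarize(log_text, window_seconds=60, threshold=3):
    """Group failures by source ('unknown' when absent) and flag a burst of
    >= threshold failures inside window_seconds and any run of consecutive
    numeric extensions (the enumeration pattern seen in the thread)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_failure(line)
        if ev:
            by_src[ev["src"] or "unknown"].append(ev)
    report = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        exts = [e["ext"] for e in evs]
        burst = any((evs[i + threshold - 1]["ts"] - evs[i]["ts"]).total_seconds()
                    <= window_seconds for i in range(len(evs) - threshold + 1))
        nums = sorted({int(x) for x in exts if x.isdigit()})
        sweep = any(nums[i + 1] - nums[i] == 1 for i in range(len(nums) - 1))
        # Only a known source can be fed to a firewall rule; 'unknown' entries
        # need packet capture (tcpdump/wireshark) to recover the address.
        report[src] = {"attempts": len(evs), "extensions": exts, "burst": burst,
                       "sweep": sweep, "blockable": src != "unknown"}
    return report
```

Entries under "unknown" are exactly the cases the thread complains about: the sweep and burst flags still tell you an enumeration is under way, but the address has to come from a capture on the SIP port rather than from the log.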
