[asterisk-users] Failed to authenticate user 1000<sip:1000 at MY_OWN_IP_ADDRESS>; tag=03f82bb9

gincantalupo gincantalupo at fgasoftware.com
Wed Oct 2 10:14:44 CDT 2013 

Hi Asghar,

surely this can improve security but what I'm looking for is something 
to find the real attacker IP address and ban it. Fail2ban bans my own 
public ip address.

Thank you

Giorgio


On 10/01/2013 05:53 PM, Asghar Mohammad wrote:
> Hi,
> Bad boys trying to guess a valid username.
> in sip.conf uncomment  alwaysauthreject=yes and Asterisk always reject 
> 1st invite.
>
>
> On Tue, Oct 1, 2013 at 5:26 PM, Gareth Blades 
> <mailinglist+asterisk at dns99.co.uk 
> <mailto:mailinglist+asterisk at dns99.co.uk>> wrote:
>
>     On 01/10/13 15:44, gincantalupo wrote:
>>     On Tue, Oct 1, 2013 at 5:07 AM, gincantalupo
>>     <gincantalupo at fgasoftware.com
>>     <mailto:gincantalupo at fgasoftware.com>> wrote:
>>
>>         Hi,
>>
>>         I get a lot of these messages on my Asterisk CLI:
>>
>>         "Failed to authenticate user
>>         1000<sip:1000 at MY_OWN_IP_ADDRESS>;tag=03f82bb9"
>>
>>         as if my PBX machine is trying to authenticate to itself. It
>>         seems someone is attacking my asterisk PBX.
>>
>>         Is there a way to fix this problem?
>>
>
>     in sip.conf I have guest connections permitted and have them going
>     to the default context which contains :-
>
>     [default]
>     ; all unauthenticated connection attempts from the internet come
>     in here.
>     exten => _[+*#0-9].,1,NoOp(Unauthenticated call attempt -
>     ${SIP_HEADER(Contact)})
>     exten => _[+*#0-9].,n,Congestion
>
>     Then in fail2ban I have it match the following :-
>
>     failregex = Registration from .* failed for \'<HOST>\' - Wrong
>     password
>                 Unauthenticated call attempt .*\@<HOST>\:
>
>
>     --
>     _____________________________________________________________________
>     -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>     New to Asterisk? Join us for a live introductory webinar every Thurs:
>     http://www.asterisk.org/hello
>
>     asterisk-users mailing list
>     To UNSUBSCRIBE or update options visit:
>     http://lists.digium.com/mailman/listinfo/asterisk-users
>
>

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20131002/9875634c/attachment.html>

More information about the asterisk-users mailing list