[asterisk-users] Asterisk failed to authenticate device - attack attempt.

Steve Edwards asterisk.org at sedwards.com
Mon Sep 8 21:31:41 CDT 2014

On Mon, 8 Sep 2014, motty cruz wrote:

> I continue to see the following msg on my Asterisk log: 
> [Sep  8 15:34:37] NOTICE[7375]: chan_sip.c:23277 handle_request_invite:  
> Failed to authenticate device 9009<sip:9009 at 196.107.xx.xx>;tag=8dd48dd2

First step is to determine the source -- is it coming from your network or 
from the Internet. 'sip set debug on,' tcpdump, ngrep, wireshark can all 
be useful.

If it is coming from your network, make note of the MAC address. The first 
3 octets are the OUI. Google 'OUI Lookup.' This will tell you the 
manufacturer (or at least who made the board inside the device). This may 
give you a clue like 'Cisco Linksys LLC' and you may remember you have an 
old Sipura (which was bought by Linksys, which was bought by Cisco) laying 
around that somebody may have decided to 're-purpose' without telling you.

If it is coming from the Internet, learn a bit about iptables. The best 
case scenario is that you know everybody that should be accessing your pbx 
so you can 'whitelist' the good guys and DROP everything else. Some people 
moan about how they have clients that travel. Unless they travel to China, 
Russia, North Korea, Crapistan, etc, just block entire regions of the 
world. That will knock off 90% of your 'attack surface.' Maybe you can 
limit traffic to just a couple of class C addresses.

Finally, mop up the anklebitters with fail2ban. Oh, and nice long 
'random' passwords on all of your SIP endpoints and if you can get away 
from 4 digit extensions, all the better.

Thanks in advance,
Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
Newline                                              Fax: +1-760-731-3000

More information about the asterisk-users mailing list