[asterisk-users] Asterisk failed to authenticate device - attack attempt.
Steve Edwards
asterisk.org at sedwards.com
Mon Sep 8 21:31:41 CDT 2014
On Mon, 8 Sep 2014, motty cruz wrote:
> I continue to see the following msg on my Asterisk log:
>
> [Sep 8 15:34:37] NOTICE[7375]: chan_sip.c:23277 handle_request_invite:
> Failed to authenticate device 9009<sip:9009 at 196.107.xx.xx>;tag=8dd48dd2
First step is to determine the source -- is it coming from your network or
from the Internet. 'sip set debug on,' tcpdump, ngrep, wireshark can all
be useful.
If it is coming from your network, make note of the MAC address. The first
3 octets are the OUI. Google 'OUI Lookup.' This will tell you the
manufacturer (or at least who made the board inside the device). This may
give you a clue like 'Cisco Linksys LLC' and you may remember you have an
old Sipura (which was bought by Linksys, which was bought by Cisco) laying
around that somebody may have decided to 're-purpose' without telling you.
If it is coming from the Internet, learn a bit about iptables. The best
case scenario is that you know everybody that should be accessing your pbx
so you can 'whitelist' the good guys and DROP everything else. Some people
moan about how they have clients that travel. Unless they travel to China,
Russia, North Korea, Crapistan, etc, just block entire regions of the
world. That will knock off 90% of your 'attack surface.' Maybe you can
limit traffic to just a couple of class C addresses.
Finally, mop up the anklebitters with fail2ban. Oh, and nice long
'random' passwords on all of your SIP endpoints and if you can get away
from 4 digit extensions, all the better.
--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards sedwards at sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
More information about the asterisk-users
mailing list