[asterisk-users] getting invites to rtp ports ??
seandarcy2 at gmail.com
Wed Aug 29 17:33:14 CDT 2018
On 08/29/2018 11:59 AM, Telium Support Group wrote:
> Blocking a single IP is the wrong approach (whack-a-mole). You should consider a more comprehensive approach to securing your VoIP environment. Have a look at this wiki:
> -----Original Message-----
> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean darcy
> Sent: Wednesday, August 29, 2018 10:46 AM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
>> Probably somebody is trying to hack your system, you should block that
>> ip on your firewall.
>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
>> I'm getting invites to very high ports every 30 seconds from a
>> particular ip address:
>> Retransmitting #10 (NAT) to 22.214.171.124:52734
>> SIP/2.0 401 Unauthorized
>> Via: SIP/2.0/UDP
>> From: <sip:37120116780191250 at 126.96.36.199>;tag=1872048972
>> To: <sip:3712011972592181418 at 184.108.40.206>;tag=as3a52e748
>> Call-ID: 1504207870-295758084-609228182
>> CSeq: 1 INVITE
>> WARNING: chan_sip.c:4127 retrans_pkt: Timeout on
>> I thought invites had to go to port 5060 or so. I don't understand
>> why somebody (let's assume a bad guy) is trying ports above 50000.
> Ok, so the high port is not the destination port but the source port.
> So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:
> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
> With that in the log, I'm now blocking the ip addresses.
I agree. That's why I hacked chan_sip.c to get the addresses in the log.
I'm surprised they're not in the log by default. I must be the only
person who gets these "non-critical invites".
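
The log-driven blocking discussed in this thread, as an added example that is not part of the original messages and is not Asterisk code: it parses warnings in the patched format quoted above and lists sources that repeat within a time window. The timestamp layout, the "ip:port" form of the last field, the threshold, and all sample lines and addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed layout: default Asterisk timestamp, then the patched warning text
# from the thread; the final %s is taken to be "ip" or "ip:port".
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2})\]\s+WARNING.*?"
    r"retrans_pkt: Timeout on (?P<callid>\S+) non-critic invite trans "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\.\s*$"
)

def repeat_sources(lines, threshold=3, window=timedelta(minutes=5), year=2018):
    """Return {ip: hits} for sources with >= threshold timeouts in any window."""
    seen = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        # The assumed timestamp carries no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        seen[m["ip"]].append(ts)
    flagged = {}
    for ip, stamps in seen.items():
        stamps.sort()
        start = best = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged

# Constructed sample lines (documentation-range addresses, invented Call-IDs).
_FMT = ("[Aug 29 {t}] WARNING[2211][C-0000000a]: chan_sip.c:4127 retrans_pkt: "
        "Timeout on call-{i} non-critic invite trans from {s}.")
_EVENTS = [("17:20:01", "192.0.2.10:52734"), ("17:20:31", "192.0.2.10:52734"),
           ("17:21:01", "192.0.2.10:52734"), ("17:21:31", "192.0.2.10:52734"),
           ("17:22:00", "198.51.100.7:40112"), ("09:00:00", "203.0.113.5"),
           ("17:30:00", "203.0.113.5"), ("17:31:00", "203.0.113.5")]
SAMPLE_LOG = [_FMT.format(t=t, i=i, s=s) for i, (t, s) in enumerate(_EVENTS)]
SAMPLE_LOG.append("[Aug 29 17:32:00] NOTICE[2211]: chan_sip.c:1234 other: noise")

if __name__ == "__main__":
    for ip, hits in sorted(repeat_sources(SAMPLE_LOG).items()):
        print(f"{ip} {hits}")
```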