[asterisk-users] Can't block intrusion

D'Arcy Cain darcy at VybeNetworks.com
Wed Apr 1 12:48:31 CDT 2020

I am running Asterisk 16.9 on FreeBSD 12.1-RELEASE-p1.  I keep seeing
lines like this in my logs.

[Apr  1 13:30:33] NOTICE[101155][C-00004526] chan_sip.c: Call from ''
( to extension '2037' rejected because extension not
found in context 'unauthenticated'.

I have a script that checks for things like this and adds them to my
packet filter (pf).  Everything seems to work up to a point.  The IP
address gets added to my AUTOBLOCK table.  The second rule, right after
the friends whitelist, blocks any IP in that table.  If I try to ping or
traceroute to it I can't get through.  I ran netstat -a and sockstat -c
and the IP address does not show up in the connections.  Every test
suggests that the system is doing exactly what I want it to do.

The weird thing is that the attempts don't stop.  That IP continues to
try different numbers.  There are two ways that I have found so far to
actually stop the attack.  One is to completely stop Asterisk and then
restart it.  Obviously not a good option on a production switch.

The other way is to null route the IP.  That stops it cold.  That's
better but it needs me to manually intervene.  However, it does make it
clear that the IP address is not being faked somehow.

I also tried doing "pfctl -k" but that says that no
connections were dropped.  It looks like pf is convinced that the
connection is gone.

So, can anyone suggest why the attack keeps happening?

D'Arcy J.M. Cain
Vybe Networks Inc.
A unit of Excelsior Solutions Corporation - Propelling Business Forward
IM:darcy at VybeNetworks.com VoIP: sip:darcy at VybeNetworks.com

More information about the asterisk-users mailing list