<div dir="ltr">Hi,<div>Some bad boys are trying to guess configured extensions.</div><div>In the SIP config, in the general section, set alwaysauthreject = yes.</div><div>In the CLI, run sip set debug on, watch the IP, and block it in the firewall (iptables).</div>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Mon, Aug 19, 2013 at 7:50 PM, Ira <span dir="ltr">&lt;<a href="mailto:ira@extrasensory.com" target="_blank">ira@extrasensory.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<span style="font-family:'courier new';font-size:9pt">Hello Steve,<br>
<br>
Sunday, August 18, 2013, 3:35:54 PM, you wrote:<br>
<br>
> On Sun, 18 Aug 2013, Ira wrote:<br>
<br>
>> [2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: <br>
>> Failed to authenticate device 390&lt;sip:390@xx.xx.xxx.xxx&gt;;tag=2762c06e<br>
>> <br>
>> I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own <br>
>> IP. How do I figure out where this attempt is coming from so I can <br>
>> block it?<br>
<br>
> Any chance '390' is a legitimate (but mis-configured or obsolete) device<br>
> on your network?<br>
<br>
> Is xx.xx.xxx.xxx a private or public address?<br>
<br>
> Can you 'wireshark' some packets and see if the OUI matches one of your<br>
> endpoints?<br>
<br>
<span style="font-family:'Arial';font-size:10pt">390 is not, nor has it ever been, an extension on my box. I've gotten the same message for numerous extensions, sometimes 100-200 inclusive, usually multiple times as if they are trying multiple passwords. I'm sure that no one will ever guess an extension or password on my box that way so I'm not worried, I've blocked most of the IPs that my box doesn't use and it's been a long time since I've seen any outside attempts to register. But in the recent past I've been seeing these where I've no clue what IP to block as the entries, </span></span><a style="font-family:'courier new';font-size:9pt" href="mailto:sip:390@xx.xx.xxx.xxx" target="_blank">sip:390@xx.xx.xxx.xxx</a><span style="font-family:'courier new';font-size:9pt">, always contain an invalid extension and my cable modem's IP address.<br>
<br>
xx.xx.xxx.xxx is my public I.P.<br>
<br>
<span style="font-family:'Arial';font-size:10pt">I searched Google and found no mention of my specific error.<span class="HOEnZb"><font color="#888888"><br>
<br>
<span style="font-family:'courier new';font-size:9pt">-- Ira<span style="font-family:'Arial';font-size:10pt"> </span></span></font></span></span></span></div><br>--<br>
asterisk-users mailing list<br></blockquote></div><br></div>
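<div>Added example, not part of the original messages: the NOTICE line quoted in the thread only shows the From header, which here carries the PBX's own public IP, so this Python script reads <code>sip set debug on</code> output and ties each unknown extension to the socket address the packet was actually received from. The sample capture, its addresses and the function name are constructed for illustration, and the layout of the debug header lines is an assumption.</div>

```python
import re
from collections import Counter

# Constructed `sip set debug on` console output (not from the thread).
# 198.51.100.7 stands in for the PBX's public IP, 203.0.113.45 for the scanner.
SAMPLE = """\
<--- SIP read from UDP:203.0.113.45:5071 --->
REGISTER sip:198.51.100.7 SIP/2.0
From: "390" <sip:390@198.51.100.7>;tag=2762c06e
<------------->
<--- Transmitting (no NAT) to 203.0.113.45:5071 --->
SIP/2.0 401 Unauthorized
From: "390" <sip:390@198.51.100.7>;tag=2762c06e
<------------>
<--- SIP read from UDP:203.0.113.45:5071 --->
REGISTER sip:198.51.100.7 SIP/2.0
From: "391" <sip:391@198.51.100.7>;tag=5a1f0c11
<------------->
<--- SIP read from UDP:192.0.2.20:5060 --->
REGISTER sip:198.51.100.7 SIP/2.0
From: "101" <sip:101@198.51.100.7>;tag=0c9be4aa
<------------->
"""

# Assumed layout of chan_sip debug headers: "<--- SIP read from UDP:ip:port --->".
READ_HDR = re.compile(r"^<--- SIP read from \w+:(.+):\d+ --->")
FROM_HDR = re.compile(r"^(?:From|f):.*?sips?:([^@>;\s]+)@", re.I)

def unknown_users_by_source(debug_text, known_extensions):
    """Return {transport source IP: Counter(unknown From users)} for received messages."""
    hits, src = {}, None
    for line in debug_text.splitlines():
        read = READ_HDR.match(line)
        if read:
            src = read.group(1)          # real sender, taken from the socket
        elif line.startswith("<---"):
            src = None                   # end marker or a block Asterisk transmitted
        elif src and (frm := FROM_HDR.match(line)):
            if frm.group(1) not in known_extensions:
                hits.setdefault(src, Counter())[frm.group(1)] += 1
    return hits

if __name__ == "__main__":
    for ip, users in unknown_users_by_source(SAMPLE, {"101"}).items():
        print(ip, dict(users))   # candidates to review before a firewall block
```

<div>Pass the set of extensions that really exist on the box as <code>known_extensions</code>; a source address that accumulates many different unknown users is the one to review for an iptables block.</div>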