<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Thanks M, <br>
I have security enabled, <br>
; output security messages to the file named "Security"<br>
security => security<br>
<br>
I see the file created in /var/log/asterisk/security but it is empty,
and in /var/log/asterisk/messages I see the following:<br>
[2015-12-03 06:52:32] NOTICE[19949] chan_sip.c: Failed to
authenticate device 100<a class="moz-txt-link-rfc2396E" href="mailto:sip:100@X.X.X.X">&lt;sip:100@X.X.X.X&gt;</a>;tag=a121ab55<br>
<br>
X.X.X.X is the IP of my server. I don't know what the attacker's IP is
unless I monitor the server using the following command: <br>
tcpdump -lni eth0 -f "udp port 5060"<br>
<br>
Please advise. <br>
Thanks, <br>
Motty<br>
<br>
<div class="moz-cite-prefix">On 12/02/2015 01:53 PM, Telium
Technical Support wrote:<br>
</div>
<blockquote class=" cite"
id="mid_001801d12d4b_db2f6ad0_918e4070__telium_ca"
cite="mid:001801d12d4b$db2f6ad0$918e4070$@telium.ca" type="cite">
<div class="WordSection1">
<p class="MsoNormal">The details of the source IP are available
in the asterisk security log (if you have that enabled) – but
that particular attack hides its address from the messages
file.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It’s essential that you secure your PBX;
there are options ranging from free to commercial. Have a
look at:<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"><a moz-do-not-send="true"
href="http://www.voip-info.org/wiki/view/Asterisk+security">http://www.voip-info.org/wiki/view/Asterisk+security</a><o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">It’s easy to get a $20,000 phone bill, so
take securing your PBX seriously.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">-M-<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">From:</span></b><span
style="font-size:10.0pt;font-family:'Tahoma','sans-serif';color:windowtext">
<a class="moz-txt-link-abbreviated" href="mailto:asterisk-users-bounces@lists.digium.com">asterisk-users-bounces@lists.digium.com</a>
[<a class="moz-txt-link-freetext" href="mailto:asterisk-users-bounces@lists.digium.com">mailto:asterisk-users-bounces@lists.digium.com</a>] <b>On
Behalf Of </b>Motty<br>
<b>Sent:</b> Wednesday, December 02, 2015 1:12 PM<br>
<b>To:</b> Asterisk Users Mailing List - Non-Commercial
Discussion; <a class="moz-txt-link-abbreviated" href="mailto:motty.cruz@gmail.com">motty.cruz@gmail.com</a><br>
<b>Subject:</b> [asterisk-users] Failed to authenticate
device 100<o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Hello, I continued to see these errors in
the logs: <br>
<br>
<span
style="font-size:11.0pt;font-family:'Calibri','sans-serif'">[2015-12-02
10:05:57] NOTICE[19949]: chan_sip.c:23277 <span
class="spelle">handle_request_invite</span>: Failed to
authenticate device 100<a moz-do-not-send="true"
href="mailto:sip:100@xx.xx.xx.xx">&lt;sip:100@xx.xx.xx.xx&gt;</a>;tag=10cdeaf7<br>
<br>
How do I guard against these kinds of attacks? Also, to get
the IP address where this attack comes from, I use the
following command: tcpdump -lni eth0 -f "udp port 5060". Is
there an easy way to get the attacker's IP? <br>
<br>
Thanks, <br>
Motty</span><o:p></o:p></p>
</div>
</blockquote>
<br>
<br>
</body>
</html>