Channel: General Help - FreePBX Community Forums

Registration attacks


@jmmicmc wrote:

In my Asterisk full log file, entries of this type occur:

[2015-12-03 08:43:57] NOTICE[2241] chan_sip.c: Registration from '"10000" ' failed for '195.154.182.231:5070' - Wrong password
[2015-12-03 08:44:37] NOTICE[2241] chan_sip.c: Registration from '"10000" ' failed for '195.154.182.231:5113' - Wrong password
[2015-12-03 08:44:50] NOTICE[2241] chan_sip.c: Registration from '"10000" ' failed for '195.154.182.231:5112' - Wrong password
[2015-12-03 08:45:59] NOTICE[2241] chan_sip.c: Registration from '"10000" ' failed for '195.154.182.231:5081' - Wrong password
[2015-12-03 08:46:02] NOTICE[2241] chan_sip.c: Registration from '"10000" ' failed for '195.154.182.231:5086' - Wrong password

Now we don't have any extension 10000. Other numbers being tried are 300, 410, 301, etc. I have used these firewall rules (as rule 1-3 in the INPUT chain) to allow SIP only from trunk1.freepbx.com and trunk2:

iptables -I INPUT 1 -p tcp -s trunk1.freepbx.com --dport 5060 -j fail2ban-SIP
iptables -I INPUT 2 -p tcp -s trunk2.freepbx.com --dport 5060 -j fail2ban-SIP
iptables -I INPUT 3 -p tcp --dport 5060 -j DROP

Even with these rules we are getting these registration attempts. It seems that the attackers spoof the freepbx IPs. So far I have not found any unwanted registrations - just attempts. Any suggestions?

James

Posts: 2

Participants: 2
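
An added example, not part of the original post or the FreePBX project: a small parser for the chan_sip "Registration ... failed" lines quoted above that groups failures by source address, so the addresses to check against the firewall rules are easy to see. The function names and the threshold of 5 are assumptions made for this example.

```python
import re
from collections import defaultdict

# Sample input: the five chan_sip lines quoted in the post, embedded to run offline.
SAMPLE_LOG = """\
[2015-12-03 08:43:57] NOTICE[2241] chan_sip.c: Registration from '"10000" ' failed for '195.154.182.231:5070' - Wrong password
[2015-12-03 08:44:37] NOTICE[2241] chan_sip.c: Registration from '"10000" ' failed for '195.154.182.231:5113' - Wrong password
[2015-12-03 08:44:50] NOTICE[2241] chan_sip.c: Registration from '"10000" ' failed for '195.154.182.231:5112' - Wrong password
[2015-12-03 08:45:59] NOTICE[2241] chan_sip.c: Registration from '"10000" ' failed for '195.154.182.231:5081' - Wrong password
[2015-12-03 08:46:02] NOTICE[2241] chan_sip.c: Registration from '"10000" ' failed for '195.154.182.231:5086' - Wrong password
"""

# Matches only the failed-registration NOTICE format shown in the post.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<sender>.*?)' failed for '(?P<ip>[^']+):(?P<port>\d+)' - (?P<reason>.+)$"
)

def summarize(log_text):
    """Group failed registrations by source address."""
    stats = defaultdict(lambda: {"failures": 0, "extensions": set(),
                                 "ports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a failed-registration line
        # The attempted extension is the quoted display name in the From field.
        quoted = re.search(r'"([^"]*)"', m["sender"])
        ext = quoted.group(1) if quoted else m["sender"].strip()
        s = stats[m["ip"]]
        s["failures"] += 1
        s["extensions"].add(ext)
        s["ports"].add(int(m["port"]))
        s["first"] = s["first"] or m["ts"]
        s["last"] = m["ts"]
    return dict(stats)

def suspects(log_text, threshold=5):
    """Source addresses with at least `threshold` failures (threshold is an assumed value)."""
    return sorted(ip for ip, s in summarize(log_text).items()
                  if s["failures"] >= threshold)

if __name__ == "__main__":
    for ip, s in summarize(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["extensions"]), sorted(s["ports"]),
              s["first"], s["last"])
```

These log lines do not record the transport. chan_sip listens for SIP on UDP by default, so the transport of this traffic is worth checking against the `-p tcp` rules above.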
