Hello Asterisk-users,

[2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=2762c06e
[2013-08-18 05:56:34] NOTICE[17089][C-000000a9] chan_sip.c: Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=7b909220

I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own IP. How do I figure out where this attempt is coming from so I can block it.

-- Ira

Hi,

for example http://www.fail2ban.org/wiki/index.php/Asterisk

On 18 August 2013 23:41, Ira <ira at extrasensory.com> wrote:
> Hello Asterisk-users,
>
> [2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=2762c06e
> [2013-08-18 05:56:34] NOTICE[17089][C-000000a9] chan_sip.c: Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=7b909220
>
> I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own IP. How do I figure out where this attempt is coming from so I can block it.
>
> -- Ira

Hi

You should install something like fail2ban

Regards

On Sun, Aug 18, 2013 at 5:41 PM, Ira <ira at extrasensory.com> wrote:
> Hello Asterisk-users,
>
> [2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=2762c06e
> [2013-08-18 05:56:34] NOTICE[17089][C-000000a9] chan_sip.c: Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=7b909220
>
> I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own IP. How do I figure out where this attempt is coming from so I can block it.
>
> -- Ira

On Sun, 18 Aug 2013, Ira wrote:
> [2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=2762c06e
>
> I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own IP. How do I figure out where this attempt is coming from so I can block it.

Any chance '390' is a legitimate (but mis-configured or obsolete) device on your network?

Is xx.xx.xxx.xxx a private or public address?

Can you 'wireshark' some packets and see if the OUI matches one of your endpoints?

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards  sedwards at sedwards.com  Voice: +1-760-468-3867 PST
Newline  Fax: +1-760-731-3000

Hello Steve,

Sunday, August 18, 2013, 3:35:54 PM, you wrote:
> On Sun, 18 Aug 2013, Ira wrote:
>> [2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390 at xx.xx.xxx.xxx>;tag=2762c06e
>>
>> I keep getting messages like this where the IP, xx.xx.xxx.xxx, is my own IP. How do I figure out where this attempt is coming from so I can block it.
>
> Any chance '390' is a legitimate (but mis-configured or obsolete) device on your network?
>
> Is xx.xx.xxx.xxx a private or public address?
>
> Can you 'wireshark' some packets and see if the OUI matches one of your endpoints?

390 is not, nor has it ever been an extension on my box. I've gotten the same message for numerous extensions, sometimes 100-200 inclusive, usually multiple times as if they are trying multiple passwords. I'm sure that no one will ever guess an extension or password on my box that way so I'm not worried. I've blocked most of the IPs that my box doesn't use and it's been a long time since I've seen any outside attempts to register.

But in the recent past I've been seeing these where I've no clue what IP to block as the entries, sip:390 at xx.xx.xxx.xxx, always contain an invalid extension and my cable modem's IP address.

xx.xx.xxx.xxx is my public I.P.

I searched Google and found no mention of my specific error.

-- Ira
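
An added example, not part of the thread: a parser for the chan_sip NOTICE lines quoted above that groups failures by the host shown in the SIP URI and marks hosts that must not be banned. It assumes the URI comes from the client-supplied From header rather than the packet source, which would explain the poster seeing his own public IP; `SERVER_ADDRS`, the threshold and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# NOTICE format quoted in the thread. Accepts "@" as well as the " at "
# that the list archive substitutes for it.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\]"
    r"(?:\[(?P<call>C-[0-9a-f]+)\])? chan_sip\.c: "
    r"Failed to authenticate device (?P<name>[^<]*)"
    r"<sip:(?P<user>[^@\s>]+)(?:@| at )(?P<host>[^>;:\s]+)[^>]*>"
    r"(?:;tag=(?P<tag>\S+))?"
)

def parse(line):
    """Return the fields of one matching line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec

def summarize(lines, server_addrs, scan_threshold=3):
    """Group failures by URI host; server_addrs are this PBX's own addresses."""
    hosts = defaultdict(lambda: {"n": 0, "users": set(), "ts": []})
    for rec in filter(None, map(parse, lines)):
        h = hosts[rec["host"]]
        h["n"] += 1
        h["users"].add(rec["user"])
        h["ts"].append(rec["ts"])
    return {host: {
        "attempts": h["n"],
        "users": sorted(h["users"]),
        "span_seconds": (max(h["ts"]) - min(h["ts"])).total_seconds(),
        "extension_scan": len(h["users"]) >= scan_threshold,
        # A URI host equal to our own address is not the sender: never ban it.
        "bannable": host not in server_addrs,
    } for host, h in hosts.items()}

# Constructed sample data (documentation address ranges), not from the thread.
SERVER_ADDRS = {"203.0.113.10"}
SAMPLE = [
    "[2013-08-18 05:56:29] NOTICE[17089][C-000000a8] chan_sip.c: Failed to authenticate device 390<sip:390@203.0.113.10>;tag=2762c06e",
    "[2013-08-18 05:56:34] NOTICE[17089][C-000000a9] chan_sip.c: Failed to authenticate device 390<sip:390@203.0.113.10>;tag=7b909220",
    "[2013-08-18 05:56:40] NOTICE[17089][C-000000aa] chan_sip.c: Failed to authenticate device 391<sip:391 at 203.0.113.10>;tag=1a2b3c4d",
    "[2013-08-18 05:56:45] NOTICE[17089][C-000000ab] chan_sip.c: Failed to authenticate device 392<sip:392@203.0.113.10>;tag=5e6f7a8b",
    "[2013-08-18 05:57:00] NOTICE[17089] chan_sip.c: Registration from '<sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password",
]
```

When `bannable` is False the line carries no usable source address, so the sender has to be identified elsewhere, for example with the packet capture suggested earlier in the thread.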