motty cruz
2014-Sep-08 22:39 UTC
[asterisk-users] Asterisk failed to authenticate device - attack attempt.
Hi all,

I continue to see the following msg on my Asterisk log:

[Sep 8 15:34:37] NOTICE[7375]: chan_sip.c:23277 handle_request_invite: Failed to authenticate device 9009<sip:9009 at 196.107.xx.xx>;tag=8dd48dd2

IP 196.107.xx.xx is my Asterisk server IP address. I don't know what it means or how to cover any holes that the attacker is trying to exploit.

Thanks,
Motty
Steve Edwards
2014-Sep-09 02:31 UTC
[asterisk-users] Asterisk failed to authenticate device - attack attempt.
On Mon, 8 Sep 2014, motty cruz wrote:

> I continue to see the following msg on my Asterisk log:
>
> [Sep 8 15:34:37] NOTICE[7375]: chan_sip.c:23277 handle_request_invite:
> Failed to authenticate device 9009<sip:9009 at 196.107.xx.xx>;tag=8dd48dd2

First step is to determine the source -- is it coming from your network or from the Internet? 'sip set debug on', tcpdump, ngrep, wireshark can all be useful.

If it is coming from your network, make note of the MAC address. The first 3 octets are the OUI. Google 'OUI Lookup.' This will tell you the manufacturer (or at least who made the board inside the device). This may give you a clue like 'Cisco Linksys LLC' and you may remember you have an old Sipura (which was bought by Linksys, which was bought by Cisco) laying around that somebody may have decided to 're-purpose' without telling you.

If it is coming from the Internet, learn a bit about iptables. The best case scenario is that you know everybody that should be accessing your PBX, so you can 'whitelist' the good guys and DROP everything else.

Some people moan about how they have clients that travel. Unless they travel to China, Russia, North Korea, Crapistan, etc., just block entire regions of the world. That will knock off 90% of your 'attack surface.' Maybe you can limit traffic to just a couple of class C addresses.

Finally, mop up the ankle-biters with fail2ban.

Oh, and nice long 'random' passwords on all of your SIP endpoints, and if you can get away from 4-digit extensions, all the better.

-- 
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
                                                  Fax: +1-760-731-3000
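The two steps Steve recommends for Internet-sourced attempts (a whitelist of known-good networks, then fail2ban for the rest) boil down to one piece of logic: attribute each authentication failure to a remote address, skip the addresses you trust, and flag any source that fails too often inside a short window. The chan_sip NOTICE Motty quoted cannot be attributed because it carries only the From header, not the sender; Asterisk's security log (res_security_log) does carry a RemoteAddress field, which is what fail2ban's Asterisk filter keys on. The following is an added example, not code from either poster, from Asterisk or from fail2ban. It assumes the security log's key/value layout as shown in the constructed sample lines; the addresses, account names and event times are constructed (RFC 5737 documentation ranges), and the year is assumed to be 2014 because the Asterisk timestamp does not include one.

```python
"""Attribute Asterisk SIP authentication failures to their source address,
exempt whitelisted networks, and flag sources that exceed a threshold
inside a sliding time window (the same idea as a fail2ban jail).

Added example for this thread, not Asterisk's or fail2ban's own code.
Assumes the res_security_log line layout shown in SEC_TEMPLATE below.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Only the fields the detector needs are matched; other key/value pairs in
# the record are skipped by the non-greedy gaps, so extra fields do not break it.
SEC_RE = re.compile(
    r'^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\]'
    r'.*?SecurityEvent="(?P<event>\w+)"'
    r'.*?RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+"'
)

# Asterisk security events that mean a SIP request failed to authenticate.
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed"}

# The Asterisk log timestamp has no year; the thread dates from 2014 (assumed).
LOG_YEAR = 2014


def parse_security_line(line):
    """Return (timestamp, event, remote_ip) for a security-log line, else None."""
    m = SEC_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group("event"), m.group("ip")


def is_whitelisted(ip, whitelist):
    """True if ip falls inside any of the trusted CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in whitelist)


def failed_auth_sources(lines, threshold=5, window=timedelta(minutes=10), whitelist=()):
    """Map each remote IP with >= threshold failures inside any `window` to its
    total failure count. Whitelisted sources and lines without a RemoteAddress
    (such as the chan_sip NOTICE in the thread) are ignored."""
    failures = defaultdict(list)
    for line in lines:
        parsed = parse_security_line(line)
        if parsed is None:
            continue
        ts, event, ip = parsed
        if event not in FAILURE_EVENTS or is_whitelisted(ip, whitelist):
            continue
        failures[ip].append(ts)

    offenders = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Advance the window start until the span fits inside `window`.
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders


# Constructed sample log. The first line is the NOTICE from the thread (with a
# constructed server address); the rest follow the assumed security-log layout.
SEC_TEMPLATE = (
    '[{ts}] SECURITY[7375] res_security_log.c: SecurityEvent="{event}",'
    'Severity="Error",Service="SIP",EventVersion="2",AccountID="{acct}",'
    'SessionID="0x7f3c5c0",LocalAddress="IPV4/UDP/196.107.0.2/5060",'
    'RemoteAddress="IPV4/UDP/{ip}/5060"'
)
SAMPLE_EVENTS = [
    # six failures in 13 seconds from one Internet host: should be flagged
    ("Sep  8 15:34:37", "InvalidPassword", "9009", "203.0.113.45"),
    ("Sep  8 15:34:39", "InvalidPassword", "9009", "203.0.113.45"),
    ("Sep  8 15:34:41", "InvalidPassword", "9009", "203.0.113.45"),
    ("Sep  8 15:34:44", "InvalidPassword", "9009", "203.0.113.45"),
    ("Sep  8 15:34:47", "InvalidPassword", "9009", "203.0.113.45"),
    ("Sep  8 15:34:50", "InvalidPassword", "9009", "203.0.113.45"),
    # two unknown-account probes: below threshold
    ("Sep  8 15:40:01", "InvalidAccountID", "1000", "198.51.100.7"),
    ("Sep  8 15:40:05", "InvalidAccountID", "1001", "198.51.100.7"),
    # five failures spread half an hour apart: never five inside ten minutes
    ("Sep  8 14:00:00", "InvalidPassword", "2001", "192.0.2.9"),
    ("Sep  8 14:30:00", "InvalidPassword", "2001", "192.0.2.9"),
    ("Sep  8 15:00:00", "InvalidPassword", "2001", "192.0.2.9"),
    ("Sep  8 15:30:00", "InvalidPassword", "2001", "192.0.2.9"),
    ("Sep  8 16:00:00", "InvalidPassword", "2001", "192.0.2.9"),
    # a misconfigured LAN phone: flagged unless its network is whitelisted
    ("Sep  8 15:50:00", "ChallengeResponseFailed", "9009", "10.0.0.20"),
    ("Sep  8 15:50:02", "ChallengeResponseFailed", "9009", "10.0.0.20"),
    ("Sep  8 15:50:04", "ChallengeResponseFailed", "9009", "10.0.0.20"),
    ("Sep  8 15:50:06", "ChallengeResponseFailed", "9009", "10.0.0.20"),
    ("Sep  8 15:50:08", "ChallengeResponseFailed", "9009", "10.0.0.20"),
    ("Sep  8 15:50:10", "ChallengeResponseFailed", "9009", "10.0.0.20"),
]
SAMPLE_LOG = [
    "[Sep  8 15:34:37] NOTICE[7375]: chan_sip.c:23277 handle_request_invite: "
    "Failed to authenticate device 9009<sip:9009@196.107.0.2>;tag=8dd48dd2",
] + [SEC_TEMPLATE.format(ts=ts, event=ev, acct=acct, ip=ip)
     for ts, ev, acct, ip in SAMPLE_EVENTS]

if __name__ == "__main__":
    print(failed_auth_sources(SAMPLE_LOG, whitelist=["10.0.0.0/8"]))
```

Run against the constructed sample with the LAN whitelisted, only 203.0.113.45 is reported; without the whitelist the LAN phone at 10.0.0.20 is reported too, which is exactly the case Steve's "is it coming from your network?" question is meant to catch before a ban locks out a legitimate handset. The source that fails once every thirty minutes stays below the threshold, which is the usual trade-off of a fixed window: patient, low-rate guessing needs longer windows or the region-level blocking Steve describes.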