I'm getting invites to very high ports every 30 seconds from a particular ip address:

Retransmitting #10 (NAT) to 5.199.133.128:52734:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
Call-ID: 1504207870-295758084-609228182
CSeq: 1 INVITE
.......
WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182...

I thought invites had to go to port 5060 or so. I don't understand why somebody (let's assume a bad guy) is trying ports above 50000.

sean

On Wed, Aug 29, 2018, at 10:34 AM, sean darcy wrote:
> I'm getting invites to very high ports every 30 seconds from a
> particular ip address:
>
> Retransmitting #10 (NAT) to 5.199.133.128:52734:
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
> To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
> Call-ID: 1504207870-295758084-609228182
> CSeq: 1 INVITE
> .......
> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> 1504207870-295758084-609228182...
>
> I thought invites had to go to port 5060 or so. I don't understand why
> somebody (let's assume a bad guy) is trying ports above 50000.

There is nothing that explicitly states that it has to be 5060, and in the case of the above it's just a random source port.

--
Joshua Colp
Digium, Inc. | Senior Software Developer
445 Jan Davis Drive NW - Huntsville, AL 35806 - US
Check us out at: www.digium.com & www.asterisk.org

Hi

Probably somebody is trying to hack your system, you should block that ip on your firewall.

Regards

On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
> I'm getting invites to very high ports every 30 seconds from a particular
> ip address:
>
> Retransmitting #10 (NAT) to 5.199.133.128:52734:
> SIP/2.0 401 Unauthorized
> Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
> From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
> To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
> Call-ID: 1504207870-295758084-609228182
> CSeq: 1 INVITE
> .......
> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
> 1504207870-295758084-609228182...
>
> I thought invites had to go to port 5060 or so. I don't understand why
> somebody (let's assume a bad guy) is trying ports above 50000.
>
> sean

On 08/29/2018 09:42 AM, Carlos Rojas wrote:
> Hi
>
> Probably somebody is trying to hack your system, you should block that
> ip on your firewall.
>
> Regards
>
> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
>
>     I'm getting invites to very high ports every 30 seconds from a
>     particular ip address:
>
>     Retransmitting #10 (NAT) to 5.199.133.128:52734:
>     SIP/2.0 401 Unauthorized
>     Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
>     From: <sip:37120116780191250 at 67.80.191.250>;tag=1872048972
>     To: <sip:3712011972592181418 at 67.80.191.250>;tag=as3a52e748
>     Call-ID: 1504207870-295758084-609228182
>     CSeq: 1 INVITE
>     .......
>     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
>     1504207870-295758084-609228182...
>
>     I thought invites had to go to port 5060 or so. I don't understand
>     why somebody (let's assume a bad guy) is trying ports above 50000.
>
>     sean

Ok, so the high port is not the destination port but the source port.

So I hacked the log warning in chan_sip.c on non-critical invites to show the source ip:

    ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
            pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

With that in the log, I'm now blocking the ip addresses.

Thanks,
sean
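
Added example (not part of the original thread and not Asterisk project code): a sketch of turning the modified warning above into a per-source-IP block list, keyed on the address only because the source port is random per attempt. The log lines are constructed, the `min_calls` threshold and function names are hypothetical, and the peer is assumed to be logged as `addr:port` (IPv6 as `[addr]:port`).

```python
import re
from collections import Counter

# Matches the warning as modified in the post:
#   "Timeout on %s non-critic invite trans from %s.\n"
# Assumption: the second %s is "addr:port", or "[addr]:port" for IPv6.
TIMEOUT_RE = re.compile(
    r"retrans_pkt: Timeout on (?P<callid>\S+) non-critic invite trans from "
    r"(?P<peer>\[[0-9A-Fa-f:.]+\]:\d+|[0-9.]+:\d+)\.\s*$"
)

def peer_ip(peer):
    """Drop the port: it is an ephemeral source port and differs per attempt."""
    if peer.startswith("["):
        return peer[1:peer.index("]")]
    return peer.rsplit(":", 1)[0]

def timeout_sources(lines):
    """Map source IP -> set of distinct Call-IDs whose INVITE timed out."""
    seen = {}
    for line in lines:
        m = TIMEOUT_RE.search(line)
        if m:
            seen.setdefault(peer_ip(m.group("peer")), set()).add(m.group("callid"))
    return seen

def block_candidates(lines, min_calls=3):
    """IPs with at least min_calls distinct timed-out INVITEs, busiest first."""
    counts = Counter({ip: len(ids) for ip, ids in timeout_sources(lines).items()})
    return [ip for ip, n in counts.most_common() if n >= min_calls]

# Constructed sample log lines (not from the original post), in the modified format.
SAMPLE_LOG = """\
[Aug 29 10:30:01] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182 non-critic invite trans from 5.199.133.128:52734.
[Aug 29 10:30:01] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207870-295758084-609228182 non-critic invite trans from 5.199.133.128:52734.
[Aug 29 10:30:31] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207900-11111-22222 non-critic invite trans from 5.199.133.128:52801.
[Aug 29 10:31:01] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on 1504207930-33333-44444 non-critic invite trans from 5.199.133.128:53990.
[Aug 29 10:31:40] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on abc123@203.0.113.7 non-critic invite trans from 203.0.113.7:5060.
[Aug 29 10:32:05] WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on def456@pbx non-critic invite trans from [2001:db8::5]:5060.
[Aug 29 10:32:09] VERBOSE[150318]: constructed unrelated line
"""

if __name__ == "__main__":
    for ip in block_candidates(SAMPLE_LOG.splitlines()):
        print(ip)
```

Counting distinct Call-IDs rather than raw lines keeps a duplicated log line from inflating the count, and the threshold keeps a single timeout from a legitimate endpoint off the list.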