Asterisk Log "Rejecting unknown SIP connection"

Can someone help me understand the Asterisk log below, specifically the lines “Rejecting unknown SIP connection from 212.129.63.217” and “Remote UNIX connection”? Our Asterisk server crashed, but we were able to get in after it crashed. The first thing we looked at was the Asterisk logs. The last logs before it crashed are below. I am not sure if someone from IP address 212.129.63.217 is trying to remotely access our Asterisk server.

[2015-01-10 03:31:25] VERBOSE[18045][C-00018c33] pbx.c: -- Executing [s@from-sip-external:6] Log("SIP/50.xxx.xxx.xx-000de34a", "WARNING,"Rejecting unknown SIP connection from 212.129.63.217"") in new stack
[2015-01-10 03:31:25] WARNING[18045][C-00018c33] Ext. s: "Rejecting unknown SIP connection from 212.129.63.217"
[2015-01-10 03:31:25] VERBOSE[18045][C-00018c33] pbx.c: -- Executing [s@from-sip-external:7] Answer("SIP/50.xxx.xxx.xx-000de34a", "") in new stack
[2015-01-10 03:31:25] VERBOSE[18045][C-00018c33] pbx.c: == Spawn extension (from-sip-external, s, 7) exited non-zero on 'SIP/50.xxx.xxx.xx-000de34a'
[2015-01-10 03:31:25] VERBOSE[18045][C-00018c33] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/'SIP/50.xxx.xxx.xx-000de34a", "") in new stack
[2015-01-10 03:31:25] VERBOSE[18045][C-00018c33] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/50.xxx.xxx.xx-000de34a'
[2015-01-10 03:35:01] VERBOSE[2050] asterisk.c: -- Remote UNIX connection

The rejected SIP connection is Asterisk doing its job: someone was attempting a connection to your Asterisk server and got denied, probably due to incorrect credentials. I should imagine it was maybe someone sniffing around, and it may be a good indication you are open to the net.

I think, I could be wrong, the Remote UNIX Connection you are seeing is probably your Trunk provider. Maybe someone could clarify that. This is a normal operation of the FreePBX log, mine does it quite often.

Make sure your system is tightened down; I have a feeling someone was sniffing around to see if your server is there or not. The IP address you posted, if from France, does not have an IP owner and is not assigned to anyone in particular. So the chances are it may be a cloned IP!!! Or spoofed… or whatever they call it now.

Check your SIP settings and make sure SIP ALLOW GUESTS is NO. If you have no external devices, block ports 5060 & 5061 at the router. Restrict access from the outside world if you have no reason to be public.

If you need access into your server, think about a VPN into the box or at least into the network and use RDC to connect to the box.

You are being scanned. I suggest you tighten up your firewall rules.
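
Counting the rejection lines per source address shows whether an entry like the one quoted in the question is a one-off or a repeated probe. The script below is an added example, not part of the thread or of FreePBX; the function names, the threshold of 3 and all sample lines other than the 212.129.63.217 entries quoted above are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Matches only the WARNING line written by the dialplan Log() call. The VERBOSE
# "Executing ... Log(...)" line repeats the same text and would double-count.
REJECT_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] WARNING\[\d+\](?:\[(?P<call>C-[0-9a-f]+)\])? Ext\. s: '
    r'\W*Rejecting unknown SIP connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b'
)

def parse_rejections(log_text):
    """Return (timestamp, call_id, source_ip) for each rejected anonymous call."""
    events = []
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if m:
            events.append((m.group('ts'), m.group('call'), m.group('ip')))
    return events

def summarize(events, threshold=3):
    """Group by source IP; flag sources with at least `threshold` rejections."""
    by_ip = defaultdict(list)
    for ts, _call, ip in events:
        by_ip[ip].append(ts)
    return {
        ip: {'count': len(ts_list), 'first': min(ts_list), 'last': max(ts_list),
             'flag': len(ts_list) >= threshold}
        for ip, ts_list in by_ip.items()
    }

# Constructed sample in the format of the log quoted above. 212.129.63.217 is
# the address from the thread; 198.51.100.7 is a documentation-range address.
SAMPLE_LOG = '''
[2015-01-10 03:31:25] VERBOSE[18045][C-00018c33] pbx.c: -- Executing [s@from-sip-external:6] Log("SIP/50.xxx.xxx.xx-000de34a", "WARNING,"Rejecting unknown SIP connection from 212.129.63.217"") in new stack
[2015-01-10 03:31:25] WARNING[18045][C-00018c33] Ext. s: "Rejecting unknown SIP connection from 212.129.63.217"
[2015-01-10 03:31:40] WARNING[18051][C-00018c34] Ext. s: "Rejecting unknown SIP connection from 212.129.63.217"
[2015-01-10 03:31:58] WARNING[18060][C-00018c35] Ext. s: “Rejecting unknown SIP connection from 212.129.63.217”
[2015-01-10 03:33:02] WARNING[18077][C-00018c36] Ext. s: "Rejecting unknown SIP connection from 198.51.100.7"
[2015-01-10 03:35:01] VERBOSE[2050] asterisk.c: -- Remote UNIX connection
'''

if __name__ == '__main__':
    for ip, info in sorted(summarize(parse_rejections(SAMPLE_LOG)).items()):
        print(ip, info)
```

Flagged addresses are candidates for a firewall drop rule or a fail2ban jail; the timestamps compare correctly as strings because the log writes them in year-first order.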