Attacks from own external IP

1

Full logs showing

[2016-05-04 13:06:24] NOTICE[18959][C-0000022e] chan_sip.c: Failed to authenticate device 106<sip:106@MyIP>;tag=a39d439d

But Fail2Ban Logs showing

[2016-05-04 13:06:24] SECURITY[19070] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2016-05-04T13:06:24.824-0500",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:106@MyIP",SessionID="0x7fbb9c0b0f68",LocalAddress="IPV4/UDP/MyIP/5060",RemoteAddress="IPV4/UDP/103.195.101.74/5070",Challenge="09d8c355"

So looks like they are attacking from 103.195.101.74 but how they doing that ? I mean why full log not showing their IP and how can I protect PBX form that type of attacks ?

2

It is. You’re just not looking in the security log, which fail2ban is. What you’re looking at is what they’re trying to authenticate as. Which is 103@your ip.

Install FreePBX Firewall, turn it on, and you never need to worry about it again :sunglasses:

3

Do I need to upgrade to FreePBX 13 to install Firewall? If so then I can’t do that.
Any other way to stop that?
Also if this topic is about fail2ban
How can I block connections like this

VERBOSE[17430][C-000001a4] pbx.c: Executing [s@from-sip-external:6] Log("SIP/MyIP", "WARNING,"Rejecting unknown SIP connection from 85.17.12.170"") in new stack
WARNING[17430][C-000001a4] Ext. s: "Rejecting unknown SIP connection from 85.17.12.170"
4

Why can’t you update?

5

Because that is remote server and if something goes wrong I will not be able to reinstall it.

6

We upgrade servers all the time remotely.

Is it a real server, does it have lights out management? That allows you to access the console remotely of the computer outside the OS and main computer hardware.

You can sent someone to the site? If you are really nervous have them pull the old drive and install a new one.

Hacking up an unsupported system. is a far greater risk than am upgrade.