
CLI Repeat Repeat Repeat


(Edrick Smith) #1

[2018-06-12 19:12:33] WARNING[8116]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[17553]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[4843]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[28905]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[12778]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[12778]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[14920]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[20950]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[1662]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[20810]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[24033]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[5178]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[30275]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[14604]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[30275]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[4721]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[18980]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[11250]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[7316]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[7316]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[8116]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[17553]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[4843]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[28905]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[12778]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[14530]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[14920]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[20950]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[1662]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[20810]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[24033]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[5178]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[14604]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs

This just floods the Asterisk CLI. What can I do to stop it?


(Edrick Smith) #2

So being that it’s related to external traffic trying to hammer the FreePBX box, what is the best way to set up some type of rule that would block access after a few failed attempts at registering an extension? The box needs to be port forwarded for chan_sip and pj_sip for remote devices that are at a site with dynamic IP addresses and soft phones through iOS.


(Dave Burgess) #3

Do you have “anonymous” access turned on? Hopefully not.

Turn on the Integrated Firewall and set up your internal and public zones. If you do not have phones calling in from the Internet, turn off ports 5060 and 5160 in the “public” zone and only allow access to these ports from your internal network and your ITSP.


(Edrick Smith) #4

The firewalls have been properly configured, anonymous access is not turned on. It’s all properly configured; we do have a remote extension and a soft phone on cell phones. I’m getting so annoyed; all three FreePBX boxes have this and it just freaking crams the CLI so I can’t do any work on monitoring. Thousands of entries. What is allowing FreePBX to continuously allow these boxes to get hammered? I enabled all the firewall and responsive firewall settings I could find.


#5

I would expect Fail2ban (if installed and properly configured) to take care of this, unless the attackers are somehow sourcing the attempts from a huge number of different IP addresses (big botnet). Is it running? Are addresses getting banned? Do you see further requests from addresses listed as banned?

Is it feasible to change pjsip bind port from 5060 to a randomly chosen value? (This would require changing each extension to register to the new port number.)


(Edrick Smith) #6

[root@freepbx ~]# service fail2ban status
Systemd shim for fail2ban running ‘/usr/sbin/systemctl status fail2ban’
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2018-06-18 13:23:03 EDT; 3 days ago
Main PID: 1856 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
├─1856 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
└─1860 /usr/libexec/gam_server

Jun 18 13:23:02 freepbx.sangoma.local systemd[1]: Starting Fail2Ban Service…
Jun 18 13:23:03 freepbx.sangoma.local fail2ban-client[1852]: 2018-06-18 13:23:03,028 fail2ban.server [1854]: INFO Starting Fail2ban v0.8.14
Jun 18 13:23:03 freepbx.sangoma.local fail2ban-client[1852]: 2018-06-18 13:23:03,028 fail2ban.server [1854]: INFO Starting in daemon mode
Jun 18 13:23:03 freepbx.sangoma.local systemd[1]: Started Fail2Ban Service.
[root@freepbx ~]#



#7

Fail2ban cannot catch anonymous connections; there won’t be any log entry to get the IP address. Make sure you have regexes to catch pjsip as well as chan_sip.

https://issues.freepbx.org/plugins/servlet/mobile#issue/FREEPBX-11575


(Edrick Smith) #8

So what’s allowing these anonymous connections? I don’t have it enabled for SIP. What do I do to stop the machines from being hammered by endless requests like this?


#9

Sorry, I can’t help there; the link I posted shows it still unresolved for your system. I don’t have pjsip open on 5060 and

[2018-06-12 19:12:33] WARNING[8116]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs

does not have an IP address (<HOST> in fail2ban speak) to ban in it.


(Edrick Smith) #10

So this seems to be a big security issue is it not? Something that freepbx engineers should resolve? Who’s to blame here? There’s quite a few users who have 5060 open to the outside world so their systems function properly.


#11

No blame likely, but I have always been a proponent of never using 5000-5199 for any SIP connections; that’s where they all come from, less so when not the “well known ports” 5060, 5061, 5160 et al., but ‘they’ do scan these ports regularly, and yes, I’ve watched it for years. It’s trivial to enforce, but you might need a firewall translation rule or two for those ISPs who refuse to allow anything but 5060.

It’s the same reason that no sane admin still uses 22 for ssh.


(Edrick Smith) #12

At least with ssh and other protocols you can enable something that locks out brute force attempts. Whereas there’s nothing here to stop someone from hammering the PJSIP, as fail2ban is failing to ban.


#13

You can do that, but then you are just another rabbit, and the foxes are really quite clever; they ‘profile’ briefly in a “drive by”, and if a pattern is discerned, they will hand off your IP to ‘secondary inspection’, so 22, 5060, 80, 443, 2002, 5038, 3306, even if they are not open, is a fingerprint that can send your IP to the clever Palestinian who specializes in Asterisk systems. Just because I am paranoid, it doesn’t mean they are not “out to get me”.

JM2CWAE


(Edrick Smith) #14

So I’m still a bit confused: is FreePBX functioning properly and just allowing PJSIP to get hammered with these requests? Is the official “solution” to just change the port again now that PJSIP is operating on from the default and have to custom configure every box this way? What’s the official deal, am I worrying about nothing with the box being hammered like this? It seems to me “just change the port” isn’t actually securing it any, as it’s just moving it off to another port now. Isn’t fail2ban supposed to prevent repeated attempts at connecting?


(Dave Burgess) #15

Before we start, I realized that you are using the Adaptive Firewall on Chan-SIP, PJ-SIP, and IAX2. Unless you have a really good reason for opening this up to anything but PJ-SIP, I’d recommend disabling the Adaptive Firewall on the other two channel drivers and returning port control on those ports back to the Integrated Firewall (and put them in one of the protected zones).

You have a remote extension (with a static, we assume, address) and you have an external cell phone (with a dynamic address) accessing your system. Because of these two decisions, the port you use has to remain open to the public. Note that this is your requirement (the cell phone is the one that is specifically screwing you up).

There’s no “official” deal for this, since everyone’s configuration is going to be reliant on their skill level, specific network topology and configuration of their other network settings.

There are several ways for you to avoid this, many of which were discussed in the thread. Let’s go over some of the highlights:

  • Do not allow access to the ports. This involves closing the ports down except to specific IP addresses or removing them entirely from the public zone in the Integrated firewall. You can also NAT the system and hide it from the world behind a firewall - you’ll still need to allow access to some classes of addresses in this configuration, but you can limit your exposure in this way.
  • Obfuscate your SIP port. If you move your SIP port to another port, you’ve effectively hidden the port from the bots and the script kiddies, which is 90% of the access attacks you are seeing. Once an open SIP port is found, though, you will find it getting hammered from the outside if you do not otherwise limit access. Using a public port 5060 is inviting access attempts - it’s like leaving a salt lick in the forest and being mad because deer show up.
  • Implement VPN access for all external clients. This is one of the places where “skill level” comes into play. If (like me) you are mentally unable to figure out how the various forms of VPN access work together with the PBX, you are boned. On the other hand, if you aren’t as stupid about it as I am, you can set up VPN clients that allow your cell phone and remote phone clients access to the system without exposing the SIP port to the world.
  • Start looking at using Dynamic DNS support for host authentication. The Integrated Firewall allows for the use of Dynamic DNS names. This isn’t a panacea, but it can be used as a measure to preclude some accesses to the system. It allows you to “lock down” the system to specific addresses that change. The resolution on this isn’t terrific (there’s a 15-minute “refresh” window that you’ll have to just accept) but it’s easier than trying to set up a VPN.

None of these is going to prevent 100% of the access attempts you are likely to experience. For example, the mere fact that your cell phone client needs access to port 5060 from (theoretically) any address on the planet, there’s little you can do to mitigate the attempts to access your network. The only way to solve this, then, is to look at “the standard technologies” for allowing external network clients access to high-value ports on your system. There are dozens of ways to lock down your networks, and there’s no way for us to know which one is going to work best for you.

As to “fail2ban”, remember that this doesn’t keep people from hammering your 5060 port. It just keeps them from getting access to services, and most of the bots out there are learning to avoid detection from fail2ban. The distinction is subtle, but it’s important in your understanding of some of the issues.

Finally, and I don’t mean this to sound harsh (but it might), it isn’t our job as other users of the system to secure your network. Remember, it’s all just us chickens. We can make suggestions and we can steer you in ways that you can research to learn what you need to learn to make the network as secure as you want it to be, but it’s not something we can direct you to do. The tools supplied with the system are adequate to prevent most unauthorized accesses, but they will never lock your system down to the point that no one can get in, yet still allow access by people that can’t be identified beforehand. The system, in its basic configuration, is about openness, it’s about being flexible, and it’s about being a tool lots of people can use to get things done. As a User Community, we are all about getting things done.

I hope that helps - probably not, but I can hope.


(Edrick Smith) #16

So what’s going on here, it seems now that someone has accessed the system in some way and is continually attempting to dial something?

[2018-09-30 16:44:50] WARNING[16335]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
== Setting global variable ‘SIPDOMAIN’ to ‘192.168.1.10’
– Executing [011441519470602@from-sip-external:1] NoOp(“PJSIP/anonymous-00000096”, “Received incoming SIP connection from unknown peer to 011441519470602”) in new stack
– Executing [011441519470602@from-sip-external:2] Set(“PJSIP/anonymous-00000096”, “DID=011441519470602”) in new stack
– Executing [011441519470602@from-sip-external:3] Goto(“PJSIP/anonymous-00000096”, “s,1”) in new stack
– Goto (from-sip-external,s,1)
– Executing [s@from-sip-external:1] GotoIf(“PJSIP/anonymous-00000096”, “1?setlanguage:checkanon”) in new stack
– Goto (from-sip-external,s,2)
– Executing [s@from-sip-external:2] Set(“PJSIP/anonymous-00000096”, “CHANNEL(language)=en”) in new stack
– Executing [s@from-sip-external:3] GotoIf(“PJSIP/anonymous-00000096”, “0?noanonymous”) in new stack
– Executing [s@from-sip-external:4] Goto(“PJSIP/anonymous-00000096”, “from-trunk,011441519470602,1”) in new stack
– Goto (from-trunk,011441519470602,1)
– Executing [011441519470602@from-trunk:1] Set(“PJSIP/anonymous-00000096”, “__FROM_DID=011441519470602”) in new stack
– Executing [011441519470602@from-trunk:2] NoOp(“PJSIP/anonymous-00000096”, “Received an unknown call with DID set to 011441519470602”) in new stack
– Executing [011441519470602@from-trunk:3] Goto(“PJSIP/anonymous-00000096”, “s,a2”) in new stack
– Goto (from-trunk,s,2)
– Executing [s@from-trunk:2] Answer(“PJSIP/anonymous-00000096”, “”) in new stack
> 0x7f074404b970 – Strict RTP learning after remote address set to: 37.59.43.215:5092
[2018-09-30 16:44:59] WARNING[16335]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-09-30 16:45:00] WARNING[3860][C-00000096]: chan_sip.c:22996 func_header_read: This function can only be used on SIP channels.
– Executing [s@from-trunk:3] Log(“PJSIP/anonymous-00000096”, "WARNING,Friendly Scanner from ") in new stack
[2018-09-30 16:45:00] WARNING[3860][C-00000096]: Ext. s:3 @ from-trunk: Friendly Scanner from
– Executing [s@from-trunk:4] Wait(“PJSIP/anonymous-00000096”, “2”) in new stack
[2018-09-30 16:45:01] WARNING[31966]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
– Executing [s@from-trunk:5] Playback(“PJSIP/anonymous-00000096”, “ss-noservice”) in new stack
– <PJSIP/anonymous-00000096> Playing ‘ss-noservice.ulaw’ (language ‘en’)
[2018-09-30 16:45:02] WARNING[16335]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
– Executing [s@from-trunk:6] SayAlpha(“PJSIP/anonymous-00000096”, “011441519470602”) in new stack
– <PJSIP/anonymous-00000096> Playing ‘digits/0.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/1.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/1.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/4.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/4.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/1.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/5.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/1.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/9.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/4.ulaw’ (language ‘en’)
[2018-09-30 16:45:15] WARNING[31966]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
– <PJSIP/anonymous-00000096> Playing ‘digits/7.ulaw’ (language ‘en’)
[2018-09-30 16:45:16] WARNING[16335]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
– <PJSIP/anonymous-00000096> Playing ‘digits/0.ulaw’ (language ‘en’)
[2018-09-30 16:45:17] WARNING[31966]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-09-30 16:45:17] WARNING[16335]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
– <PJSIP/anonymous-00000096> Playing ‘digits/6.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/0.ulaw’ (language ‘en’)
– <PJSIP/anonymous-00000096> Playing ‘digits/2.ulaw’ (language ‘en’)
– Executing [s@from-trunk:7] Hangup(“PJSIP/anonymous-00000096”, “”) in new stack
== Spawn extension (from-trunk, s, 7) exited non-zero on ‘PJSIP/anonymous-00000096’
– Executing [h@from-trunk:1] Macro(“PJSIP/anonymous-00000096”, “hangupcall,”) in new stack
– Executing [s@macro-hangupcall:1] GotoIf(“PJSIP/anonymous-00000096”, “1?theend”) in new stack
– Goto (macro-hangupcall,s,3)
– Executing [s@macro-hangupcall:3] ExecIf(“PJSIP/anonymous-00000096”, “0?Set(CDR(recordingfile)=)”) in new stack
– Executing [s@macro-hangupcall:4] NoOp(“PJSIP/anonymous-00000096”, " monior file= ") in new stack
– Executing [s@macro-hangupcall:5] AGI(“PJSIP/anonymous-00000096”, “attendedtransfer-rec-restart.php,”) in new stack
– Launched AGI Script /var/lib/asterisk/agi-bin/attendedtransfer-rec-restart.php
– <PJSIP/anonymous-00000096>AGI Script attendedtransfer-rec-restart.php completed, returning 0
– Executing [s@macro-hangupcall:6] Hangup(“PJSIP/anonymous-00000096”, “”) in new stack
== Spawn extension (macro-hangupcall, s, 6) exited non-zero on ‘PJSIP/anonymous-00000096’ in macro ‘hangupcall’
== Spawn extension (from-trunk, h, 1) exited non-zero on ‘PJSIP/anonymous-00000096’
[2018-09-30 16:45:24] WARNING[31966]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-09-30 16:45:30] WARNING[16335]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-09-30 16:45:33] WARNING[31966]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-09-30 16:45:36] WARNING[16335]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
== Setting global variable ‘SIPDOMAIN’ to ‘192.168.1.10’
– Executing [9011441519470602@from-sip-external:1] NoOp(“PJSIP/anonymous-00000097”, “Received incoming SIP connection from unknown peer to 9011441519470602”) in new stack
– Executing [9011441519470602@from-sip-external:2] Set(“PJSIP/anonymous-00000097”, “DID=9011441519470602”) in new stack
– Executing [9011441519470602@from-sip-external:3] Goto(“PJSIP/anonymous-00000097”, “s,1”) in new stack
– Goto (from-sip-external,s,1)
– Executing [s@from-sip-external:1] GotoIf(“PJSIP/anonymous-00000097”, “1?setlanguage:checkanon”) in new stack
– Goto (from-sip-external,s,2)
– Executing [s@from-sip-external:2] Set(“PJSIP/anonymous-00000097”, “CHANNEL(language)=en”) in new stack
– Executing [s@from-sip-external:3] GotoIf(“PJSIP/anonymous-00000097”, “0?noanonymous”) in new stack
– Executing [s@from-sip-external:4] Goto(“PJSIP/anonymous-00000097”, “from-trunk,9011441519470602,1”) in new stack
– Goto (from-trunk,9011441519470602,1)
– Executing [9011441519470602@from-trunk:1] Set(“PJSIP/anonymous-00000097”, “__FROM_DID=9011441519470602”) in new stack
– Executing [9011441519470602@from-trunk:2] NoOp(“PJSIP/anonymous-00000097”, “Received an unknown call with DID set to 9011441519470602”) in new stack
– Executing [9011441519470602@from-trunk:3] Goto(“PJSIP/anonymous-00000097”, “s,a2”) in new stack
– Goto (from-trunk,s,2)
– Executing [s@from-trunk:2] Answer(“PJSIP/anonymous-00000097”, “”) in new stack
> 0x25f6ea0 – Strict RTP learning after remote address set to: 37.59.43.215:5092
[2018-09-30 16:45:40] WARNING[4046][C-00000097]: chan_sip.c:22996 func_header_read: This function can only be used on SIP channels.
– Executing [s@from-trunk:3] Log(“PJSIP/anonymous-00000097”, "WARNING,Friendly Scanner from ") in new stack
[2018-09-30 16:45:40] WARNING[4046][C-00000097]: Ext. s:3 @ from-trunk: Friendly Scanner from
– Executing [s@from-trunk:4] Wait(“PJSIP/anonymous-00000097”, “2”) in new stack
– Executing [s@from-trunk:5] Playback(“PJSIP/anonymous-00000097”, “ss-noservice”) in new stack
– <PJSIP/anonymous-00000097> Playing ‘ss-noservice.ulaw’ (language ‘en’)
freepbx*CLI> c

Also, from the FreePBX call log there are a number of attempted call records that aren’t us.


(Edrick Smith) #17

So I found that somehow Allow Anonymous SIP Calls was on and Allow SIP Guests.

I’ve turned those to No. Should it be acceptable for both of them to be set to No?

Now instead in the cli I get:

717-123492072-1170406239) - No matching endpoint found
[2018-09-30 16:59:32] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘<sip:805@192.168.1.10>’ failed for ‘185.40.4.165:61734’ (callid: 520463717-123492072-1170406239) - Failed to authenticate
[2018-09-30 16:59:32] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘<sip:805@192.168.1.10>’ failed for ‘185.40.4.165:61734’ (callid: 520463717-123492072-1170406239) - No matching endpoint found
[2018-09-30 16:59:32] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘<sip:805@192.168.1.10>’ failed for ‘185.40.4.165:61734’ (callid: 520463717-123492072-1170406239) - Failed to authenticate
[2018-09-30 16:59:33] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘<sip:805@192.168.1.10>’ failed for ‘185.40.4.165:61734’ (callid: 520463717-123492072-1170406239) - No matching endpoint found
[2018-09-30 16:59:33] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘<sip:805@192.168.1.10>’ failed for ‘185.40.4.165:61734’ (callid: 520463717-123492072-1170406239) - Failed to authenticate
[2018-09-30 16:59:33] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘<sip:805@192.168.1.10>’ failed for ‘185.40.4.165:61734’ (callid: 520463717-123492072-1170406239) - No matching endpoint found
[2018-09-30 16:59:33] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘<sip:805@192.168.1.10>’ failed for ‘185.40.4.165:61734’ (callid: 520463717-123492072-1170406239) - Failed to authenticate
[2018-09-30 16:59:33] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘<sip:805@192.168.1.10>’ failed for ‘185.40.4.165:61734’ (callid: 520463717-123492072-1170406239) - No matching endpoint found
[2018-09-30 16:59:33] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘<sip:805@192.168.1.10>’ failed for ‘185.40.4.165:61734’ (callid: 520463717-123492072-1170406239) - Failed to authenticate
[2018-09-30 16:59:37] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“309” <sip:309@192.168.1.10>’ failed for ‘212.83.142.99:9926’ (callid: ategtlgjslbqifnafjujiycfvnxhixuxyiuvundawrjwpvejgk) - No matching endpoint found
[2018-09-30 16:59:37] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“309” <sip:309@192.168.1.10>’ failed for ‘212.83.142.99:9926’ (callid: ategtlgjslbqifnafjujiycfvnxhixuxyiuvundawrjwpvejgk) - No matching endpoint found
[2018-09-30 16:59:37] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“309” <sip:309@192.168.1.10>’ failed for ‘212.83.142.99:9926’ (callid: ategtlgjslbqifnafjujiycfvnxhixuxyiuvundawrjwpvejgk) - Failed to authenticate
[2018-09-30 16:59:37] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“309” <sip:309@192.168.1.10>’ failed for ‘212.83.142.99:9926’ (callid: ategtlgjslbqifnafjujiycfvnxhixuxyiuvundawrjwpvejgk) - No matching endpoint found
[2018-09-30 16:59:37] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“309” <sip:309@192.168.1.10>’ failed for ‘212.83.142.99:9926’ (callid: ategtlgjslbqifnafjujiycfvnxhixuxyiuvundawrjwpvejgk) - Failed to authenticate
[2018-09-30 16:59:39] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“5100” <sip:5100@192.168.1.10>’ failed for ‘212.83.142.99:9501’ (callid: lxljhpkxuuplpupjrxcxqwshqupaexhwrhpbwvbmbjwmlbcoep) - No matching endpoint found
[2018-09-30 16:59:39] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“5100” <sip:5100@192.168.1.10>’ failed for ‘212.83.142.99:9501’ (callid: lxljhpkxuuplpupjrxcxqwshqupaexhwrhpbwvbmbjwmlbcoep) - No matching endpoint found
[2018-09-30 16:59:39] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“5100” <sip:5100@192.168.1.10>’ failed for ‘212.83.142.99:9501’ (callid: lxljhpkxuuplpupjrxcxqwshqupaexhwrhpbwvbmbjwmlbcoep) - Failed to authenticate
[2018-09-30 16:59:39] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“5100” <sip:5100@192.168.1.10>’ failed for ‘212.83.142.99:9501’ (callid: lxljhpkxuuplpupjrxcxqwshqupaexhwrhpbwvbmbjwmlbcoep) - No matching endpoint found
[2018-09-30 16:59:39] NOTICE[2092]: res_pjsip/pjsip_distributor.c:649 log_failed_request: Request ‘REGISTER’ from ‘“5100” <sip:5100@192.168.1.10>’ failed for ‘212.83.142.99:9501’ (callid: lxljhpkxuuplpupjrxcxqwshqupaexhwrhpbwvbmbjwmlbcoep) - Failed to authenticate
freepbx*CLI>

So it seems that something / someone is constantly hammering the box trying to register extensions. Is there no way to have the box automatically ban them after x amount of failed attempts?

I need to figure out what security wise I need to do as we have mobile phones that register so using a VPN that you have to establish all the time on the iPhone or setting firewall rules to allow only static IP addresses through won’t work. So is my only option to change the port and hope that someone doesn’t scan / find that port?


#18

Using an obscure port number will certainly help, though you’ll have to configure all your extensions to register to the new port.

For better protection, see https://wiki.freepbx.org/display/FPG/Responsive+Firewall . If your system can’t run that, see https://www.fail2ban.org/wiki/index.php/Main_Page .

OpenVPN (among others) can be set up to route only specific IP addresses through the VPN; access to other sites on the internet will not be affected. However, keeping the VPN connection continuously up will reduce battery life.

The automated scanning tools mostly use UDP, so setting up your mobile extensions to use TCP or TLS (on a nonstandard port) should reduce attacks to nearly zero (of course, don’t leave the UDP port open to the internet).
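
Added example (not part of any post in this thread, and not fail2ban's or FreePBX's own code): a small Python model of the point made in posts #7 and #9 and the question in post #17. It shows which of the two log formats seen above carries a source address a ban rule can act on, and applies a fail2ban-style `maxretry` within `findtime` threshold to the ones that do. The log lines are constructed in the thread's format with documentation-range IP addresses; the regexes accept both ASCII quotes and the curly quotes the forum rendering shows, and assume IPv4 sources.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Quote as Asterisk writes it, or the curly quotes the forum rendering substitutes.
Q = "['\u2018\u2019]"

# pjsip_distributor failure line: carries the source IP (what fail2ban calls <HOST>).
FAILED_REQUEST = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: "
    r"res_pjsip/pjsip_distributor\.c:\d+ log_failed_request: "
    rf"Request {Q}(?P<method>\w+){Q} from {Q}.*{Q} "
    rf"failed for {Q}(?P<host>\d{{1,3}}(?:\.\d{{1,3}}){{3}}):\d+{Q} "
    r"\(callid: [^)]*\) - (?P<reason>.+)$"
)

# Registrar warning from the first post: no address anywhere in the line.
ANON_NO_AOR = re.compile(
    r"res_pjsip_registrar\.c:\d+ registrar_on_rx_request: "
    rf"Endpoint {Q}anonymous{Q} has no configured AORs"
)


def classify(line):
    """Return (kind, host, timestamp) for one Asterisk log line."""
    m = FAILED_REQUEST.match(line)
    if m:
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        return "bannable", m["host"], ts
    if ANON_NO_AOR.search(line):
        return "no-host", None, None
    return "other", None, None


def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Model of a maxretry/findtime rule over chronologically ordered lines.

    Returns ({host: time the threshold was reached}, count of lines that
    matched the registrar warning and therefore could not be attributed).
    """
    recent = defaultdict(deque)   # host -> timestamps inside the window
    banned = {}
    unattributable = 0
    for line in lines:
        kind, host, ts = classify(line.strip())
        if kind == "no-host":
            unattributable += 1
        elif kind == "bannable" and host not in banned:
            window = recent[host]
            window.append(ts)
            while ts - window[0] > findtime:
                window.popleft()
            # In the thread's log one rejected REGISTER shows up under both
            # reasons with the same callid; both lines count here.
            if len(window) >= maxretry:
                banned[host] = ts
    return banned, unattributable


# Constructed sample in the thread's log format (documentation IP ranges).
_P = "res_pjsip/pjsip_distributor.c:649 log_failed_request: Request"
SAMPLE_LOG = f"""\
[2018-09-30 16:59:30] WARNING[16335]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint 'anonymous' has no configured AORs
[2018-09-30 16:59:31] WARNING[31966]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint 'anonymous' has no configured AORs
[2018-09-30 16:59:32] NOTICE[2092]: {_P} 'REGISTER' from '<sip:805@192.0.2.10>' failed for '203.0.113.7:61734' (callid: constructed-1) - No matching endpoint found
[2018-09-30 16:59:32] NOTICE[2092]: {_P} 'REGISTER' from '<sip:805@192.0.2.10>' failed for '203.0.113.7:61734' (callid: constructed-1) - Failed to authenticate
[2018-09-30 16:59:33] NOTICE[2092]: {_P} 'REGISTER' from '<sip:805@192.0.2.10>' failed for '203.0.113.7:61734' (callid: constructed-1) - No matching endpoint found
[2018-09-30 16:59:33] NOTICE[2092]: {_P} 'REGISTER' from '<sip:805@192.0.2.10>' failed for '203.0.113.7:61734' (callid: constructed-1) - Failed to authenticate
[2018-09-30 16:59:33] NOTICE[2092]: {_P} 'REGISTER' from '<sip:805@192.0.2.10>' failed for '203.0.113.7:61734' (callid: constructed-1) - No matching endpoint found
[2018-09-30 16:59:36] WARNING[16335]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint \u2018anonymous\u2019 has no configured AORs
[2018-09-30 16:59:37] NOTICE[2092]: {_P} \u2018REGISTER\u2019 from \u2018\u201c309\u201d <sip:309@192.0.2.10>\u2019 failed for \u2018198.51.100.23:9926\u2019 (callid: constructed-2) - No matching endpoint found
[2018-09-30 16:59:37] NOTICE[2092]: {_P} \u2018REGISTER\u2019 from \u2018\u201c309\u201d <sip:309@192.0.2.10>\u2019 failed for \u2018198.51.100.23:9926\u2019 (callid: constructed-2) - Failed to authenticate
"""

if __name__ == "__main__":
    banned, unattributable = find_offenders(SAMPLE_LOG.splitlines())
    for host, when in banned.items():
        print(f"would ban {host} (threshold reached at {when})")
    print(f"{unattributable} registrar warnings carried no address to ban")
```

The same split applies to any real filter: a pattern can only produce a ban from lines like the `log_failed_request` ones, so the registrar warning has to be dealt with at the firewall or transport level as discussed in the replies above.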