I’m running Freepbx 6.12.65-27 w/ asterisk 13.3.2 on a vps that’s exposed. Haven’t changed any iptables or fail2ban settings from the ones that shipped with the Freepbx Distro. I’ve noticed hundreds of entries like this in the logs. Here’s just a snippet…
[2015-05-26 14:39:03] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5088' (callid: 444f16085473bd7ca24a1852aab2fdba) - No matching endpoint found
[2015-05-26 14:39:25] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5073' (callid: f7122a466c047d6a17e6f34f7a17f425) - No matching endpoint found
[2015-05-26 14:48:23] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5071' (callid: ca26458a3198450f8c14823c0e450e4c) - No matching endpoint found
[2015-05-26 14:52:32] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5096' (callid: efdbe08ec28f57ed5ab72775feb5e6ff) - No matching endpoint found
[2015-05-26 14:55:36] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"888" <sip:[email protected]>' failed for '195.154.133.168:5071' (callid: 85daf15fe6020b960f8e66c0e8d107fd) - No matching endpoint found
[2015-05-26 14:57:42] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5076' (callid: c369002b1311573528ba025fd93d0485) - No matching endpoint found
[2015-05-26 15:05:36] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5074' (callid: 3b47e1d73c8dfdb5dfce0c09be45e7e6) - No matching endpoint found
[2015-05-26 15:06:58] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5076' (callid: 9ab8c05bc090f4d65cb24ffdbb764a8b) - No matching endpoint found
[2015-05-26 15:16:13] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5076' (callid: cba0e898700a55edbc31756a37241cf6) - No matching endpoint found
[2015-05-26 15:18:45] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5071' (callid: 1b301d8b189c056a938a635c26f43b22) - No matching endpoint found
[2015-05-26 15:24:02] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"sipvicious" <sip:[email protected]>' failed for '62.210.209.158:5093' (callid: 436601293901662377524677) - No matching endpoint found
[2015-05-26 15:25:31] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5070' (callid: 2596799fdc3646d3757734fd5e403fac) - No matching endpoint found
[2015-05-26 15:31:44] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5079' (callid: 538fded5d0f37777eab4e4306223fd60) - No matching endpoint found
[2015-05-26 15:34:50] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5080' (callid: 9f8d9604d2d6e7eb473ba46e7ae9e941) - No matching endpoint found
[2015-05-26 15:44:13] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5070' (callid: 7dc59225d1d128d47beaa92da8865c97) - No matching endpoint found
[2015-05-26 15:44:36] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5071' (callid: 34c74157dc6f2d27235191c8f77ae94c) - No matching endpoint found
[2015-05-26 15:53:34] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5071' (callid: 5144d19624ed98629e07f6118671bf00) - No matching endpoint found
[2015-05-26 15:57:45] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5077' (callid: 2bbf5e39181418679f7fbf362924d6e4) - No matching endpoint found
[2015-05-26 16:02:52] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5076' (callid: aaf0810f8c9f1202cdd0aa1304249b47) - No matching endpoint found
[2015-05-26 16:10:42] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5073' (callid: bcf826577d1e728ee69f8f352f77632e) - No matching endpoint found
[2015-05-26 16:12:16] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5079' (callid: dd28c310064917ac352938ac7e624a13) - No matching endpoint found
[2015-05-26 16:21:39] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"as100" <sip:[email protected]>' failed for '23.92.80.29:5071' (callid: f5eeb95e8bd12dd738c92da4a865c1b7) - No matching endpoint found
[2015-05-26 16:23:44] NOTICE[15129] res_pjsip/pjsip_distributor.c: Request from '"2020" <sip:[email protected]>' failed for '23.239.65.10:5070' (callid: fab3f4aa2d91aeeed92b9f1a35e297ab) - No matching endpoint found
Just curious what those entries meant and if I should be concerned? Thanks for your help.
Your fail2ban setup for the asterisk jail needs to have a regex that covers those log lines. You are under attack from servers in
23.92.80.0/20 # ARIN US NODESDIRECT Nodes Direct
195.154.128.0/17 # RIPE FR FR-ILIAD-ENTREPRISES-CUSTOMERS Iliad Entreprises Customers
to name just two, add a restrictive firewall to your system,
http://community.freepbx.org/t/so-many-hackers/?source_topic_id=29401
Thanks Dicko for the prompt reply. The asterisk.conf filter that shipped with the distro has…
NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found
Would it be as easy as copying that regex line and replacing “Registration from” with “Request from”? Side question: is there a difference between such language as Registration and Request?
You posted in General Help, you should perhaps post in Commercial Modules as disturbing anything within that closed system (sysadmin) will likely cause bad “signature things” to happen to your system, if it doesn’t, then by my understanding it should.
But to experiment, fail2ban has
fail2ban-regex
to parse and prove your regexes are working.
NOTICE.* .*: Re[gq].* from '.*' failed for '<HOST>:.*' .*- No .* found
might be a better one to catch both SIP and PJSIP type log lines, remember PJSIP is still in very formative stages yet.
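An offline stand-in for the fail2ban-regex check discussed in this thread, added here as an example; it is not part of any poster's message and is not fail2ban's own code. It compares the shipped filter line with two constructed candidates against constructed sample lines in the chan_sip and PJSIP formats. Assumptions: the `<HOST>` tag is approximated by an IPv4-only pattern, and the sample addresses are documentation addresses.

```python
import re

# Simplified stand-in for fail2ban's <HOST> tag (assumption of this example:
# IPv4 only; the real tag also accepts hostnames and IPv6).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# "shipped" is the filter line quoted in the thread. "swapped" and
# "callid_aware" are constructed for this example.
CANDIDATES = {
    "shipped": r"NOTICE.* .*: Registration from '.*' failed for '<HOST>:.*' - No matching peer found",
    # Only "Registration" replaced by "Request", as asked in the thread.
    "swapped": r"NOTICE.* .*: Request from '.*' failed for '<HOST>:.*' - No matching peer found",
    # Also tolerates the "(callid: ...)" field and the "endpoint" wording
    # that the PJSIP log lines carry.
    "callid_aware": r"NOTICE.* .*: Re(?:gistration|quest) from '.*' failed for '<HOST>:\d+'"
                    r"(?: \(callid: [^)]*\))? - No matching (?:peer|endpoint) found",
}

# Constructed sample lines: one PJSIP failure, one chan_sip failure, one benign.
SAMPLES = [
    "[2015-05-26 14:39:03] NOTICE[8354] res_pjsip/pjsip_distributor.c: Request from '\"as100\" <sip:as100@192.0.2.10>' failed for '198.51.100.7:5088' (callid: 444f16085473bd7c) - No matching endpoint found",
    "[2015-05-26 14:40:11] NOTICE[8354] chan_sip.c: Registration from '\"2020\" <sip:2020@192.0.2.10>' failed for '203.0.113.9:5073' - No matching peer found",
    "[2015-05-26 14:41:00] NOTICE[8354] chan_sip.c: Peer '100' is now Reachable. (12ms / 2000ms)",
]

def compile_failregex(failregex):
    """Expand the <HOST> tag the way this example approximates it."""
    return re.compile(failregex.replace("<HOST>", HOST))

def offenders(failregex, lines):
    """Return the source address of every line the failregex would flag."""
    rx = compile_failregex(failregex)
    hits = []
    for line in lines:
        m = rx.search(line)
        if m:
            hits.append(m.group("host"))
    return hits

def report(lines=SAMPLES):
    """Map each candidate name to the addresses it would ban."""
    return {name: offenders(rx, lines) for name, rx in CANDIDATES.items()}

if __name__ == "__main__":
    for name, hosts in report().items():
        print(f"{name:13s} -> {hosts}")
```

The word swap alone still misses the PJSIP line, because the callid field sits between the quoted address and " - No" and the tail says "endpoint" rather than "peer". On the server, fail2ban-regex run against the real log and filter remains the authoritative check.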