I am trying to get the external IP address of the connected devices. I did: grep 'Added contact' /var/log/asterisk/full* | grep -E -o '([0-9]{1,3}[\.]){3}[0-9]{1,3}' but it gives me both the internal and external IPs. Also, this does not seem to get all the connected devices.
VERBOSE[13539] res_pjsip_registrar.c: Added contact 'sip:[email protected]:48721;transport=TLS;rinstance=70df52f927ca6728;x-ast-orig-host=192.168.1.213:35279' to AOR '203' with expiration of 60 seconds
What are you trying to do? If you have one week of logs (the default), then any devices that have remained registered for more than a week won’t show up.
Possibly, you want asterisk -rx 'pjsip show contacts' | grep -E -o '([0-9]{1,3}[\.]){3}[0-9]{1,3}'
or asterisk -rx 'pjsip show aors' | grep -E -o '([0-9]{1,3}[\.]){3}[0-9]{1,3}'
In the past I had issues securing my server, so with the help of people here I built a script that alerts me when there is unauthorized access/attempt to my FreePBX. I would like to take it one step further by including any unauthorized (attempt) registration to an extension not part of my trusted IP list.
If you have a list of trusted IPs or FQDNs, why not whitelist them in your network, or Sangoma firewall?
If you need to keep your PBX exposed for some reason, I’d suggest using a random port for SIP and restricting access based on GEOIP. You can also install apiban to prevent bad actors from even attempting to register.
However, I do agree with the idea of getting failed registration alerts, that way if there’s something bad happening, or a user has trouble, you’ll know it right away.
I agree with you. I blocked everything except the trusted IPs in both FreePBX and my cloud provider firewalls. I am also using fail2ban, VPN, HTTPS, HTTP to HTTPS redirect, and long strong passwords. Fortunately, the script did not fire since then. But we are humans and mistakes happen; this is another layer of defense / alerting in case something fails or someone finds an unpatched security hole.
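An added example, not code from any poster in this thread: the bare IPv4 grep in the first post returns two addresses per line because the contact URI carries both the source address (after the `@`) and the device's own address in `x-ast-orig-host`. The sketch below takes only the address after the `@`, pairs it with the AOR, and lists registrations whose source is not in a trusted list. The function names, the trusted-file format (one exact IPv4 address per line, no CIDR) and the sample addresses are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: flag 'Added contact' registrations from untrusted source IPs.

# Print "AOR source_ip" for each 'Added contact' line read from stdin.
# Only the host after '@' is captured; x-ast-orig-host (the device's own,
# usually private, address) is deliberately ignored.
extract_registrations() {
  sed -nE "s/.*Added contact 'sips?:[^@']*@(([0-9]{1,3}\.){3}[0-9]{1,3})[:;'].* to AOR '([^']*)'.*/\3 \1/p"
}

# Print the registrations whose source IP is absent from the trusted file.
# Assumption: the file holds one exact IPv4 address per line.
untrusted_registrations() {
  local trusted_file=$1 aor ip
  extract_registrations | sort -u | while read -r aor ip; do
    grep -Fxq -- "$ip" "$trusted_file" || printf '%s %s\n' "$aor" "$ip"
  done
}

# Constructed sample lines in the format quoted in the thread.
# All addresses are from documentation/private ranges.
sample_log() {
  cat <<'EOF'
VERBOSE[13539] res_pjsip_registrar.c: Added contact 'sip:203@203.0.113.7:48721;transport=TLS;rinstance=70df52f927ca6728;x-ast-orig-host=192.168.1.213:35279' to AOR '203' with expiration of 60 seconds
VERBOSE[13539] res_pjsip_registrar.c: Added contact 'sip:203@203.0.113.7:48755;transport=TLS;rinstance=1111111111111111;x-ast-orig-host=192.168.1.213:35301' to AOR '203' with expiration of 60 seconds
VERBOSE[13541] res_pjsip_registrar.c: Added contact 'sip:204@198.51.100.23:5061;transport=TLS;x-ast-orig-host=10.0.0.5:5061' to AOR '204' with expiration of 60 seconds
EOF
}

# Run the check on the sample with 203.0.113.7 as the only trusted address.
demo() {
  local trusted
  trusted=$(mktemp)
  printf '%s\n' 203.0.113.7 > "$trusted"
  sample_log | untrusted_registrations "$trusted"
  rm -f "$trusted"
}

demo
```

Against real logs, replace `sample_log` with `grep -h 'Added contact' /var/log/asterisk/full*`; as noted in the thread, devices that registered before the oldest retained log will not appear.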