Hack Attempt?

Hi All,
I’m pretty sure of what I’m looking at, but wanted to run it by you all.
In the Reports menu > Asterisk Log Files - the log named “Full” I have found several huge sections that look like this

[2016-12-09 20:16:12] NOTICE[12561] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘“9999” sip:[email protected]’ failed for ‘131.153.5.226:5071’ (callid: 182ae8b6475a57bd4663974b8c18da55) - No matching endpoint found
[2016-12-09 20:16:22] NOTICE[1811] chan_sip.c: Received SIP subscribe for peer without mailbox: 1943
[2016-12-09 20:17:19] NOTICE[12655] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘“9999” sip:[email protected]’ failed for ‘131.153.5.226:5070’ (callid: 98d55f274ad6de49d4a9d690b6f7476f) - No matching endpoint found
[2016-12-09 20:17:55] NOTICE[1811] chan_sip.c: Received SIP subscribe for peer without mailbox: 4443
[2016-12-09 20:18:05] NOTICE[12655] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘“101” sip:[email protected]’ failed for ‘162.254.207.67:5070’ (callid: 1b5add5706f97a00a179e9a501eb4938) - No matching endpoint found
[2016-12-09 20:18:24] NOTICE[12655] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘“9999” sip:[email protected]’ failed for ‘131.153.5.226:5074’ (callid: b28ebd3d3d63052616495dc0d0075fe3) - No matching endpoint found
[2016-12-09 20:19:22] NOTICE[1811] chan_sip.c: Received SIP subscribe for peer without mailbox: 1943
[2016-12-09 20:19:32] NOTICE[12857] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘“9999” sip:[email protected]’ failed for ‘131.153.5.226:5078’ (callid: 9af8747762b8edb70b5a9061df691506) - No matching endpoint found
[2016-12-09 20:20:18] NOTICE[12857] res_pjsip/pjsip_distributor.c: Request ‘INVITE’ from ‘“2200” sip:[email protected]’ failed for ‘69.64.57.15:5071’ (callid: 41f550858f0c4ebf4630df7c9380c6cb) - No matching endpoint found

The list that I have prepared wouldn’t really be nice in this post due to its size, so I’ve just put up a snippet. I was looking for the like code quote option in the editor, but either I can’t find it or the dev here didn’t think it was important. So there’s the short snippet in blockquote.

Now, I’ve also seen in the fail2ban log file many of the same unknown IP addresses. So, I’m thinking that the server is being hit by an attacker and, as it should be, the attacker IP is blocked. Correct?

Thanks,
John

It’s a guy in Palestine; you need to update your fail2ban jail to include pjsip.
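To make the pattern in the log excerpt concrete, here is an added example (not code from anyone in this thread, and not fail2ban's own filter) that picks out the res_pjsip "No matching endpoint found" rejections and counts them per source address, using thresholds modelled on fail2ban's maxretry and findtime options. It assumes the log uses straight quotes and a `<sip:...>` URI, as Asterisk writes them; the function names and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in Asterisk "full" log layout; addresses are documentation ranges.
SAMPLE_LOG = """\
[2016-12-09 20:16:12] NOTICE[12561] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"9999" <sip:9999@192.0.2.1>' failed for '203.0.113.5:5071' (callid: c1) - No matching endpoint found
[2016-12-09 20:16:22] NOTICE[1811] chan_sip.c: Received SIP subscribe for peer without mailbox: 1943
[2016-12-09 20:17:19] NOTICE[12655] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"9999" <sip:9999@192.0.2.1>' failed for '203.0.113.5:5070' (callid: c2) - No matching endpoint found
[2016-12-09 20:18:05] NOTICE[12655] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.7:5070' (callid: c3) - No matching endpoint found
[2016-12-09 20:18:24] NOTICE[12655] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"9999" <sip:9999@192.0.2.1>' failed for '203.0.113.5:5074' (callid: c4) - No matching endpoint found
[2016-12-09 23:40:00] NOTICE[12857] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.7:5071' (callid: c5) - No matching endpoint found
"""

# The From header is client-supplied, so the source address is read from the
# "failed for" field that Asterisk writes itself, anchored to the end of the line.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] "
    r"res_pjsip/pjsip_distributor\.c: Request '[A-Z]+' from '.*' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' "
    r"\(callid: [^)]*\) - No matching endpoint found$"
)

def parse_failures(log_text):
    """Return [(timestamp, source_ip)] for rejected PJSIP requests."""
    out = []
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]))
    return out

def find_offenders(log_text, max_retry=3, find_time=600):
    """Return {ip: failures} for sources with max_retry hits within find_time seconds."""
    by_ip = defaultdict(list)
    for ts, ip in parse_failures(log_text):
        by_ip[ip].append(ts)
    offenders = {}
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - max_retry + 1):
            if times[i + max_retry - 1] - times[i] <= timedelta(seconds=find_time):
                offenders[ip] = len(times)
                break
    return offenders

if __name__ == "__main__":
    for ip, n in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {n} rejected requests, candidate for a ban")
```

The chan_sip.c subscribe notices do not match the pattern and are ignored, which is the same gap a jail without a pjsip rule leaves in the other direction.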

Hey Dicko,
Not sure why, but I cannot seem to find out how to update. I have learned how to configure, though. So that’s a bonus. I see the zip file on the link you provided. Am I supposed to install that on my system?

Thank You, John

Is this what I’m looking for?

Probably not. Most OS packages supply an out-of-date Fail2ban; just get it from source. If you are using the “Distro”, I would query there first as to what they distribute.

So you’re telling me to download the zip file from the link you provided and then install that zip package on my system? Do I do that in Module Admin > Upload Module?

Sorry for being such a newb. This just isn’t something that I have to deal with often…

Thank You,
John

It’s a little more complicated. Are you using the Distro?

Yes. It’s 32bit-10.13.66

I believe this is where you can do what you want:

@alexcal has the right idea: configure the Firewall so that services are only exposed to trusted hosts. If SIP must be exposed to untrusted internet traffic, then enable Responsive.

http://wiki.freepbx.org/display/FPG/Firewall