Have I been compromised?

I keep getting registration failures, so the provider asked for the logs. Here’s a piece - this looks bad. Is it?

[2018-03-14 04:02:01] Asterisk 13.18.4 built by mockbuild @ jenkins7 on a x86_64 running Linux on 2017-12-18 02:25:59 UTC
[2018-03-14 04:02:01] VERBOSE[24900] config.c: Parsing '/etc/asterisk/logger.conf': Found
[2018-03-14 04:02:01] VERBOSE[24900] config.c: Parsing '/etc/asterisk/logger_general_additional.conf': Found
[2018-03-14 04:02:01] VERBOSE[24900] config.c: Parsing '/etc/asterisk/logger_general_custom.conf': Found
[2018-03-14 04:02:01] VERBOSE[24900] config.c: Parsing '/etc/asterisk/logger_logfiles_additional.conf': Found
[2018-03-14 04:02:01] VERBOSE[24900] config.c: Parsing '/etc/asterisk/logger_logfiles_custom.conf': Found
[2018-03-14 04:02:01] VERBOSE[24900] logger.c: Asterisk Queue Logger restarted
[2018-03-14 04:02:01] VERBOSE[24900] asterisk.c: Remote UNIX connection disconnected
[2018-03-14 04:02:45] VERBOSE[2265][C-000001bf] netsock2.c: Using SIP RTP TOS bits 184
[2018-03-14 04:02:45] VERBOSE[2265][C-000001bf] netsock2.c: Using SIP RTP CoS mark 5
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx.c: Executing [0046920479341@from-sip-external:1] NoOp("SIP/99.118.21.81-000001d9", "Received incoming SIP connection from unknown peer to 0046920479341") in new stack
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx.c: Executing [0046920479341@from-sip-external:2] Set("SIP/99.118.21.81-000001d9", "DID=0046920479341") in new stack
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx.c: Executing [0046920479341@from-sip-external:3] Goto("SIP/99.118.21.81-000001d9", "s,1") in new stack
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx_builtins.c: Goto (from-sip-external,s,1)
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx.c: Executing [s@from-sip-external:1] GotoIf("SIP/99.118.21.81-000001d9", "1?setlanguage:checkanon") in new stack
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx_builtins.c: Goto (from-sip-external,s,2)
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx.c: Executing [s@from-sip-external:2] Set("SIP/99.118.21.81-000001d9", "CHANNEL(language)=en") in new stack
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx.c: Executing [s@from-sip-external:3] GotoIf("SIP/99.118.21.81-000001d9", "1?noanonymous") in new stack
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx_builtins.c: Goto (from-sip-external,s,5)
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx.c: Executing [s@from-sip-external:5] Set("SIP/99.118.21.81-000001d9", "TIMEOUT(absolute)=15") in new stack
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] func_timeout.c: Channel will hangup at 2018-03-14 04:03:00.815 PDT.
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx.c: Executing [s@from-sip-external:6] Log("SIP/99.118.21.81-000001d9", "WARNING,"Rejecting unknown SIP connection from 107.155.133.102"") in new stack
[2018-03-14 04:02:45] WARNING[24995][C-000001bf] Ext. s: "Rejecting unknown SIP connection from 107.155.133.102"
[2018-03-14 04:02:45] VERBOSE[24995][C-000001bf] pbx.c: Executing [s@from-sip-external:7] Answer("SIP/99.118.21.81-000001d9", "") in new stack
[2018-03-14 04:02:46] VERBOSE[24995][C-000001bf] pbx.c: Executing [s@from-sip-external:8] Wait("SIP/99.118.21.81-000001d9", "2") in new stack
[2018-03-14 04:02:48] VERBOSE[24995][C-000001bf] pbx.c: Executing [s@from-sip-external:9] Playback("SIP/99.118.21.81-000001d9", "ss-noservice") in new stack
[2018-03-14 04:02:48] VERBOSE[24995][C-000001bf] file.c: <SIP/99.118.21.81-000001d9> Playing 'ss-noservice.ulaw' (language 'en')
[2018-03-14 04:02:53] VERBOSE[24995][C-000001bf] pbx.c: Executing [s@from-sip-external:10] PlayTones("SIP/99.118.21.81-000001d9", "congestion") in new stack
[2018-03-14 04:02:53] VERBOSE[24995][C-000001bf] pbx.c: Executing [s@from-sip-external:11] Congestion("SIP/99.118.21.81-000001d9", "5") in new stack
[2018-03-14 04:02:58] VERBOSE[24995][C-000001bf] pbx.c: Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/99.118.21.81-000001d9'
[2018-03-14 04:02:58] VERBOSE[24995][C-000001bf] pbx.c: Executing [h@from-sip-external:1] Hangup("SIP/99.118.21.81-000001d9", "") in new stack
[2018-03-14 04:02:58] VERBOSE[24995][C-000001bf] pbx.c: Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/99.118.21.81-000001d9'
[2018-03-14 04:03:17] WARNING[2265] chan_sip.c: Retransmission timeout reached on transmission 14802561fc4a2a1490e7124a66cb04b8 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response
[2018-03-14 04:11:04] NOTICE[2265] chan_sip.c: Registration from '"500" <sip:[email protected]>' failed for '185.22.152.68:5619' - Wrong password
[2018-03-14 04:11:04] NOTICE[2265] chan_sip.c: Registration from '"500" <sip:[email protected]>' failed for '185.22.152.68:5619' - Wrong password
[2018-03-14 04:11:04] NOTICE[2265] chan_sip.c: Registration from '"500" <sip:[email protected]>' failed for '185.22.152.68:5619' - Wrong password
[2018-03-14 04:11:04] NOTICE[2265] chan_sip.c: Registration from '"500" <sip:[email protected]>' failed for '185.22.152.68:5619' - Wrong password
[2018-03-14 04:11:04] NOTICE[2265] chan_sip.c: Registration from '"500" <sip:[email protected]>' failed for '185.22.152.68:5619' - Wrong password
[2018-03-14 04:12:46] VERBOSE[2265][C-000001c0] netsock2.c: Using SIP RTP TOS bits 184
[2018-03-14 04:12:46] VERBOSE[2265][C-000001c0] netsock2.c: Using SIP RTP CoS mark 5
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx.c: Executing [501146920479341@from-sip-external:1] NoOp("SIP/99.118.21.81-000001da", "Received incoming SIP connection from unknown peer to 501146920479341") in new stack
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx.c: Executing [501146920479341@from-sip-external:2] Set("SIP/99.118.21.81-000001da", "DID=501146920479341") in new stack
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx.c: Executing [501146920479341@from-sip-external:3] Goto("SIP/99.118.21.81-000001da", "s,1") in new stack
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx_builtins.c: Goto (from-sip-external,s,1)
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx.c: Executing [s@from-sip-external:1] GotoIf("SIP/99.118.21.81-000001da", "1?setlanguage:checkanon") in new stack
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx_builtins.c: Goto (from-sip-external,s,2)
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx.c: Executing [s@from-sip-external:2] Set("SIP/99.118.21.81-000001da", "CHANNEL(language)=en") in new stack
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx.c: Executing [s@from-sip-external:3] GotoIf("SIP/99.118.21.81-000001da", "1?noanonymous") in new stack
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx_builtins.c: Goto (from-sip-external,s,5)
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx.c: Executing [s@from-sip-external:5] Set("SIP/99.118.21.81-000001da", "TIMEOUT(absolute)=15") in new stack
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] func_timeout.c: Channel will hangup at 2018-03-14 04:13:01.945 PDT.
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx.c: Executing [s@from-sip-external:6] Log("SIP/99.118.21.81-000001da", "WARNING,"Rejecting unknown SIP connection from 107.155.133.102"") in new stack
[2018-03-14 04:12:46] WARNING[25784][C-000001c0] Ext. s: "Rejecting unknown SIP connection from 107.155.133.102"
[2018-03-14 04:12:46] VERBOSE[25784][C-000001c0] pbx.c: Executing [s@from-sip-external:7] Answer("SIP/99.118.21.81-000001da", "") in new stack
[2018-03-14 04:12:47] VERBOSE[25784][C-000001c0] pbx.c: Executing [s@from-sip-external:8] Wait("SIP/99.118.21.81-000001da", "2") in new stack
[2018-03-14 04:12:49] VERBOSE[25784][C-000001c0] pbx.c: Executing [s@from-sip-external:9] Playback("SIP/99.118.21.81-000001da", "ss-noservice") in new stack
[2018-03-14 04:12:49] VERBOSE[25784][C-000001c0] file.c: <SIP/99.118.21.81-000001da> Playing 'ss-noservice.ulaw' (language 'en')
[2018-03-14 04:12:54] VERBOSE[25784][C-000001c0] pbx.c: Executing [s@from-sip-external:10] PlayTones("SIP/99.118.21.81-000001da", "congestion") in new stack
[2018-03-14 04:12:54] VERBOSE[25784][C-000001c0] pbx.c: Executing [s@from-sip-external:11] Congestion("SIP/99.118.21.81-000001da", "5") in new stack
[2018-03-14 04:12:59] VERBOSE[25784][C-000001c0] pbx.c: Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/99.118.21.81-000001da'
[2018-03-14 04:12:59] VERBOSE[25784][C-000001c0] pbx.c: Executing [h@from-sip-external:1] Hangup("SIP/99.118.21.81-000001da", "") in new stack
[2018-03-14 04:12:59] VERBOSE[25784][C-000001c0] pbx.c: Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/99.118.21.81-000001da'
[2018-03-14 04:13:18] WARNING[2265] chan_sip.c: Retransmission timeout reached on transmission 0117f153c229c0471897da408511a6c7 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2018-03-14 04:23:01] NOTICE[2265] chan_sip.c: Registration from '"11"<sip:[email protected]>' failed for '212.83.140.147:54346' - Wrong password
[2018-03-14 04:23:07] NOTICE[2265] chan_sip.c: Registration from '"16"<sip:[email protected]>' failed for '212.83.140.147:44653' - Wrong password
[2018-03-14 04:23:07] NOTICE[2265] chan_sip.c: Registration from '"13"<sip:[email protected]>' failed for '212.83.140.147:41249' - Wrong password
[2018-03-14 04:23:10] NOTICE[2265] chan_sip.c: Registration from '"14"<sip:[email protected]>' failed for '212.83.140.147:62030' - Wrong password
[2018-03-14 04:23:10] NOTICE[2265] chan_sip.c: Registration from '"17"<sip:[email protected]>' failed for '212.83.140.147:63994' - Wrong password
[2018-03-14 04:23:11] NOTICE[2265] chan_sip.c: Registration from '"19"<sip:[email protected]>' failed for '212.83.140.147:24505' - Wrong password
[2018-03-14 04:23:52] VERBOSE[2265][C-000001c1] netsock2.c: Using SIP RTP TOS bits 184
[2018-03-14 04:23:52] VERBOSE[2265][C-000001c1] netsock2.c: Using SIP RTP CoS mark 5
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx.c: Executing [701146920479341@from-sip-external:1] NoOp("SIP/99.118.21.81-000001db", "Received incoming SIP connection from unknown peer to 701146920479341") in new stack
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx.c: Executing [701146920479341@from-sip-external:2] Set("SIP/99.118.21.81-000001db", "DID=701146920479341") in new stack
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx.c: Executing [701146920479341@from-sip-external:3] Goto("SIP/99.118.21.81-000001db", "s,1") in new stack
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx_builtins.c: Goto (from-sip-external,s,1)
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx.c: Executing [s@from-sip-external:1] GotoIf("SIP/99.118.21.81-000001db", "1?setlanguage:checkanon") in new stack
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx_builtins.c: Goto (from-sip-external,s,2)
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx.c: Executing [s@from-sip-external:2] Set("SIP/99.118.21.81-000001db", "CHANNEL(language)=en") in new stack
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx.c: Executing [s@from-sip-external:3] GotoIf("SIP/99.118.21.81-000001db", "1?noanonymous") in new stack
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx_builtins.c: Goto (from-sip-external,s,5)
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx.c: Executing [s@from-sip-external:5] Set("SIP/99.118.21.81-000001db", "TIMEOUT(absolute)=15") in new stack
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] func_timeout.c: Channel will hangup at 2018-03-14 04:24:07.745 PDT.
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx.c: Executing [s@from-sip-external:6] Log("SIP/99.118.21.81-000001db", "WARNING,"Rejecting unknown SIP connection from 107.155.133.102"") in new stack
[2018-03-14 04:23:52] WARNING[26643][C-000001c1] Ext. s: "Rejecting unknown SIP connection from 107.155.133.102"
[2018-03-14 04:23:52] VERBOSE[26643][C-000001c1] pbx.c: Executing [s@from-sip-external:7] Answer("SIP/99.118.21.81-000001db", "") in new stack
[2018-03-14 04:23:53] VERBOSE[26643][C-000001c1] pbx.c: Executing [s@from-sip-external:8] Wait("SIP/99.118.21.81-000001db", "2") in new stack
[2018-03-14 04:23:55] VERBOSE[26643][C-000001c1] pbx.c: Executing [s@from-sip-external:9] Playback("SIP/99.118.21.81-000001db", "ss-noservice") in new stack
[2018-03-14 04:23:55] VERBOSE[26643][C-000001c1] file.c: <SIP/99.118.21.81-000001db> Playing 'ss-noservice.ulaw' (language 'en')
[2018-03-14 04:24:00] VERBOSE[26643][C-000001c1] pbx.c: Executing [s@from-sip-external:10] PlayTones("SIP/99.118.21.81-000001db", "congestion") in new stack
[2018-03-14 04:24:00] VERBOSE[26643][C-000001c1] pbx.c: Executing [s@from-sip-external:11] Congestion("SIP/99.118.21.81-000001db", "5") in new stack
[2018-03-14 04:24:05] VERBOSE[26643][C-000001c1] pbx.c: Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/99.118.21.81-000001db'
[2018-03-14 04:24:05] VERBOSE[26643][C-000001c1] pbx.c: Executing [h@from-sip-external:1] Hangup("SIP/99.118.21.81-000001db", "") in new stack
[2018-03-14 04:24:05] VERBOSE[26643][C-000001c1] pbx.c: Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/99.118.21.81-000001db'
[2018-03-14 04:24:24] WARNING[2265] chan_sip.c: Retransmission timeout reached on transmission 83eefc8d6c46a45a58375a271d2bb950 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response

No, but you have allow guest enabled.

One of the “drum beat” issues we talk about all the time is allowing anonymous and guest connections.

The system comes with these turned on because it makes it easier to start the connection process for new users (they can get connected even if there’s something subtle wrong with their connections) but these are features that need to be turned off before going to production.

I turned off “guest” this morning before I left for work, I didn’t look at “anonymous”. I’ll check that and the logs tonight and see if that changes.

So the list in the log I sent is just random bot scans looking for open SIP devices to make calls from? What’s the end game in that?

What else is on that “drum beat” list of issues that I need to look at?

I know I really should have someone look at this that knows what they are doing and willing to explain it to me, but I did this for a church (as a volunteer of course) and they have no money - so buying $500 support credits that expire is an insurmountable problem. I may wind up paying something myself just so I can sleep better.

Say, for example, I set up a “$2.99 per minute” phone line (976 sex line, for example, but there are plenty of others). I connect to your server four times a month and call my number for 5 minutes. You pay $60 for calls that look, for all intents and purposes, like you called a sex line once a week. You complain, but you can’t prove it wasn’t you.

I do that on 20,000 servers that are misconfigured. I just made $1,200,000.00.

Good enough reason?

I like Dave’s way of spicing up the story plot :joy:

I recall hearing about such things many years ago when AA’s could access an outside line, from an incoming call, with a keypress. I get it now.

Is there a best practices checklist?

I’m a screenwriter (in addition to a Configuration Manager and System Engineer).

Story time:
This happened very recently to my friend who always told me that there’s no need for 2FA etc.
“What will I lose if someone hacks my Gmail?”
One morning he woke up to emails from Google Voice that his account was refilled several times.

He logs into his Google account by recovering the password and sure enough he sees calls were placed from his Google Voice to some weird numbers in third world countries.

He logged into his bank account to which his GV was linked and there was a charge of $250 from Google Voice.
The bank told him that they cannot refund him the money, he will have to contact Google Support.

Fortunately, Google was able to confirm that his account was hacked and refunded the money.

Throughout that day he had people calling him, they spoke languages that he couldn’t recognize, he was halfway scared to death.

Needless to say, my friend is now using a password manager with random passwords and 2FA wherever it’s available…

Is that the same site you have Comcast service with that you mentioned in your other thread?

If so, what does Comcast mean when they tell you they are not blocking any ports, are they forwarding port 5060 to your PBX and maybe other ports as well?

Port 5060 is open, otherwise you wouldn’t be getting intrusion attempts from unknown IP addresses.
If you need port forwarding for your SIP trunk to work, then best practice is to only allow the known IP addresses from your SIP providers and block all others. Then what you are seeing goes away.
To leave it open on the firewall to the internet at large is only required if you have roaming mobile clients connecting.

I once set up a FreePBX behind a Comcast Xfinity business router/modem, ran into problems with disconnection, audio issues, etc, and then decided to install my own firewall.
At first I set the Comcast router into bridge mode with my own firewall behind it, which wouldn’t work, SIP trunks would break, because those Comcast devices don’t do full bridge mode (they still do NAT) and then decided to buy a third party modem and ditch the Comcast modem.

Now it’s working.

This PBX is now connected to an ATT uverse modem and I have 5 static IP’s available to me that are supposed to be completely open relying on my own firewall. Since I have no outside clients I was told not to bother using the static IP’s, it’s just more holes to watch out for. As I’m sure you know, ISP’s block ports that seem to not fit whatever pattern they think you need in an attempt to protect you. But the rep said she enabled that port as an exception to their protection so it would be left alone.

I do have Comcast in the same room, but I’m off of that connection now.

I’d be happier if I could at least know when it fails - then I could maybe see a pattern.

SIP registration down again… this is in the log file. There is no 4444 extension.

[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:11:27] NOTICE[2192] chan_sip.c: Registration from ‘“4444” sip:[email protected]’ failed for ‘151.106.13.171:5418’ - Wrong password
[2018-03-19 18:16:11] VERBOSE[2155] asterisk.c: Remote UNIX connection
[2018-03-19 18:16:11] VERBOSE[5651] asterisk.c: Remote UNIX connection disconnected
[2018-03-19 18:16:11] VERBOSE[2155] asterisk.c: Remote UNIX connection
[2018-03-19 18:16:11] VERBOSE[5653] asterisk.c: Remote UNIX connection disconnected
[2018-03-19 18:16:11] VERBOSE[2155] asterisk.c: Remote UNIX connection
[2018-03-19 18:16:11] VERBOSE[5655] asterisk.c: Remote UNIX connection disconnected
[2018-03-19 18:16:15] VERBOSE[2155] asterisk.c: Remote UNIX connection
[2018-03-19 18:16:15] VERBOSE[5685] asterisk.c: Remote UNIX connection disconnected
[2018-03-19 18:16:15] VERBOSE[2155] asterisk.c: Remote UNIX connection
[2018-03-19 18:16:15] VERBOSE[5687] asterisk.c: Remote UNIX connection disconnected
[2018-03-19 18:16:15] VERBOSE[2155] asterisk.c: Remote UNIX connection
[2018-03-19 18:16:15] VERBOSE[5689] asterisk.c: Remote UNIX connection disconnected

Do you have any knowledge of 99.118.21.81? It is an AT&T address, possibly yours?

Yes - that is my ATT public IP.

Why all these Guests? I have guest turned off.

Peer User/ANR Call ID Format Hold Last Message Expiry Peer
192.168.200.208 (None) a61d39f28aa312b (nothing) No Rx: REGISTER
192.168.200.205 (None) 3d1f801823e2ad4 (nothing) No Rx: REGISTER
50.18.88.40 (None) dead0604-269dd8 (nothing) No Rx: OPTIONS
50.18.88.40 (None) 747a7c8716e237b (nothing) No Init: OPTIONS 5411622073
192.168.200.210 (None) 3cc432555b07f72 (nothing) No Rx: REGISTER
192.168.200.211 (None) 1ab7b7a6c668b11 (nothing) No Rx: REGISTER
192.168.200.201 (None) 4ae12b9933e85ff (nothing) No Rx: REGISTER
192.168.200.204 (None) a4212efe4ead54c (nothing) No Rx: REGISTER
50.18.88.40 (None) dead0604-8844e8 (nothing) No Rx: OPTIONS

Do you allow anonymous or guest SIP access? Try

nmap -vv 192.168.200.0/24

50.18.88.40 is an Amazon AWS address; do you know anything about that?

I think e4sip uses Amazon AWS - the DNS name they use, sbc.e4sip.com, resolves to AWS I think.
Machine I’m on didn’t have PuTTY - be back with the nmap results in a moment.

They almost all look like this and are all my phones:

Nmap scan report for 192.168.200.201
Host is up (0.0011s latency).
Scanned at 2018-03-19 19:13:17 PDT for 8s
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
23/tcp filtered telnet
80/tcp open http
443/tcp open https

My server:
Nmap scan report for 192.168.200.200
Host is up (0.0000050s latency).
Scanned at 2018-03-19 19:13:25 PDT for 0s
Not shown: 985 closed ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
81/tcp open hosts2-ns
82/tcp open xfer
83/tcp open mit-ml-dev
84/tcp open ctf
111/tcp open rpcbind
443/tcp open https
3306/tcp open mysql
5000/tcp open upnp
5222/tcp open xmpp-client
8001/tcp open vcom-tunnel
8088/tcp open radan-http
8089/tcp open unknown

And now it’s all working again… This is maddening. I don’t think it’s FreePBX’s fault, it’s likely mine, but this crap happens without my even touching the darn thing.

As I write this, your AT&T public IP port 5060 is still ‘open’ to the world. Even if that is not directly a security issue (you have disallowed anonymous and guest connections and your extensions all have strong passwords), it’s a bad idea because the log will fill with numerous attempts from malicious scanners, which makes it harder to find entries that may be relevant to your issue. Also, properly protecting your SIP port provides an additional layer of protection, in case e.g. you accidentally set up a vulnerable inbound route or an extension password gets compromised.

Since you have no outside clients, an easy way to restrict SIP access is to set up your hardware firewall to allow inbound connections to UDP port 5060 from only your LAN and your SIP provider’s IP addresses. You can also do that with iptables in your PBX, using FreePBX Firewall or whatever other software firewall is set up on your server. Other means of protection include setting Bind Port to other than 5060 (you would have to change your extensions and port forwarding to match what you choose), or running fail2ban.

IMO it’s unlikely that your loss of registration issue is caused by these attacks. You may find log entries related to register requests with no response or with an error status. Other options include using Asterisk sip debug (or tcpdump) to log all register requests and responses, checking for low level networking issues by running a continuous ping to sbc.e4sip.com, or seeing whether registration to another provider is lost at the same time. For example, get a free trial account from Flowroute; with no charge for calls to toll-free numbers, your $0.25 test credit will last indefinitely if you route only such calls to them (and for just testing registration, you don’t have to send them any calls).
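The point above about scanner noise and fail2ban can be made concrete with a short log triage script; this is an added example, not code from the thread or from FreePBX. It groups chan_sip failed registrations by source address and flags sources that reach a retry threshold inside a time window, accepting both straight and typographic quotes because the pasted logs in this thread show both. The allow list, thresholds, addresses and sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# chan_sip failed-registration NOTICE. Accepts straight or typographic quotes,
# because forum software often rewrites the quotes in pasted logs.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from ['\u2018](?P<who>.*?)['\u2019] failed for "
    r"['\u2018](?P<ip>[\d.]+):\d+['\u2019] - (?P<reason>.+)$"
)
EXTEN = re.compile(r'^["\u201c](?P<ext>[^"\u201d]*)["\u201d]')

# Assumption: sources that must never be flagged. The LAN range is the one in
# the thread; 203.0.113.10 is a placeholder for the SIP provider's address.
ALLOWED = [ipaddress.ip_network("192.168.200.0/24"),
           ipaddress.ip_network("203.0.113.10/32")]


def parse_failures(lines):
    """Yield (time, source IP, extension tried, reason) per failed REGISTER."""
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if not m:
            continue  # dialplan VERBOSE lines, retransmission warnings, etc.
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # malformed address field
        ext = EXTEN.match(m["who"])
        yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), ip,
               ext["ext"] if ext else None, m["reason"])


def ban_candidates(lines, allowed=ALLOWED, maxretry=5,
                   findtime=timedelta(minutes=10)):
    """Return sources with >= maxretry failures inside any findtime window."""
    by_ip = defaultdict(list)
    for ts, ip, ext, _reason in parse_failures(lines):
        if not any(ip in net for net in allowed):
            by_ip[ip].append((ts, ext))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        start = 0
        for end, (ts, _ext) in enumerate(events):
            while ts - events[start][0] > findtime:
                start += 1  # slide the window forward
            if end - start + 1 >= maxretry:
                flagged[str(ip)] = {
                    "attempts": len(events),
                    "extensions": sorted({e for _, e in events if e}),
                }
                break
    return flagged


def reg_line(ts, ext, src, curly=False):
    """Build one constructed log line in the format shown in the thread."""
    o, c, dq_o, dq_c = (("\u2018", "\u2019", "\u201c", "\u201d") if curly
                        else ("'", "'", '"', '"'))
    return (f"[{ts}] NOTICE[2265] chan_sip.c: Registration from "
            f"{o}{dq_o}{ext}{dq_c} <sip:{ext}@pbx.example>{c} "
            f"failed for {o}{src}{c} - Wrong password")


# Constructed sample (documentation-range addresses, not taken from the thread).
SAMPLE = (
    [reg_line("2018-03-14 04:11:04", "500", "198.51.100.23:5619")] * 5
    + [reg_line(f"2018-03-14 04:23:0{i}", e, f"198.51.100.77:4{i}000")
       for i, e in enumerate(["11", "16", "13", "14", "17", "19"])]
    + [reg_line("2018-03-14 05:00:00", "100", "198.51.100.9:5060")] * 2
    + [reg_line("2018-03-19 18:11:27", "4444", "192.0.2.44:5418", curly=True)] * 6
    + [reg_line("2018-03-19 18:20:00", "205", "192.168.200.205:5060")] * 8
    + ["[2018-03-14 04:02:45] VERBOSE[2265][C-000001bf] netsock2.c: Using SIP RTP TOS bits 184"]
)

if __name__ == "__main__":
    for ip, info in ban_candidates(SAMPLE).items():
        print(ip, info["attempts"], "failures, extensions tried:", info["extensions"])
```

A LAN phone with a mistyped password is deliberately left out of the result by the allow list, so what remains is the list of outside sources a firewall rule or fail2ban jail would block.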