Help With Log Data

jtomelevage · December 6, 2019, 6:55pm

Hello,

I get a lot of these blue entries in our FreePBX Asterisk logs. These are nearly non-stop.
My question is, is this normal? I am relatively new at this and it would seem that these log entries are persons attempting to get information about our system and trying to make calls either to us or to others as us. Is my estimate of the situation correct?

Here is a excerpt of a log ( I have replaced our IP with xxx.xxx.xxx.xxx):

[2019-12-06 10:21:44] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.210:50453' (callid: 576745794-1323869694-1620900956) - No matching endpoint found [2019-12-06 10:21:50] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:9999970111492864107:[email protected]>' failed for '163.172.207.104:64591' (callid: 2135172473-1818988048-1165346090) - No matching endpoint found [2019-12-06 10:21:51] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:51843' (callid: 483906622-1058765897-1772959040) - No matching endpoint found [2019-12-06 10:21:55] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '37.49.230.29:56559' (callid: 823822796-1285481002-1911507213) - No matching endpoint found [2019-12-06 10:21:56] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.210:58462' (callid: 1786223746-1987397718-538951188) - No matching endpoint found [2019-12-06 10:21:57] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:62579' (callid: 970098956-106281507-1707800991) - No matching endpoint found [2019-12-06 10:21:59] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:56219' (callid: 1639111243-1381684477-1030676258) - No matching endpoint found [2019-12-06 10:22:14] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:56237' (callid: 271885819-1724601093-1509479772) - No matching endpoint found [2019-12-06 10:22:23] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '37.49.230.29:49756' (callid: 1153538414-55305820-124527255) - No matching endpoint found [2019-12-06 10:22:28] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:65353' (callid: 194598770-919610826-1760993693) - No matching endpoint found [2019-12-06 10:22:33] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.150:64118' (callid: 933738013-1766003543-1669568610) - No matching endpoint found [2019-12-06 10:22:52] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '37.49.230.29:56177' (callid: 9728841-1087624660-2096848089) - No matching endpoint found [2019-12-06 10:22:52] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:59902' (callid: 756531559-2096104453-418770125) - No matching endpoint found [2019-12-06 10:22:57] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:59121' (callid: 1992958155-1862988221-665534754) - No matching endpoint found [2019-12-06 10:23:03] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.150:60188' (callid: 1660409451-2020672438-729557470) - No matching endpoint found [2019-12-06 10:23:05] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:50136' (callid: 1914275135-1906874699-612481131) - No matching endpoint found [2019-12-06 10:23:06] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.163:50058' (callid: 783036532-576811103-643872043) - No matching endpoint found [2019-12-06 10:23:07] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '37.49.230.56:9542' (callid: InFiQQBAMOhJluWm4JM9uXsQgHh3x6TyRvRxmK4Q) - No matching endpoint found [2019-12-06 10:23:18] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '37.49.230.29:61075' (callid: 1181728485-1625643437-508751155) - No matching endpoint found [2019-12-06 10:23:22] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.150:51339' (callid: 1071694728-975629232-644780543) - No matching endpoint found [2019-12-06 10:23:24] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.163:55207' (callid: 413749761-1604482551-784282286) - No matching endpoint found [2019-12-06 10:23:26] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:51513' (callid: 1343394921-238839241-1296828256) - No matching endpoint found [2019-12-06 10:23:26] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'OPTIONS' from '"sipvicious" <sip:[email protected]>' failed for '45.143.221.21:5087' (callid: 10758834496009201525646) - No matching endpoint found [2019-12-06 10:23:47] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:64262' (callid: 629723379-808282743-494902605) - No matching endpoint found [2019-12-06 10:23:48] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '37.49.230.29:52964' (callid: 1971120159-390065476-1135538584) - No matching endpoint found [2019-12-06 10:24:12] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:57598' (callid: 1645060773-1692589803-1587178316) - No matching endpoint found [2019-12-06 10:24:15] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.210:63444' (callid: 1218233208-448433160-2040271066) - No matching endpoint found [2019-12-06 10:24:20] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '37.49.230.29:63498' (callid: 517288248-189364190-1055226034) - No matching endpoint found [2019-12-06 10:24:27] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:49862' (callid: 992502919-1994084429-978538577) - No matching endpoint found [2019-12-06 10:24:29] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:56106' (callid: 974774178-890638421-957235883) - No matching endpoint found [2019-12-06 10:24:29] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:59097' (callid: 548751505-124250799-2048005409) - No matching endpoint found [2019-12-06 10:24:32] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:64592' (callid: 1963724371-134447057-1714811306) - No matching endpoint found [2019-12-06 10:24:38] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:58735' (callid: 2139954722-1735938527-1008779230) - No matching endpoint found [2019-12-06 10:24:40] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:62056' (callid: 1550501182-1593546941-851557) - No matching endpoint found [2019-12-06 10:24:50] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.163:49718' (callid: 14764003-1632058280-590043118) - No matching endpoint found [2019-12-06 10:24:50] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.163:49793' (callid: 1056098226-1936148911-1041118987) - No matching endpoint found [2019-12-06 10:25:04] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.210:52374' (callid: 552211096-7428908-105965447) - No matching endpoint found [2019-12-06 10:25:27] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.210:59081' (callid: 2058227438-200342498-32264207) - No matching endpoint found [2019-12-06 10:25:35] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.150:62663' (callid: 51676599-1364943790-24291296) - No matching endpoint found [2019-12-06 10:25:41] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:57587' (callid: 1063694655-35829533-1704053269) - No matching endpoint found [2019-12-06 10:25:48] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:61163' (callid: 1503408232-1324585267-2071492393) - No matching endpoint found [2019-12-06 10:25:48] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:63543' (callid: 300268623-2059052975-49601994) - No matching endpoint found [2019-12-06 10:25:50] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:51577' (callid: 774398754-1395679610-1537444128) - No matching endpoint found [2019-12-06 10:26:04] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.163:53698' (callid: 1150459936-1768008178-1454607769) - No matching endpoint found [2019-12-06 10:26:08] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.150:64123' (callid: 67604266-879057496-2089356451) - No matching endpoint found [2019-12-06 10:26:12] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:62662' (callid: 1258644801-1596308152-478392657) - No matching endpoint found [2019-12-06 10:26:24] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:9999950111492864107:[email protected]>' failed for '163.172.207.104:62077' (callid: 1343992413-1394408444-977522727) - No matching endpoint found [2019-12-06 10:26:45] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:64843' (callid: 1499792988-1496516787-1094918388) - No matching endpoint found [2019-12-06 10:26:50] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:55666' (callid: 171759592-307084859-1183353483) - No matching endpoint found [2019-12-06 10:26:55] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.163:49842' (callid: 1537826455-1716473831-449508939) - No matching endpoint found [2019-12-06 10:27:01] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:52123' (callid: 910921909-1970983670-948594511) - No matching endpoint found [2019-12-06 10:27:03] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:58928' (callid: 1226117052-517021125-613225327) - No matching endpoint found [2019-12-06 10:27:10] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:60987' (callid: 1515885253-224121921-923892202) - No matching endpoint found [2019-12-06 10:27:12] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.210:63396' (callid: 2125898837-1411887748-1472576321) - No matching endpoint found [2019-12-06 10:27:30] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.150:59972' (callid: 1400265233-1028296420-759366877) - No matching endpoint found [2019-12-06 10:27:42] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:59719' (callid: 697789533-3300818-546869942) - No matching endpoint found [2019-12-06 10:28:11] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.150:59727' (callid: 899874016-1820260471-745947330) - No matching endpoint found [2019-12-06 10:28:13] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.210:57061' (callid: 1036579319-1740301385-1510230898) - No matching endpoint found [2019-12-06 10:28:13] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:49949' (callid: 1442604668-914209596-1703720671) - No matching endpoint found [2019-12-06 10:28:14] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.150:55073' (callid: 1152556729-607513368-1724466806) - No matching endpoint found [2019-12-06 10:28:15] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:54740' (callid: 1126259497-554394885-1963139792) - No matching endpoint found [2019-12-06 10:28:26] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:52863' (callid: 1680158652-489892267-1687746842) - No matching endpoint found [2019-12-06 10:28:38] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.148.210:61127' (callid: 1240463988-119534012-2019662853) - No matching endpoint found [2019-12-06 10:28:39] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:52318' (callid: 1848389197-41478520-638655432) - No matching endpoint found [2019-12-06 10:28:44] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:58414' (callid: 2080760647-1558969709-301599902) - No matching endpoint found [2019-12-06 10:28:58] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.187.161:56350' (callid: 314680031-305944630-1373782292) - No matching endpoint found [2019-12-06 10:29:07] NOTICE[10611] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '46.166.139.146:63271' (callid: 1409662702-1836748663-869766177) - No matching endpoint found

Any insights about this is appreciated.
John

lgaetz · December 6, 2019, 7:05pm

You have your SIP signalling port(s) open to the internet. Configure your firewall to block untrusted access to SIP and any other service you can.

jtomelevage · December 6, 2019, 7:07pm

Thanks for your quick reply.
Can you tell me how/where I can do this, or send me to a tutorial somewhere?

lgaetz · December 6, 2019, 7:09pm

https://wiki.freepbx.org/display/FPG/Firewall+Getting+Started+Guide

jtomelevage · December 6, 2019, 7:11pm

Thanks for that. I will read it shortly, but I may have left off some information that might have been useful - this FreePBX instance is cloud hosted on a VPS so our phones need to access it from anywhere.

jtomelevage · December 6, 2019, 7:13pm

It looks like our Firewall is setup correctly and we are trusted at one location already.

dicko · December 6, 2019, 8:00pm

That’s our Icalandic/Dutch friend, ban 46.166.144.0/21 in your firewall

jtomelevage · December 6, 2019, 8:05pm

Should I use CLI
sudo iptables -A INPUT -s 46.166.144.0/21 -j DROP

Or is there a way to do this via the GUI?

dicko · December 6, 2019, 8:06pm

That will work , sorry I don’t use the GUI front-end for my firewall.

jtomelevage · December 6, 2019, 8:09pm

What about all these other entries? Is it normal to get non-stop attempts on a system like this?

arielgrin · December 6, 2019, 8:23pm

It is normal given your SIP port is open to the whole world. It is quite not normal to have the SIP port open to the internet without any kind of protection, like the firewall module for example. By having the SIP port open to the internet unprotected you are just asking for trouble.

cynjut · December 6, 2019, 8:36pm

If the first sentence was true, the second could not be. Your firewall is not set up correctly and you are allowing access to your firewall to the entire Internet. You need to lock the firewall down.

jtomelevage · December 6, 2019, 9:45pm

Thank you for the replies.

Where can I go to get directions on locking down our firewall?

arielgrin · December 6, 2019, 10:15pm

The easiest way would be to install the firewall module on FreePBX and run the wizard to configure it.

jtomelevage · December 6, 2019, 10:27pm

We ran the firewall wizard when we installed FreePBX - see above image.

dicko · December 6, 2019, 10:51pm

Just being pragmatic but if your phones are using UDP/5060 there will always be higher risk whereif you use TCP/TLS on any usable port outside 5000-5999. And only to your domain name and not it’s IP add.

Some call that security through obfuscation, but if the threat is now close to zero , any further attempts logged or unlogged are of critical importance (the catch 22 is knowing about the unlogged ones )

moussa854 · December 6, 2019, 10:57pm

Do you get firewall options at your cloud provider? If so, you can only trust your sites (including remote sites) and you SIP provider(s) through the firewall

jtomelevage · December 7, 2019, 4:34pm

I don’t know. Shouldn’t the built in firewall+fail2ban setup suffice?

What about these “Sipvicious” entries? How can I block these via iptables?

[2019-12-07 08:09:15] NOTICE[21854] res_pjsip/pjsip_distributor.c: Request ‘OPTIONS’ from ‘“sipvicious” sip:[email protected]’ failed for ‘88.99.203.32:5295’ (callid: 387657867941058068429053) - No matching endpoint found

moussa854 · December 7, 2019, 6:22pm

I use my cloud provider’s firewall to prevent any information leaking about my server (I only allow my sites and SIP providers)
I use the build in firewall for second layer of defence. Did you follow the steps here:
Sangoma Documentation
I use fail2ban as well.

I am not sure about “Sipvicious” entry (? GitHub - EnableSecurity/sipvicious: SIPVicious OSS is a VoIP security testing toolset. It helps security teams, QA and developers test SIP-based VoIP systems and applications. This toolset is useful in simulating VoIP hacking attacks against PBX systems especially through identification, scanning, extension enumeration and password cracking.), but the many failed and non-stop attempts from many different IP addresses is concerning and may indicate issue in setting the firewall.

@dicko said that sudo iptables -A INPUT -s 46.166.144.0/21 -j DROP should do it.

Do you need your system to be open to the world (like users with softphone on their cell phones)?

dicko · December 7, 2019, 6:32pm

They are all open for soft/hard/cell phones but only to the relevant domain.name an only on TCP/NNNNN (where NNNNN > 20000) Clients get their ‘control panel’ from FOP2 and/or UCP on http/https (http rewritten) , admins have selective extended privileges