ā end of packet.
[2020-07-09 10:58:44] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request 'INVITE' from 'sip:[email protected]' failed for '156.96.128.154:52360' (callid: 908764754-2098712799-869297688) - Failed to authenticate
[2020-07-09 10:58:44] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request 'INVITE' from 'sip:[email protected]' failed for '156.96.128.154:52360' (callid: 908764754-2098712799-869297688) - Failed to authenticate
[2020-07-09 10:58:45] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request 'INVITE' from 'sip:[email protected]' failed for '156.96.128.154:52360' (callid: 908764754-2098712799-869297688) - Failed to authenticate
[2020-07-09 10:58:45] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request 'INVITE' from 'sip:[email protected]' failed for '156.96.128.154:52360' (callid: 908764754-2098712799-869297688) - No matching endpoint found after 5 tries in 1.229 ms
[2020-07-09 10:58:45] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request 'INVITE' from 'sip:[email protected]' failed for '156.96.128.154:52360' (callid: 908764754-2098712799-869297688) - Failed to authenticate
How is your system connected to the Internet? Is it direct, or NAT, or behind a firewall, or not?
Do you have the Integrated Firewall turned on?
Are you using the Adaptive Firewall, and if so, on purpose?
In general, you do not want your SIP port exposed to the Internet without some kind of prophylactic measure in place. This can be an external firewall redirecting specific hosts' traffic to your SIP port or the Integrated Firewall blocking traffic from any place that you don't want traffic to come in from.
If you MUST allow inbound traffic unrestricted access to your SIP port (you have a roaming sales force that uses McDonald's WiFi for their phones), using the Adaptive Firewall can limit the exposure by blocking access after a given number of failed connection attempts.
If you have "external" (not in your phone system's LAN) phones that connect to the server, consider setting up a VPN for those phones to connect through. Yes, it can be a hassle and if you don't want to do it, the Adaptive Firewall is an option.
Bottom line - there's no reason why anyone should ever see your SIP port unless you want them to. There are lots of solutions built into the system, so I'm sure we can steer you in a direction that will work for you.
How is your system connected to the Internet? Is it direct, or NAT, or behind a firewall, or not? Me: yes, it is NAT
Do you have the Integrated Firewall turned on? Me: Yes, it's ON
Are you using the Adaptive Firewall, and if so, on purpose? Me: Yes. I like this
Yes - the phone system is installed in a cloud server and us (users) are connected from home on IP Phone or native Android phone SIP dialer via dynamic IP ISP.
VPN will be a hassle as the cloud provider charges time.
That will make it less economical.
I like the Adaptive Firewall. So with that, can I ignore the sipvicious messages?
What is the implication of changing custom extension SIP port while maintaining 5060 to the trunk side?
What I did to change port:
Settings >> Asterisk SIP Settings >> SIP Settings [chan_pjsip] >> Port to Listen On: 34567
I open port 5060 - 5061 on my cloud portal firewall.
But in FreePBX SIP Settings, I cannot find anything on 5061 to change to 34568.
Please let me know if I am doing this correctly? In the meantime, I will test to see what can happen.
OK - there are two connections. One going out to your provider and one coming in from them to you. They both use 5060, but that's just a coincidence.
5060 on your end could be anything. You just configure your phones to use that port and set up your ITSP to send your traffic to x.x.x.x:whatever instead of the standard x.x.x.x. When you send traffic to your ITSP, you will still use port 5060 for your outgoing connections. They don't have to match.
5061 uses TLS (IIRC) so if you are using that, it should allow you to filter the connecting phones much more easily.
5160 (which is the "standard" Chan-SIP port address) can likewise be set to anything you want. You simply set anyone with an incoming connection (that you want to connect to Chan-SIP) to that port and away you go.
Important note - all three of these need to be "redirected" differently. You can't set PJ-SIP and Chan-SIP (5060 and 5160, typically) to the same port number, and 5061 (being the default TLS port) probably shouldn't be modified.
Generally, yes. The point of the Adaptive Firewall is that if someone tries to connect too many times in a given period, their IP address is banned. So, you might get a few connection attempts from a host, but after that, they're blocked. I expect more improvements in that area in the next few months, since we're a couple of major versions behind on the fail2ban stuff that it interfaces with.
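
The "too many failures in a given period" rule described in the reply above can be checked against your own Asterisk log with a short script. This is an added example, not part of the thread and not FreePBX or fail2ban code: the threshold (3 failures in 60 seconds), the function name and the sample lines (documentation-range addresses) are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the res_pjsip NOTICE format shown in the log excerpt in this thread.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] "
    r"res_pjsip/pjsip_distributor\.c: Request '(?P<method>\w+)' from '(?P<frm>.*)' "
    r"failed for '(?P<ip>[^']+):(?P<port>\d+)' "
    r"\(callid: (?P<callid>[^)]*)\) - (?P<reason>.+)$"
)

def find_offenders(lines, max_failures=3, window=timedelta(seconds=60)):
    """Return {source_ip: time the failure threshold was reached} (assumed policy)."""
    recent = defaultdict(deque)   # per-IP timestamps inside the sliding window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m["ip"] in flagged:
            continue              # unrelated log line, or source already flagged
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window: # drop failures older than the window
            q.popleft()
        if len(q) >= max_failures:
            flagged[m["ip"]] = ts
    return flagged

# Constructed sample input: one scanner-like burst, one remote phone that
# occasionally mistypes its password, and one unrelated log line.
FMT = ("[2020-07-09 {t}] NOTICE[10622] res_pjsip/pjsip_distributor.c: Request 'INVITE' "
       "from 'sip:100@192.0.2.10' failed for '{src}' (callid: constructed-1) - {why}")
SAMPLE = [
    FMT.format(t="10:50:00", src="198.51.100.7:5060", why="Failed to authenticate"),
    FMT.format(t="10:58:44", src="203.0.113.50:52360", why="Failed to authenticate"),
    FMT.format(t="10:58:44", src="203.0.113.50:52360", why="Failed to authenticate"),
    FMT.format(t="10:58:45", src="203.0.113.50:52360",
               why="No matching endpoint found after 5 tries in 1.229 ms"),
    FMT.format(t="10:58:45", src="203.0.113.50:52360", why="Failed to authenticate"),
    "[2020-07-09 10:58:46] VERBOSE[10622] pbx.c: unrelated line",
    FMT.format(t="10:58:46", src="198.51.100.7:5060", why="Failed to authenticate"),
]

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE).items():
        print(f"{ip} reached the failure threshold at {when}")
```

Only the burst source is flagged; the phone with two failures several minutes apart stays under the threshold, which is the trade-off to keep in mind for roaming users on dynamic IPs.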