
Many SecurityEvent="ChallengeSent" Informational in log file seem to be intrusion not detected


(Laurent B ) #1

Hi all.

I use FreePBX 14.0.5.25 on Raspbian.
Fail2ban is version 0.9.6

My server is open to the internet because I need to connect remotely from my GSM phone using Zoiper.

I found many security events from an external IP that seems to be trying to enter my system…

[2019-01-11 10:11:10] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:11:10.783+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33202@xx.xx.xx.xx",SessionID="0x74518d48",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/54522",Challenge="53c578c4"
[2019-01-11 10:11:34] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:11:34.596+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33202@xx.xx.xx.xx",SessionID="0x745e36d8",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/51940",Challenge="2759eab0"
[2019-01-11 10:12:02] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:12:02.513+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33203@xx.xx.xx.xx",SessionID="0x745335d0",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/56806",Challenge="5febcd0f"
[2019-01-11 10:12:26] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:12:26.989+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33203@xx.xx.xx.xx",SessionID="0x74523238",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/64816",Challenge="2b5057bf"
[2019-01-11 10:12:54] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:12:54.409+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33203@xx.xx.xx.xx",SessionID="0x7451cf50",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/50834",Challenge="6cf3f9ab"
[2019-01-11 10:13:18] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:13:18.323+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33203@xx.xx.xx.xx",SessionID="0x745e36d8",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/64541",Challenge="25ed0ee1"
[2019-01-11 10:13:42] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:13:42.898+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33203@xx.xx.xx.xx",SessionID="0x74523238",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/53664",Challenge="78deaedb"
[2019-01-11 10:14:08] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:14:08.406+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33203@xx.xx.xx.xx",SessionID="0x7451cf50",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/49259",Challenge="02500fc4"
[2019-01-11 10:14:34] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:14:34.907+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33203@xx.xx.xx.xx",SessionID="0x745e36d8",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/61349",Challenge="3c18b50a"
[2019-01-11 10:15:00] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:15:00.997+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33204@xx.xx.xx.xx",SessionID="0x7451cf50",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/52094",Challenge="1cc484ae"
[2019-01-11 10:15:25] SECURITY[32313] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="2019-01-11T10:15:25.136+0100",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:33204@xx.xx.xx.xx",SessionID="0x74518d48",LocalAddress="IPV4/UDP/xx.xx.xx.xx/5060",RemoteAddress="IPV4/UDP/158.69.126.203/52957",Challenge="12f16a17"

The IP 158.69.126.203 seems to be trying to establish a connection on port 5060, with no luck.
But Fail2ban is unable to ban this IP because there is no error in the log.

How can I ban this IP?

Regards,
Laurent.
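
Added example (not part of the original post and not FreePBX or Fail2ban code): a sketch of detection logic for the pattern in the log above, which counts `ChallengeSent` events per `RemoteAddress` and flags a source whose challenges pile up without being answered. Asterisk also logs `ChallengeSent` for every legitimate registration, so the counter is reset when a `SuccessfulAuth` event arrives from the same address. The threshold, the window, the presence of `SuccessfulAuth` lines in the same log, and all sample addresses are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

PAIR = re.compile(r'(\w+)="([^"]*)"')  # Key="value" pairs from res_security_log.c
STAMP = re.compile(r"\[(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\]")  # leading [date time]

def parse_event(line):
    """Return one security event as a dict, or None if the line is not one."""
    stamp = STAMP.match(line.strip())
    ev = dict(PAIR.findall(line))
    addr = ev.get("RemoteAddress", "").split("/")  # IPV4/UDP/<ip>/<port>
    if not stamp or "SecurityEvent" not in ev or len(addr) != 4:
        return None
    ev["time"] = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
    ev["ip"] = addr[2]
    return ev

def unanswered_challenges(lines, max_challenges=5, window=timedelta(minutes=10)):
    """Map IPs with >= max_challenges unanswered challenges in window to AccountIDs."""
    pending = defaultdict(list)  # ip -> [(time, account)] since last success
    flagged = defaultdict(set)
    for ev in filter(None, map(parse_event, lines)):
        ip, now = ev["ip"], ev["time"]
        if ev["SecurityEvent"] == "SuccessfulAuth":
            pending[ip].clear()  # a real phone answered its challenge
        elif ev["SecurityEvent"] == "ChallengeSent":
            recent = [p for p in pending[ip] if now - p[0] <= window]
            recent.append((now, ev.get("AccountID", "")))
            pending[ip] = recent
            if len(recent) >= max_challenges:
                flagged[ip].update(acct for _, acct in recent)
    return {ip: sorted(accts) for ip, accts in flagged.items()}

# Constructed sample lines in the post's layout: scanner 203.0.113.50, phone 198.51.100.7
def make_line(ts, event, account, ip, port):
    return (f'[2019-01-11 {ts}] SECURITY[32313] res_security_log.c: '
            f'SecurityEvent="{event}",Severity="Informational",Service="SIP",'
            f'AccountID="sip:{account}@192.0.2.10",'
            f'RemoteAddress="IPV4/UDP/{ip}/{port}"')

SAMPLE = [
    make_line("10:11:10", "ChallengeSent", "33202", "203.0.113.50", 54522),
    make_line("10:11:34", "ChallengeSent", "33202", "203.0.113.50", 51940),
    make_line("10:11:40", "ChallengeSent", "101", "198.51.100.7", 5060),
    make_line("10:11:41", "SuccessfulAuth", "101", "198.51.100.7", 5060),
    make_line("10:12:02", "ChallengeSent", "33203", "203.0.113.50", 56806),
    make_line("10:12:26", "ChallengeSent", "33203", "203.0.113.50", 64816),
    make_line("10:15:00", "ChallengeSent", "33204", "203.0.113.50", 52094),
]
```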

