Odd situation? My external WAN IP is showing in logs as an unauthenticated login

Strange situation…so in my logs I’ve got this appearing every once in a while

[2019-08-15 21:16:59] NOTICE[8885][C-000002fb] chan_sip.c: Failed to authenticate device <sip:101@180.25.231.211>;tag=805943695

(IP obfuscated)

Where the obfuscated IP, 180.25.231.211, is my WAN IP.

So it looks like a login attempt? Strangely I can’t work out how the attacker or would-be attacker is even able to get the communication across to my FreePBX server - the server is hidden behind a NAT/firewalled router and I’ve got allow anonymous inbound SIP and allow SIP guests turned off. Fail2Ban is working and installed (I can see it continually banning and unbanning a Dutch IP 77.247.110.33, a French IP 195.154.250.77 and my own WAN IP 180.25.231.211). The bans only seem to last about half an hour. I thought Fail2Ban had logic to increase the ban length but it would seem not? Or maybe that’s a setting I have to configure!


It’s true that my firewall/NAT router exposes ANOTHER server on my LAN, a hikvision NVR, to the public internet, but when I’ve done a port scan from 5060-5162 on myself using an online SIP security tool (not SIPVicious) it shows “host up, all ports closed”.

The French IP and the Dutch IP are both found on AbuseIPDB as VoIP brute forcers. I’ll have to look into how I can leverage this DB to protect my server. I saw auto reports on there presumably from software sitting on servers working in the background, so it must be doable.

Just confused how these actors are even aware my server is there when it isn’t, how they’re able to probe it, and why Fail2Ban isn’t being a tad more proactive about defending it?

Thanks all.

(P.S. Will be taking down the Hikvision public access, and have a feeling that will stop these attempts. Just confused why it’s necessary to do this)

Is that public IP assigned to your FreePBX or your router?

You mean like in the “DMZ” or via port forwarding? No, this is the thing - the only port forwarding I have going on is for the Hikvision server on another LAN IP.

This IP 180.25.231.211
Is that the public IP of your router or is it assigned to your FreePBX server?

Sorry. It’s the public IP assigned to my router by my ISP (obfuscated)

There is a connection from that IP trying to connect to your FreePBX. Are you sure the router doesn’t have any kind of SIP helper or ALG that might be doing that?

Then there is nothing wrong with that message. ALL requests are going to be shown as user@domain (in this case the IP of the PBX) for the requests (INVITE, REGISTER, etc).

It’s showing the Request/To user details. This is common.

Hi Tom - I think we’re talking at cross purposes - I’m trying to find out HOW these messages are arriving at the PBX? The PBX isn’t supposed to be exposed to the internet. I don’t have a user or extension 101. Something seems wrong to me?

It’s called a SIP scan. Those are very common. While your PBX isn’t directly on the WAN, it has NAT rules that let requests in that go to the PBX.

Even though the PBX has SIP Guests and Allow Anonymous set to No (which it should be), the PBX is still going to see the requests but it’s going to ignore them.


If you use udp/5060 for anything SIP, you will get these, even on machines (DO, Vultr etc.) that have an IP that has never done anything VoIP-like. sngrep will expose the underlying IP in the Via: header, but Asterisk as yet does not parse the SIP packets sufficiently.

Quick solution: don’t use 5060 :)
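The point made in the two replies above (the log shows the Request-URI/To host, i.e. the PBX's own address, while the sender is only visible in the Via: header) can be seen by pulling both out of a packet. The following is an added example, not code from this thread or from the Asterisk, FreePBX or fail2ban projects. The SIP REGISTER message, the scanner address 203.0.113.45, and the `FAILREGEX` pattern (written here in the style of a log-based filter, not fail2ban's own asterisk filter) are all constructed for the example; the log line is the one the original poster quoted.

```python
import re

# Constructed sample: the chan_sip NOTICE line quoted in the thread. The user
# part "101" is the extension the scanner probed; the host is the PBX's WAN IP.
LOG_LINE = ("[2019-08-15 21:16:59] NOTICE[8885][C-000002fb] chan_sip.c: "
            "Failed to authenticate device <sip:101@180.25.231.211>;tag=805943695")

# A failregex in the style of a log-based filter: it can only capture what the
# log line contains, which is the host part of the user@host URI. This pattern
# is written for this example; it is not fail2ban's own asterisk filter.
FAILREGEX = re.compile(
    r"Failed to authenticate (?:user|device) .*?<sip:(?P<user>[^@>]*)@(?P<host>[^>;]+)>"
)


def host_from_log(line):
    """Return (user, host) exactly as a log-based filter would see them, or None."""
    m = FAILREGEX.search(line)
    if not m:
        return None
    return m.group("user"), m.group("host")


# Constructed REGISTER request of the kind a scanner sends: Request-URI, From and
# To all name the PBX's public address; only Via carries the sender's address.
SIP_REQUEST = (
    "REGISTER sip:180.25.231.211 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.45:5060;branch=z9hG4bK-constructed;rport\r\n"
    "From: <sip:101@180.25.231.211>;tag=805943695\r\n"
    "To: <sip:101@180.25.231.211>\r\n"
    "Call-ID: constructed-call-id@203.0.113.45\r\n"
    "CSeq: 1 REGISTER\r\n"
    "Contact: <sip:101@203.0.113.45:5060>\r\n"
    "Max-Forwards: 70\r\n"
    "Content-Length: 0\r\n\r\n"
)


def parse_sip_request(raw):
    """Split a SIP request into (method, request-uri, headers); header names lowercased."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, uri, headers


def uri_host(uri):
    """Host from a SIP URI such as sip:101@180.25.231.211 or <sip:...>;tag=x."""
    uri = uri.strip().lstrip("<")
    uri = uri.split(">", 1)[0]       # drop ">;tag=..." if the URI was bracketed
    uri = uri.split(";", 1)[0]       # drop URI parameters
    if uri.startswith("sip:"):
        uri = uri[4:]
    _userinfo, _, hostport = uri.rpartition("@")   # hostport is whole string if no '@'
    return hostport.split(":", 1)[0]


def via_source(headers):
    """Sender address from the topmost Via: the 'received' parameter if an
    upstream hop added one, otherwise the sent-by host."""
    via = headers["via"][0]
    sent_by, *params = via.split(";")
    host = sent_by.split()[-1].split(":", 1)[0]
    for p in params:
        key, _, value = p.partition("=")
        if key.strip() == "received" and value:
            return value.strip()
    return host


def classify(raw, log_line):
    """Compare what the log exposes with what the packet actually carries."""
    _method, uri, headers = parse_sip_request(raw)
    logged = host_from_log(log_line)
    return {
        "log_host": logged[1] if logged else None,
        "request_uri_host": uri_host(uri),
        "to_host": uri_host(headers["to"][0]),
        "via_source": via_source(headers),
    }


if __name__ == "__main__":
    for key, value in classify(SIP_REQUEST, LOG_LINE).items():
        print(f"{key:>17}: {value}")
```

Running it shows `log_host`, `request_uri_host` and `to_host` all equal to the PBX's WAN address, while `via_source` is the scanner's address: a filter that keys on the logged host would act on the PBX's own IP rather than on the sender, which matches the original poster seeing their own WAN IP banned and unbanned.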

Are you sure that port 5060 is not forwarded from the router to the FreePBX server?

Ditto, but “quick 90% solution…”

Make that at least 3 nines, don’t use anything between 5000 and 5999 and avoid UDP. ; -)

