I have a very strange kind of hacking attempt
Fail2Ban and iptables show IP 62.138.3.130 as blocked; however, it looks like it is trying (impersonating?) different extensions using different valid local LAN addresses. Looks like the PBX is hacked but… where and how?
My pbx IP is 192.168.1.163
This is a partial screenshot from ‘sngrep’ (awesome tool)
sngrep uses libpcap, which monitors incoming traffic ahead of iptables (and outgoing traffic after iptables). The INVITES you posted were blocked and are completely harmless, unless you are getting so many that they exhaust your bandwidth or CPU resources.
That won’t help unless the OP also blocks UDP 5060 with his hardware firewall. sngrep will see the request whether or not Asterisk is listening to the port or is even running.
True, but even the most troglodyte bot will eventually let its handler know there is ‘no one home’ at this address and move on. (that’s just how they do this shit) The guys from Iceland/Holland/Eastern Europe will still ping 5060 every n units of time though, but never from the same host
We don’t have column headings, but in the Msgs column (5th column), we can see they are all 1’s, meaning the SIP dialog is nothing more than a single inbound packet, Asterisk did not respond. Compare that to a legit INVITE from an extension, and you will see the Msgs count increment for each packet back and forth.
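The check the last two replies describe (an INVITE that is seen by libpcap but never answered by the PBX, so the dialog consists of a single inbound packet) can be automated over a capture summary. The script below is an added example, not something from this thread or from the sngrep project: it parses constructed log lines in a made-up one-line-per-packet format (timestamp, source, destination, SIP first line, Call-ID), groups packets by Call-ID, counts the messages per dialog and records whether any packet in the dialog was sent by the PBX address from the thread. Dialogs with a message count of 1 and no reply from the PBX are the blocked, harmless probes; a dialog from a LAN extension shows the count climbing as the PBX responds.

```python
import re
from collections import defaultdict

# PBX address as given in the thread.
PBX_IP = "192.168.1.163"

# Constructed sample lines (not real captured traffic). The format is an
# assumption for this example: "<time> <src>:<port> <dst>:<port> <first line> call-id=<id>".
SAMPLE_LINES = """\
10:00:01.100 62.138.3.130:5070 192.168.1.163:5060 INVITE sip:1001@192.168.1.163 SIP/2.0 call-id=a1
10:00:01.200 62.138.3.130:5070 192.168.1.163:5060 INVITE sip:1002@192.168.1.163 SIP/2.0 call-id=a2
10:00:02.000 192.168.1.50:5060 192.168.1.163:5060 INVITE sip:2002@192.168.1.163 SIP/2.0 call-id=b1
10:00:02.010 192.168.1.163:5060 192.168.1.50:5060 SIP/2.0 100 Trying call-id=b1
10:00:02.020 192.168.1.163:5060 192.168.1.50:5060 SIP/2.0 180 Ringing call-id=b1
10:00:03.000 62.138.3.130:5070 192.168.1.163:5060 INVITE sip:1003@192.168.1.163 SIP/2.0 call-id=a3
"""

LINE_RE = re.compile(r"^(\S+) (\S+):\d+ (\S+):\d+ (.+) call-id=(\S+)$")


def parse_lines(text):
    """Turn the one-line-per-packet summary into a list of packet dicts."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not in the expected shape
        ts, src, dst, first_line, call_id = m.groups()
        packets.append({"ts": ts, "src": src, "dst": dst,
                        "first_line": first_line, "call_id": call_id})
    return packets


def summarize_dialogs(packets, pbx_ip=PBX_IP):
    """Group packets by Call-ID; count messages and note whether the PBX ever replied.

    This mirrors the 'Msgs' column idea: a dialog with msgs == 1 and
    replied == False is a single inbound packet that went unanswered.
    """
    dialogs = {}
    for p in packets:
        d = dialogs.setdefault(p["call_id"], {
            "msgs": 0,
            "origin": p["src"],          # source of the first packet in the dialog
            "first_line": p["first_line"],
            "replied": False,
        })
        d["msgs"] += 1
        if p["src"] == pbx_ip:
            d["replied"] = True
    return dialogs


def unanswered_by_source(dialogs):
    """Count single-packet, unanswered dialogs per originating IP."""
    counts = defaultdict(int)
    for d in dialogs.values():
        if d["msgs"] == 1 and not d["replied"]:
            counts[d["origin"]] += 1
    return dict(counts)


if __name__ == "__main__":
    dialogs = summarize_dialogs(parse_lines(SAMPLE_LINES))
    for call_id, d in dialogs.items():
        state = "answered" if d["replied"] else "no reply from PBX"
        print(f"{call_id}: {d['msgs']} msg(s) from {d['origin']} ({state})")
    print("unanswered probes per source:", unanswered_by_source(dialogs))
```

If every dialog from the external address has a count of 1 and the PBX never appears as a sender, iptables dropped the packets before Asterisk saw them, which is the situation the replies above describe; a dialog from that address with a growing count would be the thing worth investigating.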