Query on SIP attacks I appear to be recieving


(Leo Hopkins) #1

Hello all,

Please forgive my ignorance here but are these logs anything to be concerned about? It appears that my system is getting ‘hit’ by registration attempts. Fail2ban is up and running and I would have expected the firewall to catch these events before they hit the asterisk server, but that’s not the case and I’m getting bombarded. Can anyone give me a little advice on how to configure / secure the system?

I would share the logs, but as they contain ‘links’ e.g from-external and I’m a new user I can’t post at the moment, but a show core channels gives me this…

Channel Location State Application(Data)
0 active channels
0 active calls
1260 calls processed

And I definitely have not made or rec’d 1260 calls.

many thanks.


(Lorne Gaetz) #2

A failed registration attempt would not increment the call counter. These are just stray anonymous calls and are not intrusion attempts per se, any more than someone ringing your doorbell is a break and enter attempt.

Disable SIP Guests and Anonymous calls in Settings, Asterisk SIP Settings.


(Dave Burgess) #3

… and disable Internet access to port 5060 (and any other SIP control port you are using). The only people (or organizations) that need access to 5060 are your ITSP and any ‘external’ phones you may have. If you have external phones that change addresses (“coffee shop” or SOHO sales people, for example) you can use dyndns addresses or establish VPN connections from the phones (or their locations) and the server.

Basically, don’t advertise port 5060 and limit access to it to solve a lot of these.


(system) closed #4

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.