In my Asterisk full log file, entries of this type occur:
[2015-12-03 08:43:57] NOTICE[2241] chan_sip.c: Registration from ‘“10000” sip:10000@[69.171.154.165:5060]:5060’ failed for ‘195.154.182.231:5070’ - Wrong password
[2015-12-03 08:44:37] NOTICE[2241] chan_sip.c: Registration from ‘“10000” sip:10000@[69.171.154.165:5060]:5060’ failed for ‘195.154.182.231:5113’ - Wrong password
[2015-12-03 08:44:50] NOTICE[2241] chan_sip.c: Registration from ‘“10000” sip:10000@[69.171.154.165:5060]:5060’ failed for ‘195.154.182.231:5112’ - Wrong password
[2015-12-03 08:45:59] NOTICE[2241] chan_sip.c: Registration from ‘“10000” sip:10000@[69.171.154.165:5060]:5060’ failed for ‘195.154.182.231:5081’ - Wrong password
[2015-12-03 08:46:02] NOTICE[2241] chan_sip.c: Registration from ‘“10000” sip:10000@[69.171.154.165:5060]:5060’ failed for ‘195.154.182.231:5086’ - Wrong password
Now we don’t have any extension 10000. Other numbers being tried are 300, 410, 301, etc. I have used these firewall rules (as rules 1-3 in the INPUT chain) to allow SIP only from trunk1.freepbx.com and trunk2:
Even with these rules we are getting these registration attempts. It seems that the attackers spoof the freepbx IPs. So far I have not found any unwanted registrations - just attempts. Any suggestions?
I don’t know, I don’t use them, but if they can’t/won’t change the signalling port, create a PNAT rule to allow the host address and translate the port to redirect such traffic to your “safer” listening port.
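One way to tally failed registrations like those quoted in the first post, per source address and extension tried, as an added example that is not part of the original thread. The sample log lines are constructed (documentation-range addresses), and the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# chan_sip failed-registration notice, as quoted in the post. Accepts straight
# or typographic quotes, since forum software often rewrites them.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from ['‘](?P<frm>.*?)['’] failed for "
    r"['‘](?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+['’] - (?P<reason>.+)$"
)
EXT_RE = re.compile(r"sip:([^@>\s]+)@")

# Constructed sample input, not taken from a real system.
SAMPLE_LOG = """\
[2015-12-03 08:43:57] NOTICE[2241] chan_sip.c: Registration from '"10000" <sip:10000@203.0.113.10:5060>' failed for '198.51.100.7:5070' - Wrong password
[2015-12-03 08:44:37] NOTICE[2241] chan_sip.c: Registration from '"300" <sip:300@203.0.113.10:5060>' failed for '198.51.100.7:5113' - Wrong password
[2015-12-03 08:44:50] NOTICE[2241] chan_sip.c: Registration from '"410" <sip:410@203.0.113.10:5060>' failed for '198.51.100.7:5112' - Wrong password
[2015-12-03 09:10:02] NOTICE[2241] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10:5060>' failed for '192.0.2.44:5060' - Wrong password
[2015-12-03 09:12:00] VERBOSE[2241] pbx.c: unrelated line
""".splitlines()

def parse(line):
    """Return a dict for a failed-registration line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ext = EXT_RE.search(m["frm"])
    return {"time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "ip": m["ip"], "ext": ext.group(1) if ext else "?",
            "reason": m["reason"]}

def offenders(lines, max_failures=3, window=timedelta(minutes=10)):
    """Map each source IP with >= max_failures failures inside one window
    to the sorted list of extensions it tried (thresholds are assumptions)."""
    times, exts = defaultdict(list), defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        times[rec["ip"]].append(rec["time"])
        exts[rec["ip"]].add(rec["ext"])
    flagged = {}
    for ip, ts in times.items():
        ts.sort()
        # Flag when any max_failures consecutive failures fit inside the window.
        if any(ts[i + max_failures - 1] - ts[i] <= window
               for i in range(len(ts) - max_failures + 1)):
            flagged[ip] = sorted(exts[ip])
    return flagged

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

A source address flagged this way is a candidate for a firewall drop rule or a fail2ban-style ban; a single failure, such as a mistyped password, stays below the threshold.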