Registration Failures

Hi All - I just set up a new system using Asterisk 11 - and I am seeing many entries in the CLI output looking like this…
Registration from ‘“1371” <sip:[email protected]“My IP Address”:5060>’ failed for ‘212.83.xxx.xxx:5078’ - No matching peer found.

Line after line of this but with a different sip:“number”@my address, but always from the same IP address…

I am suspecting that these are Hack Attempts but I’m not sure. I have the Allow Anon set to “No” and the Guest also set to “No” in my SIP settings.

Are these hack attempts and if so - is there something else or in addition to my settings I can do ?

A “Who Is” on the address tells me it originates in France. I “X’d” out my address and the suspect address.

Thank you.

You need to set up a reasonable firewall/IDS system.

My personal preferences, CSF will do the first, Fail2ban will do the second, I would also install rkhunter before anything else, but that might be too late already :slight_smile:

(why would you want to obfuscate the attackers IP address? It’s almost certainly one of the “Gaza Gang” currently using OVH )

dicko - thank you for reply…

I hid the IP Address because I was not sure if it is a Hack Attempt or not. If it’s helpful to show, the line reads… "Registration from '“1371” ’ failed for ‘212.83.187.229:5078’ - No matching peer found."
The “from” number is different on many of the lines. Not being expert at this - I wasn’t sure what was happening.

I want to follow your suggestions, at the very least install a FW - CSF. I like what I am reading about CSF but I am not sure how to go about installing and configuration on my Distro of FreePBX. I see you talked about it it older posts but I am not comfy with the CLI. Are there any detailed instructional posts or links available?

Start with

http://configserver.com/cp/csf.html

It covers most things in great detail, add the csf module to webmin and it is all a self documenting GUI.

The log line you show is covered by the version of fail2ban installed with SysAdminif you can accept the commercial module license, but there is a newer version, in their words “ver. 0.9.1 (2014/10/29) - better, faster, stronger” for the bold of heart or the non RedHat based users.

dicko thank you! I have Webmin/CSF/ and the CSF Webmin Module installed and running - in test mode for now. Will do some reading and get this operational – hopefully!

Just for “belt and braces”, you should probably change the ports that webmin runs on, for example

sed -i ‘s/10000/34567/g’ /etc/webmin/miniserv.conf&&service webmin restart

some say that using the internal webmin access control list is more secure than using a current user/password on your system.

Good advice dicko - I will do that. Right now - I rebuilt this server from ground up and it’s not on-line yet. It will be when I have completed all the security configurations and testing - soon I hope.

Thank you again.

Don’t forget to add your asterisk and apache2/httpd dir etc. to

csf.dirwatch

to catch all them old mgknight type exploits, you will get an email/text within seconds of any changed files within the “watched over”, yep, even when someone presses the red button, It was someone you knew who pressed it right?.

Then I would suggest that the very next thing you do is install a root kit checker, try:-

http://rkhunter.sourceforge.net/

and iterate between

rkhunter -c -sk &&grep -i -A3 -E “warning|error” /var/log/rkhunter.log (or wherever it is)

and

nano /etc/rkhunter.conf

until all the warnings and errors are taken care of, It will then be quiet until you or someone else messes with your basic system, then it will email you . . . You should then take action, immediately :slight_smile:

Thank you dicko !! got much to do yet - do you make house calls? Oh well !