Why are there thousands of "failed to authenticate" messages in Asterisk logs?

hello,
Over the past 24 hours, we have gotten well over a thousand “failed to authenticate” logs in the Asterisk log files. Many of them are for extensions that are not even part of our system. The logs look like this:

[2023-08-15 03:33:22] NOTICE[131759] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for '50.232.16.163:5060' (callid: e5f4a123916800e4f7a507) - Failed to authenticate
[2023-08-15 03:33:22] NOTICE[18358] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for '50.232.16.163:5060' (callid: e5f4a123916800e4f7a507) - Failed to authenticate
[2023-08-15 03:33:26] NOTICE[207663] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for '4.36.220.222:5060' (callid: e5f4a790292788e4f7a605) - Failed to authenticate
[2023-08-15 03:33:26] NOTICE[159354] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:[email protected]>' failed for '4.36.220.222:5060' (callid: e5f4a790292788e4f7a605) - Failed to authenticate
[2023-08-15 03:34:01] NOTICE[159354] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '72.167.32.33:58844' (callid: 1291888205-1328659623-119526346) - Failed to authenticate
[2023-08-15 03:34:01] NOTICE[172072] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '72.167.32.33:58844' (callid: 1291888205-1328659623-119526346) - Failed to authenticate
[2023-08-15 03:34:01] NOTICE[172569] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '72.167.32.33:58844' (callid: 1291888205-1328659623-119526346) - Failed to authenticate
[2023-08-15 03:34:01] NOTICE[119374] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '72.167.32.33:58844' (callid: 1291888205-1328659623-119526346) - Failed to authenticate
[2023-08-15 03:34:01] NOTICE[111397] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:[email protected]>' failed for '72.167.32.33:58844' (callid: 1291888205-1328659623-119526346) - Failed to authenticate

I can only assume someone is trying to hack an extension? But the IP addresses listed are incredibly random. Anybody got ideas of what’s up?
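A small triage script for exactly this log shape, added here as an example and not part of the original post or of Asterisk: it parses the PJSIP "Failed to authenticate" NOTICE lines, groups them by source IP, counts distinct Call-IDs (the excerpt above shows the same rejected request logged more than once), and flags sources that hammer the PBX or that try usernames which are not extensions on this system. The sample log lines, the extension list and the threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Matches the res_pjsip/pjsip_distributor.c NOTICE shape quoted in the thread.
FAILED_AUTH_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] res_pjsip/pjsip_distributor\.c: "
    r"Request '(?P<method>[A-Z]+)' from '<sip:(?P<user>[^@>]*)@[^>]*>' "
    r"failed for '(?P<ip>[^:']+):(?P<port>\d+)' "
    r"\(callid: (?P<callid>[^)]+)\) - Failed to authenticate$"
)

def parse_failed_auth(line):
    """Return the fields of one 'Failed to authenticate' line, or None."""
    m = FAILED_AUTH_RE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines, known_extensions, threshold=3):
    """Group failures by source IP, counting distinct Call-IDs so duplicate
    log lines for the same request do not inflate the numbers."""
    callids = defaultdict(set)   # ip -> Call-IDs of rejected requests
    methods = defaultdict(set)   # ip -> SIP methods attempted
    unknown = defaultdict(set)   # ip -> users that are not our extensions
    for line in lines:
        ev = parse_failed_auth(line)
        if ev is None:
            continue
        callids[ev["ip"]].add(ev["callid"])
        methods[ev["ip"]].add(ev["method"])
        if ev["user"] not in known_extensions:
            unknown[ev["ip"]].add(ev["user"])
    report = {}
    for ip, ids in callids.items():
        report[ip] = {
            "requests": len(ids),
            "methods": sorted(methods[ip]),
            "unknown_users": sorted(unknown.get(ip, ())),
            # Either too many attempts or probing for extensions we do not have.
            "suspicious": len(ids) >= threshold or bool(unknown.get(ip)),
        }
    return report

# Constructed sample lines in the thread's log format (documentation IPs, not real data).
SAMPLE_LOG = """\
[2023-08-15 03:33:22] NOTICE[131759] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1001@203.0.113.10>' failed for '203.0.113.10:5060' (callid: aaa1) - Failed to authenticate
[2023-08-15 03:33:22] NOTICE[18358] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1001@203.0.113.10>' failed for '203.0.113.10:5060' (callid: aaa1) - Failed to authenticate
[2023-08-15 03:33:26] NOTICE[207663] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:9999@203.0.113.10>' failed for '203.0.113.10:5060' (callid: aaa2) - Failed to authenticate
[2023-08-15 03:34:01] NOTICE[159354] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '<sip:1001@198.51.100.7>' failed for '198.51.100.7:58844' (callid: bbb1) - Failed to authenticate
[2023-08-15 03:35:00] NOTICE[1] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:1002@192.0.2.5>' failed for '192.0.2.5:5060' (callid: ccc1) - Failed to authenticate
"""
```

Run it as `summarize(open("/var/log/asterisk/full").read().splitlines(), {"1001", "1002"})` with your real extension list; the "suspicious" entries are the sources worth feeding to a firewall or fail2ban-style blocklist.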

Yea, you’ve got port 5060 UDP open to the world. Bots are set up to brute-force anything on that port, looking for misconfigured SIP services to exploit…

You know what, paging @dicko!

Plus are you allowing anonymous or guest calls?

But yes, basically you are a sitting target listening on UDP:5060


Firstly, I must say, I like how your profile picture reminds me how enthusiastically you’re here to solve all our problems :smiley:

OK. I guess it’s to be expected. No, we are not allowing guest or anonymous calls. One day I’ll get around to changing the port number. I’m not very worried about anyone guessing our passwords, and it’s just the media ports that are open.

Thanks for dropping by!

jared

Actually no, your UDP:5060 is open or you wouldn’t see those connection attempts.

Very often ‘someday’ is a day or two after you gave your money away :wink:


lol. Yeah, I know…

This is one of the reasons we made apiban… will help block known script kiddies and scanners.

Is it effective against any connections not to UDP/5060?

It would be effective against any connection on any port, as the default client blocks the ip in IPTABLES.

I see that

‘Bad actors are collected through globally deployed honeypots and curated by LOD/APIBAN.’

What connections exactly are your curated honeypots listening on that differentiates them from the other VOIP blacklists ?

We listen on commonly used VoIP ports such as 5060, 5061, 5080, etc. We listen on some non-commonly used ones as well. We are also able to parse non-SIP traffic sent to ports such as DNS, which can be sent to SIP ports as an attack.

We listen on UDP, TLS, TCP and change IPs frequently.

We auto purge and reactivate IPs on recurrence activity.

This said, I’m not an expert on the other blocklists. This one was started to make it quick, simple, and effective for people to run easily. There’s no cost, thanks to the sponsors including Clearly IP, netsapiens, etc.

I am interested in any stats you might have on the spread of ports and protocols against the ASNs of the individual host attackers.

Most recent penetrations have not been directly SIP but to other vulnerable common services running on the attacked PBX. Do you track such port scanning?

No, we concentrate on SIP servers and gear these honeypots for such protections. There are other lists for web attacks, SSH attacks, etc. We may look into honeypots on attacks specifically targeting FreePBX’s GUI as well as attacks against phone provisioning servers, but that depends on future sponsorship for such development (or a lotto win).

APIBAN specifically looks to block unwanted traffic targeting SIP servers.

Thanks for that info. Good luck with the lotto :wink:

Thank you for the questions.
