mjutras
January 16, 2014, 2:28am
#1
On Asterisk Ver. 11.6.0 / FreePBX 2.11.0.11
I am looking at the log and seeing all these lines trying to register to an IP I don’t know with Wrong password… here is a sample of it:
[2014-01-15 21:25:37] NOTICE[3022] chan_sip.c: Registration from ‘“3832” sip:[email protected] :5060 ’ failed for ‘108.60.207.106:5082’ - Wrong password
[2014-01-15 21:25:46] NOTICE[3022] chan_sip.c: Registration from ‘“4248” sip:[email protected] :5060 ’ failed for ‘108.60.207.106:5087’ - Wrong password
[2014-01-15 21:25:48] NOTICE[3022] chan_sip.c: Registration from ‘“7368” sip:[email protected] :5060 ’ failed for ‘108.60.207.106:5061’ - Wrong password
[2014-01-15 21:25:50] NOTICE[3022] chan_sip.c: Registration from ‘“4561” sip:[email protected] :5060 ’ failed for ‘108.60.207.106:5089’ - Wrong password
[2014-01-15 21:25:52] NOTICE[3022] chan_sip.c: Registration from ‘“5809” sip:[email protected] :5060 ’ failed for ‘108.60.207.106:5069’ - Wrong password
[2014-01-15 21:26:00] NOTICE[3022] chan_sip.c: Registration from ‘“7576” sip:[email protected] :5060 ’ failed for ‘108.60.207.106:5082’ - Wrong password
How can I troubleshoot what is causing this?
CoreXchange is a decent-size colo/carrier-neutral access facility in Dallas.
dicko
(dicko)
January 16, 2014, 2:40am
#3
If you don’t recognize
whois 108.60.207.106#
ARIN WHOIS data and services are subject to the Terms of Use
The following results may also be obtained via:
NetRange: 108.60.192.0 - 108.60.223.255
CIDR: 108.60.192.0/19
OriginAS: AS13354
NetName: COREXCHANGE-05
NetHandle: NET-108-60-192-0-1
Parent: NET-108-0-0-0-0
NetType: Direct Allocation
Comment: http://www.corexchange.com
RegDate: 2010-12-21
Updated: 2013-01-04
Ref: http://whois.arin.net/rest/net/NET-108-60-192-0-1
OrgName: EBL Global Networks, Inc.
OrgId: EGN-1
Address: 1950 Stemmons Freeway - Suite 4006
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
RegDate: 2007-03-02
Updated: 2011-11-28
Ref: http://whois.arin.net/rest/org/EGN-1
ReferralServer: rwhois://rwhois.corexchange.com:4321
OrgAbuseHandle: AOC9-ARIN
OrgAbuseName: Abuse Operations Center
OrgAbusePhone: +1-214-442-1111
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/AOC9-ARIN
OrgTechHandle: IPENG7-ARIN
OrgTechName: IP Engineering
OrgTechPhone: +1-214-442-1111
OrgTechEmail: [email protected]
OrgTechRef: http://whois.arin.net/rest/poc/IPENG7-ARIN
RTechHandle: IPENG7-ARIN
RTechName: IP Engineering
RTechPhone: +1-214-442-1111
RTechEmail: [email protected]
RTechRef: http://whois.arin.net/rest/poc/IPENG7-ARIN
RAbuseHandle: AOC9-ARIN
RAbuseName: Abuse Operations Center
RAbusePhone: +1-214-442-1111
RAbuseEmail: [email protected]
RAbuseRef: http://whois.arin.net/rest/poc/AOC9-ARIN
RNOCHandle: IPENG7-ARIN
RNOCName: IP Engineering
RNOCPhone: +1-214-442-1111
RNOCEmail: [email protected]
RNOCRef: http://whois.arin.net/rest/poc/IPENG7-ARIN
ARIN WHOIS data and services are subject to the Terms of Use
Found a referral to rwhois.corexchange.com:4321 .
%rwhois V-1.5:003eff:00 rwhois.corexchange.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-COREXCHANGE.108.60.192.0/19
network:Auth-Area:108.60.192.0/19
network:Network-Name:BLK-WEBHOSTINGBUZZUSALLC-108.60.207.104/29
network:IP-Network:108.60.207.104/29
network:IP-Network-Block:108.60.207.104 - 108.60.207.111
network:Organization-Name;I:WebHostingBuzz USA LLC
network:Organization-City:Auburn
network:Organization-State:MA
network:Organization-Country:US
network:Description-Usage:Customer
network:Tech-Contact;I:[email protected]
network:Admin-Contact;I:IPENG7-ARIN
network:Created:20120201
network:Updated:20130913
network:Updated-By:[email protected]
%referral rwhois://root.rwhois.net:4321/auth-area=.
%ok
Then someone at that IP address is probing you.
Deny anyone you don’t know at your firewall; if you don’t have a firewall that can do that, get one.
dicko
(dicko)
January 16, 2014, 2:43am
#4
Note this bit:
...
OrgAbuseHandle: AOC9-ARIN
OrgAbuseName: Abuse Operations Center
OrgAbusePhone: +1-214-442-1111
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/AOC9-ARIN
...
If you care to, call that number; don’t email, it is almost guaranteed to be ignored. My guess is your phone call won’t be answered either.
mjutras
January 16, 2014, 2:48am
#5
For some reason the log info didn’t show properly in my previous post; I removed the quotes and double quotes. My PBX is at 172.16.0.247.
[2014-01-15 21:38:18] NOTICE[3022] chan_sip.c: Registration from leo sip:[email protected] :5060 failed for 108.60.207.106:5084 - Wrong password
[2014-01-15 21:38:20] NOTICE[3022] chan_sip.c: Registration from 1130 sip:[email protected] :5060 failed for 108.60.207.106:5080 - Wrong password
[2014-01-15 21:38:21] NOTICE[3022] chan_sip.c: Registration from 4354 sip:[email protected] :5060 failed for 108.60.207.106:5061 - Wrong password
[2014-01-15 21:38:22] NOTICE[3022] chan_sip.c: Registration from 9762 sip:[email protected] :5060 failed for 108.60.207.106:5083 - Wrong password
[2014-01-15 21:38:28] NOTICE[3022] chan_sip.c: Registration from 6018 sip:[email protected] :5060 failed for 108.60.207.106:5061 - Wrong password
[2014-01-15 21:39:10] NOTICE[3022] chan_sip.c: Registration from 1442 sip:[email protected] :5060 failed for 108.60.207.106:5086 - Wrong password
[2014-01-15 21:39:17] NOTICE[3022] chan_sip.c: Registration from 2378 sip:[email protected] :5060 failed for 108.60.207.106:5084 - Wrong password
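The pattern in the lines above (one source IP, a different extension name on nearly every attempt, several failures per minute) is what distinguishes scanning from a phone with a mistyped password. Below is an added example, not code from the thread or from Asterisk/FreePBX, that parses chan_sip "Registration from ... failed for ..." NOTICE lines and flags source addresses that fail repeatedly across many usernames; the sample log is constructed in the real chan_sip format (the thread's pasted lines lost their quoting), reusing the thread's 108.60.207.106 and 172.16.0.247 and an invented 192.0.2.15 for a legitimate phone.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample (not copied from the thread) in Asterisk chan_sip NOTICE format;
# 108.60.207.106 and 172.16.0.247 are from the posts above, 192.0.2.15 is invented.
SAMPLE_LOG = """\
[2014-01-15 21:38:18] NOTICE[3022] chan_sip.c: Registration from '"leo" <sip:leo@172.16.0.247>' failed for '108.60.207.106:5084' - Wrong password
[2014-01-15 21:38:20] NOTICE[3022] chan_sip.c: Registration from '"1130" <sip:1130@172.16.0.247>' failed for '108.60.207.106:5080' - Wrong password
[2014-01-15 21:38:21] NOTICE[3022] chan_sip.c: Registration from '"4354" <sip:4354@172.16.0.247>' failed for '108.60.207.106:5061' - Wrong password
[2014-01-15 21:38:22] NOTICE[3022] chan_sip.c: Registration from '"9762" <sip:9762@172.16.0.247>' failed for '108.60.207.106:5083' - Wrong password
[2014-01-15 21:38:28] NOTICE[3022] chan_sip.c: Registration from '"6018" <sip:6018@172.16.0.247>' failed for '108.60.207.106:5061' - Wrong password
[2014-01-15 21:40:02] NOTICE[3022] chan_sip.c: Registration from '"201" <sip:201@172.16.0.247>' failed for '192.0.2.15:5060' - Wrong password
"""

LINE_RE = re.compile(r"^\[([\d-]+ [\d:]+)\].*Registration from '(.*)' failed for "
                     r"'([\d.]+):\d+' - (.+)$")  # timestamp, From header, source IP, reason
USER_RE = re.compile(r"sip:([^@>\s]+)@")  # username inside <sip:user@host>

def parse_failures(text):
    """Return (timestamp, source_ip, username, reason) per failed registration."""
    events = []
    for m in filter(None, map(LINE_RE.match, text.splitlines())):
        ts, frm, ip, reason = m.groups()
        um = USER_RE.search(frm)
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), ip,
                       um.group(1) if um else frm, reason))
    return events

def find_scanners(events, threshold=5, window_seconds=60, min_users=3):
    """Flag IPs with `threshold` failures inside `window_seconds` across `min_users`+ names."""
    by_ip = defaultdict(list)
    for ts, ip, user, _ in events:
        by_ip[ip].append((ts, user))
    flagged = {}  # ip -> (total failures, distinct usernames tried)
    for ip, hits in by_ip.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):  # sliding window over sorted timestamps
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            window_users = {u for _, u in hits[start:end + 1]}
            if end - start + 1 >= threshold and len(window_users) >= min_users:
                flagged[ip] = (len(hits), len({u for _, u in hits}))
                break
    return flagged

if __name__ == "__main__":
    for ip, (n, users) in find_scanners(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {n} failures across {users} usernames -> deny at the firewall")
```

A single extension failing repeatedly from one address (a phone with a wrong password) stays below the distinct-username requirement and is not flagged, so the output is a candidate deny list rather than a list of every failed phone.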
dicko
(dicko)
January 16, 2014, 2:52am
#6
Same insecurity. You allow connections from anyone on any UDP port? I don’t think that’s a good idea.
mjutras
January 16, 2014, 1:47pm
#7
I am able to trace that IP to CoreXchange, but I have nothing with them.
This being said, the response “someone at that IP address is probing you” is my issue.
I was just not sure if it was my PBX trying to access that IP or the other way around.
I do have a connection allowing anyone to UDP 10000-20000, SNAT to my PBX, because I have 2 trunks from 2 providers and I haven’t figured out yet how to set SNAT from 2 IPs.
But thanks for the information.