On Asterisk Ver. 11.6.0 / FreePBX 2.11.0.11
I am looking at the log and seeing all these lines trying to register to an IP I don't know with "Wrong password". Here is a sample of it:
[2014-01-15 21:25:37] NOTICE[3022] chan_sip.c: Registration from '"3832" sip:[email protected] :5060' failed for '108.60.207.106:5082' - Wrong password
[2014-01-15 21:25:46] NOTICE[3022] chan_sip.c: Registration from '"4248" sip:[email protected] :5060' failed for '108.60.207.106:5087' - Wrong password
[2014-01-15 21:25:48] NOTICE[3022] chan_sip.c: Registration from '"7368" sip:[email protected] :5060' failed for '108.60.207.106:5061' - Wrong password
[2014-01-15 21:25:50] NOTICE[3022] chan_sip.c: Registration from '"4561" sip:[email protected] :5060' failed for '108.60.207.106:5089' - Wrong password
[2014-01-15 21:25:52] NOTICE[3022] chan_sip.c: Registration from '"5809" sip:[email protected] :5060' failed for '108.60.207.106:5069' - Wrong password
[2014-01-15 21:26:00] NOTICE[3022] chan_sip.c: Registration from '"7576" sip:[email protected] :5060' failed for '108.60.207.106:5082' - Wrong password
How can I troubleshoot what is causing this?
Corexchange is a decent-size colo/carrier-neutral access facility in Dallas.
dicko, January 16, 2014, 2:40am (#3)
If you don't recognize it, run:
whois 108.60.207.106
NetRange: 108.60.192.0 - 108.60.223.255
CIDR: 108.60.192.0/19
OriginAS: AS13354
NetName: COREXCHANGE-05
NetHandle: NET-108-60-192-0-1
Parent: NET-108-0-0-0-0
NetType: Direct Allocation
Comment: http://www.corexchange.com
RegDate: 2010-12-21
Updated: 2013-01-04
Ref: http://whois.arin.net/rest/net/NET-108-60-192-0-1
OrgName: EBL Global Networks, Inc.
OrgId: EGN-1
Address: 1950 Stemmons Freeway - Suite 4006
City: Dallas
StateProv: TX
PostalCode: 75207
Country: US
RegDate: 2007-03-02
Updated: 2011-11-28
Ref: http://whois.arin.net/rest/org/EGN-1
ReferralServer: rwhois://rwhois.corexchange.com:4321
OrgAbuseHandle: AOC9-ARIN
OrgAbuseName: Abuse Operations Center
OrgAbusePhone: +1-214-442-1111
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/AOC9-ARIN
OrgTechHandle: IPENG7-ARIN
OrgTechName: IP Engineering
OrgTechPhone: +1-214-442-1111
OrgTechEmail: [email protected]
OrgTechRef: http://whois.arin.net/rest/poc/IPENG7-ARIN
RTechHandle: IPENG7-ARIN
RTechName: IP Engineering
RTechPhone: +1-214-442-1111
RTechEmail: [email protected]
RTechRef: http://whois.arin.net/rest/poc/IPENG7-ARIN
RAbuseHandle: AOC9-ARIN
RAbuseName: Abuse Operations Center
RAbusePhone: +1-214-442-1111
RAbuseEmail: [email protected]
RAbuseRef: http://whois.arin.net/rest/poc/AOC9-ARIN
RNOCHandle: IPENG7-ARIN
RNOCName: IP Engineering
RNOCPhone: +1-214-442-1111
RNOCEmail: [email protected]
RNOCRef: http://whois.arin.net/rest/poc/IPENG7-ARIN
Found a referral to rwhois.corexchange.com:4321 .
%rwhois V-1.5:003eff:00 rwhois.corexchange.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-COREXCHANGE.108.60.192.0/19
network:Auth-Area:108.60.192.0/19
network:Network-Name:BLK-WEBHOSTINGBUZZUSALLC-108.60.207.104/29
network:IP-Network:108.60.207.104/29
network:IP-Network-Block:108.60.207.104 - 108.60.207.111
network:Organization-Name;I:WebHostingBuzz USA LLC
network:Organization-City:Auburn
network:Organization-State:MA
network:Organization-Country:US
network:Description-Usage:Customer
network:Tech-Contact;I:[email protected]
network:Admin-Contact;I:IPENG7-ARIN
network:Created:20120201
network:Updated:20130913
network:Updated-By:[email protected]
%referral rwhois://root.rwhois.net:4321/auth-area=.
%ok
Then someone at that IP address is probing you.
Deny anyone you don't know at your firewall; if you don't have a firewall that can do that, get one.
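As an added example (not from the original posts, and not Asterisk or FreePBX code), here is a small Python detector for the NOTICE lines quoted above. It parses chan_sip's `Registration from '<To header>' failed for '<ip>:<port>' - <reason>` format: the address after `failed for` is the peer that sent the REGISTER, so it is the remote probe, while the `sip:user@host` inside the To header names the registrar being attacked (the PBX itself). It groups "Wrong password" failures by source, flags any source that bursts through many different extension numbers inside a short window, and renders iptables DROP rules as strings so you can see what a "deny them at your firewall" rule looks like. The sample log lines, the PBX address 172.16.0.247 (taken from the thread), the internal phone at 172.16.0.55, and the threshold and window are constructed or assumed for the example.

```python
"""Detect SIP REGISTER password-guessing in Asterisk chan_sip logs.

Added example for this thread. The sample log, the 5-failures-in-5-minutes
threshold and the internal phone 172.16.0.55 are constructed/assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# chan_sip: Registration from '<To header>' failed for '<ip>:<port>' - <reason>
# The ip:port after "failed for" is the sender of the REGISTER (the probe).
# The sip:user@host in the To header is the registrar being targeted (the PBX).
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<identity>.*)' failed for "
    r"'(?P<src_ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<src_port>\d+)' - (?P<reason>.+)$"
)
URI_RE = re.compile(r"sip:(?P<user>[^@>\s]+)@(?P<host>[^:>;\s]+)")

# Constructed sample in the thread's format (PBX at 172.16.0.247 as the poster
# states). The last two lines are an assumed internal phone (172.16.0.55) with a
# mistyped password, so the threshold has something legitimate to ignore.
SAMPLE_LOG = """\
[2014-01-15 21:25:37] NOTICE[3022] chan_sip.c: Registration from '"3832" <sip:3832@172.16.0.247:5060>' failed for '108.60.207.106:5082' - Wrong password
[2014-01-15 21:25:46] NOTICE[3022] chan_sip.c: Registration from '"4248" <sip:4248@172.16.0.247:5060>' failed for '108.60.207.106:5087' - Wrong password
[2014-01-15 21:25:48] NOTICE[3022] chan_sip.c: Registration from '"7368" <sip:7368@172.16.0.247:5060>' failed for '108.60.207.106:5061' - Wrong password
[2014-01-15 21:25:50] NOTICE[3022] chan_sip.c: Registration from '"4561" <sip:4561@172.16.0.247:5060>' failed for '108.60.207.106:5089' - Wrong password
[2014-01-15 21:25:52] NOTICE[3022] chan_sip.c: Registration from '"5809" <sip:5809@172.16.0.247:5060>' failed for '108.60.207.106:5069' - Wrong password
[2014-01-15 21:26:00] NOTICE[3022] chan_sip.c: Registration from '"7576" <sip:7576@172.16.0.247:5060>' failed for '108.60.207.106:5082' - Wrong password
[2014-01-15 21:27:12] NOTICE[3022] chan_sip.c: Registration from '"201" <sip:201@172.16.0.247:5060>' failed for '172.16.0.55:5060' - Wrong password
[2014-01-15 21:27:40] NOTICE[3022] chan_sip.c: Registration from '"201" <sip:201@172.16.0.247:5060>' failed for '172.16.0.55:5060' - Wrong password
"""


def parse_line(line):
    """Return a dict for one failed-registration NOTICE, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    rec["src_port"] = int(rec["src_port"])
    uri = URI_RE.search(rec["identity"])
    rec["user"] = uri.group("user") if uri else None       # extension being guessed
    rec["registrar"] = uri.group("host") if uri else None  # PBX the probe is aimed at
    return rec


def find_probes(log_text, threshold=5, window=timedelta(minutes=5)):
    """Flag every source IP with >= threshold wrong-password failures inside
    any sliding window of the given length. Returns {ip: summary}."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["reason"] == "Wrong password":
            by_src[rec["src_ip"]].append(rec)
    flagged = {}
    for ip, recs in by_src.items():
        recs.sort(key=lambda r: r["ts"])
        times = [r["ts"] for r in recs]
        burst = any(times[i + threshold - 1] - times[i] <= window
                    for i in range(len(times) - threshold + 1))
        if burst:
            flagged[ip] = {
                "failures": len(recs),
                # Many distinct extensions from one source is enumeration, not a
                # phone with a wrong password; many source ports points the same way.
                "distinct_users": len({r["user"] for r in recs}),
                "distinct_ports": len({r["src_port"] for r in recs}),
                "targets": sorted({r["registrar"] for r in recs}),
                "first": times[0],
                "last": times[-1],
            }
    return flagged


def deny_rules(flagged, sip_port=5060):
    """Render one iptables DROP rule per flagged source. Strings only; nothing is applied."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {sip_port} -j DROP"
            for ip in sorted(flagged)]


if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for ip, s in probes.items():
        print(f"{ip}: {s['failures']} failures, {s['distinct_users']} extensions tried, "
              f"{s['distinct_ports']} source ports, targeting {s['targets']} "
              f"between {s['first']} and {s['last']}")
    print("\n".join(deny_rules(probes)))
```

Run against a real `/var/log/asterisk/full` by replacing `SAMPLE_LOG` with the file contents. The same per-source counting is what a fail2ban jail on the Asterisk log does automatically; the point of spelling it out here is the direction check (the `failed for` address is the sender, so it is the remote host probing the PBX, not the PBX reaching out) and the distinct-extension count that separates a scanner from a misconfigured phone.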
dicko, January 16, 2014, 2:43am (#4)
Note this bit:
...
OrgAbuseHandle: AOC9-ARIN
OrgAbuseName: Abuse Operations Center
OrgAbusePhone: +1-214-442-1111
OrgAbuseEmail: [email protected]
OrgAbuseRef: http://whois.arin.net/rest/poc/AOC9-ARIN
...
If you care to, call that number; don't email, it is almost guaranteed to be ignored. My guess is your phone call won't be answered either.
For some reason the log info didn't show properly in my previous post, so I removed the quotes and double quotes. My PBX is at 172.16.0.247.
[2014-01-15 21:38:18] NOTICE[3022] chan_sip.c: Registration from leo sip:[email protected] :5060 failed for 108.60.207.106:5084 - Wrong password
[2014-01-15 21:38:20] NOTICE[3022] chan_sip.c: Registration from 1130 sip:[email protected] :5060 failed for 108.60.207.106:5080 - Wrong password
[2014-01-15 21:38:21] NOTICE[3022] chan_sip.c: Registration from 4354 sip:[email protected] :5060 failed for 108.60.207.106:5061 - Wrong password
[2014-01-15 21:38:22] NOTICE[3022] chan_sip.c: Registration from 9762 sip:[email protected] :5060 failed for 108.60.207.106:5083 - Wrong password
[2014-01-15 21:38:28] NOTICE[3022] chan_sip.c: Registration from 6018 sip:[email protected] :5060 failed for 108.60.207.106:5061 - Wrong password
[2014-01-15 21:39:10] NOTICE[3022] chan_sip.c: Registration from 1442 sip:[email protected] :5060 failed for 108.60.207.106:5086 - Wrong password
[2014-01-15 21:39:17] NOTICE[3022] chan_sip.c: Registration from 2378 sip:[email protected] :5060 failed for 108.60.207.106:5084 - Wrong password
dicko, January 16, 2014, 2:52am (#6)
Same insecurity. You allow connections from anyone on any UDP port? I don't think that's a good idea.
I am able to trace that IP to Corexchange, but I have nothing with them.
This being said, the response "someone at that IP address is probing you" is my issue.
I was just not sure if it was my PBX trying to access that IP or the other way around.
I do have a rule allowing anyone on UDP 10000-20000 to SNAT to my PBX, because I have 2 trunks from 2 providers and I haven't figured out yet how to set SNAT from 2 IPs.
But thanks for the information.