On Mon, 8 Sep 2014, motty cruz wrote:
I continue to see the following msg on my Asterisk log:[Sep 8 15:34:37] NOTICE[7375]: chan_sip.c:23277 handle_request_invite: Failed to authenticate device 9009<sip:9...@196.107.xx.xx>;tag=8dd48dd2
First step is to determine the source -- is it coming from your network or from the Internet. 'sip set debug on,' tcpdump, ngrep, wireshark can all be useful.
If it is coming from your network, make note of the MAC address. The first 3 octets are the OUI. Google 'OUI Lookup.' This will tell you the manufacturer (or at least who made the board inside the device). This may give you a clue like 'Cisco Linksys LLC' and you may remember you have an old Sipura (which was bought by Linksys, which was bought by Cisco) laying around that somebody may have decided to 're-purpose' without telling you.
If it is coming from the Internet, learn a bit about iptables. The best case scenario is that you know everybody that should be accessing your pbx so you can 'whitelist' the good guys and DROP everything else. Some people moan about how they have clients that travel. Unless they travel to China, Russia, North Korea, Crapistan, etc, just block entire regions of the world. That will knock off 90% of your 'attack surface.' Maybe you can limit traffic to just a couple of class C addresses.
Finally, mop up the anklebitters with fail2ban. Oh, and nice long 'random' passwords on all of your SIP endpoints and if you can get away from 4 digit extensions, all the better.
-- Thanks in advance, ------------------------------------------------------------------------- Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST Newline Fax: +1-760-731-3000
-- _____________________________________________________________________ -- Bandwidth and Colocation Provided by http://www.api-digital.com -- New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello asterisk-users mailing list To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
