Koozali.org: home of the SME Server

Interesting console display

Offline Teviot

Interesting console display
« on: October 02, 2013, 12:45:22 PM »
Hi All

Just had this come up on the console (below) while I was troubleshooting. Can someone confirm that this is what I think it is? An attempt to gain access??

Quote
[Oct  2 20:41:10] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"11111" <sip:11111@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:11] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"626262" <sip:626262@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:11] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"11111" <sip:11111@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:11] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"100" <sip:100@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:11] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"626262" <sip:626262@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"200" <sip:200@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"400" <sip:400@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"100" <sip:100@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"300" <sip:300@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"200" <sip:200@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"400" <sip:400@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"300" <sip:300@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"300" <sip:300@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"600" <sip:600@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"300" <sip:300@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"600" <sip:600@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"500" <sip:500@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"700" <sip:700@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"500" <sip:500@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"301" <sip:301@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"700" <sip:700@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"800" <sip:800@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"301" <sip:301@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"5001" <sip:5001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"900" <sip:900@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"1001" <sip:1001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"800" <sip:800@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"5001" <sip:5001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"2001" <sip:2001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"900" <sip:900@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"1001" <sip:1001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"201" <sip:201@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"2001" <sip:2001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"201" <sip:201@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"501" <sip:501@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"1001" <sip:1001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"1001" <sip:1001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"202020" <sip:202020@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:17] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"3001" <sip:3001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:17] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:17] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"202020" <sip:202020@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:17] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"100" <sip:100@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:18] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"100" <sip:100@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
home*CLI>

Regards
M0GLJ
......................................................
I am new to SAIL SME Server v8b6 and have been using SME for many years.
I have already done some research and only ask questions if I still can't work it out.

Offline Franco

Re: Interesting console display
« Reply #1 on: October 02, 2013, 02:33:27 PM »
You should install fail2ban or use VPN to gain internal access.

BR,

Offline Teviot

Re: Interesting console display
« Reply #2 on: October 02, 2013, 07:09:53 PM »
Quote
You should install fail2ban or use VPN to gain internal access.

BR,

So now you have a recommendation.  Installation instructions would be better.

Also you didn't say what you thought the console display was.
Regards
M0GLJ

Offline Franco

Re: Interesting console display
« Reply #3 on: October 02, 2013, 08:18:51 PM »
Hi, this is someone from 37.8.22.203 trying to logon to your server.

How-to: http://wiki.contribs.org/Fail2ban

BR,

Offline SARK devs

Re: Interesting console display
« Reply #4 on: October 04, 2013, 05:57:00 PM »
This was a SIP crack attack. They are very common if you have an open SIP port (5060). You should limit your firewall to only accept SIP from known hosts. Fail2ban is also a good idea but it won't stop all SIP attacks.

Best

S


Offline Teviot

Re: Interesting console display
« Reply #5 on: October 23, 2013, 08:57:04 AM »
Regards
M0GLJ

Offline Stefano

Re: Interesting console display
« Reply #6 on: October 23, 2013, 09:37:53 AM »
google, "fail2ban voip howto" -> first result:

http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk

should be a good start (regarding fail2ban configuration)

HTH

Offline Teviot

Re: Interesting console display
« Reply #7 on: October 27, 2013, 07:01:51 AM »
Quote
google, "fail2ban voip howto" -> first result:

http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk

should be a good start (regarding fail2ban configuration)

HTH

I must be thick.  I still don't get what I need to do to get it to monitor VOIP
Regards
M0GLJ

Offline SARK devs

Re: Interesting console display
« Reply #8 on: October 27, 2013, 07:30:19 PM »
fail2ban uses a bunch of configuration files in /etc/fail2ban. You will also see a directory called fail2ban/filter.d. In there are various rule files for the different logfiles that f2b will monitor. One of them should be called asterisk.conf. In it is a bunch of rules which f2b will apply to the Asterisk log file to see if there are any baddies sniffing at your server. If there are, it will create a firewall rule on the fly to block the baddie.

That's all there is to it.   

As far as I remember, the SME f2b contrib doesn't work for Asterisk 1.8 so you may want to get the latest Asterisk filter file from the f2b website.

You also need to make a small change to the asterisk logger.conf to generate date stamps that f2b can work with - it's all on the f2b website.

S
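
A small model of what the filter and jail described above do with log lines like the ones quoted in this thread, as an added example (not fail2ban's own code and not its shipped Asterisk filter). The two regular expressions, the constructed sample lines, the `year` parameter and the threshold values are assumptions for illustration; it shows how a pattern that expects a bare address never matches the `address:port` form, so nothing is counted or banned.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Illustrative patterns (assumptions), not fail2ban's shipped failregex.
# STRICT expects a bare address; TOLERANT also accepts 'address:port'.
PREFIX = (r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\]: chan_sip\.c:\d+ \w+: "
          r"Registration from '.*' failed for '")
ADDR = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
STRICT = re.compile(PREFIX + ADDR + r"' - ")
TOLERANT = re.compile(PREFIX + ADDR + r"(?::\d+)?' - ")

def bans(lines, pattern, maxretry=5, findtime=timedelta(seconds=60), year=2013):
    """Return sources that reach maxretry matching lines within findtime."""
    recent = defaultdict(deque)   # source address -> timestamps of recent failures
    banned = []
    for entry in lines:
        m = pattern.search(entry)
        if not m:
            continue              # an unmatched line is invisible to the jail
        # The console timestamp has no year, so one is supplied (assumption).
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["host"]]
        q.append(when)
        while when - q[0] > findtime:
            q.popleft()           # forget failures older than the window
        if len(q) >= maxretry and m["host"] not in banned:
            banned.append(m["host"])
    return banned

def line(ts, ext, src):
    """Build one constructed log line in the format quoted in the thread."""
    return (f"[{ts}] NOTICE[3562]: chan_sip.c:16379 handle_request_register: "
            f"Registration from '\"{ext}\" <sip:{ext}@192.0.2.1:5060>' "
            f"failed for '{src}' - No matching peer found")

# Constructed sample data using documentation address ranges.
SAMPLE = (
    [line(f"Oct  2 20:41:{10 + i}", 100 + i, "203.0.113.7") for i in range(6)]
    # Two isolated failures hours apart, e.g. a mistyped phone: never banned.
    + [line("Oct 28 09:00:00", 201, "192.0.2.44"),
       line("Oct 28 17:00:00", 201, "192.0.2.44")]
    + [line(f"Oct 28 18:39:{24 + i}", 3000 + i, "198.51.100.9:5100")
       for i in range(6)]
)

if __name__ == "__main__":
    print("strict  :", bans(SAMPLE, STRICT))
    print("tolerant:", bans(SAMPLE, TOLERANT))
```
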


 

Offline Teviot

Re: Interesting console display
« Reply #9 on: October 28, 2013, 08:36:44 AM »
Hi All

I think I need step by step instructions.  I have done what I believe to be the changes needed and I don't think it is working for VOIP

I'm still getting the following over and over with different ext numbers tried

Quote
[Oct 28 18:39:24] NOTICE[3536]: chan_sip.c:24331 handle_request_register: Registration from '"3006" <sip:3006@210.xxx.xxx.xxx:5060>' failed for '69.197.165.58:5100' - No matching peer found
« Last Edit: October 28, 2013, 08:43:13 AM by M0GLJ »
Regards
M0GLJ

Offline Teviot

Re: Interesting console display
« Reply #10 on: November 01, 2013, 10:51:38 PM »
bump
Regards
M0GLJ

Offline groutley

Re: Interesting console display
« Reply #11 on: November 02, 2013, 05:24:41 AM »
Having the same problem..
  not sure what is wrong with my fail2ban setup,  but it is not stopping the flood of failed registration attempts.
I too would like to see something more step by step..
I have followed http://www.sailpbx.com/mediawiki/index.php/SARK_V4.0.0_Fail2ban#Installing_fail2ban_on_earlier_S200_releases
but still the same.

Offline SARK devs

Re: Interesting console display
« Reply #12 on: November 02, 2013, 06:55:27 AM »
You followed the S200 steps for an S200 (or Debian) or for SME server?

S

Offline groutley

Re: Interesting console display
« Reply #13 on: November 02, 2013, 07:32:22 AM »
Quote
You followed the S200 steps for an S200 (or Debian) or for SME server?

Running SME here..
I installed fail2ban according to contrib http://wiki.contribs.org/Fail2ban
then using http://www.sailpbx.com/mediawiki/index.php/SARK_V4.0.0_Fail2ban
customised for asterisk.
I think I have nailed it now..  (not sure really)  but messages have changed to
Code:
[2013-11-02 17:18:08] NOTICE[5221] chan_sip.c: Sending fake auth rejection for device 9999<sip:9999@xx.xxx.xx.xx>;tag=abc39781
The trick (I think) was in the /etc/asterisk/logger.conf as per http://www.fail2ban.org/wiki/index.php/Asterisk
Quote
First the security log needs to be enabled in /etc/asterisk/logger.conf:

messages => security, notice,warning,error

"security" was not set..   so I updated that and then did
Code:
asterisk -rx "logger reload"
to restart the Asterisk logger module.

So at least the messages changed, which gives me an idea that fail2ban changes did something.
I also note in the /var/log/fail2ban/daemon.log it now states..
Code:
2013-11-02 15:34:00,716 fail2ban.actions: INFO   [asterisk-iptables] 198.7.59.96 already banned
the IP address being who was previously attacking my server.
So is fail2ban now doing what it is meant to?

G

Offline SARK devs

Re: Interesting console display
« Reply #14 on: November 02, 2013, 10:28:54 AM »
Hi

Good work. Glad you got it running OK.  As to your final question about whether it is working;  look in IP tables and you should see the banned IP being dropped.  It looks as tho' it is.

/etc/init.d/masq status | grep {ip address}


S

« Last Edit: November 02, 2013, 10:41:09 AM by SARK devs »