Topic: Interesting console display

[Teviot]

Hi All

Just had this come up on the console ( BELOW ) while I was trouble shooting. Can someone confirm that this is what I think it is?  An attempt to gain access??

[Oct  2 20:41:10] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"11111" <sip:11111@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:11] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"626262" <sip:626262@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:11] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"11111" <sip:11111@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:11] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"100" <sip:100@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:11] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"626262" <sip:626262@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"200" <sip:200@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"400" <sip:400@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"100" <sip:100@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"300" <sip:300@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"200" <sip:200@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"400" <sip:400@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:12] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"300" <sip:300@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"300" <sip:300@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"600" <sip:600@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"300" <sip:300@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"600" <sip:600@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"500" <sip:500@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:13] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"700" <sip:700@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"500" <sip:500@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"301" <sip:301@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"700" <sip:700@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"800" <sip:800@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"301" <sip:301@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"5001" <sip:5001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"900" <sip:900@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:14] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"1001" <sip:1001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"800" <sip:800@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"5001" <sip:5001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"2001" <sip:2001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"900" <sip:900@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"1001" <sip:1001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"201" <sip:201@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:15] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"2001" <sip:2001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"201" <sip:201@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"501" <sip:501@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"1001" <sip:1001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"1001" <sip:1001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:16] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"202020" <sip:202020@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:17] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"3001" <sip:3001@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:17] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"101" <sip:101@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:17] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"202020" <sip:202020@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:17] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"100" <sip:100@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
[Oct  2 20:41:18] NOTICE[3562]: chan_sip.c:16379 handle_request_register: Registration from '"100" <sip:100@210.79.30.214:5060>' failed for '37.8.22.203' - No matching peer found
home*CLI>

[Franco]

You should install fail2ban or use VPN to gain internal access.

BR,

[Teviot]

You should install fail2ban or use VPN to gain internal access.

BR,

So now you have a recommendation.  Instalation instructions would be better. 

Also you didn't say what you thought the console display was

[Franco]

Hi, this is someone from 37.8.22.203 trying to logon to your server.

How-to: http://wiki.contribs.org/Fail2ban

BR,

[SARK devs]

This was a sip crack attack.  They are very common if you have an open SIP port (5060).   You should limit your firewall to only accept SIP from known hosts.   Fail2ban is also a good idea but it won't stop all SIP attacks.

Best

S

[Teviot]

How-to: http://wiki.contribs.org/Fail2ban

How do I get FAIL2BAN to monitor VOIP??

[Stefano]

google, "fail2ban voip howto" -> first result:

http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk

should be a good start (regarding fail2ban configuration)

HTH

[Teviot]

google, "fail2ban voip howto" -> first result:

http://www.voip-info.org/wiki/view/Fail2Ban+%28with+iptables%29+And+Asterisk

should be a good start (regarding fail2ban configuration)

HTH

I must be thick.  I still don't get what I need to do to get it to monitor VOIP

[SARK devs]

fail2ban uses a bunch of configuration files in /etc/fail2ban.    You will also see a directory called fail2ban/filter.d  In there are various rule files for the different logfiles that f2b will monitor.   One of them should be called asterisk.conf.  In it is a bunch of rules which f2b will apply to the Asterisk log file to see if there are any baddies sniffing at your server.  If there are it will create a firewall rule on the fly to block the baddie.

That's all there is to it.   

As far as I remember, the SME f2b contrib doesn't work for Asterisk 1.8 so you may want to get the latest Asterisk filter file from the f2b website.

You also need to make a small change to the asterisk logger.conf to generate date stamps that f2b can work with - it's all on the f2b website.

S


 

[Teviot]

Hi All

I think I need step by step instructions.  I have done what I believe to be the changes needed and I don't think it is working for VOIP

I'm still getting the following over and over with different ext numbers tried

[Oct 28 18:39:24] NOTICE[3536]: chan_sip.c:24331 handle_request_register: Registration from '"3006" <sip:3006@210.xxx.xxx.xxx:5060>' failed for '69.197.165.58:5100' - No matching peer found

[Teviot]

bump

[groutley]

Having the same problem..
  not sure what is wrong with my fail2ban setup,  but it is not stopping the flood of failed registration attempts.
I too would like to see something more step by step..
I have followed http://www.sailpbx.com/mediawiki/index.php/SARK_V4.0.0_Fail2ban#Installing_fail2ban_on_earlier_S200_releases
but still the same.

[SARK devs]

You followed the S200 steps for an S200 (or Debian) or for SME server?

S

[groutley]

You followed the S200 steps for an S200 (or Debian) or for SME server?

Running SME here..
 I installed fail2ban according to contrib http://wiki.contribs.org/Fail2ban
then using http://www.sailpbx.com/mediawiki/index.php/SARK_V4.0.0_Fail2ban
customised for asterisk.
I think I have nailed it now..  (not sure really)  but messages have changed  to

Code: [Select]

[2013-11-02 17:18:08] NOTICE[5221] chan_sip.c: Sending fake auth rejection for device 9999<sip:9999@xx.xxx.xx.xx>;tag=abc39781
The trick (I think was in the /etc/asterisk/logger.conf  as per the http://www.fail2ban.org/wiki/index.php/Asterisk

First the security log needs to be enabled in /etc/asterisk/logger.conf:

messages => security, notice,warning,error

"security" was not set..   so I updated that  and then did

Code: [Select]

asterisk -rx "logger reload" to restart the Asterisk logger module.

So at least the messages changed, which gives me an idea that fail2ban changes did something.
I also note in the /var/log/fail2ban/daemon.log  it now states..

Code: [Select]

2013-11-02 15:34:00,716 fail2ban.actions: INFO   [asterisk-iptables] 198.7.59.96 already bannedthe ip address being who was previously attacking my server.
  So is fail2ban now doing what is is meant to ?

G

[SARK devs]

Hi

Good work. Glad you got it running OK.  As to your final question about whether it is working;  look in IP tables and you should see the banned IP being dropped.  It looks as tho' it is.

/etc/init.d/masq status | grep {ip address}


S

[Teviot]

Now that everyone is happy that thing are working, would be possible to get some detailed instructions on how to install and get Fail2ban to work in easy terms maybe step by step instructions for us dumb people

[Stefano]

You already have it.. Just re-read groutley 's post
try and report here any issue you have