Some script kitty has decided to try and find a weak point in my Asterisk box.
In the basic Asterisk (11.5) log I get this:
[Sep 26 11:46:38] NOTICE[29782][C-00000ece] chan_sip.c: Failed to authenticate device 401<sip:401@<my.ip.add.ress>;tag=e41ef400
[Sep 26 11:49:21] NOTICE[29782][C-00000ed1] chan_sip.c: Failed to authenticate device 501<sip:501@<my.ip.add.ress>;tag=36ae8fa5
In the security log I get the corresponding messages:
[Sep 26 11:46:38] SECURITY[29750] res_security_log.c: SecurityEvent=“ChallengeSent”,EventTV=“1380210398-480847”,Severity=“Informational”,Service=“SIP”,EventVersion=“1”,AccounID=“sip:401@<my.ip.add.ress>”,SessionID=“0x203cb08”,LocalAddress=“IPV4/UDP/<my.ip.add.ress>/”,RemoteAddress=“IPV4/UDP/185.19.216.116/5100”,Challenge=“3098232e”
[Sep 26 11:49:21] SECURITY[29750] res_security_log.c: SecurityEvent=“ChallengeSent”,EventTV=“1380210561-121061”,Severity=“Informational”,Service=“SIP”,EventVersion=“1”,AccounID=“sip:501@<my.ip.add.ress>”,SessionID=“0x25ef378”,LocalAddress=“IPV4/UDP/<my.ip.add.ress>/”,RemoteAddress=“IPV4/UDP/185.19.216.116/5076”,Challenge=“79ad26df”
BTW, I left the source port as I had found it in case anyone cares to block the PITA.
PROBLEM: The messages log does not contain any useful blocking information AND the security log doesn’t identify this as an attack and log entries are identical to a legitimate device connecting to the server.
Interestingly I don’t get an invalid device error (there is no 401 or 501 device on the server).
I can block the IP manually, but I can’t see a reasonable way to block it mechanically. PLUS I don’t know why I am getting an Informational event when there is no device 401 or 501.
Suggestions? Comments?