Failed Registration From Anonymous user on my sip server

Hi,

Someone is trying to register on my SIP server, as shown in the log file below. How can I stop the person from trying to register? I tried setting

voip-info.org/wiki/view/Asterisk+security

allowguest=no

===============================================================================

[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706 handle_request_register: Registration from ‘“82442” sip:82442@111.118.185.107’ failed for ‘64.22.111.26:5544’ - Wrong password
[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706

Except by taking legal action against them, you cannot prevent them from trying, by means that won’t end you up in jail. All you can hope to do is to stop the attempt as close to source as possible.

allowguest only helps if they try to register under a name that is not defined in your system. Unfortunately, like most people, you have ignored the security advice and used sip.conf section names that are related to the extension numbers and therefore guessable, so they have already solved half of the problem. You can help a bit by setting alwaysauthreject, so that they won’t know when they have found a valid device name to start the password search, but the attempts will still get logged.

If your passwords are really strong, they may not be causing any real harm.

However, the next step up is to work out which address ranges can legitimately make requests on port 5060 and block them at your firewall. If you cannot reasonably restrict those, you will need to enable the security log to find out the source address of the requests, and try to add firewall rules to block the associated ISP address ranges. Using a port number other than 5060 can also make it difficult for attackers to find you.

If some of your local SIP devices are only used over the LAN, restricting their allowable address range to the LAN will restrict the number of device names for which a password attack could succeed.

Provided attackers tend to make all requests from the same address, you can automate the blocking of that address at the Linux firewall, rather than your boundary firewall, using tools like fail2ban. This tends to rate limit, rather than stop requests.

Using whois, you can find out the abuse contact for the ISP they are using, and if the ISP is in a part of the world subject to the rule of law, you can try asking them to block the user, although attacks tend to come from less lawful countries, and the attacker can create another account.
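
The per-address counting that tools like fail2ban automate, as an added example that is not part of the original thread: it parses chan_sip registration-failure notices and flags source addresses that fail repeatedly inside a time window. The `offenders` function, the sample log lines (documentation addresses) and the default year are constructed for illustration; the `maxretry` and `findtime` names mirror fail2ban's settings.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# chan_sip failure notice; accepts ASCII or typographic quotes around the fields.
FAILED = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: chan_sip\.c:\d+ "
    r"handle_request_register: Registration from ['‘](?P<frm>.*?)['’] "
    r"failed for ['‘](?P<ip>\d+\.\d+\.\d+\.\d+)(?::\d+)?['’] - (?P<why>.+)$"
)

def offenders(lines, maxretry=5, findtime=60, year=2000):
    """Return {ip: failures in window} for sources with >= maxretry failures in findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # ip -> timestamps still inside the sliding window
    flagged = {}
    for line in lines:
        m = FAILED.match(line.strip())
        if not m:
            continue  # truncated or unrelated line
        # The log timestamp carries no year; an assumed one is supplied for parsing.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(q))
    return flagged

# Constructed sample log, not taken from the thread.
_TMPL = ("[Jun 21 14:0{m}:{s:02d}] NOTICE[4289]: chan_sip.c:25706 handle_request_register: "
         "Registration from '\"{ext}\" <sip:{ext}@192.0.2.1>' failed for '{ip}:5544' - Wrong password")
SAMPLE = (
    [_TMPL.format(m=3, s=58, ext=82442, ip="203.0.113.10")] * 6  # burst from one source
    + [_TMPL.format(m=m, s=0, ext=101, ip="198.51.100.7") for m in (1, 5, 9)]  # slow retries
    + ["[Jun 21 14:03:58] NOTICE[4289]: chan_sip.c:25706"]  # truncated line is skipped
)

if __name__ == "__main__":
    for ip, count in offenders(SAMPLE).items():
        print(f"{ip}: {count} failed registrations within the window")
```

The addresses it returns are the candidates for a firewall block; a phone that mistypes a password a few times over several minutes stays under the threshold.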

By adding some IPTables rules you can block malicious VoIP scanners from reaching your Asterisk server. Refer to the IPTables security HOW-TO I wrote up for Asterisk, as linked in this post:

viewtopic.php?f=1&t=89191#p196238