Getting calls from random IP address

Can someone help me please? I’m getting this every day, at least three times a day, on my VPS.
How do I stop this?
I only want to get calls from my service provider, i.e. a known IP address, not from random IP addresses.
Please, can someone help?

[2013-04-05 20:59:21] NOTICE[1683][C-000000e3] chan_sip.c: Call from ‘’ (94.23.32.211:5074) to extension ‘00972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 20:59:21] NOTICE[1683][C-000000e4] chan_sip.c: Call from ‘’ (94.23.32.211:5084) to extension ‘000972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 20:59:22] NOTICE[1683][C-000000e5] chan_sip.c: Call from ‘’ (94.23.32.211:5082) to extension ‘900972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:13:26] NOTICE[1683][C-000000e6] chan_sip.c: Call from ‘’ (94.23.32.211:5070) to extension ‘00972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:13:27] NOTICE[1683][C-000000e7] chan_sip.c: Call from ‘’ (94.23.32.211:5084) to extension ‘000972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:13:28] NOTICE[1683][C-000000e8] chan_sip.c: Call from ‘’ (94.23.32.211:5082) to extension ‘900972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:27:36] NOTICE[1683][C-000000e9] chan_sip.c: Call from ‘’ (94.23.32.211:5071) to extension ‘00972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:27:36] NOTICE[1683][C-000000ea] chan_sip.c: Call from ‘’ (94.23.32.211:5082) to extension ‘000972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:27:37] NOTICE[1683][C-000000eb] chan_sip.c: Call from ‘’ (94.23.32.211:5088) to extension ‘900972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:41:44] NOTICE[1683][C-000000ec] chan_sip.c: Call from ‘’ (94.23.32.211:5080) to extension ‘00972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:41:45] NOTICE[1683][C-000000ed] chan_sip.c: Call from ‘’ (94.23.32.211:5071) to extension ‘000972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:41:45] NOTICE[1683][C-000000ee] chan_sip.c: Call from ‘’ (94.23.32.211:5071) to extension ‘900972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:55:38] NOTICE[1683][C-000000ef] chan_sip.c: Call from ‘’ (94.23.32.211:5078) to extension ‘00972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:55:39] NOTICE[1683][C-000000f0] chan_sip.c: Call from ‘’ (94.23.32.211:5074) to extension ‘000972597540595’ rejected because extension not found in context ‘xxxx’.
[2013-04-05 21:55:40] NOTICE[1683][C-000000f1] chan_sip.c: Call from ‘’ (94.23.32.211:5078) to extension '900972

People really need to READ the best practices txt file or the Asterisk WIKI.

For a fast response: that is a hacking attempt because you have:

- Opened ports
- Allowguest=yes

Set allowguest=no and alwaysauthreject=yes, use a block host program (like fail2ban or blockhosts), and don’t use default contexts.

Thanks for the reply.
I have set alwaysauthreject=yes.
I’m not using the default context.
Also, I have to leave Allowguest=yes open because my DID provider is sending calls via IP, not registering.
My question is: is it possible to allow calls from only known IP addresses? If yes, give me some idea how to work around this problem.

Also, I am using fail2ban.

Many thanks

You must be using a default context if you are relying on allowguest. Your default context may not be named “default”, but it is still a default context.

I would have a weaker requirement on default contexts. Default contexts should be carefully written so as not to do anything that you would not want a criminal to be able to do. That won’t stop the attacks being logged. (SIP was intended as being peer to peer - unfortunately the need to access the PSTN and now the development of SIP fraud means that model is difficult to sustain.)

ITSPs normally don’t register with you and most people don’t have any problems turning off allowguest. Your ITSP may be suggesting allowguest because reducing security is always the lazy solution to problems of authentication. All you actually need to do is to define peers for every one of the addresses which your ITSP may use as a source address, all ending up on the same context. You need to use remotesecret on the peer you use for outgoing calls (in most cases this is a better solution than “insecure”).

Unless you also set up your firewall to block 5060 from all but your ITSP and local network, you will continue to get attacks logged. Tools like fail2ban which dynamically create blocking firewall rules will rate limit, but not stop the attacks getting as far as Asterisk.

Note that alwaysauthreject is about denying the attacker knowledge that they have found a valid device resource name and therefore that they only need to search the password space. It doesn’t block the attacks any earlier.

I suspect your resource names are the same as extension numbers. They should be much less guessable than that. Whilst alwaysauthreject will make an attacker’s job harder, if you name your SIP resources after extensions, they will still have a very limited set to search.

I wonder why there has been a sudden increase in reports of attacks recently, and why so many people with ITSPs with multiple source addresses are coming out of the woodwork. In my experience the time to first attack has always been quite short for several years.

IPTables was built to control who accesses your Linux systems.

The bottom line anymore is calls cost and people are trying to hack IP PBXes.

Lock the box down to known vendors, users, LANs and necessary services. Consider using keys for SSH access etc.

Don’t leave it wide open. If you do, people who like to make free, and generally expensive calls, will appreciate it.
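The replies above recommend one peer per ITSP source address (all landing in the same context, with allowguest off) and a firewall that admits port 5060 only from the ITSP and the local network. The script below is an added example, not taken from any poster or from the Asterisk project: it generates both pieces from a single address list. The addresses are constructed (documentation ranges), and the context name `from-itsp`, the peer name prefix `itsp-in` and the LAN range are assumptions.

```shell
#!/bin/sh
# Added example: build chan_sip peer stanzas and iptables rules from one
# list of ITSP source addresses, so the two can never drift apart.
# All values below are constructed placeholders; replace with the
# addresses your ITSP documents as its signalling sources.

ITSP_ADDRS="203.0.113.10 203.0.113.11 198.51.100.20"
LAN_NET="192.168.1.0/24"

# sip.conf fragment: guests disabled, one type=peer entry per source
# address, every entry routed to the same (non-guest) context.
# Assumption: the context is called "from-itsp" in extensions.conf.
gen_sip_conf() {
    printf '[general]\nallowguest=no\nalwaysauthreject=yes\n'
    n=0
    for addr in $1; do
        n=$((n + 1))
        printf '\n[itsp-in-%d]\ntype=peer\nhost=%s\ncontext=from-itsp\n' \
            "$n" "$addr"
    done
}

# Firewall rules: accept SIP signalling on UDP 5060 only from the ITSP
# addresses and the LAN, then drop everything else sent to that port.
# The commands are printed, not executed, so they can be reviewed first.
gen_fw_rules() {
    for src in $1 $2; do
        printf 'iptables -A INPUT -p udp --dport 5060 -s %s -j ACCEPT\n' "$src"
    done
    printf 'iptables -A INPUT -p udp --dport 5060 -j DROP\n'
}

gen_sip_conf "$ITSP_ADDRS"
echo
gen_fw_rules "$ITSP_ADDRS" "$LAN_NET"
```

Rule order matters: the final DROP must come after the ACCEPT lines, and the outgoing peer with remotesecret mentioned above is configured separately.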