Over several years I have discovered successful hacking attempts on my Asterisk. The machine, provider, IP, Debian and Asterisk version have been changed, but the working hacking attempts keep happening.
It's the same process every time.
[2012-06-14 09:05:27] NOTICE chan_sip.c: Registration from ‘"378749064"sip:email@example.com’ failed for ‘184.108.40.206’ - No matching peer found
[2012-06-14 09:05:30] NOTICE chan_sip.c: Registration from '"2038492213"sip:firstname.lastname@example.org’ failed for ‘220.127.116.11’ - No matching peer found
Up to here, a non-working hack.
Yesterday this worked:
[2012-06-13 13:14:26] NOTICE chan_sip.c: Registration from ‘"3390288695"sip:email@example.com’ failed for ‘18.104.22.168’ - No matching peer found
Today this worked:
[2012-06-14 10:39:41] NOTICE chan_sip.c: Registration from ‘"502715279"sip:firstname.lastname@example.org’ failed for ‘22.214.171.124’ - No matching peer found
There is only this one single line in the log, verbosity is set to 6.
After this I cannot reach my phone numbers, because the provider has registered them to the IP 126.96.36.199.
They don't try to make any phone calls; they do nothing. This has been going on for about 5 years, with dozens of IPs.
There isn't much to do after this, just adding the IP to denyhosts; after 10 minutes I can reach my phone numbers again and the hacker's registration drops. Then, after some months, or a few hours later, the same thing repeats with a different IP. It's not necessary to change any password. Even if I change all passwords (SIP, account, machine), it doesn't change anything or prevent the next attack.
Does anybody know how this works and how I can prevent this?
I'm currently using this Asterisk:
Connected to Asterisk 1.4.42 currently running on server1 (pid = 27398) (The problem is version independent)
In my sip.conf, alwaysauthreject = yes is set.
Because I register from changing IPs, I can't block too many IPs.
(Sorry for my bad English, I hope you understand what I wrote)
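Added example, not part of the original post: a parser for the chan_sip "Registration ... failed" lines quoted above that groups failures by source IP, as input for a block list like the denyhosts step described. The sample log lines, the `own_networks` allowlist and the function names are constructed for illustration.

```python
import ipaddress
import re

# Matches the NOTICE lines in the post; tolerates an optional [pid] after
# NOTICE, an optional :port after the IP, and straight or typographic quotes.
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE(?:\[\d+\])? chan_sip\.c: "
    r"Registration from [\u2018'](?P<frm>.*?)[\u2019'] failed for "
    r"[\u2018'](?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?[\u2019'] - (?P<reason>.+)$"
)

# Constructed sample lines (documentation-range IPs, made-up peers).
SAMPLE_LOG = """\
[2012-06-14 09:05:27] NOTICE chan_sip.c: Registration from '"1001"sip:1001@pbx.example' failed for '198.51.100.7' - No matching peer found
[2012-06-14 09:05:30] NOTICE chan_sip.c: Registration from '"1002"sip:1002@pbx.example' failed for '198.51.100.7' - No matching peer found
[2012-06-14 10:39:41] NOTICE[27398] chan_sip.c: Registration from \u2018"1003"sip:1003@pbx.example\u2019 failed for \u2018203.0.113.9:5060\u2019 - Wrong password
[2012-06-14 10:40:02] NOTICE chan_sip.c: Registration from '"1004"sip:1004@pbx.example' failed for '192.0.2.44' - No matching peer found
[2012-06-14 10:41:00] VERBOSE logger.c: unrelated line
"""

def parse_failed_registrations(text):
    """Yield one dict per failed-registration line; other lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()

def block_candidates(text, own_networks=()):
    """Group failures by source IP, leaving out addresses in own_networks."""
    nets = [ipaddress.ip_network(n) for n in own_networks]
    seen = {}
    for ev in parse_failed_registrations(text):
        try:
            ip = ipaddress.ip_address(ev["ip"])
        except ValueError:  # e.g. an octet above 255 in a damaged line
            continue
        if any(ip in net for net in nets):
            continue  # assumed to be one of the operator's own ranges
        rec = seen.setdefault(ev["ip"], {"count": 0, "first": ev["ts"],
                                         "last": ev["ts"], "reasons": set()})
        rec["count"] += 1
        rec["last"] = ev["ts"]
        rec["reasons"].add(ev["reason"])
    return seen

if __name__ == "__main__":
    found = block_candidates(SAMPLE_LOG, own_networks=["192.0.2.0/24"])
    for ip, rec in sorted(found.items()):
        print(ip, rec["count"], rec["first"], rec["last"], sorted(rec["reasons"]))
```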