The indicated caller has tried to make a call without successfully authenticating themselves as device 601, or you have alwaysauthreject and an unregistered device tried to call with a From header claiming it was device 601, but you have no device 601, or it is a peer, not a friend or user. (NB making the device a friend is normally the wrong fix.)
I’m seeing this behaviour on my server. Every 10 mins a “failed to authenticate device” message appears on the log. With each attempt the only difference is the SIP extension, which methodically attempts 100, 101, 111, 1000, 1001, 1111 and onwards through 9999. It then proceeds with similar sequences seeding at say 1101 and just keeps going.
Clearly it’s an attempt to find an obvious misconfigured extension and gain entry. The interval between attempts is, I believe, so as not to alert Fail2ban. The error message does not show the source IP address, which is a pity as it could be added to IPTables.
Another minor irritant is that this behavior seems to cause consequent errors - “chan_sip.c:4104 retrans_pkt: Timeout on 55b0bc68f5328f1b5851fc3e1574ce68 on non-critical invite transaction.”
The whole thing sure adds colour to the log file. Short of a Wireshark capture, I wonder how I could determine the origin of these attempts?
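One way to flag the slow sweep described in the post above (an added example, not part of the original thread): since each attempt uses a different extension and arrives about 10 minutes apart, it counts distinct extensions failing authentication over a long window instead of failures per source address. The log line layout, the host `pbx.example.invalid`, the helper names and the window and threshold values are assumptions, and the sample lines are constructed.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed line layout (constructed for this example, not copied from the thread):
#   [2024-01-01 00:00:00] NOTICE[1234] chan_sip.c: Failed to authenticate device 100<sip:100@host>;tag=x
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*?"
    r"failed to authenticate device\s+[^<]*<sip:(?P<ext>[^@>;\s]+)@",
    re.IGNORECASE,
)

def find_sweeps(lines, window=timedelta(hours=2), min_distinct=5):
    """Return (time, extensions) each time the number of distinct extensions
    failing authentication inside `window` rises to `min_distinct`."""
    recent = deque()              # (timestamp, extension), oldest first
    alerts, alerting = [], False
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue              # unrelated lines, e.g. retrans_pkt timeouts
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        recent.append((ts, m["ext"]))
        while ts - recent[0][0] > window:
            recent.popleft()      # drop attempts older than the window
        distinct = {ext for _, ext in recent}
        if len(distinct) >= min_distinct and not alerting:
            alerts.append((ts, sorted(distinct)))
        # Re-arm only after the window has drained below the threshold.
        alerting = len(distinct) >= min_distinct
    return alerts

def make_line(ts, ext):
    """Build one constructed log line in the assumed layout."""
    return (f"[{ts:%Y-%m-%d %H:%M:%S}] NOTICE[1234] chan_sip.c: "
            f"Failed to authenticate device {ext}<sip:{ext}@pbx.example.invalid>;tag=x")

START = datetime(2024, 1, 1)
# Constructed sample: one attempt every 10 minutes, a new extension each time.
SAMPLE_LOG = [make_line(START + timedelta(minutes=10 * i), ext)
              for i, ext in enumerate(["100", "101", "111", "1000", "1001", "1111"])]

if __name__ == "__main__":
    for when, exts in find_sweeps(SAMPLE_LOG):
        print(f"{when}: {len(exts)} distinct extensions failed auth: {', '.join(exts)}")
```

A single misconfigured phone retrying the same extension never trips this check, because only the count of distinct extensions matters.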
Hi
I am having the same issue.
I can’t find the security log (it is not in /var/log or /var/log/asterisk).
Can you point me in the right direction?