I’m seeing this behaviour on my server. Every 10 mins a “failed to authenticate device” message appears on the log. With each attempt the only difference is the SIP extension, which methodically attempts 100, 101, 111, 1000, 1001, 1111 and onwards through 9999. It then proceeds to similar sequences seeding at, say, 1101 and just keeps going.
Clearly it’s an attempt to find an obvious misconfigured extension and gain entry. The interval between attempts is, I believe, so as not to alert Fail2ban. The error message does not show the source IP address, which is a pity as it could be added to IPTables.
Another minor irritant is that this behavior seems to cause consequent errors - “chan_sip.c:4104 retrans_pkt: Timeout on 55b0bc68f5328f1b5851fc3e1574ce68 on non-critical invite transaction.”
The whole thing sure adds colour to the log file. Short of a Wireshark capture, I wonder how I could determine the origin of these attempts?
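
An added example, not part of the original post: a log check for the slow extension sweep described above, keyed on how many distinct extensions fail over a long window rather than on failure rate. The log-line layout, the sample lines and the thresholds are constructed assumptions, not output from the poster's server.

```python
import re
from datetime import datetime, timedelta

# Assumed layout: "[YYYY-MM-DD HH:MM:SS] ... failed to authenticate device <ext>..."
LINE_RE = re.compile(
    r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*?"
    r"failed to authenticate device\D*?(\d+)", re.IGNORECASE)

def parse_failures(lines):
    """Return sorted (timestamp, extension) pairs for auth-failure lines only."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2)))
    return sorted(events)

def max_failures_in(events, span):
    """Most failures seen in any window of length span (a rate-based view)."""
    return max((sum(1 for t, _ in events[i:] if t - start < span)
                for i, (start, _) in enumerate(events)), default=0)

def distinct_extensions_in(events, span):
    """Largest set of distinct extensions tried in any window of length span."""
    best = set()
    for i, (start, _) in enumerate(events):
        seen = {ext for t, ext in events[i:] if t - start < span}
        best = seen if len(seen) > len(best) else best
    return best

# Constructed sample: one failure every 10 minutes, a new extension each time,
# plus one unrelated retransmission line that must be ignored.
BASE = datetime(2024, 1, 1)
SAMPLE = [
    f"[{BASE + timedelta(minutes=10 * i):%Y-%m-%d %H:%M:%S}] NOTICE[1200] "
    f"chan_sip.c: Failed to authenticate device {ext}<sip:{ext}@pbx.example>"
    for i, ext in enumerate(["100", "101", "111", "1000", "1001", "1111"])
]
SAMPLE.append("[2024-01-01 00:05:00] WARNING[1200] chan_sip.c: retrans_pkt: "
              "Timeout on constructed-call-id on non-critical invite transaction.")

if __name__ == "__main__":
    events = parse_failures(SAMPLE)
    print("peak failures per 10 min:", max_failures_in(events, timedelta(minutes=10)))
    swept = distinct_extensions_in(events, timedelta(hours=6))
    if len(swept) >= 5:  # assumed alert threshold
        print("slow extension sweep:", sorted(swept, key=int))
```

On the sample, the rate view never sees more than one failure per 10 minutes, while the distinct-extension view over six hours shows all six extensions being tried.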