I get notices every second, and it hasn't stopped for 3 days

This looks like a DDoS attack, but the link of my server isn’t even public. Please help me, I don’t really know what to do anymore, Coswo.

I’m on Debian 10 with Asterisk 17.6.0

Now I’m getting

[Aug 31 14:40:10] NOTICE[1784]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"112" <sip:112@myserver>' failed for 'ipofsomeone:5402' (callid: thecallid) - Failed to authenticate

(the number 112 doesn’t exist)

It will just be an attempt to guess your passwords. Any denial of service will probably be counterproductive for the attacker.

You don’t need to publish the fact you are running Asterisk; you simply need to be open to UDP traffic on port 5060, from the world.

There is a lot of material on the forum about protecting your system, but basically, don’t open the firewall to networks that can never legitimately send VoIP traffic direct for you (in many cases, that means everyone except your ITSP’s). Use fail2ban to dynamically add firewall rules. Make sure that your passwords are strong. Make sure that the context for calls from your ITSP cannot make any chargeable calls, and transfers are forbidden for calls arriving through that context. Consider using non-standard port numbers.

As you have blurred the source addresses, it is not possible to exclude that this might simply be a misconfigured device that got your address by chance.
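Added example (not code from this thread, and not fail2ban's own filter): a small Python script that applies the same idea as fail2ban's maxretry/findtime to the NOTICE format quoted in the question, so you can see which source addresses would be blocked. The regex assumes the log line layout shown above; the sample lines, IP addresses, call IDs, year and thresholds are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: lines look exactly like the pjsip_distributor NOTICE quoted in the
# question. Other Asterisk versions or channel drivers may log differently.
LINE_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\]: \S+ "
    r"log_failed_request: Request '(?P<method>\w+)' from '(?P<from>.*?)' "
    r"failed for '(?P<ip>[^']+):(?P<port>\d+)' \(callid: .*?\) - (?P<reason>.+)$"
)

# Constructed sample input: documentation-range IPs and made-up call IDs,
# six guesses from one source and a single failure from another.
FMT = ("[Aug 31 14:40:{s:02d}] NOTICE[1784]: res_pjsip/pjsip_distributor.c:676 "
       "log_failed_request: Request 'REGISTER' from '\"{ext}\" <sip:{ext}@myserver>' "
       "failed for '{ip}:5402' (callid: sample-{s}) - Failed to authenticate")
SAMPLE = [FMT.format(s=10 + i, ext=100 + i, ip="203.0.113.7") for i in range(6)]
SAMPLE.append(FMT.format(s=30, ext=200, ip="198.51.100.20"))
SAMPLE.append("[Aug 31 14:40:31] VERBOSE[1784]: unrelated line (constructed)")


def offenders(lines, max_retry=5, find_time=timedelta(minutes=10), year=2020):
    """Return {ip: peak failures inside any find_time window} for every
    source that reached max_retry failed requests within that window."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue              # not a failed-request NOTICE
        # Asterisk's default timestamp has no year, so one is supplied.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # drop failures older than the window
        if len(window) >= max_retry:
            flagged[m["ip"]] = max(flagged.get(m["ip"], 0), len(window))
    return flagged


if __name__ == "__main__":
    for ip, count in offenders(SAMPLE).items():
        print(f"{ip}: {count} failed requests in window, candidate for a block rule")
```

A source that only fails once, such as a single misconfigured device, stays below the threshold and is not flagged.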
