Is someone trying to hack me?

Today I found a bunch of these entries in my logs:

[2024-02-26 11:19:18] NOTICE[5678] res_pjsip/pjsip_distributor.c: Request ‘REGISTER’ from ‘“114” sip:114-jsdjdsjdswjdwdjwkde@192.168.233.235’ failed for ‘192.168.233.238:5064’ (callid: 394581594-5064-1@BJC.BGI.CDD.CDI) - No matching endpoint found

These all seem to be related to a new Yealink W70B I recently installed as that’s the common thread of all the internal numbers being tried. The callerid in that line seems to move between the following three choices and the port seems to move around between 5060 and 5068.

394581594-5064-1@BJC.BGI.CDD.CDI
1789496394-5068-1@BJC.BGI.CDD.CDI
1313736603-5066-1@BJC.BGI.CDD.CDI

I thought I had IPtables set to not let much of anything in, starting around line 20 it looks like this:

DROP       udp  --  anywhere             anywhere             udp dpt:sip
DROP       udp  --  anywhere             anywhere             udp dpt:5160
ACCEPT     all  --  dns.google           anywhere
ACCEPT     all  --  b.resolvers.level3.net  anywhere
ACCEPT     all  --  c.resolvers.level3.net  anywhere
ACCEPT     all  --  d.resolvers.level3.net  anywhere
DROP       all  --  128.0.0.0/1          anywhere
DROP       all  --  0.0.0.0/1            anywhere
DROP       all  --  anywhere             anywhere             source IP range 0.0.0.0-255.255.255.255

Before that it only allows my providers and things related to the Linux and Asterisk update servers.

Any suggestion or comments welcome.

The ports you are looking at (5060-5068) are probably the source port. What do you get when you do:

iptables -L -nv

I suspect there is a rule that is allowing the traffic in.

The registration is coming from a private address. That normally means something misconfigured on your private network.

Here is what I think is the relevant part of iptables -L -nv. Everything past this is all drops which I think are already taken care of by the drop lines just before the end.

Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 76.168.134.0-76.168.134.254
 931K  400M ACCEPT     all  --  enp2s0 *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       127.0.0.1            0.0.0.0/0
 692K   97M ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 192.168.233.0-192.168.233.255
    0     0 ACCEPT     all  --  *      *       192.168.211.138      0.0.0.0/0
  367 20293 ACCEPT     all  --  *      *       192.168.211.38       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       64.154.41.150        0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       76.164.171.238       0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       34.226.36.32/28      0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       34.210.91.112/28     0.0.0.0/0
  124 24728 ACCEPT     all  --  *      *       168.86.128.0/18      0.0.0.0/0
   20 16340 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 54.172.60.0-54.172.60.3
  109  139K ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 54.244.51.0-54.244.51.3
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 208.78.112.64-208.78.112.66
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 67.213.136.64-67.213.136.66
    0     0 ACCEPT     all  --  *      *       67.213.136.64/26     0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       208.78.112.64/26     0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 34.203.250.0-34.203.250.255
  208 58868 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5060
    0     0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:5160
    0     0 ACCEPT     all  --  *      *       8.8.8.8              0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       4.2.2.2              0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       4.2.2.3              0.0.0.0/0
    0     0 ACCEPT     all  --  *      *       4.2.2.4              0.0.0.0/0
 1663  418K DROP       all  --  *      *       128.0.0.0/1          0.0.0.0/0
 7327 2382K DROP       all  --  *      *       0.0.0.0/1            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            source IP range 0.0.0.0-255.255.255.255
    0     0 ACCEPT     icmp --  *      *       0.0.0.0/0            0.0.0.0/0
    0     0 DROP       all  --  *      *       0.0.0.0/0            224.0.0.1
    0     0 REJECT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable

Sorry for the delayed response. You said “relevant part” but there could be somewhere else in there where packets are allowed. Can you post your entire output? Also what is the output of iptables-save?

Not an issue at all, I’m always grateful for help. A question: 2 of the last lines I posted:

 1663  418K DROP       all  --  *      *       128.0.0.0/1          0.0.0.0/0
 7327 2382K DROP       all  --  *      *       0.0.0.0/1            0.0.0.0/0

seem to have caught all the remaining packets, as every line past that shows zero packets and zero bytes. Or am I possibly missing something? I was under the impression that that second line would catch and drop everything? Here is the output of iptables-save.

# Generated by iptables-save v1.8.7 on Wed Mar  6 09:53:26 2024
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1201204:661870059]
-A INPUT -m iprange --src-range 76.168.134.0-76.168.134.254 -j DROP
-A INPUT -i enp2s0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -m iprange --src-range 192.168.233.0-192.168.233.255 -j ACCEPT
-A INPUT -s 192.168.211.138/32 -j ACCEPT
-A INPUT -s 192.168.211.38/32 -j ACCEPT
-A INPUT -s 64.154.41.150/32 -j ACCEPT
-A INPUT -s 76.164.171.238/32 -j ACCEPT
-A INPUT -s 34.226.36.32/28 -j ACCEPT
-A INPUT -s 34.210.91.112/28 -j ACCEPT
-A INPUT -s 168.86.128.0/18 -j ACCEPT
-A INPUT -m iprange --src-range 54.172.60.0-54.172.60.3 -j ACCEPT
-A INPUT -m iprange --src-range 54.244.51.0-54.244.51.3 -j ACCEPT
-A INPUT -m iprange --src-range 208.78.112.64-208.78.112.66 -j ACCEPT
-A INPUT -m iprange --src-range 67.213.136.64-67.213.136.66 -j ACCEPT
-A INPUT -s 67.213.136.64/26 -j ACCEPT
-A INPUT -s 208.78.112.64/26 -j ACCEPT
-A INPUT -m iprange --src-range 34.203.250.0-34.203.250.255 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j DROP
-A INPUT -p udp -m udp --dport 5160 -j DROP
-A INPUT -s 8.8.8.8/32 -j ACCEPT
-A INPUT -s 4.2.2.2/32 -j ACCEPT
-A INPUT -s 4.2.2.3/32 -j ACCEPT
-A INPUT -s 4.2.2.4/32 -j ACCEPT
-A INPUT -s 128.0.0.0/1 -j DROP
-A INPUT -s 0.0.0.0/1 -j DROP
-A INPUT -m iprange --src-range 0.0.0.0-255.255.255.255 -j DROP
-A INPUT -j LOG
-A INPUT -s 87.0.0.0/8 -j DROP
-A INPUT -m iprange --src-range 76.168.134.0-76.168.134.254 -j DROP
-A INPUT -s 201.0.0.0/8 -j DROP
-A INPUT -m iprange --src-range 72.44.32.0-72.44.63.255 -j DROP
-A INPUT -m iprange --src-range 67.202.0.0-67.202.63.255 -j DROP
-A INPUT -m iprange --src-range 75.101.128.0-75.101.255.255 -j DROP
-A INPUT -m iprange --src-range 174.129.0.0-174.129.255.255 -j DROP
-A INPUT -m iprange --src-range 204.236.192.0-204.236.255.255 -j DROP
-A INPUT -m iprange --src-range 184.73.0.0-184.73.255.255 -j DROP
-A INPUT -m iprange --src-range 216.236.128.0-216.236.191.255 -j DROP
-A INPUT -m iprange --src-range 184.72.0.0-184.72.63.255 -j DROP
-A INPUT -m iprange --src-range 79.125.0.0-79.125.127.255 -j DROP
-A INPUT -m iprange --src-range 89.255.0.0-89.255.63.255 -j DROP
-A INPUT -m iprange --src-range 38.99.27.1-38.99.27.254 -j DROP
-A INPUT -m iprange --src-range 23.239.69.226-23.239.69.226 -j DROP
-A INPUT -s 2.0.0.0/7 -j DROP
-A INPUT -s 5.0.0.0/8 -j DROP
-A INPUT -s 6.0.0.0/8 -j DROP
-A INPUT -s 7.0.0.0/8 -j DROP
-A INPUT -s 9.0.0.0/8 -j DROP
-A INPUT -s 10.0.0.0/7 -j DROP
-A INPUT -s 12.0.0.0/6 -j DROP
-A INPUT -s 23.0.0.0/8 -j DROP
-A INPUT -s 32.0.0.0/3 -j DROP
-A INPUT -s 37.0.0.0/8 -j DROP
-A INPUT -s 45.0.0.0/8 -j DROP
-A INPUT -s 62.0.0.0/8 -j DROP
-A INPUT -s 64.0.0.0/8 -j DROP
-A INPUT -s 66.0.0.0/8 -j DROP
-A INPUT -s 69.0.0.0/8 -j DROP
-A INPUT -s 71.0.0.0/8 -j DROP
-A INPUT -s 72.0.0.0/7 -j DROP
-A INPUT -s 75.0.0.0/8 -j DROP
-A INPUT -s 76.0.0.0/6 -j DROP
-A INPUT -s 80.0.0.0/4 -j DROP
-A INPUT -s 82.0.0.0/8 -j DROP
-A INPUT -s 85.0.0.0/8 -j DROP
-A INPUT -s 96.0.0.0/4 -j DROP
-A INPUT -s 112.0.0.0/5 -j DROP
-A INPUT -s 121.0.0.0/8 -j DROP
-A INPUT -s 122.0.0.0/7 -j DROP
-A INPUT -s 124.0.0.0/6 -j DROP
-A INPUT -s 128.0.0.0/7 -j DROP
-A INPUT -s 130.0.0.0/8 -j DROP
-A INPUT -s 132.0.0.0/6 -j DROP
-A INPUT -s 136.0.0.0/7 -j DROP
-A INPUT -s 139.0.0.0/8 -j DROP
-A INPUT -s 140.0.0.0/8 -j DROP
-A INPUT -s 142.0.0.0/8 -j DROP
-A INPUT -s 143.0.0.0/8 -j DROP
-A INPUT -s 144.0.0.0/4 -j DROP
-A INPUT -s 160.0.0.0/5 -j DROP
-A INPUT -s 168.0.0.0/8 -j DROP
-A INPUT -s 170.0.0.0/7 -j DROP
-A INPUT -s 176.0.0.0/4 -j DROP
-A INPUT -s 188.0.0.0/8 -j DROP
-A INPUT -s 192.99.0.0/16 -j DROP
-A INPUT -s 192.187.96.0/19 -j DROP
-A INPUT -s 193.0.0.0/8 -j DROP
-A INPUT -s 194.0.0.0/7 -j DROP
-A INPUT -s 196.0.0.0/7 -j DROP
-A INPUT -s 199.0.0.0/8 -j DROP
-A INPUT -s 200.0.0.0/6 -j DROP
-A INPUT -s 205.0.0.0/8 -j DROP
-A INPUT -s 206.0.0.0/7 -j DROP
-A INPUT -s 209.0.0.0/8 -j DROP
-A INPUT -s 210.0.0.0/7 -j DROP
-A INPUT -s 212.0.0.0/7 -j DROP
-A INPUT -s 217.0.0.0/8 -j DROP
-A INPUT -s 218.0.0.0/7 -j DROP
-A INPUT -s 220.0.0.0/6 -j DROP
-A INPUT -s 224.0.0.0/3 -j DROP
-A INPUT -p icmp -j ACCEPT
-A INPUT -d 224.0.0.1/32 -j DROP
-A INPUT -j REJECT --reject-with icmp-port-unreachable
COMMIT
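As an added example (not code from the thread), here is a small Python check that reads the NOTICE line from the first post and walks the INPUT chain in order, the way the kernel does, to show which rule admits the packet: the 192.168.233.0/24 ACCEPT sits above the `udp dpt:5060` DROP, so a REGISTER from the LAN phone is let in, while the two /1 DROP rules together cover the whole address space. It assumes Asterisk listens on UDP 5060, uses a cut-down copy of the chain, and parses only the -s, --src-range, -p, --dport and -j fields.

```python
import ipaddress
import re

# Constructed sample: the NOTICE line from the first post, with its curly quotes made ASCII.
LOG_LINE = ("[2024-02-26 11:19:18] NOTICE[5678] res_pjsip/pjsip_distributor.c: Request 'REGISTER' "
            "from '\"114\" sip:114-jsdjdsjdswjdwdjwkde@192.168.233.235' failed for "
            "'192.168.233.238:5064' (callid: 394581594-5064-1@BJC.BGI.CDD.CDI) - No matching endpoint found")

# The iptables-save INPUT chain above, cut down to the rules that decide SIP traffic.
INPUT_CHAIN = """
-A INPUT -m iprange --src-range 192.168.233.0-192.168.233.255 -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j DROP
-A INPUT -s 128.0.0.0/1 -j DROP
-A INPUT -s 0.0.0.0/1 -j DROP
""".strip().splitlines()

def parse_notice(line):
    """Extract the method, the requested user and the transport source ip:port that PJSIP logged."""
    m = re.search(r"Request '(\w+)' from '.*?sip:([^@']+)@[^']*' failed for '([\d.]+):(\d+)'", line)
    return None if not m else {"method": m.group(1), "user": m.group(2),
                               "src_ip": m.group(3), "src_port": int(m.group(4))}

def parse_rule(text):
    """Read the -s / --src-range / -p / --dport / -j fields of one iptables-save line."""
    src = re.search(r"\s-s\s(\S+)", text)
    rng = re.search(r"--src-range\s(\S+)-(\S+)", text)
    proto = re.search(r"\s-p\s(\S+)", text)
    dport = re.search(r"--dport\s(\d+)", text)
    return {"net": ipaddress.ip_network(src.group(1), strict=False) if src else None,
            "range": (ipaddress.ip_address(rng.group(1)), ipaddress.ip_address(rng.group(2))) if rng else None,
            "proto": proto.group(1) if proto else None,
            "dport": int(dport.group(1)) if dport else None,
            "target": re.search(r"-j\s(\S+)", text).group(1)}

def first_match(src_ip, proto, dport, chain=INPUT_CHAIN, policy="DROP"):
    """Walk the chain top to bottom as the kernel does; return (rule_index, target) or (None, policy)."""
    ip = ipaddress.ip_address(src_ip)
    for i, r in enumerate(parse_rule(t) for t in chain):
        if r["net"] is not None and ip not in r["net"]:
            continue
        if r["range"] is not None and not (r["range"][0] <= ip <= r["range"][1]):
            continue
        if (r["proto"] is not None and r["proto"] != proto) or (r["dport"] is not None and r["dport"] != dport):
            continue
        return i, r["target"]          # the first matching rule terminates the walk
    return None, policy

def explain(line, sip_port=5060):
    """Which rule admitted the request behind this NOTICE? Assumes Asterisk listens on UDP sip_port."""
    ev = parse_notice(line)
    return ev["src_ip"], *first_match(ev["src_ip"], "udp", sip_port)
```

Run `explain(LOG_LINE)` to see the LAN ACCEPT rule fire for 192.168.233.238, and `first_match("203.0.113.7", "udp", 5060)` to see an Internet source stopped by the dpt:5060 DROP instead.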
