Is this hacking?

Hello.

I just saw this in my asterisk -r verbose:

[Nov 16 21:56:15] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (50.57.84.70:5074) to extension '000972592995047' rejected because extension not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 21:56:17] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (50.57.84.70:5071) to extension '00972592995047' rejected because extension not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 21:56:20] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (50.57.84.70:5074) to extension '900972592995047' rejected because extension not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:44] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (50.56.249.175:5071) to extension '972592871975' rejected because extension not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:45] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (50.56.249.175:5074) to extension '+972592871975' rejected because extension not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:46] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (50.56.249.175:5074) to extension '00972592871975' rejected because extension not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:48] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (50.56.249.175:5074) to extension '900972592871975' rejected because extension not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:51] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (50.56.249.175:5074) to extension '000972592871975' rejected because extension not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 22:59:52] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (50.56.249.175:5070) to extension '0000972592871975' rejected because extension not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 23:00:05] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (50.56.249.175:5071) to extension '000000972592871975' rejected because extension not found in context 'default'.

It seems to be a call attempt to Israel.

The problem is that I don’t have any default extension in my extensions.conf nor my sip.conf.

Is there a way to know more about how this person accessed my Asterisk? (Which SIP account?)

Thank you.

You should set allowguest=no in order to disallow anonymous call attempts, and if you don’t need remote extensions you shouldn’t open SIP public ports in your router/firewall.

As noted, your allowguest is probably unsafe.

Unfortunately, this sort of attack is normal, and it is unlikely that you have been specifically targeted. Anything that is reachable from the internet via port 5060 will receive many attacks a day.

You need to assume that such attempts will be frequent, and make sure they don’t succeed, rather than worrying about tracking down the source.

There are tools, like fail2ban, that will scan the logs and temporarily block addresses that are making multiple failed attempts, although they can only do so after some have reached Asterisk.
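The log-scanning approach described above, as an added example (not part of the original post and not fail2ban's own code): it counts rejected INVITEs per source address inside a sliding window, in the way fail2ban's maxretry/findtime thresholds work, and separately counts "fake auth rejection" lines, which in the format shown in this thread carry no source address to ban on. The sample log lines are constructed, and the function name `analyse`, the thresholds `max_retry`/`find_time` and the fixed year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the thread's log format (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
[Nov 16 21:56:15] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (203.0.113.7:5074) to extension '000972000000001' rejected because extension not found in context 'default'.
  == Using SIP RTP CoS mark 5
[Nov 16 21:56:17] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (203.0.113.7:5071) to extension '00972000000001' rejected because extension not found in context 'default'.
[Nov 16 21:56:20] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (203.0.113.7:5074) to extension '900972000000001' rejected because extension not found in context 'default'.
[Nov 16 22:59:44] NOTICE[8334]: chan_sip.c:22895 handle_request_invite: Call from '' (198.51.100.9:5071) to extension '972000000002' rejected because extension not found in context 'default'.
[Nov 18 18:47:30] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1f55bf3
"""

STAMP = r"\[(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: chan_sip\.c:\d+ \w+: "
REJECTED = re.compile(STAMP + r"Call from '.*?' \((?P<ip>[\d.]+):\d+\) to extension "
                      r"'(?P<ext>[^']*)' rejected because extension not found")
FAKE_AUTH = re.compile(STAMP + r"Sending fake auth rejection for device ")

def parse_ts(ts):
    # The log has no year; a fixed leap year is assumed so deltas can be computed.
    return datetime.strptime("2000 " + ts, "%Y %b %d %H:%M:%S")

def analyse(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return (set of IPs to block, count of failures that carry no source IP)."""
    seen = defaultdict(list)        # ip -> timestamps of rejected INVITEs
    to_block, unattributed = set(), 0
    for line in log_text.splitlines():
        m = REJECTED.match(line)
        if m:
            now = parse_ts(m["ts"])
            # Keep only failures inside the sliding window, then add this one.
            recent = [t for t in seen[m["ip"]] if now - t <= find_time] + [now]
            seen[m["ip"]] = recent
            if len(recent) >= max_retry:
                to_block.add(m["ip"])
        elif FAKE_AUTH.match(line):
            unattributed += 1       # no address in this message: nothing to ban on
    return to_block, unattributed

if __name__ == "__main__":
    blocked, no_ip = analyse(SAMPLE_LOG)
    print("would block:", sorted(blocked))
    print("failures without a source address:", no_ip)
```
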

Thank you for your answer.

Now I have this:

[Nov 18 18:47:30] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1f55bf3
[Nov 18 18:47:31] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1f55bf3
[Nov 18 18:47:32] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1f55bf3
[Nov 18 18:47:34] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=0024de86
[Nov 18 18:47:35] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=0024de86
[Nov 18 18:47:35] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=0024de86
[Nov 18 18:47:38] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=dc2768f1
[Nov 18 18:47:39] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=dc2768f1
[Nov 18 18:47:39] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=dc2768f1
[Nov 18 18:47:43] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=14115deb
[Nov 18 18:47:43] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=14115deb
[Nov 18 18:47:48] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1c606d4
[Nov 18 18:47:49] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1c606d4
[Nov 18 18:47:49] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=a1c606d4
[Nov 18 18:47:53] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=5742bd4c
[Nov 18 18:47:53] NOTICE[21122]: chan_sip.c:22793 handle_request_invite: Sending fake auth rejection for device 301<sip:301@xx.xxx.xxx.xxx>;tag=5742bd4c

Is that because I changed the allowguest and the hacker is blocked?

Thank you

They were blocked by your not having a default context. They are now blocked somewhat further upstream.

Before changing the allowguest, I added this in my extensions.conf:

[default]
exten => s,1,Hangup()

Was this a good thing to do?

Yes, this is definitely a good thing to do.

This adds a layer of security in case allowguest=yes is set. If you set allowguest=no, the calls are rejected before they reach the dialplan. But having a Hangup() rule in the default context never hurts :wink: