Is this a toll fraud attempt?

Saw this in the Asterisk CLI:

I’m not sure what to make of it. How are non registered IP addresses able to try extensions in my dial plan?

If you are wondering; was not listed in ‘sip show peers’ at the time of the message and my dial plan does not have a [default] context.

SIP registration is about out going calls; it’s purpose is to tell the local system the IP address of the registering system; it is not there to secure the system against incoming calls.

You haven’t supplied the security log output, so it is difficult to be sure what is happening here.

Either you have a weak, or missing, password on a local device, or you have allowguest set to the default of yes. The weak password may be compounded by using type=friend instead of type=peer; type=friend is rarely needed for SIP.

Attempts will still get logged, but an earlier stage, even if you do lock Asterisk itself down. You have to modify the system firewall to prevent them reaching Asterisk.

In future, please don’t ask support questions on discussion forums.

On the general section of the sip.conf file set allowguest=no

This disable unauthenticated calls

These attempts are incredibly common. The best advice I can give, beyond what’s already been offered, is to lock the machine down to your provider(s) if you can- don’t need remote extensions, or don’t have a VPN solution.

It’s harder to lock down RTP ports to your provider if they don’t proxy media, but you can definitely do this on the SIP side.

Thanks for the answers.

For now, I have added allowguest=no below [general] in sip.conf

  1. configuring fail2ban is a to do job
  2. even after fail2ban working correctly ,scan security log searching for wan IP address and collect them …you’ll have to search for country of origin…and possibly ban forever via iptables command

on the cli —> tail /var/log/asterisk/security
on the output search for ----> RemoteAddress=“IPV4/UDP/”

------> iptables -I INPUT 1 -s -j DROP
----> /sbin/service iptables save

checking and adding rules for some days will reduce scanning log by 75%