Is this an attempt of hacking?

I have an asterisk on a Raspberry Pi, and the device on the LAN is

I configured my Internet router to reboot every night and this obtains a new public IP address from the ISP each time. I find that a daily changing IP address reduces the chance of hackers locating the SIP service that is running on my network. Lately, someone (presumably from Iceland) got the opportunity to attempt SIP connections. The message file in the log shows these obvious attempts:

NOTICE[409] chan_sip.c: Registration from ‘“5001” sip:5001@’ failed for ‘’ - Wrong password

However, I find another type of authentication failure message, like these, at about 2 per second for 10 seconds each time:

NOTICE[13522][C-00000050] chan_sip.c: Failed to authenticate device sip:119802@;tag=513769191

119802 is not a configured extension on my system. What type of activity is generating this message?

That notice number 13522 is 450 sometimes.

My security log is 3.6GB large and I haven’t got the chance to check to see if there is a corresponding entry for this activity.

sip set debug on would help you to determine exactly what SIP request is generating this response, but this is usually a response to a wrong password in an INVITE request.

I get something like that, in my logs ALL the time. Sometimes it’s actual customers that have removed extensions from their setup, and not from the actual phones, sometimes it’s scanners.

Most of the time I take a look at the IP range of the offending IP, and if they are of no interest to us or our customers, they get blocked in the firewall.

The IP you got belongs to Cloudstar in the Netherlands, don’t know where you got Iceland from.

Also, as far as I know, the number right after the notice is the process ID of the asterisk process.

Also these scanners don’t seem to be using any kind of knowledge on known SIP servers, we even get scanned on IPs that are not even active. So changing your IP every night has no added security benefit.

It is MUCH better for your security to just use strong passwords, keep your asterisk version updated, and NEVER put anything in the “default” context, which is where unknown SIP devices will end up.
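The two NOTICE messages discussed in this thread can be tallied from a large log in one streaming pass. The script below is an added example, not part of the original posts: it assumes the `[YYYY-MM-DD HH:MM:SS]` timestamp prefix, and `KNOWN_EXTENSIONS` and the sample lines are constructed placeholders.

```python
import re
from collections import Counter, deque
from datetime import datetime, timedelta

# Assumption: extensions that really exist on this PBX (hypothetical values).
KNOWN_EXTENSIONS = {"5001", "5002"}

# Assumption: logger.conf uses dateformat=%F %T, giving "[YYYY-MM-DD HH:MM:SS]".
HEAD = (r"\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] "
        r"NOTICE\[\d+\](?:\[C-[0-9a-f]+\])? chan_sip\.c: ")
REG_FAIL = re.compile(HEAD + r"Registration from '.*?sip:(?P<ext>[^@>']+)@.*?' "
                             r"failed for '(?P<src>[^':]+)(?::\d+)?' - ")
INV_FAIL = re.compile(HEAD + r"Failed to authenticate device .*?sip:(?P<ext>[^@>;]+)@")

# Constructed sample lines (documentation IP ranges), not taken from a real log.
SAMPLE = [
    "[2024-01-01 03:00:0%d] NOTICE[409] chan_sip.c: Registration from "
    "'\"5001\" <sip:5001@192.0.2.10>' failed for '203.0.113.7:5071' - Wrong password" % i
    for i in range(3)
] + [
    "[2024-01-01 04:00:%02d] NOTICE[13522][C-%08x] chan_sip.c: Failed to authenticate "
    "device <sip:119802@192.0.2.10>;tag=513769191" % (i // 2, 0x50 + i)
    for i in range(20)  # 2 per second for 10 seconds
]

def summarize(lines, burst_window=timedelta(seconds=10)):
    """Stream over log lines (a list or an open file) and tally auth failures."""
    reg_by_src, unknown_ext = Counter(), Counter()
    window, max_burst = deque(), 0
    for line in lines:
        m = REG_FAIL.search(line)
        if m:
            reg_by_src[m["src"]] += 1      # REGISTER failures name the peer address
        else:
            m = INV_FAIL.search(line)
            if not m:
                continue
            # As shown in the thread, this line carries the From header rather
            # than a peer address, so track its rate instead.
            t = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            window.append(t)
            while t - window[0] > burst_window:
                window.popleft()
            max_burst = max(max_burst, len(window))
        if m["ext"] not in KNOWN_EXTENSIONS:
            unknown_ext[m["ext"]] += 1     # extension that is not configured locally
    return {"register_failures_by_source": dict(reg_by_src),
            "unknown_extensions": dict(unknown_ext),
            "max_auth_failures_in_window": max_burst}

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Passing an open file object instead of `SAMPLE` keeps memory use flat on a multi-gigabyte log, since only the current burst window is held.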
