I have an asterisk on a Raspberry Pi, and the device on the LAN is 192.168.28.3.
I configured my Internet router to reboot every night and this obtains a new public IP address from the ISP each time. I find that a daily changing IP address reduces the chance of hackers locating the SIP service that is running on my network. Lately, someone (presumably from Iceland) got the opportunity to attempt SIP connections. The message file in the log shows these obvious attempts:
NOTICE[409] chan_sip.c: Registration from ‘“5001” sip:5001@192.168.28.3:5060’ failed for ‘185.53.88.36:5138’ - Wrong password
However, I find another type of authentication failure message like these, at about 2 per second for 10 seconds each time:
sip set debug on would help you to determine exactly what SIP request is generating this response, but this is usually a response to a wrong password in an INVITE request.
I get something like that in my logs ALL the time. Sometimes it’s actual customers that have removed extensions from their setup, and not from the actual phones; sometimes it’s scanners.
Most of the time I take a look at the IP range of the offending IP, and if they are of no interest to us or our customers, they get blocked in the firewall.
The IP you got belongs to Cloudstar in the Netherlands; don’t know where you got Iceland from.
Also, as far as I know, the number right after the notice is the process ID of the Asterisk process.
Also, these scanners don’t seem to be using any kind of knowledge of known SIP servers; we even get scanned on IPs that are not even active. So changing your IP every night has no added security benefit.
It is MUCH better for your security to just use strong passwords, keep your asterisk version updated, and NEVER put anything in the “default” context, which is where unknown SIP devices will end up.
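Added example, not part of any post in this thread: a small Python triage of chan_sip failed-registration lines that groups failures by source IP and separates sources probing many extensions from a single extension retrying one password, which is the distinction the reply draws before blocking a range in the firewall. The thresholds, verdict labels, helper names and all sample lines except the one quoted in the thread are assumptions made for the illustration.

```python
import re
from collections import defaultdict

SQ = "['\u2018\u2019]"   # straight or typographic single quote
DQ = '["\u201c\u201d]'   # straight or typographic double quote
# Failed-registration line in the shape quoted in the thread; the <> around
# the SIP URI is optional because the quoted line does not show it.
FAILED_REG = re.compile(
    r"chan_sip\.c: Registration from " + SQ
    + r"(?:" + DQ + r".*?" + DQ + r"\s*)?"
    + r"<?sip:(?P<ext>[^@\s]+)@[^>]+?>?" + SQ
    + r" failed for " + SQ + r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+" + SQ
    + r" - (?P<reason>.+)$"
)

def _line(ext, src, reason):
    """Build a constructed log line (hypothetical helper for the sample data)."""
    return (f"NOTICE[409] chan_sip.c: Registration from '\"{ext}\" "
            f"<sip:{ext}@192.168.28.3:5060>' failed for '{src}' - {reason}")

SAMPLE_LOG = [
    # The line quoted in the thread, typographic quotes as posted.
    "NOTICE[409] chan_sip.c: Registration from ‘“5001” sip:5001@192.168.28.3:5060’"
    " failed for ‘185.53.88.36:5138’ - Wrong password",
    # Unrelated line that must be ignored (constructed).
    "NOTICE[409] chan_sip.c: Peer '204' is now UNREACHABLE!",
]
# Constructed: one source walking through extensions (documentation address).
SAMPLE_LOG += [_line(e, "203.0.113.50:5071", "No matching peer found")
               for e in ("100", "101", "102", "103")]
# Constructed: one phone retrying a stale password for a single extension.
SAMPLE_LOG += [_line("204", "198.51.100.20:5060", "Wrong password")] * 6

def summarise(lines, min_failures=5, min_extensions=3):
    """Return {ip: {"failures", "extensions", "verdict"}}; thresholds are assumed."""
    stats = defaultdict(lambda: {"failures": 0, "extensions": set()})
    for line in lines:
        m = FAILED_REG.search(line)
        if m:
            stats[m["ip"]]["failures"] += 1
            stats[m["ip"]]["extensions"].add(m["ext"])
    for s in stats.values():
        if len(s["extensions"]) >= min_extensions:
            s["verdict"] = "scanner-like"            # many extensions tried
        elif s["failures"] >= min_failures:
            s["verdict"] = "repeated-single-extension"  # e.g. a stale phone
        else:
            s["verdict"] = "low-volume"
    return dict(stats)

if __name__ == "__main__":
    for ip, s in summarise(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["extensions"]), s["verdict"])
```

The verdict is only a sorting aid for the manual look at the IP range that the reply describes; it does not replace it.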