Request 'INVITE' and 'REGISTER' from old sip endpoints that no longer exist

In my asterisk terminal, I am receiving multiple NOTICES from old devices that nolonger exist and its saying ‘Failed to Authenticate’.

I am using asterisk in realtime, I am sure that the extensions in question are not registered on any client computer.

I assume it’s inbound registrations.

You can check on the network level, using tools like sngrep, ngrep-sip, ngrep or tcpdump, to get the IP address of the devices trying to register, if they are not in the notice already.

If the registrations are outbound, a restart of Asterisk should do the trick, if all traces of the old devices are gone from the configuration.

I did run sngrep, on the SIP From section, I see extensions that I never registered before. It runs every 2 seconds iterating over 20 extensions that do not exist, that were never registered on any device.

Are your Asterisk server the source or destination of the traffic? If it’s the source, there’s a misconfiguration somewhere, if it’s the destination, something outside of Asterisk is misconfigured and still tries to register, and you’ll have to track down that device, and physically disconnect it from the network, or reconfigure it.

If the server is publicly accessible, it could be random scans, they usually assume 3 or 4 digit extensions starting from 100 or 1000. Our setup does not use the extensions as the username, and as such those scans are easily identified, but your setup might be different.

If the source IP is external (public internet), I would suspect that these are attempts to abuse your system (fraud calls). You may block this with a firewall or a tool like fail2ban.
If you are sure that no misuse is possible, you can also ignore the messages (but only then).

Thank you, I figured it out, its a hacking attempt, I blocked the device on firewall and it stopped.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.