Server Hacked

Hello,
I haven’t used Asterisk, or VoIP for that matter, in a while… Looks like SIP has become a target!

Anyway, first of all, one of my SIP users on my Asterisk got hacked, which is totally my fault because I didn’t put a strong password and opened the SIP port on the firewall… This is solved; now my SIP clients can only connect if they are on the local network or VPN. My problem is there is a script somewhere on my network that keeps trying to connect to my Asterisk server. I installed Shorewall on the Asterisk server and keep having those attempts to connect in SIP on the server. The problem is those attempts come from IPs outside my network. But my network firewall doesn’t allow SIP connections and anyway doesn’t see those attempts. So I believe that those attempts come from somewhere inside my network. But I just can’t seem to find from where.

So has anyone here ever had this problem? And how did they solve it?

Thanks

Think you should have a better look at your firewall.
Sure you removed the NAT entry and firewall entry?

There are also scripts that can look at SIP login failures and then block that IP from your server if too many failure attempts are made.
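The kind of script the reply above mentions, as an added example that is not part of the thread or of any Asterisk tooling: it counts failed SIP registrations per source IP inside a sliding time window and returns the addresses that cross a threshold. The log line format (chan_sip NOTICE style), the sample lines, the thresholds and the name `offenders` are assumptions made for illustration; the actual firewall block is left to whatever the server uses.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the style of Asterisk chan_sip NOTICE messages
# (assumed format; addresses are documentation/private ranges, not real data).
SAMPLE_LOG = """\
[2024-03-01 10:00:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.50:5071' - Wrong password
[2024-03-01 10:00:03] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.50:5071' - No matching peer found
[2024-03-01 10:00:04] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '10.0.0.23:5060' - Wrong password
[2024-03-01 10:00:06] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.50:5071' - Wrong password
[2024-03-01 10:09:30] NOTICE[2101] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2024-03-01 10:30:00] NOTICE[2101] chan_sip.c: Registration from '"300" <sip:300@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2024-03-01 10:30:05] VERBOSE[2101] chan_sip.c: Registered SIP '200' at 10.0.0.23:5060
"""

# Captures the timestamp, the source IP (port optional) and the failure reason.
FAILED = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\].*?: Registration from '.*' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def offenders(log_text, max_failures=3, window=timedelta(minutes=5)):
    """Return sorted IPs with >= max_failures failed registrations within `window`."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue  # successful registrations and unrelated lines are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        hits = recent[m["ip"]]
        hits.append(ts)
        # Drop failures that have aged out of the sliding window.
        hits[:] = [t for t in hits if ts - t <= window]
        if len(hits) >= max_failures:
            flagged.add(m["ip"])
    return sorted(flagged)

if __name__ == "__main__":
    for ip in offenders(SAMPLE_LOG):
        print("block candidate:", ip)
```

Counting per window rather than over the whole log keeps a phone with one stale password from being flagged alongside a scanner that cycles through extensions within seconds.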

As a last ditch effort, you could attempt to isolate the Asterisk server from the outside world completely. (I realize that this will take out VPN functionality, but if it’s only the phone server, perhaps it would serve you better to not have it on the internet at all.) Anyhow, if you can detach it from the internet, you would know where to start looking. Then you could hub your connection to the server and start WireSharking the connection to detect what’s going on (Filter the SIP packets). You should be able to find the source culprit this way.