Suspicious register requests

I’m getting register requests from various IPs.

/etc/asterisk/pjsip.conf:

[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0

[6001]
type=endpoint
context=from-internal
disallow=all
allow=ulaw
auth=6001
aors=6001

[6001]
type=auth
auth_type=userpass
password=unsecurepassword
username=6001

[6001]
type=aor
max_contacts=1

/etc/asterisk/extensions.conf:

[from-internal]
exten = 100,1,Answer()
same = n,Wait(1)
same = n,Playback(hello-world)
same = n,Hangup()

How do I get rid of these requests? Is it a security breach?
I was trying to create basic internal telephony between two numbers with pjsip.
Does anyone have a comprehensible guide?

Welcome to the internet. You have a lot of attackers out there looking for vulnerable systems. You can do a few things.

  1. Block your server from the internet and only allow traffic from specific IPs. You can use something like TailScale (https://tailscale.com/) so you can get to your PBX if you are not on the same network.
  2. Use something like APIBan to block known bad actors. See https://www.apiban.org/
  3. Block known bad actors, TOR exit nodes etc. with this script https://github.com/trick77/ipset-blacklist/blob/master/update-blacklist.sh
  4. Install Fail2Ban to block the IPs from hitting you over and over.
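How the Fail2Ban approach in item 4 picks addresses to block, as an added example that is not part of the original thread: it counts rejected REGISTER requests per source address inside a sliding window. The log lines are constructed, and the `maxretry`/`findtime` defaults, the `dateformat=%F %T` timestamp style and the IPv4-only regex are assumptions of this sketch.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (documentation-range addresses). Assumes logger.conf
# uses dateformat=%F %T and that lines arrive in chronological order.
SAMPLE_LOG = """\
[2024-05-01 10:00:01] NOTICE[2211] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:6001@192.0.2.1>' failed for '203.0.113.7:5060' (callid: a1) - Failed to authenticate
[2024-05-01 10:00:05] NOTICE[2211] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"100" <sip:100@192.0.2.1>' failed for '203.0.113.7:5060' (callid: a2) - No matching endpoint found
[2024-05-01 10:00:09] NOTICE[2211] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:6001@192.0.2.1>' failed for '203.0.113.7:5060' (callid: a3) - Failed to authenticate
[2024-05-01 10:00:20] VERBOSE[2211] res_pjsip_registrar.c: Added contact 'sip:6001@192.0.2.15:5060' to AOR '6001' with expiry 3600
[2024-05-01 10:01:00] NOTICE[2211] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:6001@192.0.2.1>' failed for '198.51.100.23:5060' (callid: b1) - Failed to authenticate
[2024-05-01 10:01:30] NOTICE[2211] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:6001@192.0.2.1>' failed for '198.51.100.23:5060' (callid: b2) - Failed to authenticate
[2024-05-01 10:25:00] NOTICE[2211] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '<sip:6001@192.0.2.1>' failed for '198.51.100.23:5060' (callid: b3) - Failed to authenticate
"""

# Rejected REGISTER as logged by res_pjsip; captures timestamp and source IPv4.
FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] .*?Request 'REGISTER' from '.*?' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' \(callid: [^)]*\) - "
    r"(?:No matching endpoint found|Failed to authenticate)")

def offenders(log_text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: time of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if not m or m["ip"] in flagged:
            continue              # not a rejected REGISTER, or already flagged
        when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(when)
        while when - window[0] > findtime:
            window.popleft()      # forget failures older than the window
        if len(window) >= maxretry:
            flagged[m["ip"]] = when
    return flagged

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"block {ip} (threshold reached at {when})")
```
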

> I’m getting register requests from various IPs.

That’s nothing unusual on an Internet-facing PBX.

> [6001]
> type=auth
> auth_type=userpass
> password=unsecurepassword
> username=6001

That does not look good - why are you using an insecure password?

> How do I get rid of these requests?

Don’t allow access to your Asterisk server from the general Internet.

> Is it a security breach?

It’s certainly an attempt to place fraudulent calls.

> I was trying to create basic internal telephony between two numbers with
> pjsip.

So, why is this machine listening on a public IP address?

I would start by listening on your internal network address only, and that
will stop the attackers being able to find your machine.

Antony.
