Unknown Registration error

After installing Asterisk 16, I also installed the sample config files and only added one SIP account in sip.conf, and sip show registry shows that this SIP account is registered.
I also emptied extensions.conf and added my config, and all of this is working fine on the development server.
I recently noticed this error, and the number 442037694467, extension 100 and IP 103.145.12.189 are strange to me; I never added such. I also never added this 5076.

I am having this error in the Asterisk CLI and I don’t know the cause:
chan_sip.c:29053 handle_request_register: Registration from ‘“100” sip:100@MyServerIP’ failed for ‘45.143.220.174:5108’ - Wrong password

Below is the debug info:

Debug details below:
<— SIP read from UDP:103.145.12.189:5076 —>
INVITE sip:*442037694467@MyServerIP SIP/2.0
To: *442037694467sip:*442037694467@MyServerIP
From: 100sip:100@MyServerIP;tag=48cb8110
Via: SIP/2.0/UDP 103.145.12.189:5076;branch=z9hG4bK-57fb1fb344b83fd0f948b5bba1a8f2cd;rport
Call-ID: 57fb1fb344b83fd0f948b5bba1a8f2cd
CSeq: 1 INVITE
Contact: sip:100@103.145.12.189:5076
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 285

v=0
o=sipcli-Session 1216465514 1756939569 IN IP4 103.145.12.189
s=sipcli
c=IN IP4 103.145.12.189
t=0 0
m=audio 5077 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv
<------------->
— (12 headers 13 lines) —
Sending to 103.145.12.189:5076 (no NAT)
Sending to 103.145.12.189:5076 (no NAT)
Using INVITE request as basis request - 57fb1fb344b83fd0f948b5bba1a8f2cd
No matching peer for ‘100’ from ‘103.145.12.189:5076’
== Using SIP RTP CoS mark 5
Got SDP version 1756939569 and unique parts [sipcli-Session 1216465514 IN IP4 103.145.12.189]
Found RTP audio format 18
Found RTP audio format 0
Found RTP audio format 8
Found RTP audio format 101
Found audio description format G729 for ID 18
Found audio description format PCMU for ID 0
Found audio description format PCMA for ID 8
Found audio description format telephone-event for ID 101
Capabilities: us - (ulaw|alaw|gsm|h263|g729), peer - audio=(ulaw|alaw|g729)/video=(nothing)/text=(nothing), combined - (ulaw|alaw|g729)
Non-codec capabilities (dtmf): us - 0x1 (telephone-event|), peer - 0x1 (telephone-event|), combined - 0x1 (telephone-event|)
> 0x7f4df0023e50 – Strict RTP learning after remote address set to: 103.145.12.189:5077
Peer audio RTP is at port 103.145.12.189:5077
Looking for *442037694467 in default (domain MyServerIP)

<— Reliably Transmitting (no NAT) to 103.145.12.189:5076 —>
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 103.145.12.189:5076;branch=z9hG4bK-57fb1fb344b83fd0f948b5bba1a8f2cd;received=103.145.12.189;rport=5076
From: 100sip:100@MyServerIP;tag=48cb8110
To: *442037694467sip:*442037694467@MyServerIP;tag=as037d3e23
Call-ID: 57fb1fb344b83fd0f948b5bba1a8f2cd
CSeq: 1 INVITE
Server: Asterisk PBX 16.11.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0

<------------>
[Jun 21 00:32:12] NOTICE[48250][C-0002a3fe]: chan_sip.c:26817 handle_request_invite: Call from ‘’ (103.145.12.189:5076) to extension ‘*442037694467’ rejected because extension not found in context ‘default’.
Scheduling destruction of SIP dialog ‘57fb1fb344b83fd0f948b5bba1a8f2cd’ in 32000 ms (Method: INVITE)
Really destroying SIP dialog ‘1225569538’ Method: REGISTER
Really destroying SIP dialog ‘1811630775’ Method: REGISTER
Really destroying SIP dialog ‘3722928865’ Method: REGISTER

Retransmitting #4 (no NAT) to 103.145.12.189:5076:
SIP/2.0 404 Not Found
Via: SIP/2.0/UDP 103.145.12.189:5076;branch=z9hG4bK-57fb1fb344b83fd0f948b5bba1a8f2cd;received=103.145.12.189;rport=5076
From: 100sip:100@myserverIP;tag=48cb8110
To: *442037694467sip:*442037694467@myserverIP;tag=as037d3e23
Call-ID: 57fb1fb344b83fd0f948b5bba1a8f2cd
CSeq: 1 INVITE
Server: Asterisk PBX 16.11.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
Content-Length: 0

Really destroying SIP dialog ‘3400868266’ Method: REGISTER
Really destroying SIP dialog ‘3946086476’ Method: REGISTER
Really destroying SIP dialog ‘3508362552’ Method: REGISTER

This device is registered, and is able to make calls using your server. The call is not connected because the extension dialed is not found in the extensions.conf file. I suggest you change the SIP password and block the above IP.

According to ARIN, this address is in the 103.0.0.0/8 netblock which is assigned to APNIC.

So, unless you expect calls from ‘Asia Pacific’ countries, I’d block it. But this approach can quickly devolve into a game of Whac-A-Mole as your attacker just moves to another IP address. Blocking the entire netblock can help, but it’s not a great approach.

You may want to read up on fail2ban. Basically after a configurable number of failed attempts, it adds an ‘iptables’ rule to block the address automagically for a configurable interval.

One of the systems I’m developing right now was getting hammered with INVITES. Like x0,000 per minute.

Fortunately, I noticed most of the attempts were something like:

9x. (the 9 being ‘old-school’ outside line access).
1x. (some sort of international or pricey long distance)
0x. (international access)

Since none of the DIDs assigned to this system start with 0, 1, or 9, I wrote a fail2ban filter so that any INVITE starting with 0, 1, or 9 results in an immediate ban.

Problem solved.
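The ban policy described in the post above, sketched as an added example (this is not the poster's actual fail2ban filter): an immediate ban for a rejected INVITE whose dialed number starts with 0, 1 or 9, plus a ban after repeated "Wrong password" REGISTER failures. The function name, the threshold of 3 and the sample log lines are assumptions; in fail2ban the same matching would go in a filter's `failregex`, with `maxretry = 1` in the jail for the INVITE rule.

```shell
#!/bin/sh
# Added example (not from the thread). Prints "IP reason" for each source a
# fail2ban-style policy would ban, from chan_sip NOTICE lines on stdin.
#   $1  failed REGISTERs per IP before a ban (assumed default: 3)
#   $2  bracket expression of first dialed characters that ban at once
# IPv4 only; the IP is the packet source address that Asterisk logs.
ban_candidates() {
    awk -v max="${1:-3}" -v bad="${2:-[019]}" '
    function report(ip, why) {
        if (!(ip in seen)) { seen[ip] = 1; print ip, why }
    }
    # Rejected INVITE: "... (IP:port) to extension QUOTE number QUOTE rejected ..."
    /handle_request_invite: Call from / && / rejected because extension not found / {
        if (match($0, /\([0-9.]+:[0-9]+\) to extension \047/)) {
            first = substr($0, RSTART + RLENGTH, 1)   # first dialed character
            ip = substr($0, RSTART + 1); sub(/:.*/, "", ip)
            if (first ~ bad) report(ip, "invite-prefix-" first)
        }
        next
    }
    # Failed REGISTER: "... failed for QUOTE IP:port QUOTE - Wrong password"
    match($0, /\047[0-9.]+:[0-9]+\047 - Wrong password$/) {
        ip = substr($0, RSTART + 1); sub(/:.*/, "", ip)
        if (++fails[ip] == max) report(ip, "register-failures")
    }'
}

# Constructed sample lines modelled on the log in this thread; the addresses
# are documentation placeholders, not the ones from the thread.
sample_log() {
    cat <<'EOF'
[Jun 21 00:31:50] NOTICE[48250]: chan_sip.c:29053 handle_request_register: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23:5108' - Wrong password
[Jun 21 00:31:52] NOTICE[48250][C-0002a3fd]: chan_sip.c:26817 handle_request_invite: Call from '' (203.0.113.7:5076) to extension '9011442037694467' rejected because extension not found in context 'default'.
[Jun 21 00:31:55] NOTICE[48250]: chan_sip.c:29053 handle_request_register: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23:5108' - Wrong password
[Jun 21 00:32:12] NOTICE[48250][C-0002a3fe]: chan_sip.c:26817 handle_request_invite: Call from '' (203.0.113.9:5076) to extension '*442037694467' rejected because extension not found in context 'default'.
[Jun 21 00:32:20] NOTICE[48250]: chan_sip.c:29053 handle_request_register: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.40:5060' - Wrong password
[Jun 21 00:32:31] NOTICE[48250]: chan_sip.c:29053 handle_request_register: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.23:5108' - Wrong password
EOF
}

sample_log | ban_candidates 3
```

With the default prefixes, the sample INVITE to `*442037694467` (the form seen in this thread) is not banned because it starts with `*`; passing `'[*019]'` as the second argument would cover it.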

Many thanks @ambiorixg12 and @sedwards

My SIP provider has an option to authenticate just by me entering my public server IP instead of SIP user authentication; which one is more secure?

Also, I will probably just block all incoming IPs except my SIP provider’s IP and the machine that will SSH to this server; what’s your take on this?

IP based is more secure because there are no credentials to be stolen or brute-forced.

This is called ‘whitelisting’ and is preferred to ‘blacklisting.’

Iptables allows you to define rules that include specific ports. You probably want to only allow SIP and RTP from your SIP provider’s network (which may include several hosts and netblocks) and SSH from the 1 expected host.
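The allowlist described in the reply above, as an added example (not from the thread): a small generator that prints an `iptables-restore` ruleset admitting SSH from one host and SIP/RTP only from the provider's netblocks. The function names, SIP on UDP 5060, RTP on UDP 10000-20000, SSH on TCP 22 and all addresses are assumptions to adjust.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed ports: SIP on UDP 5060, RTP on
# UDP 10000-20000, SSH on TCP 22. Addresses are documentation placeholders.

# Shape check only: dotted quad with an optional /8../32 prefix. Rejects /0,
# so a catch-all source cannot slip into the allowlist by mistake.
is_ipv4_net() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([89]|[12][0-9]|3[0-2]))?$'
}

# allowlist_rules SSH_HOST PROVIDER_NET...
# Prints a ruleset whose INPUT policy is DROP; only the listed sources get in.
allowlist_rules() {
    ssh_host=$1; shift
    for net in "$ssh_host" "$@"; do
        is_ipv4_net "$net" || { echo "refusing source: $net" >&2; return 1; }
    done
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s $ssh_host --dport 22 -j ACCEPT
EOF
    for net in "$@"; do
        echo "-A INPUT -p udp -s $net --dport 5060 -j ACCEPT"
        echo "-A INPUT -p udp -s $net --dport 10000:20000 -j ACCEPT"
    done
    echo COMMIT
}

# Review the output before loading it with iptables-restore.
allowlist_rules 192.0.2.50 198.51.100.0/24 203.0.113.16/28
```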

How your ITSP authenticates you is irrelevant, as this is an attack on you, not directly on the provider.

As you suggest, authenticating the provider by IP address is a very sensible strategy, given that providers don’t generally offer to authenticate themselves within the protocol, as long as you don’t have any genuine need for outside calls. However, that will happen automatically if you use type=peer and a static address. That suggests you have allowguest turned on, which is not generally a good idea on a production system.

Note that chan_sip has community support only status. New installations should use chan_pjsip, unless there is a specific contraindication.
If yo

Thanks to all for the feedback
