Unwanted SIP Requests and Authentication Failures - Seeking Guidance

Hello Asterisk Community,

I’ve recently observed a surge in unwanted SIP requests on my Asterisk server, leading to authentication failures. I’ve changed the default SIP port, implemented firewall rules, and reviewed my SIP configuration, but the issue persists.

Here are some log entries for reference:
[Jan 17 11:32:00] NOTICE[345576]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'OPTIONS' from 'sip:537759@www.mydomain.com' failed for '122.171.23.234:10422' - Failed to authenticate
[Jan 17 11:32:00] NOTICE[353407]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'OPTIONS' from 'sip:813379@www.mydomain.com' failed for '122.171.23.234:10422' - No matching endpoint found

I changed the default SIP port. Despite these efforts, the unauthorized requests continue.

Any insights or recommendations on further steps I can take to enhance the security of my Asterisk server would be greatly appreciated.

Thank you in advance for your assistance!

Welcome to the internet. If you have a public-facing device, adversaries will try to exploit it. Changing the port rarely helps, as sites like Shodan scan for all ports. You can try a few things.

  1. The best option would be to only allow IPs where you expect traffic from. This doesn't work for most people as they have dynamic IPs.
  2. If your phone (e.g. Yealink) supports a VPN (like OpenVPN), use that. This way they need VPN creds to connect.
  3. Use blacklists to block known bad hosts (I am on my mobile, I will try to update this post later with links). There are also options to block by country. I use this in reverse: I block by default and use the list to only allow certain countries.
    EDIT: I use trick77/ipset-blacklist on GitHub (a bash script to ban large numbers of IP addresses published in blacklists).
  4. Use Fail2Ban to auto-detect hosts trying to attack you and automatically block them.
  5. Make sure you use long passwords that consist of random characters. Don't make the password for extension 100 '100'!
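As an added example (not from the post above, and not Fail2Ban's own code), here is a Python model of what option 4 does with the log lines quoted in the question: a regex that matches the pjsip_distributor failure lines (the host group is what a Fail2Ban filter would expose as <HOST>), and a count-within-window check that follows Fail2Ban's maxretry/findtime rule. The sample log beyond the two quoted lines, and the year supplied for timestamps, are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the res_pjsip "log_failed_request" NOTICE lines quoted in the
# thread. "host" is the remote address (the <HOST> token in a Fail2Ban filter);
# the optional "(callid: ...)" part appears in newer Asterisk releases.
PJSIP_FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: "
    r"res_pjsip/pjsip_distributor\.c:\d+ log_failed_request: "
    r"Request '(?P<method>[A-Z]+)' from '(?P<from>[^']*)' "
    r"failed for '(?P<host>.+):\d+'(?: \(callid: [^)]*\))? - (?P<reason>.+)$"
)

# Constructed sample log: the two lines from the question plus four more in the
# same style from the same source, and one from an unrelated address.
SAMPLE_LOG = """\
[Jan 17 11:32:00] NOTICE[345576]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'OPTIONS' from 'sip:537759@www.mydomain.com' failed for '122.171.23.234:10422' - Failed to authenticate
[Jan 17 11:32:00] NOTICE[353407]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'OPTIONS' from 'sip:813379@www.mydomain.com' failed for '122.171.23.234:10422' - No matching endpoint found
[Jan 17 11:32:01] NOTICE[345576]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from 'sip:1001@www.mydomain.com' failed for '122.171.23.234:10422' - Failed to authenticate
[Jan 17 11:32:02] NOTICE[345576]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from 'sip:1002@www.mydomain.com' failed for '122.171.23.234:10422' - No matching endpoint found
[Jan 17 11:32:03] NOTICE[345576]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from 'sip:1003@www.mydomain.com' failed for '122.171.23.234:10422' - Failed to authenticate
[Jan 17 11:40:00] NOTICE[345576]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from 'sip:201@www.mydomain.com' failed for '192.0.2.10:5060' - Failed to authenticate
"""

def parse_failed_request(line, year=2024):
    """Fields of one log line as a dict, or None if the line is not a failure.
    Asterisk omits the year, so a placeholder year is supplied for ordering."""
    m = PJSIP_FAIL_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(f"{year} {rec['ts']}", "%Y %b %d %H:%M:%S")
    return rec

def hosts_to_ban(lines, maxretry=5, findtime=600):
    """Apply Fail2Ban's rule: ban a host once it has maxretry or more failures
    inside any findtime-second window. Returns the sorted list of such hosts."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_failed_request(line)
        if rec:
            events[rec["host"]].append(rec["ts"])
    banned = []
    for host, times in events.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if (t - start).total_seconds() <= findtime)
            if in_window >= maxretry:
                banned.append(host)
                break
    return sorted(banned)
```

With the defaults, hosts_to_ban(SAMPLE_LOG.splitlines()) returns only the address that produced five failures within a few seconds; the single failure from the second address stays below maxretry.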

I think these 2 options are good in my case.

  1. Use blacklists to block known bad hosts (I am on my mobile, I will try to update this post later with links). There are also options to block by country. I use this in reverse: I block by default and use the list to only allow certain countries.
  2. Use Fail2Ban to auto detect hosts trying to attack you and automatically block them.

Can you send some links or any other information on this?

Of course @dovi5988 is right with his advice. But I am not sure if this is really an attacker. At least I never saw attackers sending OPTIONS requests.

Did you check whether the IP of the requests is one of your users? If yes, it could be some misconfigured device. That would also explain why everything continued the same way after changing the port, because usually after changing the port there's some moment of quietness until the bad guys find out the new port.
