newbie: hack attempts in asterisk log

Postby tonj » Mon Jul 09, 2012 2:16 am

centos 5.8 server
asterisk-10.5.1

I'm puzzled by entries in my asterisk log that show someone from outside is trying to make calls through my asterisk machine. Here is a sample entry:
Jul 9 06:38:12 server asterisk[12954]: NOTICE[12983]: chan_sip.c:22081 in handle_request_invite: Call from '' (174.37.166.164:5070) to extension '00441904891651' rejected because extension not found in context 'default'.
Jul 9 06:38:12 server asterisk[12954]: NOTICE[12983]: chan_sip.c:22081 in handle_request_invite: Call from '' (174.37.166.164:5070) to extension '00441904891651' rejected because extension not found in context 'default'.

I don't have any SIP ports forwarded at the router. I've also got fail2ban set up to sniff the log and reject IPs that match certain patterns (and it does work). I've also got iptables rules that (should) only allow voice traffic between me and my SIP provider. And yet these entries in the log keep appearing. Is there a solution to this?
tonj
Oldsterisk
 
Posts: 50
Joined: Tue Sep 06, 2011 3:55 am

Re: newbie: hack attempts in asterisk log

Postby david55 » Mon Jul 09, 2012 2:29 am

Turn off allowguest in sip.conf.

Your default context appears to be secure, already.

fail2ban only stops repeated attempts; the initial attempts will get through.

You must have a route from the source of the attack. If you really don't have port forwarding on your public interfaces, the attack must be originating locally.
david55
Moves Like Spencer
 
Posts: 7689
Joined: Fri Sep 26, 2008 5:03 am

Re: newbie: hack attempts in asterisk log

Postby ianplain » Mon Jul 09, 2012 7:20 am

The attacks are from the USA and trying to call a York number!!

You MUST have the server visible to the internet or otherwise you wouldn't get these and you wouldn't get any entries that trigger fail2ban.
ianplain
Moves Like Spencer
 
Posts: 3032
Joined: Thu Dec 14, 2006 7:01 am
Location: Bath, UK

Re: newbie: hack attempts in asterisk log

Postby tonj » Mon Jul 09, 2012 10:37 am

Yes, that's what I thought, but I've double checked and the only port open in the router is 1194 for VPN. Thus I'm baffled why hacks on port 5070 are getting through.
tonj
Oldsterisk
 
Posts: 50
Joined: Tue Sep 06, 2011 3:55 am

Re: newbie: hack attempts in asterisk log

Postby david55 » Mon Jul 09, 2012 10:38 am

Only blocking TCP?
david55
Moves Like Spencer
 
Posts: 7689
Joined: Fri Sep 26, 2008 5:03 am
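
Added example (not part of the thread, and not fail2ban's own code): a Python sketch that parses the chan_sip NOTICE format quoted in the first post and replays it through a simplified maxretry/findtime counter, showing how many INVITEs from each source are logged before a ban would take effect. The threshold values, the assumed year and every sample line not quoted in the post are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Format of the chan_sip NOTICE quoted in the first post.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) .*handle_request_invite: "
    r"Call from '(?P<user>[^']*)' \((?P<ip>[\d.]+):(?P<port>\d+)\) "
    r"to extension '(?P<ext>[^']*)' rejected because extension not found "
    r"in context '(?P<ctx>[^']*)'")

def parse(line, year=2012):
    """Return the fields of one rejected-INVITE line, or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    hit = m.groupdict()
    # Syslog timestamps carry no year; 2012 (the thread's date) is assumed.
    hit["ts"] = datetime.strptime(f"{year} {hit['ts']}", "%Y %b %d %H:%M:%S")
    return hit

def replay(lines, maxretry=3, findtime=600):
    """Count, per source IP, the INVITEs logged before a ban would trigger."""
    recent = defaultdict(deque)  # ip -> timestamps inside the findtime window
    report = {}
    for hit in filter(None, map(parse, lines)):
        rec = report.setdefault(
            hit["ip"], {"seen_before_ban": 0, "banned_at": None, "extensions": set()})
        if rec["banned_at"] is not None:
            continue  # modelled as dropped by the firewall ban
        rec["seen_before_ban"] += 1
        rec["extensions"].add(hit["ext"])
        window = recent[hit["ip"]]
        window.append(hit["ts"])
        while (hit["ts"] - window[0]).total_seconds() > findtime:
            window.popleft()  # forget attempts older than findtime seconds
        if len(window) >= maxretry:
            rec["banned_at"] = hit["ts"]
    return report

TEMPLATE = ("Jul 9 {t} server asterisk[12954]: NOTICE[12983]: chan_sip.c:22081 in "
            "handle_request_invite: Call from '' ({src}) to extension '{ext}' "
            "rejected because extension not found in context 'default'.")
SAMPLE = [TEMPLATE.format(t=t, src=s, ext=e) for t, s, e in [
    ("06:38:12", "174.37.166.164:5070", "00441904891651"),  # quoted in the post
    ("06:38:12", "174.37.166.164:5070", "00441904891651"),  # quoted in the post
    ("06:40:00", "198.51.100.20:5060", "100"),  # constructed from here down
    ("06:40:05", "198.51.100.20:5060", "101"),
    ("06:40:10", "198.51.100.20:5060", "102"),
    ("06:40:15", "198.51.100.20:5060", "103"),
    ("06:50:00", "203.0.113.9:5060", "100"),
    ("07:30:00", "203.0.113.9:5060", "101"),  # outside findtime, never banned
]]
```

Calling `replay(SAMPLE)` returns one record per source address; a source that stays under `maxretry` within `findtime` is never banned, so all of its attempts reach the log.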

