How to stop registration attempts on Asterisk

Posted by Travesty3 on Server Fault See other posts from Server Fault or by Travesty3
Published on 2012-05-31T15:52:36Z Indexed on 2012/05/31 16:43 UTC
Read the original article Hit count: 332

Filed under:
|
|
|
|

The main question:

My Asterisk logs are littered with messages like these:

[2012-05-29 15:53:49] NOTICE[5578] chan_sip.c: Registration from '<sip:[email protected]>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:50] NOTICE[5578] chan_sip.c: Registration from '<sip:[email protected]>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:55] NOTICE[5578] chan_sip.c: Registration from '<sip:[email protected]>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:55] NOTICE[5578] chan_sip.c: Registration from '<sip:[email protected]>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:57] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device <sip:[email protected]>;tag=cb23fe53
[2012-05-29 15:53:57] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device <sip:[email protected]>;tag=cb23fe53
[2012-05-29 15:54:02] NOTICE[5578] chan_sip.c: Registration from '<sip:[email protected]>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:54:03] NOTICE[5578] chan_sip.c: Registration from '<sip:[email protected]>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 21:20:36] NOTICE[5578] chan_sip.c: Registration from '"55435217"<sip:[email protected]>' failed for '65.218.221.180' - No matching peer found
[2012-05-29 21:20:36] NOTICE[5578] chan_sip.c: Registration from '"1731687005"<sip:[email protected]>' failed for '65.218.221.180' - No matching peer found
[2012-05-30 01:18:58] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:[email protected]>;tag=dEBcOzUysX
[2012-05-30 01:18:58] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:[email protected]>;tag=9zUari4Mve
[2012-05-30 01:19:00] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:[email protected]>;tag=sOYgI1ItQn
[2012-05-30 01:19:02] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:[email protected]>;tag=2EGLTzZSEi
[2012-05-30 01:19:04] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:[email protected]>;tag=j0JfZoPcur
[2012-05-30 01:19:06] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:[email protected]>;tag=Ra0DFDKggt
[2012-05-30 01:19:08] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:[email protected]>;tag=rR7q7aTHEz
[2012-05-30 01:19:10] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:[email protected]>;tag=VHUMtOpIvU
[2012-05-30 01:19:12] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:[email protected]>;tag=JxZUzBnPMW

I use Asterisk for an automated phone system. The only thing it does is receives incoming calls and executes a Perl script. No outgoing calls, no incoming calls to an actual phone, no phones registered with Asterisk.

It seems like there should be an easy way to block all unauthorized registration attempts, but I have struggled with this for a long time. It seems like there should be a more effective way to prevent these attempts from even getting far enough to reach my Asterisk logs. Some setting I could turn on/off that doesn't allow registration attempts at all or something. Is there any way to do this?

Also, am I correct in assuming that the "Registration from ..." messages are likely people attempting to get access to my Asterisk server (probably to make calls on my account)? And what's the difference between those messages and the "Sending fake auth rejection ..." messages?

Further detail:

I know that the "Registration from ..." lines are intruders attempting to get access to my Asterisk server. With Fail2Ban set up, these IPs are banned after 5 attempts (for some reason, one got 6 attempts, but w/e).

But I have no idea what the "Sending fake auth rejection ..." messages mean or how to stop these potential intrusion attempts. As far as I can tell, they have never been successful (haven't seen any weird charges on my bills or anything).

Here's what I have done:

  1. Set up hardware firewall rules as shown below. Here, xx.xx.xx.xx is the IP address of the server, yy.yy.yy.yy is the IP address of our facility, and aa.aa.aa.aa, bb.bb.bb.bb, and cc.cc.cc.cc are the IP addresses that our VoIP provider uses. Theoretically, ports 10000-20000 should only be accessible by those three IPs.
    +-------+-----------------------------+----------+-----------+--------+-----------------------------+------------------+
    | Order |         Source Ip           | Protocol | Direction | Action |        Destination Ip       | Destination Port |
    +-------+-----------------------------+----------+-----------+--------+-----------------------------+------------------+
    |   1   | cc.cc.cc.cc/255.255.255.255 |    udp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |    10000-20000   |
    |   2   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |        80        |
    |   3   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       2749       |
    |   4   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |        443       |
    |   5   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |        53        |
    |   6   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       1981       |
    |   7   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       1991       |
    |   8   |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       2001       |
    |   9   | yy.yy.yy.yy/255.255.255.255 |    udp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |      137-138     |
    |   10  | yy.yy.yy.yy/255.255.255.255 |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |        139       |
    |   11  | yy.yy.yy.yy/255.255.255.255 |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |        445       |
    |   14  | aa.aa.aa.aa/255.255.255.255 |    udp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |    10000-20000   |
    |   17  | bb.bb.bb.bb/255.255.255.255 |    udp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |    10000-20000   |
    |   18  |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       1971       |
    |   19  |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |       2739       |
    |   20  |            any              |    tcp   |  inbound  | permit | xx.xx.xx.xx/255.255.255.255 |     1023-1050    |
    |   21  |            any              |    all   |  inbound  |  deny  |        any on server        |      1-65535     |
    +-------+-----------------------------+----------+-----------+--------+-----------------------------+------------------+
  2. Set up Fail2Ban. This is sort of working, but it's reactive instead of proactive, and doesn't seem to be blocking everything (like the "Sending fake auth rejection ..." messages).
  3. Set up rules in sip.conf to deny all except for my VoIP provider. Here is my sip.conf with almost all commented lines removed (to save space). Notice at the bottom is my attempt to deny all except for my VoIP provider:
    [general]
    context=default
    allowguest=no
    allowoverlap=no
    bindport=5060
    bindaddr=0.0.0.0
    srvlookup=yes
    disallow=all allow=g726 allow=ulaw allow=alaw allow=g726aal2 allow=adpcm allow=slin allow=lpc10 allow=speex allow=g726
    insecure=invite
    alwaysauthreject=yes
    ;registertimeout=20 registerattempts=0 register => user:pass:[email protected]:5060/700
    [mysipprovider] type=peer username=user fromuser=user secret=pass host=sip.mysipprovider.com fromdomain=sip.mysipprovider.com nat=no ;canreinvite=yes qualify=yes context=inbound-mysipprovider disallow=all allow=ulaw allow=alaw allow=gsm insecure=port,invite
    deny=0.0.0.0/0.0.0.0 permit=aa.aa.aa.aa/255.255.255.255 permit=bb.bb.bb.bb/255.255.255.255 permit=cc.cc.cc.cc/255.255.255.255

© Server Fault or respective owner

Related posts about security

Related posts about firewall