FYI Failed to authenticate device 1000<sip:[email protected]>;tag=cfae1632

[johnny2000]

I am wondering if anyone here have encounter this problem. I have the PIAF with asterisk 1.8 and freepbx 2.11, and lately I noticed this in the log files. device/extension 1000 is not on the server. The xx.xx.xx.xx is the ip address of the PIAF server. It is clearly that someone is trying to hack my server. Fail2ban does not catch this. Anyone here have a solution for this problem. Thank you.

 

[islandtech]

Fail2ban verified to be running? UDP port 5060 not exposed
In freepbx admin > Settings > Allow SIP Guests = no
In freepbx admin > Settings > Allow Anonymous Inbound SIP Calls = no

 

[johnny2000]

Fail2ban verified to be running? UDP port 5060 not exposed
In freepbx admin > Settings > Allow SIP Guests = no
In freepbx admin > Settings > Allow Anonymous Inbound SIP Calls = no

Yes all of those above are satisfied. The server has been running for more than a year now. It is only when "Failed to authenticate device 1000<sip:[email protected]>;tag=cfae1632" that doesn't show the ip address of where the device is coming from. However if it is a failed registration fail2ban catches it.

 

[billsimon]

I don't believe fail2ban is able to detect auth failures until later versions of Asterisk where the security auditing log is available. The reason is that in the standard Asterisk log, we don't get the IP address causing the failed auth. The security log is available in Asterisk 11.

 

[johnny2000]

Are there any work around on this, perhaps on the fail2ban itself, like regex?