<div dir="ltr">
<p class="">Hello, </p>
<p class="">I am getting a different type of hacking attempt. Different in the sense that these hacking attempts do not have an IP address associated with them that can be added to iptables and blocked with the Linux firewall.</p>
<p class="">These appear to be coming from a SIP account that is trying to connect to extensions on my system that do not exist. </p>
<p class="">They range from 1 or 2 attempts each hour, to several hundred requests per hour. Below is a copy of the most recent attempts of this nature and then further below are the attempts that I am familiar with that contain an IP address that just gets added to iptables and they go away. </p>
<p class="">Can someone help me understand the best way to handle these hacking attempts and how to best secure my system from them?</p>
<p class="">Also, how are these hackers finding my system from all of the millions and millions of IP addresses on the internet? Does Asterisk send out a beacon to some central repository, if you will, that lists all the IPs of Asterisk systems so that hackers have a list of machines they can try to exploit? <br></p>
<p class=""><br></p>
<p class="">Here is a list of what the new hacking attempts look like:</p>
<p class=""><br></p>
<p class="">[root@KK7XX ~]# asterisk -r</p>
<p class="">Asterisk , Copyright (C) 1999 - 2008 Digium, Inc. and others.</p>
<p class="">Created by Mark Spencer &lt;<a href="mailto:markster@digium.com">markster@digium.com</a>&gt;</p>
<p class="">Asterisk comes with ABSOLUTELY NO WARRANTY; type 'core show warranty' for details.</p>
<p class="">This is free software, with components licensed under the GNU General Public</p>
<p class="">License version 2 and other licenses; you are welcome to redistribute it under</p>
<p class="">certain conditions. Type 'core show license' for details.</p>
<p class="">=========================================================================</p>
<p class="">Connected to Asterisk currently running on KK7XX (pid = 6712)</p>
<p class="">Verbosity is at least 3</p>
<p class="">KK7XX*CLI> rpt lstats 28806</p>
<p class="">NODE PEER RECONNECTS DIRECTION CONNECT TIME CONNECT STATE</p>
<p class="">---- ---- ---------- --------- ------------ -------------</p>
<p class="">[[Mar 23 22:38:55] NOTICE[6719] chan_sip.c: Call from '' to extension '0012143299739' rejected because extension not found.</p>
<p class="">[Mar 23 22:39:15] WARNING[6719] chan_sip.c: Maximum retries exceeded on transmission 0a86e18b712596ba5ba160f771f680f5 for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.</p>
<p class="">[Mar 23 22:47:58] NOTICE[6719] chan_sip.c: Call from '' to extension '000972543480900' rejected because extension not found.</p>
<p class="">[Mar 23 23:20:57] NOTICE[6719] chan_sip.c: Call from '' to extension '00972598998181' rejected because extension not found.</p>
<p class="">[Mar 23 23:20:59] NOTICE[6719] chan_sip.c: Call from '' to extension '011972598998181' rejected because extension not found.</p>
<p class="">[Mar 23 23:21:00] NOTICE[6719] chan_sip.c: Call from '' to extension '1011972598998181' rejected because extension not found.</p>
<p class="">[Mar 23 23:21:02] NOTICE[6719] chan_sip.c: Call from '' to extension '0011972598998181' rejected because extension not found.</p>
<p class="">[Mar 23 23:21:03] NOTICE[6719] chan_sip.c: Call from '' to extension '9011972598998181' rejected because extension not found.</p>
<p class="">[Mar 23 23:21:05] NOTICE[6719] chan_sip.c: Call from '' to extension '+11972598998181' rejected because extension not found.</p>
<p class="">[Mar 23 23:42:19] NOTICE[6719] chan_sip.c: Call from '' to extension '0011442032902187' rejected because extension not found.</p>
<p class="">[Mar 23 23:42:39] WARNING[6719] chan_sip.c: Maximum retries exceeded on transmission 8893e02d7f1d65b9f9e93cb1ce75d147 for seqno 1 (Critical Response) -- See doc/sip-retransmit.txt.</p>
<p class="">[Mar 23 23:48:09] NOTICE[6719] chan_sip.c: Call from '' to extension '00972543480900' rejected because extension not found.</p>
<p class="">[Mar 24 01:19:41] NOTICE[6719] chan_sip.c: Call from '' to extension '00972598998181' rejected because extension not found.KK7XX*CLI></p><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">The above hacking attempts are different from the (what I would call) normal hacking attempts like the following that have an IP address that gets added to iptables and the Linux firewall blocks them:</div><div class="gmail_extra"><br></div><div class="gmail_extra">
<p class="">[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9996"&lt;sip:9996@10.0.0.28:5060&gt;' failed for '62.210.251.151' - No matching peer found</p>
<p class="">[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9997"&lt;sip:9997@10.0.0.28:5060&gt;' failed for '62.210.251.151' - No matching peer found</p>
<p class="">[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9998"&lt;sip:9998@10.0.0.28:5060&gt;' failed for '62.210.251.151' - No matching peer found</p>
<p class="">[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9999"&lt;sip:9999@10.0.0.28:5060&gt;' failed for '62.210.251.151' - No matching peer found</p></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra">Any help anyone has to offer would greatly be appreciated.</div><div class="gmail_extra"><br></div><div class="gmail_extra">73, </div><div class="gmail_extra"><br></div><div class="gmail_extra">Luke</div></div>
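<p class="">Added example, not part of the original post: a small triage script for the two kinds of chan_sip lines quoted above. It counts the rejected calls that carry no source address per hour, groups the dialed numbers by their trailing digits so that dial-prefix variants of one target show up together, and tallies the addresses that do appear in registration failures. The sample lines are copied from the post; the function name and the 9-digit grouping length are assumptions made for this illustration.</p>

```python
import re
from collections import Counter, defaultdict

# Sample input: lines taken from the two log excerpts in the post.
SAMPLE = """\
[Mar 23 23:20:57] NOTICE[6719] chan_sip.c: Call from '' to extension '00972598998181' rejected because extension not found.
[Mar 23 23:20:59] NOTICE[6719] chan_sip.c: Call from '' to extension '011972598998181' rejected because extension not found.
[Mar 23 23:21:05] NOTICE[6719] chan_sip.c: Call from '' to extension '+11972598998181' rejected because extension not found.
[Mar 23 23:48:09] NOTICE[6719] chan_sip.c: Call from '' to extension '00972543480900' rejected because extension not found.
[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9996"<sip:9996@10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
[Mar 21 16:38:31] NOTICE[2855] chan_sip.c: Registration from '"9997"<sip:9997@10.0.0.28:5060>' failed for '62.210.251.151' - No matching peer found
"""

# Captures "Mon DD HH" so events can be bucketed per hour.
STAMP = r"\[(\w{3} +\d+ \d{2}):\d{2}:\d{2}\]"
# Rejected call: the message names the dialed extension but no source address.
CALL = re.compile(STAMP + r".*Call from '(.*?)' to extension '(\+?\d+)' rejected")
# Failed registration: the message includes the remote address.
REG = re.compile(STAMP + r".*Registration from '.*?' failed for '([\d.]+)'")


def analyze(text, tail=9):
    """Return (rejects per hour, dialed numbers grouped by last `tail` digits,
    source addresses seen in registration failures)."""
    per_hour = Counter()
    targets = defaultdict(set)
    ips = Counter()
    for line in text.splitlines():
        m = CALL.search(line)
        if m:
            hour, _caller, ext = m.groups()
            per_hour[hour] += 1
            # Assumed heuristic: variants of one target share their trailing digits.
            targets[ext[-tail:]].add(ext)
            continue
        m = REG.search(line)
        if m:
            ips[m.group(2)] += 1
    return per_hour, dict(targets), ips


if __name__ == "__main__":
    per_hour, targets, ips = analyze(SAMPLE)
    for hour, n in sorted(per_hour.items()):
        print(f"{hour}:00  {n} rejected calls with no source address")
    for suffix, variants in targets.items():
        print(f"target ...{suffix}: {len(variants)} dial-prefix variants {sorted(variants)}")
    for ip, n in ips.items():
        print(f"{ip}: {n} failed registrations")
```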