2

I found following log lines on my asterisk program (VoIP) running on debian Jessie server 3.4.112 for arm

[2016-12-25 01:58:52] NOTICE[12054] res_pjsip/pjsip_distributor.c: 
Request 'INVITE' from '"800" <sip:800@46.12.48.90>' failed for 
'185.40.4.182:5074' (callid: b4d0d997a0a7d532f0f413fb4973271b) - No 
matching endpoint found
[2016-12-25 01:59:09] NOTICE[12054] res_pjsip/pjsip_distributor.c:   
Request 'INVITE' from '"1000" <sip:1000@46.12.48.90>' failed for 
'155.94.64.245:5071' (callid: 77cc719fd0a16aa3993cc1c703755574) - No 
matching endpoint found
[2016-12-25 02:00:27] NOTICE[12054] res_pjsip/pjsip_distributor.c: 
Request 'INVITE' from '"1001" <sip:1001@46.12.48.90>' failed for 
'155.94.64.245:5071' (callid: 97dfdeff0d2178aae0b239e57dfabec2) - No 
matching endpoint found
[2016-12-25 02:00:30] NOTICE[12054] res_pjsip/pjsip_distributor.c:    
Request 'INVITE' from '"1001" <sip:1001@46.12.48.90>' failed for    
'155.94.64.245:5070' (callid: 0bcb73b38cbf914f6e50da5c39abadd1) - No 
matching endpoint found

It seems like some random ips are scanning my network. Where are they coming from? Are they bots of some kind or attackers?

Limit
  • 3,191
  • 1
  • 16
  • 35
AXANO
  • 899
  • 7
  • 23
  • The IP definitely looks suspicious: http://stefan.gofferje.net/it-stuff/sipfraud/sip-attacker-blacklist – Limit Dec 25 '16 at 00:39

1 Answers1

1

Yes, it is likely to be a bot scanning your network - probably looking for vulnerable versions of Asterisk running exposed to the Internet.

You might want to implement fail2ban or something similar in order to auto-ban such IP addresses. Better still, if you know where your Asterisk connections will be coming from, just whitelist those and block everywhere else.

Julian Knight
  • 7,092
  • 17
  • 23