How to stop registration attempts on Asterisk
Main question:
My Asterisk logs are flooded with messages like this:
[2012-05-29 15:53:49] NOTICE[5578] chan_sip.c: Registration from '<sip:912@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:50] NOTICE[5578] chan_sip.c: Registration from '<sip:912@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:55] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:55] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:53:57] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device <sip:100@xx.xx.xx.xx>;tag=cb23fe53
[2012-05-29 15:53:57] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device <sip:100@xx.xx.xx.xx>;tag=cb23fe53
[2012-05-29 15:54:02] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 15:54:03] NOTICE[5578] chan_sip.c: Registration from '<sip:100@xx.xx.xx.xx>' failed for '37.75.210.177' - No matching peer found
[2012-05-29 21:20:36] NOTICE[5578] chan_sip.c: Registration from '"55435217"<sip:55435217@xx.xx.xx.xx>' failed for '65.218.221.180' - No matching peer found
[2012-05-29 21:20:36] NOTICE[5578] chan_sip.c: Registration from '"1731687005"<sip:1731687005@xx.xx.xx.xx>' failed for '65.218.221.180' - No matching peer found
[2012-05-30 01:18:58] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=dEBcOzUysX
[2012-05-30 01:18:58] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=9zUari4Mve
[2012-05-30 01:19:00] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=sOYgI1ItQn
[2012-05-30 01:19:02] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=2EGLTzZSEi
[2012-05-30 01:19:04] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=j0JfZoPcur
[2012-05-30 01:19:06] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=Ra0DFDKggt
[2012-05-30 01:19:08] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=rR7q7aTHEz
[2012-05-30 01:19:10] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=VHUMtOpIvU
[2012-05-30 01:19:12] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@188.64.49.26>;tag=JxZUzBnPMW
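I use Asterisk for an automated phone system. The only thing it does is receive incoming calls and run a Perl script. No outgoing calls, no incoming calls to an actual phone, no phones registered with Asterisk.
It seems like there should be an easy way to block all unauthorized registration attempts, but I have struggled with this for a long time. It seems like there should be a more effective way to prevent these attempts from even reaching my Asterisk logs. Some setting I can turn on or off that does not allow registration attempts at all. Is there any way to do this?
Also, am I correct in assuming that the "Registration from ..." messages are probably people trying to get access to my Asterisk server (probably to make calls on my account)? And what is the difference between those messages and the "Sending fake auth rejection ..." messages?
More details:
I know that the "Registration from ..." lines are intruders trying to get access to my Asterisk server. With Fail2Ban set up, these IPs are banned after 5 attempts (for some reason, one got 6 attempts, but w/e).
But I have no idea what the "Sending fake auth rejection ..." messages mean, or how to stop these potential intrusion attempts. As far as I can tell, they have never been successful (I have not seen any weird charges on my bills or anything).
Here is what I have done: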
- Set up hardware firewall rules as shown below. Here, xx.xx.xx.xx is the IP address of the server, yy.yy.yy.yy is the IP address of our facility, and aa.aa.aa.aa, bb.bb.bb.bb, and cc.cc.cc.cc are the IP addresses that our VoIP provider uses. Theoretically, ports 10000-20000 should only be accessible by those three IPs.

+-------+-----------------------------+----------+-----------+--------+-----------------------------+------------------+
| Order | Source Ip                   | Protocol | Direction | Action | Destination Ip              | Destination Port |
+-------+-----------------------------+----------+-----------+--------+-----------------------------+------------------+
| 1     | cc.cc.cc.cc/255.255.255.255 | udp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 10000-20000      |
| 2     | any                         | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 80               |
| 3     | any                         | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 2749             |
| 4     | any                         | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 443              |
| 5     | any                         | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 53               |
| 6     | any                         | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 1981             |
| 7     | any                         | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 1991             |
| 8     | any                         | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 2001             |
| 9     | yy.yy.yy.yy/255.255.255.255 | udp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 137-138          |
| 10    | yy.yy.yy.yy/255.255.255.255 | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 139              |
| 11    | yy.yy.yy.yy/255.255.255.255 | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 445              |
| 14    | aa.aa.aa.aa/255.255.255.255 | udp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 10000-20000      |
| 17    | bb.bb.bb.bb/255.255.255.255 | udp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 10000-20000      |
| 18    | any                         | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 1971             |
| 19    | any                         | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 2739             |
| 20    | any                         | tcp      | inbound   | permit | xx.xx.xx.xx/255.255.255.255 | 1023-1050        |
| 21    | any                         | all      | inbound   | deny   | any on server               | 1-65535          |
+-------+-----------------------------+----------+-----------+--------+-----------------------------+------------------+
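- Set up Fail2Ban. This is sort of working, but it is reactive rather than proactive, and it does not seem to be blocking everything (like the "Sending fake auth rejection ..." messages).
- Set up rules in sip.conf to deny everything except my VoIP provider. Here is my sip.conf with almost all commented lines removed (to save space). Notice that at the bottom is my attempt to deny everything except my VoIP provider: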
[general]
context=default
allowguest=no
allowoverlap=no
bindport=5060
bindaddr=0.0.0.0
srvlookup=yes
disallow=all
allow=g726
allow=ulaw
allow=alaw
allow=g726aal2
allow=adpcm
allow=slin
allow=lpc10
allow=speex
allow=g726
insecure=invite
alwaysauthreject=yes
;registertimeout=20
registerattempts=0
register => user:pass:user@mysipprovider.com:5060/700

[mysipprovider]
type=peer
username=user
fromuser=user
secret=pass
host=sip.mysipprovider.com
fromdomain=sip.mysipprovider.com
nat=no
;canreinvite=yes
qualify=yes
context=inbound-mysipprovider
disallow=all
allow=ulaw
allow=alaw
allow=gsm
insecure=port,invite
deny=0.0.0.0/0.0.0.0
permit=aa.aa.aa.aa/255.255.255.255
permit=bb.bb.bb.bb/255.255.255.255
permit=cc.cc.cc.cc/255.255.255.255
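How long have those firewall rules been in place? If you only configured them a short while ago, and depending on how you configured them, the rules may apply only to new connection attempts while still allowing any established connections. So registration attempts over established connections would still be allowed.
You have not provided enough information about the type of firewall you are using, but see if you can find a list of established connections on port 5060 and then delete them manually. Subsequent new connection attempts should now be blocked according to your firewall rules.
I also see that you have bindaddr=0.0.0.0 set in your Asterisk config file, which causes Asterisk to listen on all available interfaces. How many IP addresses does this server have? If it has more than 1 IP address, then you will need to specify them in your firewall rules, because currently you only have xx.xx.xx.xx listed as the destination IP to block incoming traffic on port 5060.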
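
Added example, not part of the original question or answer: the log-driven banning the question describes, reproduced in Python over constructed log lines in the same chan_sip format. The function name, the `max_retry`/`find_time` parameters (modelled on Fail2Ban's `maxretry` and `findtime`) and the addresses (documentation ranges) are assumptions; it shows that the "Sending fake auth rejection" lines, as formatted in the question, contain only the sender-supplied From URI and no source address field to ban on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the chan_sip NOTICE format quoted in the question.
# All addresses are documentation ranges, not taken from the page.
SAMPLE_LOG = """\
[2012-05-29 15:53:49] NOTICE[5578] chan_sip.c: Registration from '<sip:912@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2012-05-29 15:53:50] NOTICE[5578] chan_sip.c: Registration from '<sip:912@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2012-05-29 15:53:55] NOTICE[5578] chan_sip.c: Registration from '<sip:100@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2012-05-29 15:53:57] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device <sip:100@192.0.2.10>;tag=aaaa0001
[2012-05-29 15:54:02] NOTICE[5578] chan_sip.c: Registration from '<sip:100@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2012-05-29 15:54:03] NOTICE[5578] chan_sip.c: Registration from '<sip:100@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[2012-05-29 21:20:36] NOTICE[5578] chan_sip.c: Registration from '"55435217"<sip:55435217@192.0.2.10>' failed for '198.51.100.9' - No matching peer found
[2012-05-29 22:20:36] NOTICE[5578] chan_sip.c: Registration from '"55435217"<sip:55435217@192.0.2.10>' failed for '198.51.100.9' - No matching peer found
[2012-05-30 01:18:58] NOTICE[5578] chan_sip.c: Sending fake auth rejection for device "unknown" <sip:unknown@192.0.2.10>;tag=aaaa0002
"""

LINE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: (?P<msg>.*)$")
# Failed registrations name the sender: ... failed for '<ip>' (optionally '<ip>:<port>').
FAILED = re.compile(r"^Registration from '.*' failed for '(?P<ip>[\d.]+)(?::\d+)?' - ")
# As quoted in the question, these lines carry only the sender-supplied From URI.
FAKE_AUTH = re.compile(r"^Sending fake auth rejection for device ")


def analyse(log_text, max_retry=5, find_time=timedelta(minutes=10)):
    """Return (IPs reaching max_retry failures within find_time, count of lines with no source)."""
    hits = defaultdict(list)
    to_ban, no_source = [], 0
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        failed = FAILED.match(m["msg"])
        if failed:
            ip = failed["ip"]
            # Sliding window: forget failures older than find_time.
            hits[ip] = [t for t in hits[ip] if ts - t <= find_time] + [ts]
            if len(hits[ip]) >= max_retry and ip not in to_ban:
                to_ban.append(ip)
        elif FAKE_AUTH.match(m["msg"]):
            no_source += 1  # nothing in the line identifies the sender's address
    return to_ban, no_source


if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```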