I set up a FreePBX (Asterisk) server at home and opened UDP port 5060 on my Mikrotik RB951G-2HnD router. Currently, I have not set any firewall filter rule to secure port 5060. The problem is that when I look at the Asterisk log file, I see a lot of unusual activity there. It looks like my server is getting random SIP attacks on port 5060. Because of that, my PBX server's CPU and memory usage always remains high. I know that I can change the default port 5060 to something else, but why shouldn't I secure this port and keep using the default one? It's easy for everyone to use the default one.
In my asterisk log file, I found thousands of lines like this:
[2022-08-04 22:03:10] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:141@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:61176' (callid: e5f4a479704493e4f7a) - Failed to authenticate
[2022-08-04 22:03:14] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:141@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:61176' (callid: e5f4a479704493e4f7a) - Failed to authenticate
[2022-08-04 22:03:20] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:284@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:53437' (callid: e5f4a614058530e4f7a) - Failed to authenticate
[2022-08-04 22:03:20] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:284@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:53437' (callid: e5f4a614058530e4f7a) - Failed to authenticate
[2022-08-04 22:03:23] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:299@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:54905' (callid: e5f4a895692138e4f7a) - Failed to authenticate
[2022-08-04 22:03:36] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:315@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:50105' (callid: e5f4a487266884e4f7a) - Failed to authenticate
[2022-08-04 22:03:37] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:315@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:50105' (callid: e5f4a487266884e4f7a) - Failed to authenticate
- XXX.XXX.XXX.XXX = My public IP
- 10.10.10.1 = My local IP gateway
- 10.10.10.0/24 = My local network IP
- 10.10.10.111 = My PBX server's IP
Now, can you guys please help me stop this kind of attack? I once installed FreePBX on a VPS with the default port 5060 open. On that VPS there was no unusual activity like this in the Asterisk log file. This attack can definitely be prevented with a firewall rule; I just don't know how. So if you know, please guide me on how to prevent this attack.
Thank You.
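A triage of the quoted log lines, added here as an example and not part of the original post: every failure is attributed to 10.10.10.1, the router's own LAN address, which is how forwarded traffic looks when the router rewrites the source address, so a per-source ban on the PBX would hit the gateway and the filtering has to be done on the router. The `summarize` function, its `threshold` parameter and the verdict labels are hypothetical names chosen for this sketch.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

LAN = ip_network("10.10.10.0/24")   # local network, from the post
GATEWAY = ip_address("10.10.10.1")  # router's LAN address, from the post

# Matches the res_pjsip log_failed_request NOTICE lines shown in the post.
FAILED = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\]: res_pjsip/pjsip_distributor\.c:\d+ "
    r"log_failed_request: Request '(?P<method>\w+)' from '[^']*<sip:(?P<user>[^@>]+)@[^']*' "
    r"failed for '(?P<ip>[\d.]+):(?P<port>\d+)' \(callid: (?P<callid>[^)]+)\) - (?P<reason>.+)$"
)

# Four of the lines quoted in the post (address redaction kept as posted).
SAMPLE = [
    "[2022-08-04 22:03:10] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:141@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:61176' (callid: e5f4a479704493e4f7a) - Failed to authenticate",
    "[2022-08-04 22:03:20] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:284@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:53437' (callid: e5f4a614058530e4f7a) - Failed to authenticate",
    "[2022-08-04 22:03:23] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:299@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:54905' (callid: e5f4a895692138e4f7a) - Failed to authenticate",
    "[2022-08-04 22:03:36] NOTICE[26744]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '<sip:315@XXX.XXX.XXX.XXX>' failed for '10.10.10.1:50105' (callid: e5f4a487266884e4f7a) - Failed to authenticate",
]

def summarize(lines, threshold=3):
    """Group failed requests by logged source IP and classify each source."""
    stats = defaultdict(lambda: {"attempts": 0, "users": set()})
    for line in lines:
        m = FAILED.match(line.strip())
        if m:
            stats[m["ip"]]["attempts"] += 1
            stats[m["ip"]]["users"].add(m["user"])
    report = {}
    for ip, s in stats.items():
        addr = ip_address(ip)
        if addr == GATEWAY:
            verdict = "nat-masked"       # real sender hidden behind the router
        elif addr in LAN:
            verdict = "internal"         # a LAN host, e.g. a misconfigured phone
        elif s["attempts"] >= threshold or len(s["users"]) > 1:
            verdict = "block-candidate"  # external source cycling extensions
        else:
            verdict = "watch"
        report[ip] = {"attempts": s["attempts"], "users": sorted(s["users"]), "verdict": verdict}
    return report

if __name__ == "__main__":
    for ip, r in summarize(SAMPLE).items():
        print(ip, r)
```

On the posted lines the only source reported is 10.10.10.1 with verdict `nat-masked`; the same lines with a real external source address preserved would come out as `block-candidate`.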