Failed To Authenticate User 1000; Tag=03f82bb9


Hi,

I get a lot of these messages on my Asterisk CLI:

“Failed to authenticate user 1000;tag=03f82bb9”

as if my PBX machine is trying to authenticate to itself. It seems someone is attacking my Asterisk PBX.

Is there a way to fix this problem?

Thank you.

Giorgio Incantalupo

10 thoughts on - Failed To Authenticate User 1000; Tag=03f82bb9

  • Well, you could use some software like denyhosts or fail2ban to block an IP
    after a predefined number of (failed) authentication attempts.

    Regards,

    Ricardo

  • Hi Ricardo,

    We are already using fail2ban, but it bans my own IP address, not the real original IP of the attacker. How can I find it?

    Thank you

    Giorgio

  • In sip.conf I have guest connections permitted and have them going to the default context, which contains:

    [default]
    ; all unauthenticated connection attempts from the internet come in here.
    exten => _[+*#0-9].,1,NoOp(Unauthenticated call attempt - ${SIP_HEADER(Contact)})
    exten => _[+*#0-9].,n,Congestion

    Then in fail2ban I have it match the following:

    failregex = Registration from .* failed for \'<HOST>\' - Wrong password
                Unauthenticated call attempt .*\@<HOST>\:

  • Hi, bad boys are trying to guess a valid username. In sip.conf, uncomment alwaysauthreject=yes and Asterisk will always reject the 1st invite.

  • Hi Gareth,

    OK, but since the messages contain my own public IP, with this method I’m banning my public IP, not the real attacker IP. Am I wrong?

    Giorgio

  • Hi Asghar,

    Surely this can improve security, but what I’m looking for is something to find the real attacker IP address and ban it. Fail2ban bans my own public IP address.

    Thank you

    Giorgio

  • No, the Asterisk dialplan entry is pulling the IP address out of the SIP
    Contact: header, which in the attacks we have seen always seems to be the correct IP address.
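
The check described in the comments above (the NoOp() line that logs the Contact header, and the two failregex lines that read an address out of it), as an added example that is not part of the original thread. It assumes fail2ban's `<HOST>` tag sits where the regex lines have a gap, replaces that tag with a simplified IPv4-only group, and runs over constructed log lines using documentation-range addresses; `maxretry=2` is an illustrative threshold.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag (assumption: IPv4 only;
# fail2ban's own expansion also accepts IPv6 addresses and hostnames).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# The two failregex lines from the thread, with <HOST> in the assumed positions.
FAILREGEX = [
    r"Registration from .* failed for \'<HOST>\' - Wrong password",
    r"Unauthenticated call attempt .*\@<HOST>\:",
]
PATTERNS = [re.compile(rx.replace("<HOST>", HOST)) for rx in FAILREGEX]

# Constructed, simplified log lines. 203.0.113.10 plays the PBX's own public
# IP; 198.51.100.23 and 192.0.2.77 play the remote senders.
SAMPLE_LOG = """\
[2012-05-01 10:15:01] NOTICE[2345] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.10>' failed for '198.51.100.23' - Wrong password
[2012-05-01 10:15:02] VERBOSE[2345] pbx.c: -- Executing [1000@default:1] NoOp("SIP/203.0.113.10-0000001a", "Unauthenticated call attempt - <sip:1000@198.51.100.23:5060>") in new stack
[2012-05-01 10:15:03] VERBOSE[2345] pbx.c: -- Executing [900@default:1] NoOp("SIP/203.0.113.10-0000001b", "Unauthenticated call attempt - <sip:900@192.0.2.77:5071>") in new stack
[2012-05-01 10:15:04] NOTICE[2345] chan_sip.c: Failed to authenticate user 1000 <sip:1000@203.0.113.10>;tag=03f82bb9
"""


def offending_hosts(log_text):
    """Count, per address, the log lines that one of the failregex lines matches."""
    hits = Counter()
    for line in log_text.splitlines():
        for pattern in PATTERNS:
            match = pattern.search(line)
            if match:
                hits[match.group("host")] += 1
                break  # one hit per log line is enough
    return hits


def over_threshold(hits, maxretry=2):
    """Addresses matched at least maxretry times (the ones a jail would act on)."""
    return sorted(host for host, count in hits.items() if count >= maxretry)


if __name__ == "__main__":
    hits = offending_hosts(SAMPLE_LOG)
    for host, count in hits.most_common():
        print(f"{host}: {count} matching line(s)")
    print("over threshold:", over_threshold(hits))
```

On a live system, `fail2ban-regex` runs the same kind of check against the real log file and filter. Because the Contact header is set by the sender, listing the PBX's own and other trusted addresses under fail2ban's `ignoreip` keeps them from being banned by such a match.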

  • Gareth:

    Did you check if your message (or security) log recorded anything during these attempts? If so, can you post the content of the logs during this attack?

    M

  • Hi,

    Seems a great workaround from Gareth Blades. Thanks, I will try it.

    Any way to make Asterisk log a line in /var/log/messages?

  • I normally have all the verbose output sent to the log file, so anything in the NoOp() line gets logged to the file, and that's what I use. You could use the Log() or Verbose() applications if you only have errors written to the file, as with those commands you can specify a log level.