Receiving a lot of calls from non-existing extension

Hello.

I am receiving around 60 calls per day from a non-existing extension?

This is very frustrating…

Does someone know what the problem is?
Thanks

Hi!

If I had to guess I would say that your box might be externally accessible and someone might be trying to hack into it…

Have a nice day!

Nick

That is generally because you allow guest SIP calls; you shouldn’t allow that unless you indeed want to accept them.

For this to happen though his box needs to be externally accessible, no? Unless you reallllllly have to you should not expose your SIP ports like this…

It might be on purpose though since I believe he wants to start a SIP network… :wink:

Have a nice day!

Nick

Thank you guys.

But when I set Allow SIP Guest to “No”, now it is not working: if I call from my cellphone to my FreePBX number, it transfers the call to my cellphone…?

But if I set SIP guest to YES, everything works very well…

Any idea :frowning: ?

Did you set followme? Maybe the followme will call your cellphone if the extension does not answer.

Just set to NO right now but still receiving calls from non-existent extension…

Still the same sh***

any help please :frowning: ?

There are two things that can cause that: anonymous SIP/Guest SIP calls allowed. If you are using IP authorization with your provider, allow “anonymous” and deny “guest”; otherwise your trunks need to be “registered” with the provider to allow inbound. None of the above pertains to outbound.

Both are a risk; if you need it then you will have to set up your firewall to accept ONLY acceptable hosts/networks.
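One way to express the "ONLY acceptable hosts/networks" rule from the post above, as an added example that is not part of the thread. It assumes the PBX host filters with iptables; the function names `valid_cidr` and `gen_sip_rules` are hypothetical, and the addresses are constructed documentation ranges standing in for a provider and a remote office.

```shell
#!/bin/sh
# Added example: print an iptables-restore fragment that allowlists SIP signalling.
SIP_PORT="${SIP_PORT:-5060}"

# Accept only dotted-quad IPv4 with an optional /0-32 prefix, so nothing
# else (spaces, extra flags) can be smuggled into a rule line.
valid_cidr() {
    case "$1" in
        */*) ip=${1%/*}; prefix=${1#*/}
             case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
             [ "${#prefix}" -le 2 ] && [ "$prefix" -le 32 ] || return 1 ;;
        *)   ip=$1 ;;
    esac
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Emit ACCEPT rules for each trusted network, then a catch-all DROP, for
# both UDP and TCP. Refuses to print anything if any entry is malformed.
# With no arguments it closes the SIP port to everyone (VPN-only setups).
gen_sip_rules() {
    for net in "$@"; do
        valid_cidr "$net" || { echo "invalid network: $net" >&2; return 1; }
    done
    echo "*filter"
    for proto in udp tcp; do
        for net in "$@"; do
            echo "-A INPUT -p $proto -s $net --dport $SIP_PORT -j ACCEPT"
        done
        echo "-A INPUT -p $proto --dport $SIP_PORT -j DROP"
    done
    echo "COMMIT"
}

# Constructed sample input: one provider host and one office network.
# Review the output against existing INPUT rules (an earlier ACCEPT for the
# same port would win), then load it as root with: iptables-restore --noflush
gen_sip_rules 203.0.113.10 198.51.100.0/24
```
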

Hi!

It would be best if you gave more information on your setup…

Why are people from the outside able to probe your box in the first place? Is it on a VPS or something similar?

Have a nice day!

Nick

I think I can help with this as I have had users have this issue before.

Short Answer: you need a firewall to protect both your PBX and your PC

Long answer:

Bit of background info to start. My PBX is set up behind an enterprise level firewall with no external access. Users must use a VPN to connect to the PBX. No external traffic (IPs) has been seen in any logs on the server so it is secure.

Our area has several ISPs which our home users use. Most of the ISPs provide a ROUTER that has a built-in consumer grade firewall in it. This consumer grade firewall blocks most of the unsolicited traffic from the internet and if your PC has a firewall you are generally protected. However… we have one ISP here that only provides a cable modem and does not supply a ROUTER (with firewall) to the consumer. They expect them to have one (such as a DLink, Asus, etc). This is absolutely horrible as it could leave these users without any protection at all, especially if they did not have a software firewall on their PC as a second layer of defense.

Here is what happened:

One user (out of about 90) complained that they were receiving inbound calls from an extension that did not exist on their softphone installed on their PC. No other user experienced this issue at the time. Checking server logs did not show any external connections at all either. These calls were not coming from the server.

I assumed that this had to be an issue with them specifically so I sent a support link for a remote session to this user. What I found out was that this user had the ISP mentioned above that only provided a modem… no firewall/router, and for some reason they did not have their own for wifi, etc. The user did have Windows Firewall but that did not seem to be doing anything to stop this SIP fishing attack. Calls would come in to this user any time that his softphone was loaded.

What was happening?

Essentially the “hackers” spam out calls to huge ranges of IP addresses phishing for unprotected computers. If a computer is not behind a firewall and there is, say, a softphone running, that softphone will essentially answer the “phishing call” and present the user with that call. What I believe happens is that when the home user answers the call, the “hackers’” script attempts to either bridge a call, conference a call, transfer a call or something to that effect so that they can basically use your phone to make free calls. It has been a while since this happened so those details might be a bit off at this point, but the bottom line is that the computer did not have a firewall to deny this random traffic.

Solution:

Installed a software firewall on the home user’s PC (such as Comodo, ZoneAlarm, etc).
Instructed them to purchase a router (or call ISP for one if possible) as the primary layer of defense.

Additionally to OP: Secure your PBX with a good firewall as well.

In the end:

The firewalls stopped this user from getting unsolicited calls.

Are these actually showing up in your CDR? If not, someone could be hitting your phones directly if you have 5060 exposed. Had an issue recently where a few users were complaining of hundreds of calls per day from odd extensions. Nothing was showing up in CDR and they were remote users with phones at home; their phones were exposed with 5060 naked on their firewall. Once I changed the port on the phones themselves, it all stopped. Never ran into this before because every firewall I have seen with phones behind it on the NAT randomizes the listening port that’s exposed. With these users’ home routers, they were exposing the exact port that the phone was listening on. Seems pretty stupid if you ask me; what if they have more than one SIP device? In any case, I am sure there are lots of home routers that do this and by default most phones listen on 5060.

@fonewiz, can you expand on the home router setup that would allow the SIP port 5060 to be exposed?

I also came across the issue of a remote extension being bombarded by spurious calls, and changing the remote phone’s port number from 5060 to 5070 did the trick.

I would be interested in learning about any router configuration change(s) that might achieve a similar result.

Thanks

My goal with home/remote users is to not mess with their router config if possible, it gets into a can of worms I don’t want to open.

So, I just stick to changing the local SIP port on the phone. I would not change it to 5070 or anything close to 5060 because these are easy to guess for the scumbags that will try to hit the phone on other ports close to 5060.

I am not saying this as a matter of fact, it’s just what I do. As they say, your mileage may vary.

Also, I am not 100% sure why some NAT routers expose the actual port and why others change the port number that is exposed. There are some NAT routers that do this on purpose and call it a “VoIP Feature” but I am saying that there are plenty of NAT routers that do NOT expose the real SIP port of the phone, without any special features.