Spurious inbound call answered but not routed

My FreePBX box is behind a router which is set to reject all SIP traffic not coming from my ISP, Flowroute.

The CDR Reports show connections like the one below. I don’t know where it’s coming from but it’s annoying. Is there any way to stop this traffic from getting to the PBX?

Thanks Larry

You need to check your firewall rules, Palestinians ARE trying to eat your phone system :slight_smile:

(or perhaps someone within your own Comcast/TimeWarner network maybe)

post the issue of

iptables -L

(obfuscate your own networking though)

Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
syn_flood  tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN 
input_rule  all  --  anywhere             anywhere            
input      all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
forwarding_rule  all  --  anywhere             anywhere            
forward    all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            ctstate RELATED,ESTABLISHED 
ACCEPT     all  --  anywhere             anywhere            
output_rule  all  --  anywhere             anywhere            
output     all  --  anywhere             anywhere            

Chain forward (1 references)
target     prot opt source               destination         
zone_lan_forward  all  --  anywhere             anywhere            
zone_wan_forward  all  --  anywhere             anywhere            

Chain forwarding_lan (1 references)
target     prot opt source               destination         

Chain forwarding_rule (1 references)
target     prot opt source               destination         
nat_reflection_fwd  all  --  anywhere             anywhere            

Chain forwarding_wan (1 references)
target     prot opt source               destination         

Chain input (1 references)
target     prot opt source               destination         
zone_lan   all  --  anywhere             anywhere            
zone_wan   all  --  anywhere             anywhere            

Chain input_lan (1 references)
target     prot opt source               destination         

Chain input_rule (1 references)
target     prot opt source               destination         

Chain input_wan (1 references)
target     prot opt source               destination         

Chain nat_reflection_fwd (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  10.0.0.0/24      10.0.0.41       tcp dpt:8080 /* wan */ 
ACCEPT     udp  --  10.0.0.0/24      10.0.0.41       udp dpt:8080 /* wan */ 
ACCEPT     tcp  --  10.0.0.0/24      10.0.0.41       tcp dpt:51413 /* wan */ 
ACCEPT     udp  --  10.0.0.0/24      10.0.0.41       udp dpt:51413 /* wan */ 
ACCEPT     tcp  --  10.0.0.0/24      zebay.lan           tcp dpt:www /* wan */ 
ACCEPT     tcp  --  10.0.0.0/24      zebay.lan           tcp dpt:https /* wan */ 
ACCEPT     udp  --  10.0.0.0/24      freepbx.lan         udp dpts:sip:5082 /* wan */ 
ACCEPT     udp  --  10.0.0.0/24      freepbx.lan         udp dpts:19000:20000 /* wan */ 

Chain output (1 references)
target     prot opt source               destination         
zone_lan_ACCEPT  all  --  anywhere             anywhere            
zone_wan_ACCEPT  all  --  anywhere             anywhere            

Chain output_rule (1 references)
target     prot opt source               destination         

Chain reject (5 references)
target     prot opt source               destination         
REJECT     tcp  --  anywhere             anywhere            reject-with tcp-reset 
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable 

Chain syn_flood (1 references)
target     prot opt source               destination         
RETURN     tcp  --  anywhere             anywhere            tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50 
DROP       all  --  anywhere             anywhere            

Chain zone_lan (1 references)
target     prot opt source               destination         
input_lan  all  --  anywhere             anywhere            
zone_lan_ACCEPT  all  --  anywhere             anywhere            

Chain zone_lan_ACCEPT (3 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_lan_DROP (0 references)
target     prot opt source               destination         
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain zone_lan_REJECT (0 references)
target     prot opt source               destination         
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_lan_forward (1 references)
target     prot opt source               destination         
zone_wan_ACCEPT  all  --  anywhere             anywhere            
forwarding_lan  all  --  anywhere             anywhere            
zone_lan_ACCEPT  all  --  anywhere             anywhere            

Chain zone_wan (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     icmp --  anywhere             anywhere            icmp echo-request 
ACCEPT     udp  --  sip-lv1.flowroute.com  anywhere            udp spt:sip dpt:sip 
ACCEPT     udp  --  wsip-70-167-153-130.oc.oc.cox.net  anywhere            udp spt:sip dpt:sip 
REJECT     udp  --  anywhere             anywhere            udp dpt:sip reject-with icmp-port-unreachable 
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:www 
input_wan  all  --  anywhere             anywhere            
zone_wan_REJECT  all  --  anywhere             anywhere            

Chain zone_wan_ACCEPT (2 references)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere            

Chain zone_wan_DROP (0 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `DROP(wan):' 
DROP       all  --  anywhere             anywhere            
DROP       all  --  anywhere             anywhere            

Chain zone_wan_REJECT (2 references)
target     prot opt source               destination         
LOG        all  --  anywhere             anywhere            limit: avg 10/min burst 5 LOG level warning prefix `REJECT(wan):' 
reject     all  --  anywhere             anywhere            
reject     all  --  anywhere             anywhere            

Chain zone_wan_forward (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  anywhere             10.0.0.41       tcp dpt:8080 
ACCEPT     udp  --  anywhere             10.0.0.41       udp dpt:8080 
ACCEPT     tcp  --  anywhere             10.0.0.41       tcp dpt:51413 
ACCEPT     udp  --  anywhere             10.0.0.41       udp dpt:51413 
ACCEPT     tcp  --  anywhere             zebay.lan           tcp dpt:www 
ACCEPT     tcp  --  anywhere             zebay.lan           tcp dpt:https 
ACCEPT     udp  --  anywhere             freepbx.lan         udp dpts:sip:5082 
ACCEPT     udp  --  anywhere             freepbx.lan         udp dpts:19000:20000 
forwarding_wan  all  --  anywhere             anywhere            
zone_wan_REJECT  all  --  anywhere             anywhere      

zebay.lan = 10.0.0.23
freepbx.lan = 10.0.0.38

I suggested that you obfuscate your network; please edit your post.

nmap -vv your.ip.address

shows that you have SIP on TCP open. These guys are not stupid; they have read the SIPVicious manual and many more. . . :slight_smile:

(Also, never ever run SSH on port 22; that is also just plain asking for it. Some might consider it "theatrically" a waste of time, but I would never run SIP on 5060 either; 99.999% of all attacks are against that port ;-))

Dicko, I’m confused about obfuscating my address. There’s no reference to a WAN address and the class C internal address (10.0.0.0/24) is not accurate as posted.

This stuff is new to me. I thought I had enabled SIP only on UDP, not TCP. Also, where is SSH defined; I don’t see it?

I also thought that restricting inbound SIP from only two IP addresses would take care of noisy people. But I can change that.

Well, something is getting in, don’t you agree?

Perhaps it’s time for tcpdump to see what:

tcpdump -vvnn port 5060

Thanks dicko, I resolved the issue.

I was not restrictive enough with the SIP protocol. It was allowing traffic from the outside rather than just the provider’s IP addresses.
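
Added example, not part of the original thread: the listing posted above restricts SIP by source in the `zone_wan` input chain, but `zone_wan_forward` accepts UDP `sip:5082` to freepbx.lan from anywhere. The sketch below scans `iptables -L` text for that pattern; the function names `sample_rules` and `audit_open_sip` are hypothetical, the sample is constructed from lines in the listing, and only the service name `sip` is resolved to 5060.

```shell
#!/bin/sh
# Added example: flag ACCEPT rules that admit SIP (port 5060) from any source.

# Constructed sample, trimmed from the `iptables -L` listing posted in the thread.
sample_rules() {
cat <<'EOF'
Chain zone_wan (1 references)
target     prot opt source               destination
ACCEPT     udp  --  sip-lv1.flowroute.com  anywhere            udp spt:sip dpt:sip
REJECT     udp  --  anywhere             anywhere            udp dpt:sip reject-with icmp-port-unreachable

Chain zone_wan_forward (1 references)
target     prot opt source               destination
ACCEPT     tcp  --  anywhere             zebay.lan           tcp dpt:www
ACCEPT     udp  --  anywhere             freepbx.lan         udp dpts:sip:5082
ACCEPT     udp  --  anywhere             freepbx.lan         udp dpts:19000:20000
EOF
}

# Reads `iptables -L` (or `-L -n`) text on stdin and prints
# "chain proto destination match" for every ACCEPT rule whose source is
# unrestricted and whose destination port or port range includes 5060.
# Rules without a dpt/dpts match are skipped: plain `-L` hides interfaces,
# so they cannot be judged from this output alone.
audit_open_sip() {
  awk '
    # Map a port token to a number; unknown service names become -1.
    function portnum(p) { return (p == "sip") ? 5060 : ((p ~ /^[0-9]+$/) ? p + 0 : -1) }
    $1 == "Chain" { chain = $2; next }
    $1 == "ACCEPT" && ($4 == "anywhere" || $4 == "0.0.0.0/0") {
      for (i = 6; i <= NF; i++) {
        n = split($i, f, ":")
        lo = -1; hi = -1
        if (f[1] == "dpt" && n == 2)  { lo = portnum(f[2]); hi = lo }
        if (f[1] == "dpts" && n == 3) { lo = portnum(f[2]); hi = portnum(f[3]) }
        if (lo >= 0 && lo <= 5060 && 5060 <= hi)
          print chain, $2, $5, $i
      }
    }'
}

sample_rules | audit_open_sip
```

On a live router, feed it `iptables -L -n` instead of the sample; any line it prints is a SIP rule that still needs a source restriction.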