Strange dialing

I tried to do that. One of the files was too big - I can solve that, but the other said it has too many non text characters. I have zipped files - is there a better format?

James

For now the only log we need are the (sanitized) entries that occur in /var/log/asterisk/full and ONLY those lines that occur during a ‘strange’ outbound call, not the entire log and certainly nothing with non-text characters.

Here it is. It is amazing how large the files get even though I was the only one on the phone (at least in the office). I called from extension 1012 to external number 613-686-5487 at least 6 times.
full10.tgz (19.5 KB)

James

Hi:
Could you check this log? Please reset the limitation in the trunk and have a try:
– Got SIP response 480 “Trunk Concurrency Limit Reached” back from 192.159.66.3:5060
[2015-11-26 12:49:06] VERBOSE[19651][C-00001209] app_dial.c: – SIP/fpbx-1-W7qTJLasDxCa-000005c5 is circuit-busy
[2015-11-26 12:49:06] VERBOSE[19651][C-00001209] app_dial.c: == Everyone is busy/congested at this time (1:0/1/0)

You need to fix

[2015-11-26 12:55:03] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:38145’ - Wrong password
[2015-11-26 12:55:03] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:53654’ - Wrong password
[2015-11-26 12:55:03] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:47446’ - Wrong password
[2015-11-26 12:55:03] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:48006’ - Wrong password
[2015-11-26 12:55:03] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:38751’ - Wrong password
[2015-11-26 12:55:03] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:46613’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:48362’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:43220’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:54458’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:33815’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:41171’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:35794’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:44919’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:48567’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:50598’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:48690’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:53786’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:44954’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:58111’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:59383’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:45037’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:36756’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:44359’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:39321’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:52738’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:51191’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:44013’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:37969’ - Wrong password
[2015-11-26 12:55:04] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:50252’ - Wrong password
[2015-11-26 12:55:05] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:43366’ - Wrong password
[2015-11-26 12:55:05] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:46722’ - Wrong password
[2015-11-26 12:55:05] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:35639’ - Wrong password
[2015-11-26 12:55:05] NOTICE[2254] chan_sip.c: Registration from ‘100 sip:[email protected]’ failed for ‘89.163.148.203:59546’ - Wrong password

before you do anything else

The time condition calls are spurious, turn them off or filter them before posting.

Thanks for these responses. I was gone yesterday afternoon. I will do these things and get back.

James

This is an attempt to register from IP number 89.163.148.203, which is from Germany. I need to firewall off these attempts. Can someone tell me what has to be left open for SIPStation to work, but firewall everything else off?

james
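As an added example (not part of the thread, and not FreePBX or fail2ban code), the check below counts failed chan_sip registrations per source IP inside a sliding time window, which is the signal the log excerpt above shows. The sample lines, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Real logs use straight quotes; forum rendering often turns them curly. Accept both.
Q = "['\u2018\u2019]"
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\](?:\[[^\]]*\])? "
    r"chan_sip\.c: Registration from " + Q + r".*?" + Q + r" failed for "
    + Q + r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+" + Q + r" - (?P<reason>.+)$"
)

def flag_sources(lines, threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak failures inside any one window} for IPs reaching threshold."""
    seen = defaultdict(list)
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if m:
            seen[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, stamps in seen.items():
        stamps.sort()
        start = peak = 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

# Constructed sample lines (RFC 5737 documentation addresses, not from the thread).
SAMPLE = [
    f"[2015-11-26 12:55:{3 + i // 6:02d}] NOTICE[2254] chan_sip.c: Registration from "
    f"'100 <sip:100@192.0.2.10>' failed for '203.0.113.7:{40000 + i}' - Wrong password"
    for i in range(12)
] + [
    # A user mistyping a password twice, five minutes apart, in curly-quote rendering.
    "[2015-11-26 09:00:00] NOTICE[2254] chan_sip.c: Registration from \u2018101 "
    "<sip:101@192.0.2.10>\u2019 failed for \u2018198.51.100.20:5062\u2019 - Wrong password",
    "[2015-11-26 09:05:00] NOTICE[2254] chan_sip.c: Registration from \u2018101 "
    "<sip:101@192.0.2.10>\u2019 failed for \u2018198.51.100.20:5062\u2019 - Wrong password",
    # Unrelated dialplan line that must be ignored.
    "[2015-11-26 12:49:06] VERBOSE[19651][C-00001209] app_dial.c: == Everyone is busy",
]

if __name__ == "__main__":
    for ip, count in flag_sources(SAMPLE).items():
        print(f"{ip}: {count} failed registrations within 60s")
```

Only the burst source is flagged at the default threshold; the two isolated failures from the second address stay below it unless the window is widened.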

I have removed all time conditions.

James

I don’t know what this is. The IP numbers are from Wisconsin (162.253.134.142, 192.159.66.3) so they may be SIPStation’s IPs. Does anyone know what this error message actually means?

James

full11.tgz (119 Bytes)

Here is another 3 minutes of log files. I have turned off time conditions and it is a smaller snap. I still need to secure the server a little more to avoid people trying to log in from outside. I again called the number 613-686-5487 six times and the same thing happens: 1st time works OK, 2nd time call is ok but the caller ID is wrong, and the 3rd time it calls extension 1900. Then it repeats the pattern.

James

The post is empty. I would suspect a root intrusion via your inadequate firewall; look for suspicious files in /tmp.

Several things:
1.- Regarding the /tmp directory I see jetty-0.0.0.0 directories, hsperfdata_asterisk and hsperfdata_root directories. Are they safe?
2.- I have set the dial patterns so that all long distance calls go out the VOIP line from sipstation. Now the long distance calls all work. The local numbers go through a dahdi connection to a land line and they still act up. We have two dahdi external lines, and they act the same. But when I use the VOIP connection for calls, it works fine. I’m sure there is a dahdi configuration problem!
3.- Could I have some pointers on how to tighten the firewall? I have forwarded port 5060 and ports 10000-20000 to the SIP server. We go through two routers from the Internet to our dedicated voip subnet. Otherwise there is no other connection. We have no external SIP phones other than our VOIP provider, which is SIP Station. What I need to know is what range of IP addresses to allow, and otherwise no other IP addresses allowed. I suppose iptables would be the way to do this once I know what IP addresses to allow.
James

I would be suspicious of jetty; it appears to be a standalone web server.

There are many posts here on securing your server with a firewall and fail2ban, the “Distro” now comes with a firewall for ease of use. PIAF has had one for a while.

But IF you have been compromised, the only SAFE thing to do is start from scratch as it might well be too late to secure it.

Thanks for that. I am wondering whether the port numbers on the card and the channels in the dahdi setup are the same. I’m thinking that a wrong dahdi DID setup could be the problem.

I have the Freepbx distro. Is a firewall module included? I can’t find any, but it would be a little handier than coding at the command line.

Just to be sure, jetty is not used in Freepbx? Does someone know?

James

full12.tgz (2.0 KB)
Here is a blip from the full log. I just called an external number 613-332-3256, and the internal extension 1900 rang. I can’t see anything wrong in the log file.

Do you recommend using CSF firewall?

James

You are using a round-robin trunk strategy, r0, so possibly you have screwed up your dahdi setup; call the numbers individually. You probably should be using G0 if your inbound calls come in an ascending hunt. Personally I use CSF, but there are other options. I am not aware of jetty being anywhere in a standard installation of FreePBX, but you have obviously “customized”.

I think you’ve hit pay dirt. I was wondering how round-robin trunk strategy is selected/deselected. Do you know how this is done in FreePBX? Remember it is outgoing calls we are looking at.

Regarding firewall, since nothing gets to the server except port 5060 and the port range 10000-20000, would it not be simplest to add a couple iptables rules that require that only trunk1.freepbx.com and trunk2.freepbx.com are allowed on port 5060? According to the documentation this would make the server sufficiently secure. Am I right? Why is such a large range of ports necessary (10000-20000)? Could that not be narrowed down quite a bit? What would I lose to narrow this down to 17000-19000 for example?

James

I’ve found the setting problem, I think. I have to run now, but I’ll test it and get back.

I still desire comment on the firewall issue.

James

You shouldn’t hijack your own thread, “strange dialing”. Start a new thread.

OK. Sorry. And that did cure the problem. To recap, the problem was that in the settings under “Trunks” there is an option “DAHDI Trunks”. That was set to round robin.

Still wonder why there was the odd CID, but maybe it is the telephone company’s problem.

I learned several things through this so I’m thankful for that.

Regarding the firewall I will do as I thought and if I have a problem I will post it in a new thread.

Thanks again.

James
