Who's trying to make thousands of calls through my system?

Hello,

I am trying to figure out how it is possible for someone to connect to my system and try to make phone calls.
I created 6 extensions but none of them is extension 345678.

In fact no one knows about my FreePBX system yet. How did they find my IP address?

Anyway, I am trying to learn how to prevent this guy from accessing my system. How can I see the IP address where this SIP call is coming from?

    calldate,clid,src,dst,dcontext,channel,dstchannel,lastapp,lastdata,duration,billsec,disposition,amaflags,accountcode,uniqueid,userfield
    "2014-11-22 23:09:31","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000054,,Congestion,5,12,12,ANSWERED,3,,1416715771.3112,
    "2014-11-22 23:02:13","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000053,,Congestion,5,12,12,ANSWERED,3,,1416715333.3105,
    "2014-11-22 22:54:55","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000052,,Congestion,5,12,12,ANSWERED,3,,1416714895.3098,
    "2014-11-22 22:47:38","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000051,,Congestion,5,12,12,ANSWERED,3,,1416714458.3091,
    "2014-11-22 22:40:21","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000050,,Congestion,5,12,12,ANSWERED,3,,1416714021.3084,
    "2014-11-22 22:33:03","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000004f,,Congestion,5,12,12,ANSWERED,3,,1416713583.3077,
    "2014-11-22 22:25:46","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000004e,,Congestion,5,12,12,ANSWERED,3,,1416713146.3070,
    "2014-11-22 22:18:28","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000004d,,Congestion,5,12,12,ANSWERED,3,,1416712708.3063,
    "2014-11-22 22:11:07","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000004c,,Congestion,5,12,12,ANSWERED,3,,1416712267.3056,
    "2014-11-22 22:03:47","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000004b,,Congestion,5,12,12,ANSWERED,3,,1416711827.3049,
    "2014-11-22 21:56:25","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000004a,,Congestion,5,12,12,ANSWERED,3,,1416711385.3042,
    "2014-11-22 21:49:06","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000049,,Congestion,5,12,12,ANSWERED,3,,1416710946.3035,
    "2014-11-22 21:41:45","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000048,,Congestion,5,12,12,ANSWERED,3,,1416710505.3028,
    "2014-11-22 21:34:26","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000047,,Congestion,5,12,12,ANSWERED,3,,1416710066.3021,
    "2014-11-22 21:27:06","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000046,,Congestion,5,12,12,ANSWERED,3,,1416709626.3014,
    "2014-11-22 21:19:46","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000045,,Congestion,5,12,12,ANSWERED,3,,1416709186.3007,
    "2014-11-22 21:12:27","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000044,,Congestion,5,12,12,ANSWERED,3,,1416708747.3000,
    "2014-11-22 21:05:07","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000043,,Congestion,5,12,12,ANSWERED,3,,1416708307.2993,
    "2014-11-22 20:57:48","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000042,,Congestion,5,12,12,ANSWERED,3,,1416707868.2986,
    "2014-11-22 20:50:28","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000041,,Congestion,5,12,12,ANSWERED,3,,1416707428.2979,
    "2014-11-22 20:43:09","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000040,,Congestion,5,12,12,ANSWERED,3,,1416706989.2972,
    "2014-11-22 20:35:48","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000003f,,Congestion,5,12,12,ANSWERED,3,,1416706548.2965,
    "2014-11-22 20:28:30","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000003e,,Congestion,5,12,12,ANSWERED,3,,1416706110.2958,
    "2014-11-22 20:21:10","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000003d,,Congestion,5,12,12,ANSWERED,3,,1416705670.2951,
    "2014-11-22 20:13:49","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000003c,,Congestion,5,12,12,ANSWERED,3,,1416705229.2944,
    "2014-11-22 20:06:29","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000003b,,Congestion,5,12,12,ANSWERED,3,,1416704789.2937,
    "2014-11-22 19:59:09","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000003a,,Congestion,5,12,12,ANSWERED,3,,1416704349.2930,
    "2014-11-22 19:51:49","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000039,,Congestion,5,12,12,ANSWERED,3,,1416703909.2923,
    "2014-11-22 19:44:34","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000038,,Congestion,5,12,12,ANSWERED,3,,1416703474.2916,
    "2014-11-22 19:37:17","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000037,,Congestion,5,12,12,ANSWERED,3,,1416703037.2909,
    "2014-11-22 19:30:02","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000036,,Congestion,5,12,12,ANSWERED,3,,1416702602.2902,
    "2014-11-22 19:22:45","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000035,,Congestion,5,12,12,ANSWERED,3,,1416702165.2895,
    "2014-11-22 19:15:28","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000034,,Congestion,5,12,12,ANSWERED,3,,1416701728.2888,
    "2014-11-22 19:08:11","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000033,,Congestion,5,12,12,ANSWERED,3,,1416701291.2881,
    "2014-11-22 19:00:54","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000032,,Congestion,5,12,12,ANSWERED,3,,1416700854.2874,
    "2014-11-22 18:53:36","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000031,,Congestion,5,12,12,ANSWERED,3,,1416700416.2867,
    "2014-11-22 18:46:18","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000030,,Congestion,5,12,12,ANSWERED,3,,1416699978.2860,
    "2014-11-22 18:39:00","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000002f,,Congestion,5,12,12,ANSWERED,3,,1416699540.2853,
    "2014-11-22 18:31:43","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000002e,,Congestion,5,12,12,ANSWERED,3,,1416699103.2846,
    "2014-11-22 18:24:27","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000002d,,Congestion,5,12,12,ANSWERED,3,,1416698667.2839,
    "2014-11-22 18:17:10","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000002c,,Congestion,5,12,12,ANSWERED,3,,1416698230.2832,
    "2014-11-22 18:09:53","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000002b,,Congestion,5,12,12,ANSWERED,3,,1416697793.2825,
    "2014-11-22 18:02:36","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-0000002a,,Congestion,5,12,12,ANSWERED,3,,1416697356.2818,
    "2014-11-22 17:55:18","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000029,,Congestion,5,12,12,ANSWERED,3,,1416696918.2811,
    "2014-11-22 17:48:01","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000028,,Congestion,5,12,12,ANSWERED,3,,1416696481.2804,
    "2014-11-22 17:40:43","""345678"" <345678>",345678,s,from-sip-external,PJSIP/anonymous-00000027,,Congestion,5,12,12,ANSWERED,3,,1416696043.2797,

There are dogged, read persistent, scanners for SIP connections to your machines. They WILL get into your system eventually unless you have rigorous and exclusive firewall rules: only allow “known hosts and networks” for your endpoints (VSPs and extensions), but just DON’T use 5060 (and probably anything close, like 5082) for SIP; when possible use an arbitrary choice somewhere between 1024 and 65000 that doesn’t collide with another of your services. Things like fail2ban can ameliorate the situation for lax firewall rules, but you will presumably need to update your regexes to cover pjsip where necessary.

1 Like

dicko, have a look at your firewall (iptables) and only allow specific IP addresses to access the system (whitelist). This can be configured easily by using the Webmin function.

If you have external sites which have Dynamic DNS, then look up Travelin Man 3 on nerdvittles. I am using that with a total of more than 30 external users, and for the time since I installed it, there have been NO unrecognized connections.

Before it was installed, there were thousands, and one successfully replicated an extension, and then blew through about $200 in a couple of hours, calling Caribbean Islands.

Let me know if you need more direction on this.

1 Like

This ought to be interesting.

I moved all my external extensions and FreePBX to a different SIP port. I left RTP as it is. I wish I could install Snort on the router.

My karate teacher used to tell me if your defence does not hurt the attacker, then you’re just a punching bag.

So, in order to hurt the attacker I would like to send all these attacks to a voice mail so that their customers complain about being charged for minutes they don’t get connected to the real destination but to the voicemail.

My new question is how to make a catch-all extension (just like the email catch-all feature) so that all calls not coming from my extensions or my DIDs go to a catch-all extension?

Thanks

Couple of points, suggestions and such:-

You are unlikely to be able to effectively bother these attackers; they are usually not people, just scripts “probing”. Once successful they will leverage your mistakes and start sending real traffic through.

A firewall is an absolute necessity, proper rules even more so. Personally I use CSF/LFD to build my iptables because it will construct a very solid firewall to which you can add your own rules. In CSF the “whitelist” is called csf.allow and the blacklist csf.deny. Here is a Perl script I wrote called ip2route to facilitate adding appropriate rules to either:-

    #!/usr/bin/perl
    # ip2route: resolve a host name or IP address to the whois CIDR block(s)
    # containing it, printed in a form ready for csf.allow / csf.deny.
    use strict;
    use warnings;
    use Socket;
    use Net::Whois::IANA;    # not in core Perl; install from CPAN first

    die "usage: $0 <hostname-or-ip>\n" unless defined $ARGV[0];

    # Never emit rules for loopback, reserved, RFC 1918 or broadcast space...
    if ($ARGV[0] =~ /^[01]\.|^10\.|^192\.168|^172\.16|^255\./) { exit }
    # ...or for your own address and the networks you trust (edit to taste).
    if ($ARGV[0] =~ /^your\.ip\.add\.ress|^other\.networks\.you\.trust/) { exit }

    my $sitename = $ARGV[0];
    my $packed   = inet_aton($sitename) or die "cannot resolve $sitename\n";
    my $ip       = inet_ntoa($packed);

    my $iana = Net::Whois::IANA->new;
    $iana->whois_query(-ip => $ip);
    my @array = @{ $iana->cidr() || [] };
    die "no CIDR block returned for $ip\n" unless @array;

    # Sort by prefix length, compared numerically (string comparison would put
    # "/19" ahead of "/8"). @route has the least specific block first,
    # @parentroute the most specific.
    my $plen        = sub { (split m{/}, $_[0])[1] };
    my @route       = sort { $plen->($a) <=> $plen->($b) } @array;
    my @parentroute = reverse @route;

    my $whois = $iana->source();
    $whois =~ s/#.*//;

    if ( ($parentroute[0] ne $route[0]) && (substr($whois, 0, 4) eq "ARIN") ) {
        # ARIN returned several blocks: the most specific one becomes the rule,
        # the enclosing (parent) block is kept as a trailing comment.
        printf "%-18.18s #%-18.18s # %-7.7s %s %-18.18s %-40.40s %s\n",
            $parentroute[0], $route[0], $whois, uc(substr($iana->country(), 0, 2)),
            $iana->netname(), $iana->descr();
    }
    else {
        printf "%-18.18s # %-7.7s %s %-40.40s %s\n",
            $route[0], $whois, uc(substr($iana->country(), 0, 2)),
            $iana->netname(), $iana->descr();
    }

You can feed it with a file full of lines of ipaddress or names thusly:-

    for ip in $(cat filefullofuniqueips); do ./ip2route "$ip"; done | tee filename

You can fill a goodguys file with something like:-

    cat /var/log/asterisk/security* | grep SuccessfulAuth | grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u | tee -a goodguys

if /var/log/asterisk/security* is a rotated set of log files that log the Asterisk SECURITY lines.

Similarly for badguys use /var/log/fail2ban* if you have set it up (highly recommended):-

    cat /var/log/fail2ban* | grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u | tee -a badguys

For something more revealing you could use /var/log/apache2/* (or wherever your system logs http(s) to):-

    cat /var/log/apache2/* | grep -oE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' | sort -t . -k1,1n -k2,2n -k3,3n -k4,4n -u | tee -a httpguys

You might be surprised at the same old badguys who show up in there, many VOIP attacks start with a probing of your http server :wink:

You will find that if you operate on a set of logs files that spans a reasonable period, and because of the way DHCP/The Internet works you will not need Ward’s “travelling guy” at all, because you are whitelisting/blacklisting the route and not just the ip address of your clients/attackers.

As to “bad” NANP area codes, it has been covered here in these forums quite a few times. Just add those routes to a “trunk going nowhere” route at the top of your list.

At the end of a few hours with this script you will have quite a list, mostly of the “cloud servers” around the world that the guys from PS and CN (and others) use, but surprisingly short and within iptables reach.

A little caveat for the Perl script: the Net::Whois::IANA module will need to be added to your Perl deployment. Also, if the route has been reassigned or reallocated, then the parent route is also printed for ARIN; flavor to taste.

A small demo of the script:-

    ./ip2route community.freepbx.org
    64.71.148.0/29     # ARIN    GB HURRICANE-CE1586-5A1                     MX Telecom, Ltd.

    ./ip2route www.freepbx.org
    199.102.236.0/22   # ARIN    US WISCYB-IPV4-2                            Wisconsin CyberLynk Network, Inc.

    ./ip2route 173.198.132.45
    173.198.128.0/19   #173.196.0.0/15     # ARIN    US RCWE               Time Warner Cable Internet LLC

    ./ip2route 5.11.42.45
    5.11.40.0/22       # RIPE    PS PS-ORANGE-PALESTINE                      Orange Palestine Group Co. for Technological Investment Joint Stock Private Company
1 Like
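The original question in this thread was where to see the IP address behind the `PJSIP/anonymous-…` rows: the CDR table never records the remote address, but the Asterisk security log (the `SecurityEvent=…` lines the `SuccessfulAuth` grep above is reading) carries it in the `RemoteAddress` field. The script below is an added example, not code from the thread or from the FreePBX/Asterisk projects; it parses those lines, counts events per remote IP and splits the addresses into the goodguys/badguys lists described above. The `SAMPLE_LINES` are constructed to match the security log's format (the field names are Asterisk's; the timestamps, session IDs and RFC 5737 addresses are made up), and the event-count threshold is a choice, not an Asterisk setting.

```python
"""Pull the remote IP of each SIP authentication event out of the Asterisk
security log and sort addresses into goodguys / badguys.

The CDR rows in this thread never carry the remote address of an anonymous
caller; the security log does, in the RemoteAddress field of every
SecurityEvent line.  SAMPLE_LINES are constructed in that shape with
RFC 5737 documentation addresses, not real hosts.
"""
import re
from collections import Counter, defaultdict

# Same dotted-quad pattern the forum one-liners grep for.
IPV4 = r"((?:(?:1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(?:1?[0-9][0-9]?|2[0-4][0-9]|25[0-5]))"
EVENT_RE = re.compile(r'SecurityEvent="([A-Za-z]+)"')
ACCOUNT_RE = re.compile(r'AccountID="([^"]*)"')
# Anchoring on RemoteAddress avoids also matching LocalAddress (your own PBX).
REMOTE_RE = re.compile(r'RemoteAddress="IPV4/(?:UDP|TCP|TLS|WS|WSS)/' + IPV4 + r'/\d+"')

# Asterisk event names for a login that worked and for the common failure kinds.
GOOD_EVENTS = {"SuccessfulAuth"}
BAD_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed", "FailedACL"}

SAMPLE_LINES = [  # constructed, modelled on res_security_log output
    '[2014-11-22 17:40:43] SECURITY[2341] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2014-11-22T17:40:43.001+0000",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="101",SessionID="0x7f3c0c0a1230",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"',
    '[2014-11-22 23:09:31] SECURITY[2341] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2014-11-22T23:09:31.112+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="345678",SessionID="0x7f3c0c0e0b60",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"',
    '[2014-11-22 23:09:32] SECURITY[2341] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2014-11-22T23:09:32.004+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="345678",SessionID="0x7f3c0c0e0c70",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"',
    '[2014-11-22 23:09:33] SECURITY[2341] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2014-11-22T23:09:33.250+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="345678",SessionID="0x7f3c0c0e0d80",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"',
    '[2014-11-22 23:12:01] SECURITY[2341] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2014-11-22T23:12:01.700+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="100",SessionID="0x7f3c0c0f0110",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"',
    '[2014-11-22 23:12:02] VERBOSE[2341] pbx.c: not a security event, ignored by the parser',
]


def parse_security_line(line):
    """Return (event, account_id, remote_ip), or None for anything that is not
    an IPv4 SecurityEvent line (IPv6 peers are skipped by this example)."""
    ev = EVENT_RE.search(line)
    rm = REMOTE_RE.search(line)
    if not ev or not rm:
        return None
    acct = ACCOUNT_RE.search(line)
    return ev.group(1), (acct.group(1) if acct else ""), rm.group(1)


def summarise(lines, bad_threshold=3):
    """Classify remote addresses from an iterable of log lines.

    An address that ever authenticated successfully is 'good'; an address with
    at least bad_threshold failed events and no success is 'bad'. Everything
    else stays unclassified. The threshold is this example's choice.
    """
    events = defaultdict(Counter)   # ip -> Counter of event names
    accounts = defaultdict(set)     # ip -> account IDs it tried and failed on
    for line in lines:
        parsed = parse_security_line(line)
        if parsed is None:
            continue
        event, account, ip = parsed
        events[ip][event] += 1
        if event in BAD_EVENTS and account:
            accounts[ip].add(account)
    good, bad = [], []
    for ip, counts in events.items():
        if any(counts[e] for e in GOOD_EVENTS):
            good.append(ip)
        elif sum(counts[e] for e in BAD_EVENTS) >= bad_threshold:
            bad.append(ip)
    return {
        "good": sorted(good),
        "bad": sorted(bad),
        "events": events,
        "accounts": {ip: sorted(a) for ip, a in accounts.items()},
    }


if __name__ == "__main__":
    import sys
    # Usage: python3 sipauth.py /var/log/asterisk/security_log
    source = list(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_LINES
    result = summarise(source)
    print("goodguys:", *result["good"])
    print("badguys:", *result["bad"])
    for ip in result["bad"]:
        print(f"  {ip} tried accounts {result['accounts'][ip]}: {dict(result['events'][ip])}")
```

Run it against the real `security_log` (rotated copies included, as in the `cat` one-liners above) and the two lists drop straight into the `ip2route` loop. Keep the threshold above one: a single `ChallengeResponseFailed` is just as likely a user mistyping a password as a scanner, which is why 203.0.113.9 in the sample stays unclassified.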