570 entries from-sip-external

I am not sure which board to post this on.
Asterisk version: 13.12.1
FreePBX version: 13.0.190.11

I was getting quite a few from-sip-external notifications in my logs (it has stopped since).
These entries appeared every 3-5 minutes.
I thought this to be some sort of attack, but I am not quite understanding how I should read this. If it was an attack, how can I mitigate it in the future? (I've seen nothing else like this in the logs.)

asterisk/cdr-csv/Master.csv

   line:42777:"","2324","s","from-sip-external","""2324"" <2324>","SIP/IPADDRESSHIDDEN-00000051","","Congestion","5","2017-05-11 16:37:30","2017-05-11 16:37:30","2017-05-11 16:37:43",12,12,"ANSWERED","DOCUMENTATION","1494520650.545",""
    ....>
    568 entries later:
    <----
    line:43682:"","2324","s","from-sip-external","""2324"" <2324>","SIP/IPADDRESSHIDDEN-000003f6","","Congestion","5","2017-05-12 22:45:48","2017-05-12 22:45:48","2017-05-12 22:46:00",12,12,"ANSWERED","DOCUMENTATION","1494629148.7071",""

Thank you for your time and expertise!

The 7th field from the end is the time stamp of the call - you could look through your /var/log/asterisk/full log and watch the call’s progress. That should tell you a lot more about how the call was handled and if, for example, the call was on an extension but the password was wrong (which would be my guess).

If that’s the case, it might be time to set up the Adaptive firewall to manage your SIP connections.

The fact that it started at 4:30 in the afternoon and stopped around 11 that night would lead me to believe it was an attack of some kind.

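Dave's advice above is to read the timestamps out of Master.csv. The script below is an added example (my own code, not from the thread or from FreePBX) that parses CDR rows by Asterisk's standard 18-column layout, so "start" and "end" can be used by name instead of being counted from the end of the line, and summarises every call that landed in from-sip-external: how many, first and last start time, the shortest and longest gap between consecutive calls (the poster saw one every 3-5 minutes), the claimed source numbers, the last application run, and the host part of the channel name, which for unauthenticated guest calls is the remote IP rather than a configured peer name. The sample rows are constructed to resemble the thread's entries; 203.0.113.7 is a documentation address standing in for the hidden one.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Column order Asterisk writes to cdr-csv/Master.csv (18 fields).
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]

# Constructed sample: two guest calls modelled on the thread's rows plus one
# ordinary internal call. 203.0.113.7 is a placeholder, not a real peer.
SAMPLE_CDR = (
    '"","2324","s","from-sip-external","""2324"" <2324>","SIP/203.0.113.7-00000051","","Congestion","5",'
    '"2017-05-11 16:37:30","2017-05-11 16:37:30","2017-05-11 16:37:43",12,12,"ANSWERED","DOCUMENTATION","1494520650.545",""\n'
    '"","2324","s","from-sip-external","""2324"" <2324>","SIP/203.0.113.7-00000052","","Congestion","5",'
    '"2017-05-11 16:41:10","2017-05-11 16:41:10","2017-05-11 16:41:22",12,12,"ANSWERED","DOCUMENTATION","1494520870.547",""\n'
    '"","1001","2002","from-internal","""Alice"" <1001>","SIP/1001-00000053","SIP/2002-00000054","Dial","SIP/2002,30",'
    '"2017-05-11 16:45:00","2017-05-11 16:45:05","2017-05-11 16:47:00",120,115,"ANSWERED","DOCUMENTATION","1494521100.549",""\n'
)


def parse_cdr(text):
    """Parse Master.csv text into dicts keyed by CDR_FIELDS; rows with the wrong width are skipped."""
    records = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != len(CDR_FIELDS):
            continue
        records.append(dict(zip(CDR_FIELDS, row)))
    return records


def channel_host(channel):
    """'SIP/203.0.113.7-00000051' -> '203.0.113.7'.

    chan_sip names the channel after the matched peer; for guest calls there is
    no peer, so the name is the remote IP followed by a sequence number.
    """
    name = channel.split("/", 1)[1] if "/" in channel else channel
    return name.rsplit("-", 1)[0]


def summarize_context(records, context="from-sip-external"):
    """Summarise calls that landed in the given dialplan context."""
    hits = [r for r in records if r["dcontext"] == context]
    starts = sorted(datetime.strptime(r["start"], "%Y-%m-%d %H:%M:%S") for r in hits)
    gaps = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {
        "count": len(hits),
        "first": starts[0] if starts else None,
        "last": starts[-1] if starts else None,
        "min_gap_s": min(gaps) if gaps else None,
        "max_gap_s": max(gaps) if gaps else None,
        "src": Counter(r["src"] for r in hits),
        "hosts": Counter(channel_host(r["channel"]) for r in hits),
        "lastapp": Counter(r["lastapp"] for r in hits),
    }


if __name__ == "__main__":
    # On a real box: open("/var/log/asterisk/cdr-csv/Master.csv").read()
    summary = summarize_context(parse_cdr(SAMPLE_CDR))
    for key, value in summary.items():
        print("%-10s %s" % (key, value))
```

Swap SAMPLE_CDR for the real file and the "hosts" counter tells you immediately whether the 570 entries came from one address or many; the gap figures tell you whether they arrived on a timer, which is typical of a scanner rather than a misconfigured phone.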

Hi Dave,

Looking further into the full log, I noticed this repeated:
(where 00002325 ranges over 00002***, including 2324!)

[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx.c: Executing [004578746888@from-sip-external:1] NoOp("SIP/IPADDRESS-00002325", "Received incoming SIP connection from unknown peer to 004578746888") in new stack
[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx.c: Executing [004578746888@from-sip-external:2] Set("SIP/IPADDRESS-00002325", "DID=004578746888") in new stack
[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx.c: Executing [004578746888@from-sip-external:3] Goto("SIP/IPADDRESS-00002325", "s,1") in new stack
[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx_builtins.c: Goto (from-sip-external,s,1)
[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx.c: Executing [s@from-sip-external:1] GotoIf("SIP/IPADDRESS-00002325", "0?checklang:noanonymous") in new stack
[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx_builtins.c: Goto (from-sip-external,s,5)
[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx.c: Executing [s@from-sip-external:5] Set("SIP/IPADDRESS-00002325", "TIMEOUT(absolute)=15") in new stack
[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] func_timeout.c: Channel will hangup at 2017-06-02 07:13:35.864 UTC.
[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx.c: Executing [s@from-sip-external:6] Log("SIP/IPADDRESS-00002325", "WARNING,"Rejecting unknown SIP connection from 89.163.242.170"") in new stack
[2017-06-02 07:13:20] WARNING[3502][C-0000209f] Ext. s: "Rejecting unknown SIP connection from 89.163.242.170"
[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx.c: Executing [s@from-sip-external:7] Answer("SIP/IPADDRESS-00002325", "") in new stack
[2017-06-02 07:13:21] VERBOSE[3502][C-0000209f] pbx.c: Executing [s@from-sip-external:8] Wait("SIP/IPADDRESS-00002325", "2") in new stack
[2017-06-02 07:13:23] VERBOSE[3502][C-0000209f] pbx.c: Executing [s@from-sip-external:9] Playback("SIP/IPADDRESS-00002325", "ss-noservice") in new stack
[2017-06-02 07:13:23] VERBOSE[3502][C-0000209f] file.c: <SIP/IPADDRESS-00002325> Playing 'ss-noservice.alaw' (language 'en')
[2017-06-02 07:13:28] VERBOSE[3502][C-0000209f] pbx.c: Executing [s@from-sip-external:10] PlayTones("SIP/IPADDRESS-00002325", "congestion") in new stack
[2017-06-02 07:13:28] VERBOSE[3502][C-0000209f] pbx.c: Executing [s@from-sip-external:11] Congestion("SIP/IPADDRESS-00002325", "5") in new stack
[2017-06-02 07:13:33] VERBOSE[3502][C-0000209f] pbx.c: Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/IPADDRESS-00002325'
[2017-06-02 07:13:33] VERBOSE[3502][C-0000209f] pbx.c: Executing [h@from-sip-external:1] Hangup("SIP/IPADDRESS-00002325", "") in new stack
[2017-06-02 07:13:33] VERBOSE[3502][C-0000209f] pbx.c: Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/IPADDRESS-00002325'
[2017-06-02 07:13:52] WARNING[2821] chan_sip.c: Retransmission timeout reached on transmission 957c07fd6a1e5cac7e07c3b2286c91f5 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
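The full-log excerpt above contains the two lines that identify an unauthenticated call: the NoOp at priority 1, which carries the dialled DID, and the WARNING line, which carries the remote IP. The script below is an added example (my own code, not from the thread, FreePBX, or fail2ban) that reads lines in that format, ties each DID to its IP through the C-xxxxxxxx call id, counts rejections per source IP, and flags any IP that produces three or more within ten minutes, which is the sort of rule a responsive firewall or a fail2ban jail would act on. The window and threshold are my choices; the sample lines are constructed in the format shown above and use documentation addresses rather than the IP from the thread.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# The WARNING emitted by the Log() step in from-sip-external; carries the remote IP.
REJECT_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] WARNING\[\d+\]\[(?P<call>C-[0-9a-f]+)\] '
    r'Ext\. s: "Rejecting unknown SIP connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"$'
)
# The NoOp at priority 1 of the same context; carries the dialled number.
DID_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] VERBOSE\[\d+\]\[(?P<call>C-[0-9a-f]+)\] pbx\.c: Executing \[[^\]]+\] '
    r'NoOp\("[^"]+", "Received incoming SIP connection from unknown peer to (?P<did>\d+)"\)'
)

# Constructed sample lines (documentation addresses, not the thread's IP).
SAMPLE_LOG_LINES = [
    '[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx.c: Executing [004578746888@from-sip-external:1] NoOp("SIP/198.51.100.23-00002325", "Received incoming SIP connection from unknown peer to 004578746888") in new stack',
    '[2017-06-02 07:13:20] VERBOSE[3502][C-0000209f] pbx.c: Executing [s@from-sip-external:6] Log("SIP/198.51.100.23-00002325", "WARNING,"Rejecting unknown SIP connection from 198.51.100.23"") in new stack',
    '[2017-06-02 07:13:20] WARNING[3502][C-0000209f] Ext. s: "Rejecting unknown SIP connection from 198.51.100.23"',
    '[2017-06-02 07:17:01] VERBOSE[3502][C-000020a0] pbx.c: Executing [004420712345678@from-sip-external:1] NoOp("SIP/198.51.100.23-00002326", "Received incoming SIP connection from unknown peer to 004420712345678") in new stack',
    '[2017-06-02 07:17:01] WARNING[3502][C-000020a0] Ext. s: "Rejecting unknown SIP connection from 198.51.100.23"',
    '[2017-06-02 07:19:30] VERBOSE[3502][C-000020a1] pbx.c: Executing [0035312345678@from-sip-external:1] NoOp("SIP/203.0.113.9-00002327", "Received incoming SIP connection from unknown peer to 0035312345678") in new stack',
    '[2017-06-02 07:19:30] WARNING[3502][C-000020a1] Ext. s: "Rejecting unknown SIP connection from 203.0.113.9"',
    '[2017-06-02 07:21:44] VERBOSE[3502][C-000020a2] pbx.c: Executing [004578746888@from-sip-external:1] NoOp("SIP/198.51.100.23-00002328", "Received incoming SIP connection from unknown peer to 004578746888") in new stack',
    '[2017-06-02 07:21:44] WARNING[3502][C-000020a2] Ext. s: "Rejecting unknown SIP connection from 198.51.100.23"',
    '[2017-06-02 07:25:03] WARNING[3502][C-000020a3] Ext. s: "Rejecting unknown SIP connection from 198.51.100.23"',
    '[2017-06-02 07:25:10] VERBOSE[3502][C-000020a4] pbx.c: Executing [2002@from-internal:1] Macro("SIP/1001-00002329", "user-callerid,LIMIT,") in new stack',
]


def analyze(lines, window_s=600, threshold=3):
    """Count guest-call rejections per IP and flag IPs that exceed threshold hits in window_s."""
    did_by_call = {}
    events = []  # (timestamp, ip, call id)
    for line in lines:
        m = DID_RE.match(line)
        if m:
            did_by_call[m.group("call")] = m.group("did")
            continue
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group("ip"), m.group("call")))
    events.sort()

    counts = Counter()
    dids = defaultdict(set)
    recent = defaultdict(deque)  # sliding window of timestamps per IP
    offenders = []
    for ts, ip, call in events:
        counts[ip] += 1
        if call in did_by_call:
            dids[ip].add(did_by_call[call])
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()
        if len(q) >= threshold and ip not in offenders:
            offenders.append(ip)
    return {
        "counts": counts,
        "dids": {ip: sorted(v) for ip, v in dids.items()},
        "offenders": offenders,
    }


if __name__ == "__main__":
    # On a real box: analyze(open("/var/log/asterisk/full").read().splitlines())
    result = analyze(SAMPLE_LOG_LINES)
    for ip, n in result["counts"].most_common():
        print("%-16s %3d rejections, dialled %s" % (ip, n, result["dids"].get(ip, [])))
    print("ban candidates:", result["offenders"])
```

The DID list is worth keeping: a scanner that walks international prefixes (0045..., 0044...) is probing for toll fraud, which is what the "anonymous" and "guest" settings discussed further down in this thread exist to shut off.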

That definitely looks like some sort of attack.

89.163.242.170

Is that your address? If not, then yes, it was a thwarted attack.

It is not. I am glad to see them all getting rejected.
Thank you Dave!

Yes, but why are you getting attacked in the first place?
Is your PBX exposed to the internet, or do you have port 5060 opened on your firewall?

Don’t allow inbound anonymous or guest calls.

In addition to @dicko's advice, I also found that the "type" for the local network makes a big difference. I had one of mine set to "Trusted", and every time a SIP call would roll in, it would just hammer away on the server. Changing it to (I think) "Local" actually turned the Fail2Ban feature back on for that link and stopped the inbound callers from pounding their way in (we need to have the port open for external soft-phones and "house" phones).

Fail2ban can't work with anonymous or guest calls; all it can do is watch the logs, and even with "security" on, such calls are only identifiable by your local PBX's or router's IP (which you obviously don't want to ban)… Yes, that's probably an Asterisk thing, but the SIP protocol over UDP is equally guilty.

Turn off allowing SIP guests and turn on your responsive firewall. Turn off services you don't need and encrypt all your traffic. Works for me. They never get in on mine, and I see thousands of unsuccessful attacks every day on my machine :)

The PBX box is exposed to the internet (not at my recommendation).

Where do I turn off "Allow SIP Guests"?

Allow SIP Guests: where is the setting?

/admin/config.php?display=sipsettings
Scroll down to Allow SIP Guests.
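The posts above point at Asterisk SIP Settings > Allow SIP Guests in the GUI. To check the result on disk rather than by clicking through, here is an added example (my own code, not from the thread or from FreePBX) that reads a sip_general_additional.conf-style file and reports whether guests are allowed. It assumes (my assumption, not stated in the thread) that the GUI choice is written as allowguest=yes|no under [general] in /etc/asterisk/sip_general_additional.conf; the sample file contents are constructed. The caveat it encodes is the one that bites people: chan_sip treats a missing allowguest as yes, so an absent line is as weak as an explicit yes.

```python
import re

# Constructed samples of the [general] section FreePBX writes (assumed mapping).
WEAK_CONF = """[general]
allowguest=yes      ; "Allow SIP Guests" = Yes in the GUI
bindport=5060
"""
HARDENED_CONF = """[general]
allowguest=no       ; "Allow SIP Guests" = No in the GUI
bindport=5060
"""
ABSENT_CONF = """[general]
bindport=5060
"""

_SECTION_RE = re.compile(r"^\[([^\]]+)\]")


def parse_asterisk_conf(text):
    """Minimal parser for Asterisk's [section] / key=value (or key => value) format.

    ';' starts a comment; #include and templates are ignored, which is fine for
    the flat file this example audits.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            sections.setdefault(current, {})
            continue
        if current is None:
            continue
        sep = "=>" if "=>" in line else "="
        if sep not in line:
            continue
        key, val = line.split(sep, 1)
        sections[current][key.strip().lower()] = val.strip()
    return sections


def audit_sip_guests(text):
    """Return a list of findings; an empty list means allowguest is explicitly off."""
    general = parse_asterisk_conf(text).get("general", {})
    value = general.get("allowguest")
    if value is None:
        return ["allowguest is not set in [general]; chan_sip defaults to yes, so guest INVITEs are accepted"]
    if value.lower() in ("yes", "true", "on", "1"):
        return ["allowguest=%s: unauthenticated INVITEs will be routed into from-sip-external" % value]
    return []


if __name__ == "__main__":
    # On a real box: audit_sip_guests(open("/etc/asterisk/sip_general_additional.conf").read())
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF), ("absent", ABSENT_CONF)):
        print(name, "->", audit_sip_guests(conf) or ["ok"])
```

Run it after a FreePBX "Apply Config" to confirm the GUI change actually reached the file Asterisk loads; the same parser can be pointed at sip_custom.conf, where a hand-added allowguest=yes would silently override the GUI.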

Also, make your extension numbers start outside of the 'normal' range. Typically I like to start my ext #'s at 5600+, while a lot of admins start at exts 100-1000.

While you're in config.php, turn off anonymous SIP calling if it is enabled.

As we've been discussing in another thread, starting your extensions in the 11* or 12* range can cause problems with direct dialing voicemail that are hard (for novice admins) to figure out. Finding a range of extensions that doesn't compete with dial codes for functions in the system is a "Level 3" sort of admin function.