
Anonymous incoming SIP connections


#1

I just did a new install of the FreePBX distro.

Created a new trunk, inbound and outbound routes and an extension.

I putty’ed into the server and went into asterisk to see the following:

[2019-02-08 14:15:45] ERROR[27973]: pjproject:0 <?>: sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)
[2019-02-08 14:19:11] ERROR[27973]: pjproject:0 <?>: sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)
[2019-02-08 14:37:44] WARNING[27973]: res_pjsip_registrar.c:989 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2019-02-08 14:39:44] ERROR[27973]: pjproject:0 <?>: sip_inv.c .Error parsing/validating SDP body: Missing SDP rtpmap for dynamic payload type (PJMEDIA_SDP_EMISSINGRTPMAP)
== Setting global variable ‘SIPDOMAIN’ to ‘96.47.191.109’
– Executing [9011442030340184@from-sip-external:1] NoOp(“PJSIP/anonymous-00000527”, “Received incoming SIP connection from unknown peer to 9011442030340184”) in new stack
– Executing [9011442030340184@from-sip-external:2] Set(“PJSIP/anonymous-00000527”, “DID=9011442030340184”) in new stack
– Executing [9011442030340184@from-sip-external:3] Goto(“PJSIP/anonymous-00000527”, “s,1”) in new stack
– Goto (from-sip-external,s,1)
– Executing [s@from-sip-external:1] GotoIf(“PJSIP/anonymous-00000527”, “1?setlanguage:checkanon”) in new stack
– Goto (from-sip-external,s,2)
– Executing [s@from-sip-external:2] Set(“PJSIP/anonymous-00000527”, “CHANNEL(language)=en”) in new stack
– Executing [s@from-sip-external:3] GotoIf(“PJSIP/anonymous-00000527”, “1?noanonymous”) in new stack
– Goto (from-sip-external,s,5)
– Executing [s@from-sip-external:5] Set(“PJSIP/anonymous-00000527”, “TIMEOUT(absolute)=15”) in new stack
– Channel will hangup at 2019-02-08 14:49:08.344 EST.
[2019-02-08 14:48:53] WARNING[16505][C-00000527]: func_channel.c:460 func_channel_read: Unknown or unavailable item requested: ‘recvip’
– Executing [s@from-sip-external:6] Log(“PJSIP/anonymous-00000527”, "WARNING,"Rejecting unknown SIP connection from “”) in new stack
[2019-02-08 14:48:53] WARNING[16505][C-00000527]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from "
– Executing [s@from-sip-external:7] Answer(“PJSIP/anonymous-00000527”, “”) in new stack
> 0x7f7c94009cd0 – Strict RTP learning after remote address set to: 46.166.139.12:5072
– Executing [s@from-sip-external:8] Wait(“PJSIP/anonymous-00000527”, “2”) in new stack
– Executing [s@from-sip-external:9] Playback(“PJSIP/anonymous-00000527”, “ss-noservice”) in new stack
– <PJSIP/anonymous-00000527> Playing ‘ss-noservice.ulaw’ (language ‘en’)
– Executing [s@from-sip-external:10] PlayTones(“PJSIP/anonymous-00000527”, “congestion”) in new stack
– Executing [s@from-sip-external:11] Congestion(“PJSIP/anonymous-00000527”, “5”) in new stack
== Spawn extension (from-sip-external, s, 11) exited non-zero on ‘PJSIP/anonymous-00000527’
– Executing [h@from-sip-external:1] Hangup(“PJSIP/anonymous-00000527”, “”) in new stack
== Spawn extension (from-sip-external, h, 1) exited non-zero on ‘PJSIP/anonymous-00000527’

How can I stop the anonymous connections?

I was getting bombarded with these, like every 2 seconds. I did some changes on the FreePBX firewall and set up some GeoIP blocking rules on my Untangle firewall, but these are still coming in.

I did just notice that the connection before was at 13:32 or 64 min prior.
Does fail2ban look for these entries?

Thanks

Joe
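For triaging bursts like the one in the trace above, this added example (not part of the original post, and not FreePBX or fail2ban code) groups `from-sip-external` dialplan lines by anonymous channel and reports the dialled number, the source address the rejection line recorded (blank in the trace, where `recvip` was unavailable), and the RTP peer. The sample log is constructed; attaching the RTP line to the most recently seen anonymous channel is a simplifying assumption.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the console trace in the post
# (made-up dialled numbers, documentation-range address).
SAMPLE = '''\
    -- Executing [900441632960001@from-sip-external:1] NoOp("PJSIP/anonymous-00000001", "Received incoming SIP connection from unknown peer to 900441632960001") in new stack
    -- Executing [s@from-sip-external:6] Log("PJSIP/anonymous-00000001", "WARNING,"Rejecting unknown SIP connection from "") in new stack
       > 0x7f7c94009cd0 -- Strict RTP learning after remote address set to: 198.51.100.23:5072
    -- Executing [s@from-sip-external:11] Congestion("PJSIP/anonymous-00000001", "5") in new stack
    -- Executing [8000@from-sip-external:1] NoOp("PJSIP/anonymous-00000002", "Received incoming SIP connection from unknown peer to 8000") in new stack
    -- Executing [s@from-sip-external:6] Log("PJSIP/anonymous-00000002", "WARNING,"Rejecting unknown SIP connection from "") in new stack
'''

# Forum and web copies of logs often carry typographic quotes and dashes.
TYPOGRAPHIC = str.maketrans('\u201c\u201d\u2018\u2019\u2013', '""\'\'-')
EXEC = re.compile(r'Executing \[[^\]]+@from-sip-external:\d+\] \w+'
                  r'\("(?P<chan>PJSIP/anonymous-[0-9a-f]+)", "(?P<args>.*)"\) in new stack')
DIALLED = re.compile(r'from unknown peer to (?P<num>\S+)')
REJECT = re.compile(r'Rejecting unknown SIP connection from\s*(?P<src>[\d.]*)')
RTP = re.compile(r'Strict RTP learning after remote address set to: (?P<ip>[\d.]+):\d+')

def summarise(log_text):
    """Return {channel: details} for anonymous calls hitting from-sip-external."""
    calls = defaultdict(lambda: {"dialled": None, "rejected": False,
                                 "signalling_ip": None, "media_ip": None})
    last = None  # most recent anonymous channel (assumption used for RTP lines)
    for raw in log_text.splitlines():
        line = raw.translate(TYPOGRAPHIC)
        m = EXEC.search(line)
        if m:
            last = m["chan"]
            to = DIALLED.search(m["args"])
            if to:
                calls[last]["dialled"] = to["num"]
            rej = REJECT.search(m["args"])
            if rej:
                calls[last]["rejected"] = True
                # Empty when the dialplan could not read the peer address.
                calls[last]["signalling_ip"] = rej["src"] or None
            continue
        m = RTP.search(line)
        if m and last:
            calls[last]["media_ip"] = m["ip"]
    return dict(calls)

if __name__ == "__main__":
    for chan, info in summarise(SAMPLE).items():
        print(chan, info)
```

A rejection with `signalling_ip` of `None` means the dialplan warning carries no address to match on, so the only peer address in such a trace is the RTP one.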


(Dave Burgess) #2

Double check your “do not allow anonymous” settings in the Advanced Settings tab. From this snippet, though, it looks like you are already good to go on this.

We’ve established a “Best Practice” of only allowing connections to the SIP ports through the Integrated Firewall from Known Addresses. In the case where you have “travelling” phones (or phones at people’s houses that get a new address every time they connect), you can implement Virtual Private Networks or Dynamic DNS names associated with their address to allow them access to your system. In the general case, the Integrated Firewall should be ON and should be allowing ONLY KNOWN ADDRESSES. By using this method, coupled with disallowing Anonymous connections, you can get rid of virtually all of these.


#3

Is there a document for the “Best Practise”?

When installing the FreePBX distro, it says that it should be on a DMZ. I didn’t really do that. I port forwarded one of our external IPs to the PBX and put in some firewall rules to block foreign connections.

I have the integrated firewall turned on, and it seems to be working. There are items in the block list.

I will look for the “Only Known Addresses”. This would be fine for my SIP connections with my VoIP provider, but a remote SIP phone would be difficult as the IP address would change.

I am still trying to figure out how these connections are getting around the gateway firewall. The IP address is foreign (not Canada or the US) and should be blocked. My firewall report shows that the PBX server is the originator.

Thanks for your help

