Asterisk 13 -> 16 Command Line Errors


(Firstfilter) #1

Good day all. I upgraded my FreePBX 15 install from Asterisk 13 to 16 today. It went smoothly and everything seems to work (no ‘feedback’ from the users so far!) However, I’m getting a number of errors when sitting at the command line (asterisk -r) that I can’t make heads or tails of.

They look like:

[2021-06-16 14:41:13] NOTICE[16479][C-0000004a]: chan_sip.c:19635 send_check_user_failure_response: Failed to authenticate device sip:108@192.168.0.75:5060;tag=520945752 for INVITE, code = -1

[2021-06-16 14:41:45] WARNING[16479]: chan_sip.c:4140 retrans_pkt: Retransmission timeout reached on transmission 1797911772-1663464715-1003314331 for seqno 2 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response

I’ve never seen these before. They come in singles or bunches with slightly different errors and addresses.

top looks fairly under control, nothing is hitting the CPU or memory too hard. 0.3 0.3 0.3 kind of thing.

I’m not a FreePBX/Asterisk master by a long stretch and I couldn’t come up with anything from Google or the forum search here. Should I be concerned, or is that just ‘normal’ with 16?

Thanks!


(David55) #2

Both should be addressed. Did you follow the link in the message for the second one?

The first one says that extension 108 is trying to initiate a call using an unknown user/password combination, although AUTH_SECRET_FAILED also seems to be used for some catch all cases in validating peers.


(Greg Snover) #3

Under the GUI - Reports - Weak Password Detection, make sure you don’t have any.

Since it’s a new install/upgrade turn off SIP Guests and Anonymous:

The snippet shows an internal address, so it’s probably not a cracking attempt, but be paranoid and be sure.

It’s probably just a misconfigured phone, but be proactive and be sure - Have you looked at that IP and seen what is there?


(Firstfilter) #4

Yes, I read through it, but I don’t have an extension at 108. I’m thinking now that the responsive firewall isn’t picking something up.

Or, perhaps the list of banned ip’s gets reset on an Asterisk upgrade and it’s going through the process of re-banning ip’s? It just looks bad right after the upgrade because all of the ‘usual suspects’ get un-banned and try to register. Intrusion detection humors them for a while before the hammer comes down. The notices and warnings have slowed down even in the last hour and top has settled right down to idle.

I might just be getting jumpy!


(Firstfilter) #5

No weak passwords detected, SIP Guests and Anon are both off. I think maybe I was a bit TOO paranoid right after the upgrade! I may have jumped the gun starting a thread here.

The internal address is my FreePBX server.


(Greg Snover) #6

Your Server should not be trying to authenticate an extension against itself - Is your box exposed to the outside world?


(Firstfilter) #7

It is, when we went to work from home we had to expose it and lean on the firewalls to keep it secure.


(David55) #8

The Address is being taken straight from the From header in the request, and would typically be the server address for a genuine call. I don’t think that you can read much into it, except that, being a non-routable address, it has either been mangled by a router or came from somewhere inside your LAN, as an external attacker wouldn’t really know which address to try.

Asterisk doesn’t normally care about the address used.


(Firstfilter) #9

That makes sense to me. I only have about 10 extensions in the building and 1 remote right now so I’m not sure which device has gone rogue.

The weird thing is I’ve never used extensions in the 1xx range, I’ve always used 2xxx for extensions (I’m a faithful student of Crosstalk Solutions Youtube videos!) I’m thinking these are coming from outside and either my ISP’s router or mine is forwarding requests to my FreePBX box. Either way, things really calmed down overnight. My top cpu load is 0.05 0.08 0.12 - totally idle and back to normal. I’m going to chalk this up to me being jumpy!

Thanks!
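Added example (not part of any post in this thread): a small Python tally of the chan_sip "Failed to authenticate device" notices, grouped by the user part of the From header and split into configured and unknown extensions. The first sample line is the one quoted in post #1; the other sample lines and the extension numbers 2001/2002 are constructed for illustration.

```python
import re
from collections import Counter

# Matches the chan_sip NOTICE format quoted in post #1.
FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+NOTICE\[\d+\](?:\[C-[0-9a-f]+\])?:\s+chan_sip\.c:\d+\s+"
    r"send_check_user_failure_response: Failed to authenticate device\s+"
    r"(?P<from>.*?)\s+for\s+(?P<method>[A-Z]+),\s+code\s*=\s*-?\d+"
)
# Pulls user and host out of a bare or <bracketed> SIP URI (IPv4/hostname only).
URI_RE = re.compile(r"sips?:(?:(?P<user>[^@;>\s]+)@)?(?P<host>[^:;>\s]+)")

def parse_failures(lines):
    """Yield (timestamp, user, host, method) for each auth-failure NOTICE."""
    for line in lines:
        m = FAIL_RE.match(line.strip())
        uri = URI_RE.search(m.group("from")) if m else None
        if uri:
            yield m.group("ts"), uri.group("user") or "", uri.group("host"), m.group("method")

def summarize(lines, known_extensions):
    """Count failures per (user, host), split by whether the user is a configured extension.

    host is the From-header host, which (per post #8) is not the packet's source address.
    """
    known, unknown = Counter(), Counter()
    for _ts, user, host, _method in parse_failures(lines):
        (known if user in known_extensions else unknown)[(user, host)] += 1
    return known, unknown

# Line 1 is from post #1; lines 2-4 are constructed sample input.
SAMPLE = [
    "[2021-06-16 14:41:13] NOTICE[16479][C-0000004a]: chan_sip.c:19635 send_check_user_failure_response: Failed to authenticate device sip:108@192.168.0.75:5060;tag=520945752 for INVITE, code = -1",
    '[2021-06-16 14:41:20] NOTICE[16479][C-0000004b]: chan_sip.c:19635 send_check_user_failure_response: Failed to authenticate device "108" <sip:108@192.168.0.75>;tag=111 for INVITE, code = -1',
    "[2021-06-16 14:42:02] NOTICE[16479][C-0000004c]: chan_sip.c:19635 send_check_user_failure_response: Failed to authenticate device sip:2001@192.168.0.75:5060;tag=222 for INVITE, code = -1",
    "[2021-06-16 14:41:45] WARNING[16479]: chan_sip.c:4140 retrans_pkt: Retransmission timeout reached on transmission 1797911772-1663464715-1003314331 for seqno 2 (Critical Response)",
]

if __name__ == "__main__":
    known, unknown = summarize(SAMPLE, {"2001", "2002"})
    print("unknown extensions:", dict(unknown))
    print("configured extensions with failures:", dict(known))
```

Failures for a configured extension usually point at a phone with a stale password; failures for numbers that were never configured, like 108 here, are the ones to trace back to a source address by other means.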


(Greg Snover) #10

This - I was wondering if it was an attacker, but an internal address is difficult (but not impossible) to fake.

Having the box exposed to the outside world is not a problem as long as you are using a GOOD firewall - either the built-in FreePBX firewall (cranked up to max - Responsive on any protocol you are using - SIP/PJSIP/IAX) or a very competent external firewall (we use SonicWALL’s).

75% of my boxes are publicly exposed - by the end of next month, it will be 100% - but because of the fantastic work done by the Sangoma folks on the Firewall (shameless plug, but it’s awesome) publicly exposed does NOT mean open to the internet at large - it means open only to the locations I specifically whitelist - everywhere else is blocked and my boxes are invisible to them!

Another thing to do at your earliest convenience is to change the ports that SIP/PJSIP listen on - it’s only about an hour’s work even with a lot of phones, and it will reduce your attack surface tremendously! Move the ports up into the 50-64K range somewhere (almost nothing uses those high ports - and attackers almost never scan there!) and you will see attacks against your box drop off to nothing. Not my idea - one of @dicko’s greatest contributions to this community in my opinion!

If you have a crappy SIP Trunking provider, you might not be able to use a non-standard port - but if your trunk registers (as opposed to them just fire-hosing the traffic at your IP) you should have no problem having your box on a non-standard port.


(Firstfilter) #11

I would like to change to non-standard ports but doing that is just ever so slightly beyond my technical skill level. I could probably make it work (assuming voip.ms supports such a config) but it likely wouldn’t go smoothly. Maybe when I have some time on a Sunday when we’re otherwise closed.

I would also like to change to PJSIP at some point (tried when the conversion tool first came out - it didn’t go well and I’ve been gun shy ever since) so maybe I’ll take a crack at it and have the guys from Crosstalk double check my work before it goes live. That’s what I did when I deployed my first FreePBX server, I set it up using the guides, tested it for basic functionality, and then had them check for security/correctness before going live. It worked out quite well that way.


(Greg Snover) #12

It’s not trivial switching the ports or switching to PJSIP - I am doing 2-3 boxes a day right now, so I have a lot of practice, but it is not trivial.

Having said that, you can start switching experimentally because you don’t have to switch everything at once.

  1. Pick a port for PJSIP and since you are not using it right now, there is no effect on the rest of your Phones and Trunks.

  2. You do need to do a fwconsole restart after you change the PJSIP Port - so make sure nobody is on the phone, or do it after hours.

  3. Once you have PJSIP on a good, high port, switch a phone as a test - if you are using endpoint manager, it will automatically re-write and re-boot the phone to take the new settings - if you don’t have EPM, you will have to do it manually.

That way you can start playing with it - take the plunge with PJSIP - Things really do work better, and some things are only possible with PJSIP.


#13

Well, if you have a crappy VSP, you can easily add a ‘pin-hole’ (or more if needed) that intercepts the IP’s of said ‘crapster’ and rewrites UDP/5060 connections to your preferred ‘listening port’, this mostly for IP based trunks, registrations should inform the crapper of your current address.


(Greg Snover) #14

That’s a cool idea - I tend to chuck the crappy VSP but if you can’t, that would work!

So many ways to skin a cat…

