Call from extension 101 to destination s with duration of 1 sec status answered

Hi guys,

I hope someone will read this and help me. After being hacked on Elastix twice, I made the decision to give FreePBX a try, as it seemed to me at first glance that it is a collection of light applications (LAMPA: Linux, Apache, MySQL, PHP, Asterisk). I was right, and I managed to install it with 512 MB RAM, 5 GB of disk and 1 CPU on OpenVZ (it was of course not easy to get it running). I tried to secure it as much as I could:

  1. Change default password (up to 15 characters with letters and numbers)
  2. Long password for the extensions
  3. Fail2ban is installed with default configuration
  4. Set password for root mysql (I do not understand why FreePBX guys provide this awesome package with no password for Mysql)
  5. Access/Deny for extensions in SIP extension definition.
  6. General Linux securing i.e. SSH key pair

I was almost sure the box was secure enough, as Fail2Ban was there running and protecting it. But to my surprise I noticed a call from extension 101 to ‘s’ with a duration of 1 sec. I know these SIP scanners are on the internet, scanning IPs to nest somewhere like lice. But the box was up for only 24 hours!!? I searched the Asterisk log and found the following:

xxx.xxx.xxx.xxx is my box IP address

[2012-11-06 09:08:47] VERBOSE[1096] netsock2.c: == Using SIP RTP TOS bits 184
[2012-11-06 09:08:47] VERBOSE[1096] netsock2.c: == Using SIP RTP CoS mark 5
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: – Executing [00972592659883@from-sip-external:1] NoOp(“SIP/xxx.xxx.xxx.xxx-00000010”, “Received incoming SIP connection from unknown peer to 00972592659883”) in new stack
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: – Executing [00972592659883@from-sip-external:2] Set(“SIP/xxx.xxx.xxx.xxx-00000010”, “DID=00972592659883”) in new stack
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: – Executing [00972592659883@from-sip-external:3] Goto(“SIP/xxx.xxx.xxx.xxx-00000010”, “s,1”) in new stack
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: – Goto (from-sip-external,s,1)
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/xxx.xxx.xxx.xxx-00000010”, “0?checklang:noanonymous”) in new stack
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: – Goto (from-sip-external,s,5)
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/xxx.xxx.xxx.xxx-00000010”, “TIMEOUT(absolute)=15”) in new stack
[2012-11-06 09:08:47] VERBOSE[8553] func_timeout.c: Channel will hangup at 2012-11-06 09:09:02.585 MSK.
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/xxx.xxx.xxx.xxx-00000010”, “”) in new stack
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000010’
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/xxx.xxx.xxx.xxx-00000010”, “”) in new stack
[2012-11-06 09:08:47] VERBOSE[8553] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000010’
[2012-11-06 09:08:49] VERBOSE[1096] netsock2.c: == Using SIP RTP TOS bits 184
[2012-11-06 09:08:49] VERBOSE[1096] netsock2.c: == Using SIP RTP CoS mark 5
[2012-11-06 09:08:49] VERBOSE[8554] pbx.c: – Executing [000972592659883@from-sip-external:1] NoOp(“SIP/xxx.xxx.xxx.xxx-00000011”, “Received incoming SIP connection from unknown peer to 000972592659883”) in new stack
[2012-11-06 09:08:49] VERBOSE[8554] pbx.c: – Executing [000972592659883@from-sip-external:2] Set(“SIP/xxx.xxx.xxx.xxx-00000011”, “DID=000972592659883”) in new stack
[2012-11-06 09:08:49] VERBOSE[8554] pbx.c: – Executing [000972592659883@from-sip-external:3] Goto(“SIP/xxx.xxx.xxx.xxx-00000011”, “s,1”) in new stack
[2012-11-06 09:08:49] VERBOSE[8554] pbx.c: – Goto (from-sip-external,s,1)
[2012-11-06 09:08:49] VERBOSE[8554] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/xxx.xxx.xxx.xxx-00000011”, “0?checklang:noanonymous”) in new stack
[2012-11-06 09:08:49] VERBOSE[8554] pbx.c: – Goto (from-sip-external,s,5)
[2012-11-06 09:08:49] VERBOSE[8554] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/xxx.xxx.xxx.xxx-00000011”, “TIMEOUT(absolute)=15”) in new stack
[2012-11-06 09:08:49] VERBOSE[8554] func_timeout.c: Channel will hangup at 2012-11-06 09:09:04.997 MSK.
[2012-11-06 09:08:49] VERBOSE[8554] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/xxx.xxx.xxx.xxx-00000011”, “”) in new stack
[2012-11-06 09:08:50] VERBOSE[8554] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000011’
[2012-11-06 09:08:50] VERBOSE[8554] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/xxx.xxx.xxx.xxx-00000011”, “”) in new stack
[2012-11-06 09:08:50] VERBOSE[8554] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000011’
[2012-11-06 09:08:52] VERBOSE[1096] netsock2.c: == Using SIP RTP TOS bits 184
[2012-11-06 09:08:52] VERBOSE[1096] netsock2.c: == Using SIP RTP CoS mark 5
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: – Executing [900972592659883@from-sip-external:1] NoOp(“SIP/xxx.xxx.xxx.xxx-00000012”, “Received incoming SIP connection from unknown peer to 900972592659883”) in new stack
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: – Executing [900972592659883@from-sip-external:2] Set(“SIP/xxx.xxx.xxx.xxx-00000012”, “DID=900972592659883”) in new stack
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: – Executing [900972592659883@from-sip-external:3] Goto(“SIP/xxx.xxx.xxx.xxx-00000012”, “s,1”) in new stack
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: – Goto (from-sip-external,s,1)
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/xxx.xxx.xxx.xxx-00000012”, “0?checklang:noanonymous”) in new stack
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: – Goto (from-sip-external,s,5)
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/xxx.xxx.xxx.xxx-00000012”, “TIMEOUT(absolute)=15”) in new stack
[2012-11-06 09:08:52] VERBOSE[8555] func_timeout.c: Channel will hangup at 2012-11-06 09:09:07.501 MSK.
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/xxx.xxx.xxx.xxx-00000012”, “”) in new stack
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000012’
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/xxx.xxx.xxx.xxx-00000012”, “”) in new stack
[2012-11-06 09:08:52] VERBOSE[8555] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000012’
[2012-11-06 09:08:54] VERBOSE[1096] netsock2.c: == Using SIP RTP TOS bits 184
[2012-11-06 09:08:54] VERBOSE[1096] netsock2.c: == Using SIP RTP CoS mark 5
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: – Executing [700972592659883@from-sip-external:1] NoOp(“SIP/xxx.xxx.xxx.xxx-00000013”, “Received incoming SIP connection from unknown peer to 700972592659883”) in new stack
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: – Executing [700972592659883@from-sip-external:2] Set(“SIP/xxx.xxx.xxx.xxx-00000013”, “DID=700972592659883”) in new stack
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: – Executing [700972592659883@from-sip-external:3] Goto(“SIP/xxx.xxx.xxx.xxx-00000013”, “s,1”) in new stack
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: – Goto (from-sip-external,s,1)
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/xxx.xxx.xxx.xxx-00000013”, “0?checklang:noanonymous”) in new stack
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: – Goto (from-sip-external,s,5)
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/xxx.xxx.xxx.xxx-00000013”, “TIMEOUT(absolute)=15”) in new stack
[2012-11-06 09:08:54] VERBOSE[8564] func_timeout.c: Channel will hangup at 2012-11-06 09:09:09.558 MSK.
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/xxx.xxx.xxx.xxx-00000013”, “”) in new stack
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000013’
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/xxx.xxx.xxx.xxx-00000013”, “”) in new stack
[2012-11-06 09:08:54] VERBOSE[8564] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000013’
[2012-11-06 09:08:55] NOTICE[1096] chan_sip.c: Peer ‘eet’ is now Reachable. (290ms / 2000ms)
[2012-11-06 09:08:56] VERBOSE[1096] netsock2.c: == Using SIP RTP TOS bits 184
[2012-11-06 09:08:56] VERBOSE[1096] netsock2.c: == Using SIP RTP CoS mark 5
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: – Executing [800972592659883@from-sip-external:1] NoOp(“SIP/xxx.xxx.xxx.xxx-00000014”, “Received incoming SIP connection from unknown peer to 800972592659883”) in new stack
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: – Executing [800972592659883@from-sip-external:2] Set(“SIP/xxx.xxx.xxx.xxx-00000014”, “DID=800972592659883”) in new stack
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: – Executing [800972592659883@from-sip-external:3] Goto(“SIP/xxx.xxx.xxx.xxx-00000014”, “s,1”) in new stack
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: – Goto (from-sip-external,s,1)
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/xxx.xxx.xxx.xxx-00000014”, “0?checklang:noanonymous”) in new stack
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: – Goto (from-sip-external,s,5)
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/xxx.xxx.xxx.xxx-00000014”, “TIMEOUT(absolute)=15”) in new stack
[2012-11-06 09:08:56] VERBOSE[8565] func_timeout.c: Channel will hangup at 2012-11-06 09:09:11.158 MSK.
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/xxx.xxx.xxx.xxx-00000014”, “”) in new stack
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000014’
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/xxx.xxx.xxx.xxx-00000014”, “”) in new stack
[2012-11-06 09:08:56] VERBOSE[8565] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000014’
[2012-11-06 09:08:58] VERBOSE[1096] netsock2.c: == Using SIP RTP TOS bits 184
[2012-11-06 09:08:58] VERBOSE[1096] netsock2.c: == Using SIP RTP CoS mark 5
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: – Executing [9900972592659883@from-sip-external:1] NoOp(“SIP/xxx.xxx.xxx.xxx-00000015”, “Received incoming SIP connection from unknown peer to 9900972592659883”) in new stack
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: – Executing [9900972592659883@from-sip-external:2] Set(“SIP/xxx.xxx.xxx.xxx-00000015”, “DID=9900972592659883”) in new stack
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: – Executing [9900972592659883@from-sip-external:3] Goto(“SIP/xxx.xxx.xxx.xxx-00000015”, “s,1”) in new stack
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: – Goto (from-sip-external,s,1)
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/xxx.xxx.xxx.xxx-00000015”, “0?checklang:noanonymous”) in new stack
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: – Goto (from-sip-external,s,5)
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/xxx.xxx.xxx.xxx-00000015”, “TIMEOUT(absolute)=15”) in new stack
[2012-11-06 09:08:58] VERBOSE[8566] func_timeout.c: Channel will hangup at 2012-11-06 09:09:13.527 MSK.
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/xxx.xxx.xxx.xxx-00000015”, “”) in new stack
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000015’
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/xxx.xxx.xxx.xxx-00000015”, “”) in new stack
[2012-11-06 09:08:58] VERBOSE[8566] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/xxx.xxx.xxx.xxx-00000015’

Could anybody tell me if I have been hacked? And if so:

1. Should I install everything again?
2. What should I do to avoid this happening again?
3. If this comes with the fresh installation, why does nobody do something and patch it in the distro?

Many thanks for any kind of clue,

Sincerely,
Hair Pooling Man
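As an added example (not part of the original post), the following Python sketch picks the unauthenticated call attempts out of an Asterisk log like the one above and flags dialed numbers that share their trailing digits but differ in prefix. The sample lines, the documentation IP address and the eight-digit suffix heuristic are constructed assumptions, not values from the post.

```python
import re
from collections import defaultdict

# Priority 1 of from-sip-external is the NoOp logged for callers that did not
# authenticate as a known peer; the extension in brackets is the number they dialed.
ANON_CALL = re.compile(
    r"^\[(?P<ts>[^\]]+)\].*?\[(?P<did>[^@\]]+)@from-sip-external:1\]\s+NoOp\("
)

def anonymous_calls(lines):
    """Return (timestamp, dialed_number) for each unauthenticated INVITE in the log."""
    calls = []
    for line in lines:
        m = ANON_CALL.search(line)
        if m:
            calls.append((m.group("ts"), m.group("did")))
    return calls

def prefix_probes(calls, suffix_len=8, min_variants=3):
    """Group dialed numbers by their last suffix_len digits (assumed heuristic).

    Several different prefixes in front of one suffix means a scanner is trying
    outbound dial prefixes, not a real caller reaching a DID.
    """
    groups = defaultdict(set)
    for _ts, did in calls:
        if did.isdigit() and len(did) > suffix_len:
            groups[did[-suffix_len:]].add(did)
    return {s: sorted(v) for s, v in groups.items() if len(v) >= min_variants}

def _line(sec, exten, app):
    # Builds one constructed log line in the Asterisk verbose format.
    return (f'[2012-11-06 10:00:{sec:02d}] VERBOSE[9000] pbx.c: -- Executing '
            f'[{exten}] {app}("SIP/203.0.113.5-0000000{sec}", "") in new stack')

# Constructed sample input: four prefix variants of one number, one short
# inbound number, one later dialplan step and one internal call.
SAMPLE_LOG = [
    _line(1, "0015550100@from-sip-external:1", "NoOp"),
    _line(1, "0015550100@from-sip-external:3", "Goto"),
    _line(3, "00015550100@from-sip-external:1", "NoOp"),
    _line(5, "90015550100@from-sip-external:1", "NoOp"),
    _line(7, "70015550100@from-sip-external:1", "NoOp"),
    _line(8, "5551234@from-sip-external:1", "NoOp"),
    _line(9, "101@from-internal:1", "NoOp"),
]

if __name__ == "__main__":
    calls = anonymous_calls(SAMPLE_LOG)
    print(len(calls), "anonymous attempts")
    for suffix, variants in prefix_probes(calls).items():
        print("prefix probing on", suffix, "->", ", ".join(variants))
```

The pattern depends only on the context name and priority, so it also matches log lines whose tail was wrapped onto the next line by a terminal.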

Well, you are already providing the service, so learning at customer expense.

The PBX is just one component of a commercial offering.

Our main corporate sponsor Schmooze communications has a wonderful turn key hosting platform, it’s what I use in my business and I tried everything and made every mistake before I decided on this solution.

You will still need to provide resilient Internet connection and perimeter security.

A SIP proxy/registration server in front of the hosted virtual server also makes DID management easier.

Do you have any better suggestion for telephony system to open it to internet?

Humans learn from mistakes, and so do I. Not every guru was there from the first day.

PS. It is not “th connect to the public”, it is “to connect to the public” :wink:

Patch what? You have your server connected to the Internet; of course it is going to accept calls. They don’t route anywhere.

If you are not providing services to the public, why do you need your phone system on the Internet?

What do you mean by public!!? You mean any random person? The IP PBX is up there for my clients, who pay to get registered and to be able to use the service.

I did not define extension ‘101’ in my system. So I have no clue where the hell that came into my box.

I read somewhere that I should disable Setting-> Asterisk SIP Setting -> Allow SIP Guests in FreePBX GUI but I am not sure if it was enough or not.

Please advice.

It’s “please advise” not “please advice”.

What I think is that FreePBX is not a softswitch platform designed to provide service to customers. It does not have any built-in security and, like every phone system ever made, is not designed to connect to the public Internet.

If you are going to try and use FreePBX as a carrier switch then you need to fully understand SIP and security.

Since you lack even basic knowledge of the system I suggest that you are not qualified to be offering this as a service.

If you are going to make money off the system at least be competent. Don’t your customers deserve that?