CDR showing malicious call attempts

avayax · January 19, 2015, 11:04pm

I have these entries in my call detail records. I know that these are of malicious nature, but what exactly are these and what do hackers want to accomplish with these attempts? I don’t see that there was a number dialed.

I am surprised that this can happen, as my Asterisk is behind a firewall and SIP/RTP ports are only open to a few IP addresses and hostnames. Fail2ban kicked in and blocked the bad IP, but I am still confused why this IP could even get through the firewall to the server with my firewall rules in place.
Also don’t know why there were 9 of these attempts before fail2ban blocked the IP.

2015-01-19 04:21:46,764 fail2ban.actions: WARNING [asterisk-iptables] Ban 62.210.217.80

Allow SIP Guests was set to “Yes”, and is now set to “No”. Anonymous Inbound SIP Calls was also set to “No”.

deanot26508 · January 20, 2015, 8:48pm

Seems to me that you are allowing them in, you need to tighten up your security more.

Asterisk sip settings under the settings Tab… turn off “Allow Anonymous Inbound SIP Calls”.
Same page, under the chan_sip settings, scroll down and find “Allow SIP Guests” and turn it to no.

That should take care of some of it if not most. Make sure your Intrusion Detection is running under system admin.

If you have ports 5060 - 5061 open on your router and you do not have external devices, close these ports. See if that helps you.

I have had no issues in years having these settings like this, it would seem you already found a couple of them and fixed them.