FreePBX calls itself at 4:20 am?


#1

Early this morning, FreePBX (latest distro) apparently decided to call itself. The CID was the DID for one of my trunks (an analog line that comes in through a Cisco SPA8080). In looking at the logs, I noticed this line, which puzzles me. Any idea what’s going on?

Set(“PJSIP/9493359290-00000021”, “FROMEXTEN=unknown”)


#2

It’s not uncommon for spammers to spoof the called party’s own number, hoping that they will be curious and answer. However, it does seem strange that they would do it in the wee morning hours.

Do you get CDRs from Onvoy/Intelliquent for the number? If so, you can confirm that the call did not originate within the PBX.

Sorry, I don’t know whether your log entry is significant.

But hey, it’s 4:20 and in Newport Beach, it’s legal :slight_smile:


(Lorne Gaetz) #3

Need a full call trace in order to fully understand what happened. The CallerID alone indicates nothing.
https://wiki.freepbx.org/display/SUP/Providing+Great+Debug#ProvidingGreatDebug-AsteriskLogs-PartII


(Moussa) #4

In the SIP Setting, make sure that “Allow Anonymous Inbound SIP Calls” and “Allow SIP Guests” are set to “No”


#5

moussa584, I don’t allow anonymous inbound, but I do allow SIP guests. I though I had to do this because I have at least one remote extension (IAX2 from my cellphone).


(Moussa) #6

I am not sure about this one. I use PJSIP on my cellphone and I have “Allow SIP Guests” set to “No”


#7

Hmm, SIP != IAX2


#8

Thanks, moussa854. I’ll disallow guests. In 5 years of running a FreePBX, I’ve never had this issue, but it seems I learn something new everyday. :slight_smile:

Good point, dicko. For what it’s worth, I’m having problems with the IAX2 extension and I’ll probably switch it over to pjsip. This is a installation in a VM and I decided to do as much in pjsip as possible; the system it replaced was all chan_sip. The transition has not exactly been smooth, but I’m far from a pro at this.


#9

I don’t get CDRs from Onvoy/Intelliquent (I’m not even sure who that is :slight_smile: ). FreePBX’s own CDR report doesn’t give me any information. However, you’ve given me an idea. This is an Ooma line – I can check their call log. Thanks!


#10

Interesting. Ooma shows the call as originating from a local (to me) Newport Beach number that I don’t recognize. I’m definitely setting Allow SIP Guests to “no.” I may also block that number.


(Itzik) #11

Lock down 5060 and your problem will “Go away”


#12

Don’t use 5060 and your problem will “Go away” more effectively.


#13

I can’t lock down 5060. One of my phones connects to the office PBX of my employer, over which I have no control, and it uses 5060.


#14

That is an outbound connection, we are talking here inbound rules.


#15

Stop forwarding port 5060/5160 from your router, unless you need remote extensions. And if you need remote extensions, don’t forward port 5060/5160. Instead use a VPN.


(Itzik) #16

Or you can allow port forwarding from trusted sources


(Moussa) #17

If you are using OpenSSL 1.0.2 in your FreePBX then it is not a good idea to have the server open to the world. OpenSSL 1.0.2 reached End of Life and will not receive security patches. It is a good idea to have multiple layers of defense so if one fails the other(s) will protect your server.


#18

There are always known and unknown vulnerabilities. Opening a port exposes you to both.


#19

Oy vey. :slight_smile:

I truly appreciate everyone’s input, but . . .

As I indicated, review of the Ooma call log confirmed that this was a valid call, i.e. some idiot called that number at 4:20 am. The mystery which remains is why FreePBX identified it as “unknown extension.” I have two analog phone lines of which this is one. One is Ooma and one is MagicJack. I’m too cheap to port the numbers over to a SIP trunk provider. The analog phone lines are managed by a Cisco SPA8800 which I have been using since I first set up FreePBX some years ago. I’m not a VOIP or IT professional – I’m just a somewhat-advanced hobbyist. Getting SPA8800 to cooperate with FreePBX has been, to say the least, a challenge. Even before I updated to the latest distro and switched over to pjsip (primarily), either it or FreePBX had trouble with the CID on an incoming call. According to FreePBX’s Asterisk log, it is still sending events that result in error messages. However, I can both place and receive calls over both analog lines, so that is good enough now for me.

My server is not exposed to the internet. It is behind a router with a firewall.

I don’t know what OpenSSL is, but I will investigate. Unless it is part of the latest FreePBX distro, it is not installed on my PBX.

I have no choice regarding port forwarding of 5060, because it is required for one of my phones to reach my employer’s PBX, over which I have no control. All of my pjsip and chan_sip devices use either 5061 or 5160. I am considering using a VLAN to isolate the VOIP devices from the rest of the LAN, possibly with a cheap managed switch for my office phone.

For what it’s worth, though both Fail2Ban and FreePBX’s firewall have indicated attempted attacks from time-to-time, my system has not yet been hacked, and, per the logs of my VOIP providers, no unauthorized calls have been made. Once again, for me, that’s good enough. :slight_smile: I would never consider providing professional services – I’m far too ignorant of VOIP and SIP to do that – so a working PBX is all that I really want, and I appear to have that now.


#20

I think you are missing an important point.

.
.
I have no choice regarding port forwarding of 5060, because it is required for one of my phones to reach my employer’s PBX, over which I have no control.
.
.

There is absolutely no port forwarding involved in outgoing connections, the connection is made and the resulting conversations will be ‘associated’ transparently back to your endpoint.

Feel free to manipulate your inbound traffic appropriately , UDP/5060 is the absolutely worst choice ever for VOIP , but you chose that and that is the most likely reason you are getting SIP calls at 4:20 am