Ghost calls and phone changing IP

I had some issues connecting phones to my FreePBX system through a firewall. That was eventually resolved. Since then 2 new issues have popped up:

  1. Ghost calls. The phone in my house works fine, I can make and receive calls. But the phone has started to ring, typically in the evening, and the only thing that is on the display is the number 2000. When I pick up, there is silence on the line, and the phone disconnects after a few seconds. I have looked through the postings here, and it seems that these are port scanning events that trigger the phone to ring. The discussions about how to stop this are quite technical, and involve port settings and other IT stuff. Is there a clear description somewhere of what needs to be done to stop this? It is possible that I may have opened ports that are not required, but I am not entirely sure which ports need to be open. For example, I have read that 5060 UDP must be open, but other sites also mention 5061. So, what are the ports that need to be open at a minimum?

  2. This is a problem that one of my coworkers has. I had set up a phone at my home to connect to the phone system, and then tested it from the office (just to make sure), and both connections worked. She then took the phone home and connected it, and it seemed to work. But then she reported that the phone had switched to “No Service” and she said that when she looked on the phone, the IP address was different (changed from 192.168.x.y to 192.168.a.b. Her home net is 192.168.x). I have no idea how this is even possible. Why would the phone switch to a different subnet? To make this even more confusing, the phone seems to switch back and forth between the 2 IPs, sometimes working, at other times not. What could be the reason for this? The phone is connected directly to the modem, which is also the DHCP server.

It is quite likely that (1) is nothing to do with FreePBX, and is the result of hackers searching for open PBXes to allow them to make money from premium rate numbers they own, or less likely, simply to make free toll calls, and accessing your home system directly from the internet. In that case, they won’t appear in FreePBX logs.

More generally, I think it is going to be very difficult to debug your system without your being able to answer some difficult IT questions. In particular you seem to have two NAT traversals, or a VPN that you didn’t mention.

Best practice would be to not use either 5060 or 5061, but some arbitrary port that is not well known to hackers, but that has to be done at a system level, not just at the remote sites.

. . .That was eventually resolved . . .

is almost certainly the cause of your problem. Please explain exactly how “That was eventually resolved”.

As otherwise stated, using unfiltered UDP/5060 for VoIP is a guaranteed recipe for burgeoning disaster, be that on your home router or indeed on your PBX itself.

Thanks for the quick responses. Yes, there are 2 NATs to traverse: the one at my home (a fiber connection through CenturyLink and dynamic WAN IP address, which can change), and the one in the office (similar setup, but with a static IP address). Configuring both firewalls for the phones was what caused some issues, as well as the SIP ALG settings. But that was resolved and the phone now works reliably, except for the issues I mentioned. There is no VPN connection from my firewall to the office firewall (we had that in a previous incarnation, but that was abandoned for several reasons).

“unfiltered UDP/5060”: Where can I find more information about that? Is that to say that the firewall only accepts UDP/5060 traffic from specific IP addresses? Is that a setting in the firewall, or a setting in the Asterisk SIP settings? And how would that work with a dynamic IP address on my home network (the WAN IP)?

No, the other way around: only accept connections from your changed SIP port, which will not be 5060, because that is where your ‘ghost calls’ originate.

Just don’t involve UDP/5060 in any of your infrastructure unless you need to pinhole your retrograde provider (do that at your point of their ingress, down line, it will not be a problem with your endpoints). It is intrinsically insecure and just a bad idea.
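
An added example, not part of any post in this thread: a small Python check that picks out ghost-call candidates from SIP datagrams captured in front of the phone, that is, INVITEs that did not come from the PBX and so never show up in the FreePBX logs. The PBX address, the function names and the sample messages are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: only the PBX may call the phone; 203.0.113.10 is a placeholder.
PBX_ADDRS = {ipaddress.ip_address("203.0.113.10")}

# Constructed (source IP, SIP datagram) pairs, as seen arriving at the phone.
SAMPLES = [
    ("203.0.113.10",
     "INVITE sip:101@192.168.1.20:5060 SIP/2.0\r\n"
     "From: \"Office\" <sip:102@pbx.example.test>;tag=a1\r\n\r\n"),
    ("198.51.100.77",
     "INVITE sip:2000@192.0.2.5 SIP/2.0\r\n"
     "f: <sip:2000@192.0.2.5>;tag=zz\r\n\r\n"),
    ("198.51.100.77",
     "OPTIONS sip:100@192.0.2.5 SIP/2.0\r\n"
     "From: <sip:100@192.0.2.5>;tag=yy\r\n\r\n"),
]

SIP_USER = re.compile(r"sips?:([^@;>\s]+)@", re.IGNORECASE)


def parse_request(raw):
    """Return (method, from_user) for a SIP request, or None if it is not one."""
    lines = raw.partition("\r\n\r\n")[0].split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] != "SIP/2.0":
        return None  # a response such as "SIP/2.0 200 OK", or not SIP at all
    from_user = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in ("from", "f"):  # "f" is the compact form
            match = SIP_USER.search(value)
            from_user = match.group(1) if match else None
    return parts[0].upper(), from_user


def find_ghost_calls(samples, pbx_addrs=PBX_ADDRS):
    """List (source IP, caller ID) for INVITEs that did not come from the PBX."""
    hits = []
    for src, raw in samples:
        req = parse_request(raw)
        if req and req[0] == "INVITE" and ipaddress.ip_address(src) not in pbx_addrs:
            hits.append((src, req[1]))
    return hits


if __name__ == "__main__":
    print(find_ghost_calls(SAMPLES))
```

Any hit means the phone's SIP port is reachable from hosts other than the PBX, which is the exposure the replies above describe.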
