Cause that is where all SIP service providers in the world want to send their traffic to.
There is just some confusion going on.
No port on the firewall where the phone is is open.
It’s just a standard consumer level device, that is apparently doing something it shouldn’t do, which is what a user in the thread you linked to describes as:
“When the phone communicates to the outside the cheap firewall is opening 5060 to the outside and allowing any traffic back in rather than limiting the traffic to only from the single destination.”
Indeed, that is the problem. Some allow using another port; if they won’t/can’t you can redirect. The whole world including all the bad actors know that, so UDP/5060 is absolutely poisonous to you as a recipient of all that shit. This is absolutely unnecessary; if you can’t accept that then wait until you are penetrated, and then feel the pain...
And no, this is not theory, a long time ago I got bit for +1K. If you want the sordid details I can provide, but you guys can protect yourself if you want to.
I know…
Exactly but yours does so through a VPN so it should not open port 5060…
This is why I said there’s something that doesn’t fully add up…
The problem I referred you to in the other thread makes perfect sense for someone whose phone doesn’t go through a VPN to talk to the PBX but instead directly talks to your PBX port 5060 using the Internet…
It’s as if your phone also goes through the Internet and opens port 5060 (UDP most likely) that way…
Is there a possibility there might be something in that phone configuration that might make it try to talk through anything but the VPN?
Good luck and have a nice day!
Nick
Oh yeah, you’re right, that’s another mystery.
VPN is using port 1194.
Hi!
I mostly saw TCP/23 tonight (telnet…)…
Talking of ports, someone seems interested in port 5038 TCP tonight on quite a few of my IPs (I have a /29)…
That’s AMI, right?
Funny thing is I saw no 5060 (UDP or TCP) tonight when I was checking but someone seems to be trying to hack Asterisk PBXes…
Have a nice day!
Nick
Sure, would like to know.
Yes, they are clever, they see you have a FPBX machine and expect your 5038 to be open to attack. Don’t allow that.
Hi dicko!
I agree that sometimes it might be that but this time I believe it was a simple port scan to check if that port was open over a very big range of IPs…
They went through all of my subnet’s IPs, even ones which have not been assigned to any server or IPs which have been assigned to mail servers and other similar things.
After a little while they eventually port scanned the (separate) IP through which this subnet is routed as well…
(That IP is in a range after my subnet which would explain why it was scanned after if this is done sequentially…)
Looks like they are specifically scanning for AMI through and over big IP ranges…
Have a nice day!
Nick
Hi @Marbled
Look at psad as a tool to detect/analyse port-scans and ultimately write firewall rules to prevent them.
You can also set the phone to not accept unauthenticated SIP messages depending on the model.
How does the OP know the traffic isn’t originating on the other side of the VPN?
If you have no ports open on your router, I’d guess the traffic is originating from the other side of the VPN, or on your local network.
I don’t know that, but what I am seeing indicates the problem is on the remote network.
I have plenty of remote and local phones, but the ghost call issue only appeared on a single remote phone.
Done.
A silly question, have you replaced the Phone with anything else to test?
No not yet. The user returned the phone thinking it was broken.
Give it a try. If it’s a Chinese brand then everything is possible.
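
The scan described earlier in the thread (one source probing TCP/5038 on every address of a /29 and then the next IP) is the pattern psad was suggested for. As an added example, not part of the original thread and not psad's own code, here is a minimal detector over iptables-style LOG lines; the log prefix, the addresses (documentation ranges) and the `min_targets` threshold are assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Fields as they appear in iptables LOG output: SRC=, DST=, PROTO=, DPT=.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)")

def find_horizontal_scans(lines, min_targets=5):
    """Map (src, proto, dport) -> sorted destinations for every source that
    probed the same port on at least min_targets distinct addresses."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a firewall line, or no port field (e.g. ICMP)
        try:
            ipaddress.ip_address(m["src"])
            dst = ipaddress.ip_address(m["dst"])
        except ValueError:
            continue  # malformed address field
        seen[(m["src"], m["proto"], int(m["dpt"]))].add(dst)
    # Sort numerically; the version in the key keeps IPv4 and IPv6 comparable.
    return {key: [str(d) for d in sorted(dsts, key=lambda a: (a.version, int(a)))]
            for key, dsts in seen.items() if len(dsts) >= min_targets}

def _line(src, dst, proto, dpt):
    # Builds one constructed log line; "FW-DROP" is a hypothetical log prefix.
    return (f"Jan 10 02:14:01 gw kernel: FW-DROP IN=eth0 OUT= SRC={src} DST={dst} "
            f"LEN=44 TTL=51 PROTO={proto} SPT=40112 DPT={dpt}")

# Constructed sample: one source walks 203.0.113.8/29 and then the next address
# on TCP/5038 (AMI); the remaining lines are unrelated single-target noise.
SAMPLE = [_line("198.51.100.77", f"203.0.113.{h}", "TCP", 5038) for h in range(8, 17)]
SAMPLE += [_line("192.0.2.10", "203.0.113.9", "TCP", 23),
           _line("192.0.2.10", "203.0.113.9", "TCP", 23),
           _line("192.0.2.44", "203.0.113.10", "UDP", 5060),
           "Jan 10 02:14:05 gw sshd[411]: unrelated syslog line"]

if __name__ == "__main__":
    for (src, proto, dpt), dsts in find_horizontal_scans(SAMPLE).items():
        print(f"{src} probed {proto}/{dpt} on {len(dsts)} addresses: "
              f"{dsts[0]} .. {dsts[-1]}")
```

Counting distinct destinations per source and port, rather than raw packets, is what separates this sweep from the repeated telnet hits on a single address in the same sample.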