Ghost calls from 1000@public_IP_address to my remote phone

Cause that is where all SIP service providers in the world want to send their traffic to.

There is just some confusion going on.

No port on the firewall where the phone is is open.
It’s just a standard consumer level device, that is apparently doing something it shouldn’t do, which is what a user in the thread you linked to describes as:

“When the phone communicates to the outside the cheap firewall is opening 5060 to the outside and allowing any traffic back in rather than limiting the traffic to only from the single destination.”

Indeed, that is the problem. Some allow using another port; if they won’t/can’t, you can redirect. The whole world, including all the bad actors, knows that, so UDP/5060 is absolutely poisonous to you as a recipient of all that shit. This is absolutely unnecessary. If you can’t accept that, then wait until you are penetrated, and then feel the pain...

And no, this is not theory. A long time ago I got bit for +1K. If you want the sordid details I can provide them, but you guys can protect yourselves if you want to.

I know…

Exactly but yours does so through a VPN so it should not open port 5060…

This is why I said there’s something that doesn’t fully add up…

The problem I referred you to in the other thread makes perfect sense for someone whose phone doesn’t go through a VPN to talk to the PBX but instead directly talks to your PBX port 5060 using the Internet…

It’s as if your phone also goes through the Internet and opens port 5060 (UDP most likely) that way…

Is there a possibility there might be something in that phone configuration that might make it try to talk through anything but the VPN?

Good luck and have a nice day!

Nick

Oh yeah, you’re right, that’s another mystery.
VPN is using port 1194.

Hi!

I mostly saw TCP/23 tonight (telnet…)…

Talking of ports, someone seems interested in port 5038 TCP tonight on quite a few of my IPs (I have a /29)…

That’s AMI, right?

Funny thing is I saw no 5060 (UDP or TCP) tonight when I was checking but someone seems to be trying to hack Asterisk PBXes…

Have a nice day!

Nick

Sure, would like to know.

Yes, they are clever, they see you have a FPBX machine and expect your 5038 to be open to attack. Don’t allow that.

Hi dicko!

I agree that sometimes it might be that but this time I believe it was a simple port scan to check if that port was open over a very big range of IPs…

They went through all of my subnet’s IPs, even ones which have not been assigned to any server or IPs which have been assigned to mail servers and other similar things.

After a little while they eventually port scanned the (separate) IP through which this subnet is routed as well…

(That IP is in a range after my subnet which would explain why it was scanned after if this is done sequentially…)

Looks like they are specifically scanning for AMI through and over big IP ranges…

Have a nice day!

Nick

Hi @Marbled

Look at psad as a tool to detect/analyse port-scans and ultimately write firewall rules to prevent them

You can also set the phone to not accept unauthenticated SIP messages, depending on the model.

How does the OP know the traffic isn’t originating on the other side of the VPN?

If you have no ports open on your router, I’d guess the traffic is originating from the other side of the VPN, or on your local network.

I don’t know that, but what I am seeing indicates the problem is on the remote network.
I have plenty of remote and local phones, but the ghost call issue only appeared on a single remote phone.

Done.

A silly question, have you replaced the Phone with anything else to test?

No not yet. The user returned the phone thinking it was broken.

Give it a try. If it’s a Chinese brand then everything is possible :wink:
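
Added example, not part of any post in this thread: a toy Python model of the NAT behaviour quoted above, where the router lets any host send to the port the phone opened instead of only the host the phone contacted, plus the effect of moving the phone off port 5060. All addresses, names and the port-preserving NAT are assumptions made for illustration.

```python
# Added illustration (not from the thread): toy model of how a consumer NAT
# filters inbound UDP for a mapping the phone created. Addresses are constructed.
from dataclasses import dataclass, field

PBX = ("203.0.113.10", 5060)       # constructed: server the phone registers to
SCANNER = ("198.51.100.77", 5060)  # constructed: unrelated host sending INVITEs
PHONE_IP = "192.168.1.50"          # constructed LAN address of the phone


@dataclass
class Nat:
    restrict_to_peer: bool          # False = the "cheap firewall" behaviour
    mappings: dict = field(default_factory=dict)  # ext port -> (host, port, peers)

    def outbound(self, src, dst):
        """Phone sends a packet: open/refresh the mapping (port-preserving NAT assumed)."""
        host, port = src
        self.mappings.setdefault(port, (host, port, set()))[2].add(dst[0])

    def inbound(self, remote, ext_port):
        """Return the internal (host, port) the packet is forwarded to, or None if dropped."""
        entry = self.mappings.get(ext_port)
        if entry is None:
            return None             # nothing ever opened this port
        host, port, peers = entry
        if self.restrict_to_peer and remote[0] not in peers:
            return None             # reply traffic only from hosts the phone contacted
        return (host, port)


def ghost_call_reaches_phone(restrict_to_peer, phone_sip_port=5060):
    """True if an INVITE sent by SCANNER to public port 5060 is forwarded to the phone."""
    nat = Nat(restrict_to_peer)
    phone = (PHONE_IP, phone_sip_port)
    nat.outbound(phone, PBX)        # REGISTER to the PBX creates the mapping
    if nat.inbound(PBX, phone_sip_port) != phone:
        raise RuntimeError("legitimate PBX traffic must always get back in")
    return nat.inbound(SCANNER, 5060) is not None


if __name__ == "__main__":
    print("unrestricted NAT, port 5060:", ghost_call_reaches_phone(False))
    print("peer-restricted NAT, port 5060:", ghost_call_reaches_phone(True))
    print("unrestricted NAT, port 5071:", ghost_call_reaches_phone(False, 5071))
```

Moving the phone to another port only avoids traffic aimed at the default 5060; restricting inbound packets to the peer the phone actually contacted is what closes the mapping to everyone else.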