Grandstream 2160 ringing all by itself (this seems really weird)

I have a Grandstream 2160 as an external extension on our FreePBX PBX.

This one extension rings sporadically but frequently, but no one is there. When this happens, it appears to be coming from caller IDs of three or four digits - 100, 1001, 1002, numbers like that. We’ll get 50 calls a day like this to this extension, and only to this extension. None of the other extensions ring from these calls.

I’ve assumed the calls were our FreePBX somehow being probed, or some type of phone spam.

But today, my FreePBX machine died in the data center. And the phone still rang from these caller IDs. Yup, phone was plugged in and on the internet, but the FreePBX machine was offline, and it still rang. So it’s not the FreePBX.

I think it’s either the phone, or somehow someone is probing the phone externally. Other phones on the same network (other external extensions at the same location, but not Grandstream phones) don’t ever ring like this.

I’m puzzled, confused and baffled. Don’t even know where to start now. Any thoughts on how these calls are being generated and how to stop them?

The Palestinians/Russians/Chinese really don’t care about Asterisk per se. They generally scan and, on success, attempt to penetrate anything that responds on UDP/TCP ports 5060-5070 (SIP, commonly referenced as VOIP). If your hardware/software is exposed to the internet and listening, then you need to tighten up your firewall and/or the configuration of the device that is answering those connections. My rule #1 is DON’T use 5060 unless you have to (extensions can always be changed, not always your VSP’s), it’s a no-brainer :wink:

On a slightly less paranoid note - I’d start by using a machine that can scan your network and watch for traffic that’s going to the phone. Using TCPDUMP (for example) and watching the traffic to the phone could indicate which evil empire is trying to call you. It could also help you find other less nefarious causes, like the phone is trying to connect to another VOIP connection or that the power to the phone is causing intermittent operations that result in a random ring.

If there’s no traffic to the phone and it rings, the phone is bad. If there is traffic, tcpdump will tell you what to look for.

I use some Grandstream cordless phones, as cynjut mentions above, restore of the power or a reboot of the phones due to config changes makes mine ring, just one or two rings, but it is there. I presume you may have the IP of the phone and system open to the net, if it is web-based, most these days are.

hehe, just because you are not paranoid, it doesn’t mean that they are not out to get you, they are and they are also cleverer than us, as you will eventually see . . .

Solution found here: http://www.dslreports.com/forum/r28035253-Receiving-calls-from-name-number-100-that-don-t-get-logged

The solution is a setting on the phone, “Accept Incoming SIP from Proxy Only”. I set this to yes, so that the phone will only accept calls from my phone server. It seems to be a known problem.

I still don’t understand (and don’t need to :slight_smile: ) how they can probe the phone when it’s behind the firewall with no ports open, but locking it down at the phone level seems to work. Or I hope so, I just set this up now.

I still don’t understand (and don’t need to)

I would have to ask you to cogitate about “what could possibly go wrong with that thinking ??”

lol

I would also rethink that, seems if someone is attempting to access your phones, you would be wanting to know how they are doing it, so you can secure it more.

If you have your firewall only accept SIP traffic from your peers, you will block all unwanted SIP communications.

This would be a more efficient way to control the network, rather than have to configure each phone.

You should all bear in mind that the exposed extension is apparently “off network”. If he has control over that external network, he should probably investigate why dangerous sh*& is allowed through that firewall. It is not anything to do directly with FreePBX or Asterisk; it is his own vulnerable external network. If sipvicious can get in then he should be scared, his Windows clients could also likely fall soon to the North Koreans, they do that cra$ every day . . .

As much as you don’t need to know, I think you should know. This has to do with “local” vs “remote” ports. Yealinks are especially vulnerable to this because their local ports start at 5060, while other manufacturers’ local ports are random. What happens in the case of Yealinks (and Grandstreams) is that they “poke” a hole in your firewall so that the remote server (Asterisk, FreeSWITCH, etc.) can “hit” that port. When they use 5060 they are using the commonly known port that all SIP uses, so it’s easy for a sipvicious attack to just ring your phone all the time. I’ve had this happen several times. The best thing to do is just go into the phone’s interface and change the “local” port. Everyone should do that anyways.

3 Likes

I had the same issue but only with Netgear routers. I switched it to a Linksys and they stopped.

What router are you using?

As mentioned above, it’s not a hack in your box; it’s a hack on your local network and phone.

Switch to a $30 Linksys and it will stop.

Unfortunately, some routers have very poor security practices. I’ve seen Belkin routers, for example, that will open Port 5060 to ALL incoming traffic when a phone simply reaches out to register with a single VOIP provider. If you have such a router, you essentially don’t have a firewall for your phone.

I’d try another router.

1 Like
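
Added example, not written by any poster in this thread: a Python sketch of the check suggested above with tcpdump, applying the same test as the phone's “Accept Incoming SIP from Proxy Only” setting to captured traffic. The proxy address, the phone address and the capture entries are constructed assumptions using documentation IP ranges.

```python
import ipaddress
import re
from collections import Counter

# Assumption: address of the PBX the phone registers to (documentation range).
TRUSTED_PROXIES = [ipaddress.ip_network("203.0.113.10/32")]

# Constructed sample: (source IP, SIP request) pairs as they might be read
# out of a tcpdump capture of UDP traffic reaching the phone's local SIP port.
CAPTURE = [
    ("203.0.113.10", "INVITE sip:201@192.168.1.50:5060 SIP/2.0\r\n"
     'From: "Front Desk" <sip:200@pbx.example.test>;tag=a1\r\n\r\n'),
    ("198.51.100.7", "INVITE sip:100@192.168.1.50 SIP/2.0\r\n"
     'From: "100" <sip:100@192.0.2.1>;tag=b2\r\n\r\n'),
    ("198.51.100.7", "INVITE sip:1001@192.168.1.50 SIP/2.0\r\n"
     'From: "1001" <sip:1001@192.0.2.1>;tag=b3\r\n\r\n'),
    ("192.0.2.44", "OPTIONS sip:100@192.168.1.50 SIP/2.0\r\n"
     'From: "probe" <sip:100@192.0.2.44>;tag=c4\r\n\r\n'),
]

def parse_request(raw):
    """Return (method, lower-cased header dict) for a SIP request, else None."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    first = re.match(r"^([A-Z]+) \S+ SIP/2\.0$", lines[0])
    if not first:
        return None  # a response or non-SIP datagram
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return first.group(1), headers

def is_trusted(src_ip):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def ghost_calls(capture):
    """INVITEs that would ring the phone but did not come from the proxy."""
    hits = []
    for src, raw in capture:
        parsed = parse_request(raw)
        if parsed and parsed[0] == "INVITE" and not is_trusted(src):
            user = re.search(r"<sips?:([^@>;]+)@", parsed[1].get("from", ""))
            hits.append((src, user.group(1) if user else None))
    return hits

if __name__ == "__main__":
    for src, n in Counter(s for s, _ in ghost_calls(CAPTURE)).items():
        print(f"{src}: {n} INVITE(s) not from the proxy")
```

Any source address this reports is reaching the phone directly through the router, so it is a candidate for a firewall rule that admits SIP only from the PBX.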