Help working out how I am seeing incoming activity with no firewall rules set to forward?

Hi All,
I am seeing incoming call attempts but need to understand how they are getting to freepbx.
its behind a router on a private lan with no ports configured to forward to the pbxVM address,
Version FreePBX 13.0.1alpha55 (tried alpha to see if that helped :slight_smile:
OS Digium 2.6.32-504.8.1

Thanks

Section from the Log file

Asterisk Log Files
[2015-06-03 18:54:18] VERBOSE[9000][C-00001682] func_timeout.c: – Channel will hangup at 2015-06-03 18:54:33.389 BST.
[2015-06-03 18:54:18] VERBOSE[9000][C-00001682] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/19.155.7.18-000015f1”, "WARNING,“Rejecting unknown SIP connection from 5.189.149.155"”) in new stack
[2015-06-03 18:54:18] WARNING[9000][C-00001682] Ext. s: “Rejecting unknown SIP connection from 5.189.149.155”
[2015-06-03 18:54:18] VERBOSE[9000][C-00001682] pbx.c: – Executing [s@from-sip-external:7] Answer(“SIP/19.155.7.18-000015f1”, “”) in new stack
[2015-06-03 18:54:18] VERBOSE[9000][C-00001682] pbx.c: – Executing [s@from-sip-external:8] Wait(“SIP/19.155.7.18-000015f1”, “2”) in new stack
[2015-06-03 18:54:20] VERBOSE[9000][C-00001682] pbx.c: – Executing [s@from-sip-external:9] Playback(“SIP/19.155.7.18-000015f1”, “ss-noservice”) in new stack
[2015-06-03 18:54:20] VERBOSE[9000][C-00001682] file.c: – <SIP/19.155.7.18-000015f1> Playing ‘ss-noservice.ulaw’ (language ‘en’)
[2015-06-03 18:54:26] VERBOSE[9000][C-00001682] pbx.c: – Executing [s@from-sip-external:10] PlayTones(“SIP/19.155.7.18-000015f1”, “congestion”) in new stack
[2015-06-03 18:54:26] VERBOSE[9000][C-00001682] pbx.c: – Executing [s@from-sip-external:11] Congestion(“SIP/19.155.7.18-000015f1”, “5”) in new stack
[2015-06-03 18:54:31] VERBOSE[9000][C-00001682] pbx.c: == Spawn extension (from-sip-external, s, 11) exited non-zero on ‘SIP/19.155.7.18-000015f1’
[2015-06-03 18:54:31] VERBOSE[9000][C-00001682] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/19.155.7.18-000015f1”, “”) in new stack
[2015-06-03 18:54:31] VERBOSE[9000][C-00001682] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/19.155.7.18-000015f1’
[2015-06-03 18:54:50] WARNING[1915] chan_sip.c: Retransmission timeout reached on transmission 1c00e4f0d10cb9ebf9462e6aba7673ba for seqno 1 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2015-06-03 18:55:43] NOTICE[1915] chan_sip.c: Registration from ‘“11” sip:[email protected]:5060’ failed for ‘162.248.79.163:5063’ - Wrong password
[2015-06-03 18:55:44] NOTICE[1915] chan_sip.c: Registration from ‘“11” sip:[email protected]:5060’ failed for ‘162.248.79.163:5063’ - Wrong password
[2015-06-03 18:55:44] NOTICE[1915] chan_sip.c: Registration from ‘“11” sip:[email protected]:5060’ failed for ‘162.248.79.163:5063’ - Wrong password
[2015-06-03 18:55:44] NOTICE[1915] chan_sip.c: Registration from ‘“11” sip:[email protected]:5060’ failed for ‘162.248.79.163:5063’ - Wrong password
[2015-06-03 18:55:44] NOTICE[1915] chan_sip.c: Registration from ‘“11” sip:[email protected]:5060’ failed for ‘162.248.79.163:5063’ - Wrong password
[2015-06-03 18:58:22] VERBOSE[1915][C-00001683] netsock2.c: == Using SIP RTP TOS bits 184
[2015-06-03 18:58:22] VERBOSE[1915][C-00001683] netsock2.c: == Using SIP RTP CoS mark 5
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] pbx.c: – Executing [9900972592439303@from-sip-external:1] NoOp(“SIP/19.155.7.18-000015f2”, “Received incoming SIP connection from unknown peer to 9900972592439303”) in new stack
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] pbx.c: – Executing [9900972592439303@from-sip-external:2] Set(“SIP/19.155.7.18-000015f2”, “DID=9900972592439303”) in new stack
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] pbx.c: – Executing [9900972592439303@from-sip-external:3] Goto(“SIP/19.155.7.18-000015f2”, “s,1”) in new stack
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] pbx.c: – Goto (from-sip-external,s,1)
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/19.155.7.18-000015f2”, “0?checklang:noanonymous”) in new stack
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] pbx.c: – Goto (from-sip-external,s,5)
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/19.155.7.18-000015f2”, “TIMEOUT(absolute)=15”) in new stack
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] func_timeout.c: – Channel will hangup at 2015-06-03 18:58:37.048 BST.
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/19.155.7.18-000015f2”, "WARNING,“Rejecting unknown SIP connection from 5.189.149.155"”) in new stack
[2015-06-03 18:58:22] WARNING[9107][C-00001683] Ext. s: “Rejecting unknown SIP connection from 5.189.149.155”
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] pbx.c: – Executing [s@from-sip-external:7] Answer(“SIP/19.155.7.18-000015f2”, “”) in new stack
[2015-06-03 18:58:22] VERBOSE[9107][C-00001683] pbx.c: – Executing [s@from-sip-external:8] Wait(“SIP/19.155.7.18-000015f2”, “2”) in new stack
[2015-06-03 18:58:24] VERBOSE[9107][C-00001683] pbx.c: – Executing [s@from-sip-external:9] Playback(“SIP/19.155.7.18-000015f2”, “ss-noservice”) in new stack
[2015-06-03 18:58:24] VERBOSE[9107][C-00001683] file.c: – <SIP/19.155.7.18-000015f2> Playing ‘ss-noservice.ulaw’ (language ‘en’)
[2015-06-03 18:58:29] VERBOSE[9107][C-00001683] pbx.c: – Executing [s@from-sip-external:10] PlayTones(“SIP/19.155.7.18-000015f2”, “congestion”) in new stack
[2015-06-03 18:58:29] VERBOSE[9107][C-00001683] pbx.c: – Executing [s@from-sip-external:11] Congestion(“SIP/19.155.7.18-000015f2”, “5”) in new stack
[2015-06-03 18:58:34] VERBOSE[9107][C-00001683] pbx.c: == Spawn extension (from-sip-external, s, 11) exited non-zero on ‘SIP/19.155.7.18-000015f2’
[2015-06-03 18:58:34] VERBOSE[9107][C-00001683] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/19.155.7.18-000015f2”, “”) in new stack
[2015-06-03 18:58:34] VERBOSE[9107][C-00001683] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/19.155.7.18-000015f2’
[2015-06-03 18:58:54] WARNING[1915] chan_sip.c: Retransmission timeout reached on transmission 608390b07cad08d8a8d3a75b1056190b for seqno 1 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
[2015-06-03 19:02:21] VERBOSE[1915][C-00001684] netsock2.c: == Using SIP RTP TOS bits 184
[2015-06-03 19:02:21] VERBOSE[1915][C-00001684] netsock2.c: == Using SIP RTP CoS mark 5
[2015-06-03 19:02:21] VERBOSE[9211][C-00001684] pbx.c: – Executing [00972592439303@from-sip-external:1] NoOp(“SIP/19.155.7.18-000015f3”, “Received incoming SIP connection from unknown peer to 00972592439303”) in new stack

On Asterisk SIP settings you have “allow anonymous inbound calls” (or something like that) checked. Uncheck it.

Also make sure you’re running fail2ban - you’re getting nailed with fraudulent registration attempts.

Thanks for the info, I will disable it. had to rebuild after I trashed it, I plan to use wireshark etc to try work out how its being hit.

You’re being hit from cloud servers from France, Russia, and the USA as well as rogue servers from the middle east, most likely. That’s the majority of the fraud traffic we get.