How is server being accessed?

tfcarlin · November 15, 2014, 3:50am

I have a fairly generic FreePBX Distro (fully updated) installed behind a Netgear router. Allow Anonymous SIP is disabled. To the best of my knowledge no SIP ports are open in my router. How is it that someone is able to access my FreePBX server?

Thanks for the help.

Tim

CDR Report
2014-11-14 20:01:45 CHAN_START 101 101 DEFAULT 011972592207587 from-sip-external SIP/x.x.x.x-00000037
2014-11-14 20:01:45 ANSWER 101 101 101 011972592207587 DEFAULT s from-sip-external Answer SIP/x.x.x.x-00000037
2014-11-14 20:01:46 HANGUP 101 101 101 011972592207587 DEFAULT h from-sip-external SIP/x.x.x.x-00000037
2014-11-14 20:01:46 CHAN_END 101 101 101 011972592207587 DEFAULT h from-sip-external SIP/x.x.x.x-00000037
2014-11-14 20:01:46 LINKEDID_END 101 101 101 011972592207587 DEFAULT h from-sip-external SIP/x.x.x.x-00000037

From /var/log/asterisk/full

[2014-11-14 15:09:44] VERBOSE[1704][C-00000052] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-000000e4”, "WARNING,“Rejecting unknown SIP connection from 212.129.10.161"”) in new stack
[2014-11-14 15:09:44] WARNING[1704][C-00000052] Ext. s: “Rejecting unknown SIP connection from 212.129.10.161”
[2014-11-14 15:49:03] VERBOSE[2576][C-00000005] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-0000001a”, "WARNING,“Rejecting unknown SIP connection from 212.83.132.88"”) in new stack
[2014-11-14 15:49:03] WARNING[2576][C-00000005] Ext. s: “Rejecting unknown SIP connection from 212.83.132.88”
[2014-11-14 15:51:29] VERBOSE[2636][C-00000006] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-0000001b”, "WARNING,“Rejecting unknown SIP connection from 212.83.132.88"”) in new stack
[2014-11-14 15:51:29] WARNING[2636][C-00000006] Ext. s: “Rejecting unknown SIP connection from 212.83.132.88”
[2014-11-14 15:51:32] VERBOSE[2637][C-00000007] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-0000001c”, "WARNING,“Rejecting unknown SIP connection from 212.83.132.88"”) in new stack
[2014-11-14 15:51:32] WARNING[2637][C-00000007] Ext. s: “Rejecting unknown SIP connection from 212.83.132.88”
[2014-11-14 15:53:46] VERBOSE[2686][C-00000008] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-0000001d”, "WARNING,“Rejecting unknown SIP connection from 212.83.132.88"”) in new stack
[2014-11-14 15:53:46] WARNING[2686][C-00000008] Ext. s: “Rejecting unknown SIP connection from 212.83.132.88”
[2014-11-14 18:10:24] VERBOSE[6579][C-0000000b] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-00000032”, "WARNING,“Rejecting unknown SIP connection from 107.150.44.218"”) in new stack
[2014-11-14 18:10:24] WARNING[6579][C-0000000b] Ext. s: “Rejecting unknown SIP connection from 107.150.44.218”
[2014-11-14 18:10:29] VERBOSE[6580][C-0000000c] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-00000033”, "WARNING,“Rejecting unknown SIP connection from 107.150.44.218"”) in new stack
[2014-11-14 18:10:29] WARNING[6580][C-0000000c] Ext. s: “Rejecting unknown SIP connection from 107.150.44.218”
[2014-11-14 18:10:30] VERBOSE[6581][C-0000000d] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-00000034”, "WARNING,“Rejecting unknown SIP connection from 107.150.44.218"”) in new stack
[2014-11-14 18:10:30] WARNING[6581][C-0000000d] Ext. s: “Rejecting unknown SIP connection from 107.150.44.218”
[2014-11-14 20:00:19] VERBOSE[9531][C-0000000e] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-00000035”, "WARNING,“Rejecting unknown SIP connection from 107.182.20.226"”) in new stack
[2014-11-14 20:00:19] WARNING[9531][C-0000000e] Ext. s: “Rejecting unknown SIP connection from 107.182.20.226”
[2014-11-14 20:00:45] VERBOSE[9532][C-0000000f] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-00000036”, "WARNING,“Rejecting unknown SIP connection from 107.182.20.226"”) in new stack
[2014-11-14 20:00:45] WARNING[9532][C-0000000f] Ext. s: “Rejecting unknown SIP connection from 107.182.20.226”
[2014-11-14 20:01:45] VERBOSE[9568][C-00000010] pbx.c: – Executing [s@from-sip-external:6] Log(“SIP/x.x.x.x-00000037”, "WARNING,“Rejecting unknown SIP connection from 107.182.20.226"”) in new stack
[2014-11-14 20:01:45] WARNING[9568][C-00000010] Ext. s: “Rejecting unknown SIP connection from 107.182.20.226”

dicko · November 15, 2014, 4:25am

Do you also reject "guest"calls? (allowguest=no)

tfcarlin · November 15, 2014, 4:40am

Thanks, I just added that to sip_general_custom.conf

I’ll follow up tomorrow to see if that helps.

tm1000 · November 15, 2014, 4:52am

That’s a setting in sip settings. You shouldn’t be setting it manually in the custom file

tfcarlin · November 15, 2014, 10:01pm

Andrew, I’m running FreePBX 12.0.9 on Distro 6.12.65-20. I don’t see an option for allowguest in http://x.x.x.x/admin/config.php?display=sipsettings.

Dicko, I don’t see new entries in …/full or in the CDR report, THANKS!

Tim

dicko · November 15, 2014, 10:11pm

It’s actually there under a different name, but don’t worry it will work just fine in

sip_general_custom.conf

or from the GUI, as everything will be set by Asteriskj to the last readline following the file inclusion tree, and sip_general_custom.conf is read after the GUI set one in sip_general_additional.conf
.

tfcarlin · November 15, 2014, 10:26pm

Ah, now I found it. I neglected to notice the chan sip (A) on the upper right hand of the screen. Nice to know as I was also setting bind port back to 5060 in the custom file as well.

dan_ce · July 17, 2019, 3:45pm

Hi, I have the same question - a FreePBX server sat behind a NAT firewall with no open ports - how is it that I am getting “pings” hitting the server from an IP in the Netherlands? Even just from a networking point of view I don’t understand this.
Thanks!

dicko · July 17, 2019, 3:49pm

Where are you seeing these so called ‘pings’ ?

dan_ce · July 17, 2019, 4:36pm

I’m seeing them in the logs, or, I was, until I turned off allow sip guests

e.g. Ext. s: “Rejecting unknown SIP connection from 212.xxx.10.xx”

I just don’t understand how they’re able to pass through the firewall and the NAT to even attempt a connection

dicko · July 17, 2019, 4:40pm

That would depend on the efficacy of your firewall, NAT is kindofa a red herring.

dan_ce · July 17, 2019, 4:42pm

Golly. My understanding of Modem/router NAT firewalls just got turned on its head. Thanks Dicko!

dicko · July 17, 2019, 4:49pm

dropping 212.xxx.10.xx at a hardware firewall would stop asterisk seeing it , dropping 212.xxx.10.xx iptables on the FreePBX box would stop Asterisk seeing it, but not sngrep which watches traffic pre iptables. In the absense of both, then anonymous and guest connections can be rejected but still seen in the logs

dan_ce · July 18, 2019, 9:19am

Interesting! I had a look at the port forwarding page on the router and what’s strange is that port 5062 was forwarded to the FreePBX server on the LAN, but it was only when querying port 5160 (my SIP port) that this tool found an open port. Querying 5060 (my PJSIP port) returned a closed port.
I’ve had a look at my Asterix SIP settings page in FreePBX and found no reference to port 5062 anywhere.
Anyway after deleting the port forwarding 5062 rule, both ports return closed using the above online port scanning tool.

Thanks!