How to stop bots calling


(Xxoorr) #1

Hello,
I am experiencing difficulties making the proper configuration on the remote PBX phone.
We are using a PBX system in our main office, and with the PBX IP I have a remote phone configured on port 5060. The problem is that a lot of ‘dead calls’ are coming in: random 3 and 4 digit phone numbers are calling and no one is on the line. For that reason I bought a SonicWall TZ300, which is connected through its WAN port, and the connection is coming from an internal switch. The Grandstream phone is on the same switch. What rule should I create to allow only the PBX IP from the main office through the firewall, and how do I deny all other traffic so we won’t get any more of these bot calls?


(Avayax) #2

I am not sure if I understand your setup correctly, but generally, to make a remote phone register to your phone server sitting behind a firewall, you must open port 5060 and RTP ports to allow traffic through your firewall and forward that traffic to the IP address of your PBX. It’s very important to whitelist the IP addresses that you allow traffic from through your firewall. That will be the public IP address of your remote phone (the IP address your ISP provides to you and your router). If you don’t whitelist the IP addresses, you will most certainly get hacked, as you have already seen.
If your remote phone sits behind a router with dynamic IP addresses, you should use VPN.
VPN is preferred anyway.


(Bob Reiber) #3

Dumb questions - are you using the FreePBX firewall? And if yes, is it properly configured? And are you allowing anonymous inbound SIP calls? And are you allowing SIP guests?


(Xxoorr) #4

Thank you for your reply guys.
avayax:
you must open port 5060 and RTP ports to allow traffic through your firewall and forward that traffic to the IP address of your PBX
How can I forward the traffic from 5060 and RTP to my PBX IP?
Which IP should I allow into the firewall? I guess the PBX IP, but you are saying I should whitelist the IP addresses that I want to allow - well, what other IP addresses might I need? I couldn’t think of allowing anything else but the PBX public IP.
My remote phone is sitting behind an AT&T router, but all the devices have static IPs as well, including the phone (Grandstream).
So I have an AT&T router which is plugged into a switch, and from that switch I have my firewall connected on its WAN port. The LAN port on the firewall is plugged into a computer so that I can log in and configure the firewall. The phone is connected to the same switch. So first I have the router, then the switch, which gives the connection via Ethernet to the firewall and to the phone.

bksales - I am using a SonicWall TZ300. I don’t know what the freepbx firewall is.
I don’t allow anonymous SIP calls - the option is set to ‘NO’.
Allow SIP guests is set to ‘YES’.

I am sorry for all my confusion, but I am new to PBX matters and I am willing to learn, so please let me know, guys, if you need any screenshots of my network setup or any PBX configuration that might help us resolve this case.


(Xxoorr) #5

Update: This is what I’ve received from one of our IT guys:

"I would leave it at 5060 and only allow that port open from the PBX IP, I think that is the easiest way. If you need to open any other ports, then you can do the same thing and only allow the PBX IP access.

If you are putting the firewall between the phone and the switch, then the phone might get a different IP block than the rest of the network. So you might need to create a NAT rule to translate the IP of the Firewall to the IP of the phone"

What do you guys think will be the best approach?


(Avayax) #6

What FreePBX version and distro are you using?

So your phone is the remote phone and you are working from that remote network? The Firewall you are talking about is not in your main office?
Just trying to understand your setup.

On the remote network, where your remote phone sits, you don’t need to open and forward any ports.

That has to be done on the firewall that sits in front of your PBX. Looks like it is in your main office. If your company is operating more remote phones, then this might be done already.
If not, port 5060 on that firewall needs to be forwarded to the internal IP of the PBX, RTP ports as well, or you will have audio issues. RTP ports usually range from port 10000-20000, but you can use a smaller range.
SIP and RTP ports should only allow traffic to come in from the external IP address of your ATT router, where your remote phone sits.

The way this works is that a remote phone knocks at the firewall in front of your PBX, wanting to register with the server, and the firewall lets the traffic through if allowed.

Again, running a VPN is the better way to do that.


(Xxoorr) #7

Incredible PBX 12.0.70
Asterisk (Ver. 13.4.0)

The main office network is fully set up and running, and the PBX is hosted there and gets its public IP - I’ve got nothing to mess around with at that location.
The remote phone is on the remote network, and that is where I am making these configurations. The only connection between both locations is that the remote phone’s SIP account is configured with that PBX IP from the main office, and of course it has its own internal network IP taken from the router. The reason is: if someone calls our main office and chooses that particular remote extension, we want it to ring at the remote location where the employee is located.

Here is a network diagram of the remote location; please note that there wasn’t any firewall before, we just got it to cut the bot calls.

Port 5060 is open on the main office firewall where the PBX is. Then the remote phone is configured with that PBX IP xxxx.xxxx.xxxx.xxxx:5060, and the phone is working properly inbound and outbound; it just receives many dead calls which I don’t know how to stop.
There are no other remote phones; this is the only one.


(Avayax) #8

Is port 5060 on your main office firewall open to the internet at large and not source restricted to receive only traffic from authorized IP addresses?
If so, then that is a security hazard and not recommended.
Hackers will probe your firewall, find that you have port 5060 open, and try to guess an existing extension and password. Once they find a good one, they will try to make toll calls from that extension.
Maybe that has already happened, I don’t know. You can check your call records for calls that look suspicious.
Also turn “Allow SIP guests” off.

What do you mean by getting bot calls, what exactly is happening there?
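What the brute-force attempts described above look like in the PBX’s own log, and how to turn them into a block list, as an added example that is not part of this thread or of Asterisk: the log lines below are constructed to match the NOTICE lines chan_sip writes to /var/log/asterisk/full when a REGISTER fails; the thresholds and the whitelisted address (the remote phone’s public IP) are assumptions.

```python
"""Count failed SIP registrations per source IP and propose blocks.

Added example, not from the thread or from Asterisk. Log lines are
constructed; thresholds and the whitelist are assumed values.
"""
import re
from collections import Counter, defaultdict

# Constructed log excerpt: a scanner at 198.51.100.23 walking extension
# numbers, then the legitimate remote phone at 203.0.113.10 mistyping once.
SAMPLE_LOG = """\
[2016-03-12 02:14:01] NOTICE[2211] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2016-03-12 02:14:01] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2016-03-12 02:14:02] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2016-03-12 02:14:02] NOTICE[2211] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2016-03-12 02:14:03] NOTICE[2211] chan_sip.c: Registration from '"1003" <sip:1003@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2016-03-12 08:30:10] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '203.0.113.10:5060' - Wrong password
[2016-03-12 08:30:15] VERBOSE[2211] chan_sip.c: -- Registered SIP '1001' at 203.0.113.10:5060
"""

# chan_sip failure line: Registration from '<From header>' failed for '<ip>:<port>' - <reason>
FAILED_RE = re.compile(
    r"Registration from '\"?(?P<user>[^\"'<]*)\"?[^']*' failed for "
    r"'(?P<ip>\d+\.\d+\.\d+\.\d+):\d+' - (?P<reason>.+)$")


def parse_failures(log_text, whitelist=()):
    """Return {ip: {"count", "users", "reasons"}} for non-whitelisted sources."""
    stats = defaultdict(lambda: {"count": 0, "users": set(), "reasons": Counter()})
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if not m or m.group("ip") in whitelist:
            continue
        entry = stats[m.group("ip")]
        entry["count"] += 1
        entry["users"].add(m.group("user"))
        entry["reasons"][m.group("reason")] += 1
    return dict(stats)


def offenders(stats, max_failures=5, max_distinct_users=3):
    """IPs over either threshold. Many distinct usernames from one source is
    extension enumeration, the thing alwaysauthreject=yes is meant to blunt."""
    return sorted(ip for ip, s in stats.items()
                  if s["count"] >= max_failures or len(s["users"]) >= max_distinct_users)


def block_commands(ips, sip_port=5060):
    """iptables lines (assumed Linux host firewall) dropping SIP from each IP."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {sip_port} -j DROP" for ip in ips]


if __name__ == "__main__":
    stats = parse_failures(SAMPLE_LOG, whitelist={"203.0.113.10"})
    for ip, s in stats.items():
        print(ip, s["count"], "failures,", len(s["users"]), "usernames,", dict(s["reasons"]))
    for cmd in block_commands(offenders(stats)):
        print(cmd)
```

The whitelist keeps a legitimate phone with a mistyped secret from being locked out; the remote phone’s public address belongs there. The two reasons in the sample matter: "No matching peer found" is the text that lets an attacker tell an absent extension from a wrong password, which is why the next post’s setting is worth turning on.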


(Avayax) #9

Here are a few general security tips for an Asterisk PBX:
Under Asterisk SIP settings do this:

Setting this to “yes” will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.

Under extensions, use the permit/deny lines to allow only a reasonable subset of IP addresses to reach each listed extension. If the extension is internal to your main office network, put the range of possible network addresses in the permit line. If it’s a remote phone, put a range of public IP addresses in there that registration attempts could come from, if possible.

Check this link on Asterisk security: http://blogs.digium.com/2009/03/28/sip-security/
This too from the PIAF guys where your build comes from:
http://nerdvittles.com/?p=580
http://nerdvittles.com/?p=3148

With Incredible PBX, you might have more luck on their forums. This forum is mostly for the FreePBX distro; what you have is a little different: http://pbxinaflash.com/community/forums/
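The option description quoted in the post above (its name was in a screenshot) is the one Asterisk’s sip.conf gives for `alwaysauthreject`, and “Allow SIP Guests” in FreePBX corresponds to chan_sip’s `allowguest`. The following is an added example, not code from this thread or from FreePBX/Asterisk, that audits a chan_sip configuration for those two settings and for extensions that lack the deny/permit pair described above, and emits a restricted peer stanza. The sample configuration and all addresses are constructed.

```python
"""Audit a chan_sip configuration for the settings recommended above.

Added example, not code from this thread or from FreePBX/Asterisk. It reads
the plain key=value format of sip.conf (FreePBX's generated sip_additional.conf
and sip_general_custom.conf use the same syntax). The sample config and the
addresses are constructed for the demonstration.
"""
import ipaddress
import re

# Constructed sample: weak [general] section, a remote peer with no source
# restriction, and a peer that already carries a deny/permit pair.
SAMPLE_SIP_CONF = """
[general]
context=from-sip-external
allowguest=yes          ; FreePBX "Allow SIP Guests" = Yes
alwaysauthreject=no
bindport=5060

[1001]
type=friend
secret=s3cret
host=dynamic
context=from-internal

[1002]
type=friend
secret=s3cret2
host=dynamic
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=203.0.113.10/255.255.255.255
"""


def parse_sip_conf(text):
    """Return {section: [(key, value), ...]}; keys may repeat (permit/deny)."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        if current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.strip()))
    return sections


def _get(pairs, key, default=None):
    """Last value of key in a section (later lines override earlier ones)."""
    vals = [v for k, v in pairs if k == key]
    return vals[-1] if vals else default


def _is_global_deny(value):
    """True if a deny= line covers every address (0.0.0.0/0 in either notation)."""
    addr, _, mask = value.partition("/")
    return addr == "0.0.0.0" and mask in ("0", "0.0.0.0", "")


def audit(sections):
    """List findings; an empty list means the checked settings are in place."""
    findings = []
    general = sections.get("general", [])
    if _get(general, "allowguest", "yes").lower() != "no":
        findings.append("general: allowguest should be no (unauthenticated INVITEs reach the dialplan)")
    if _get(general, "alwaysauthreject", "").lower() != "yes":
        findings.append("general: alwaysauthreject should be yes (stops extension enumeration)")
    for name, pairs in sections.items():
        if name == "general" or _get(pairs, "type") not in ("friend", "peer", "user"):
            continue
        denies = [v for k, v in pairs if k == "deny"]
        permits = [v for k, v in pairs if k == "permit"]
        if not any(_is_global_deny(d) for d in denies) or not permits:
            findings.append(f"{name}: no deny=0.0.0.0/0.0.0.0 + permit=<source> pair; any IP may attempt registration")
    return findings


def hardened_peer(name, secret, allowed_cidrs, context="from-internal"):
    """Emit a peer stanza that only accepts registration from allowed_cidrs."""
    lines = [f"[{name}]", "type=friend", f"secret={secret}", "host=dynamic",
             f"context={context}", "deny=0.0.0.0/0.0.0.0"]
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr, strict=False)
        lines.append(f"permit={net.network_address}/{net.netmask}")   # chan_sip wants dotted masks
    return "\n".join(lines)


if __name__ == "__main__":
    for finding in audit(parse_sip_conf(SAMPLE_SIP_CONF)):
        print("FINDING:", finding)
    print(hardened_peer("1001", "s3cret", ["203.0.113.0/24"]))
```

On a FreePBX-managed box the generated files are overwritten on every reload, so the deny/permit values go into the extension’s own settings in the GUI and the two general options into Asterisk SIP Settings; the audit is still useful pointed at the generated sip_additional.conf to confirm what actually reached Asterisk.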


(Xxoorr) #10

Is port 5060 on your main office firewall open to the internet at large and not source restricted to receive only traffic from authorized IP addresses?

How can I make 100% sure whether it is or not, because I can’t find it anywhere?
Thank you for the recommendations - I’ve turned off “Allow SIP guests” and changed the other SIP settings from your next post.
By bots calling I mean random calls to the remote phone from numbers such as 1000, and when picked up, complete silence, no one is on the line. And those are coming along with the other legitimate calls from clients of our company, and both incoming and outgoing calls are working properly.
Here is a screenshot of the call history - note that only bot calls take place on the weekend, because there is nobody at the office.
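The pattern described in this post (short numeric caller IDs, silence, clustered on the weekend) can be pulled out of the PBX’s call records, which the earlier reply suggested checking. The following is an added example, not from this thread or from FreePBX, that scores rows of an Asterisk Master.csv export and extracts the peer addresses of the flagged calls for blocking. The rows are constructed; the `from-sip-external` context is FreePBX’s context for unauthenticated SIP (the "SIP guests" path), and the thresholds are assumptions.

```python
"""Flag the "dead calls" pattern in an Asterisk CDR export (Master.csv).

Added example, not from the thread or FreePBX. Columns follow the default
cdr_csv layout; the rows below are constructed. Thresholds are assumptions.
"""
import csv
import io
import re
from datetime import datetime

CDR_FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
              "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
              "disposition", "amaflags", "uniqueid", "userfield"]

# Constructed rows: two guest-context probes, one trunk call, one internal call.
SAMPLE_CDR = '''\
"","1000","201","from-sip-external","""1000"" <1000>","SIP/203.0.113.77-00000a1","SIP/201-00000a2","Dial","SIP/201,20","2016-03-12 03:15:22","","2016-03-12 03:15:34","12","0","NO ANSWER","3","1457752522.161",""
"","2125551212","201","from-trunk","""ACME CORP"" <2125551212>","SIP/trunk-00000b0","SIP/201-00000b1","Dial","SIP/201,20","2016-03-11 14:02:10","2016-03-11 14:02:18","2016-03-11 14:05:14","184","176","ANSWERED","3","1457704930.177",""
"","202","201","from-internal","""Front Desk"" <202>","SIP/202-00000c0","SIP/201-00000c1","Dial","SIP/201,20","2016-03-11 15:10:00","2016-03-11 15:10:04","2016-03-11 15:10:34","34","30","ANSWERED","3","1457709000.181",""
"","100","201","from-sip-external","""100"" <100>","SIP/198.51.100.23-00000d0","SIP/201-00000d1","Dial","SIP/201,20","2016-03-13 22:40:01","2016-03-13 22:40:05","2016-03-13 22:40:08","7","3","ANSWERED","3","1457908801.190",""
'''

GUEST_CONTEXTS = {"from-sip-external"}   # FreePBX: unauthenticated SIP lands here
INTERNAL_CONTEXTS = {"from-internal"}    # internal extensions also have short numbers
SHORT_NUMERIC = re.compile(r"^\d{3,4}$")


def parse_cdr(text):
    """Rows of a headerless Master.csv as dicts keyed by CDR_FIELDS."""
    return list(csv.DictReader(io.StringIO(text), fieldnames=CDR_FIELDS))


def score_call(row):
    """Reasons a row looks like an unauthenticated probe call, possibly none."""
    reasons = []
    if row["dcontext"] in GUEST_CONTEXTS:
        reasons.append("guest context")
    if SHORT_NUMERIC.match(row["src"]) and row["dcontext"] not in INTERNAL_CONTEXTS:
        reasons.append("short numeric caller id from outside")
    if int(row["billsec"]) < 5:
        reasons.append("little or no talk time")
    if datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S").weekday() >= 5:
        reasons.append("weekend")
    return reasons


def suspicious_calls(rows):
    """Guest-context calls are flagged outright; otherwise two weaker signals are needed."""
    flagged = []
    for row in rows:
        reasons = score_call(row)
        if "guest context" in reasons or len(reasons) >= 2:
            flagged.append((row["uniqueid"], row["src"], row["channel"], reasons))
    return flagged


def source_addresses(flagged):
    """Peer IPs from SIP/<ip>-<id> channel names of guest calls, for firewall rules."""
    ips = set()
    for _, _, channel, _ in flagged:
        m = re.match(r"SIP/(\d+\.\d+\.\d+\.\d+)-", channel)
        if m:
            ips.add(m.group(1))
    return sorted(ips)


if __name__ == "__main__":
    flagged = suspicious_calls(parse_cdr(SAMPLE_CDR))
    for uniqueid, src, channel, reasons in flagged:
        print(uniqueid, src, channel, ", ".join(reasons))
    print("sources:", source_addresses(flagged))
```

The internal-context check is the edge case worth keeping: extension 202 calling 201 also has a 3-digit caller ID, so the short-number signal alone would produce false positives. Guest calls show the remote peer’s IP in the channel name because no registered peer matched, which is exactly what disabling SIP guests removes.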


(Bob Reiber) #11

i offer a few comments

  1. your remote setup is really a no-no. you are using your wan connection as a converged network (voice and data) and you have no traffic shaping in place. this means that if you look at a streaming video on your pc, your voice quality will go in the dumper. the sonic wall is not capable of decent traffic shaping. you need to put a good session border controller in as the primary internet interface. you can put your sonic wall behind it if you want to keep the sonic wall. the phrase i use to describe this sort of network set up is plug and pray.
  2. assuming you leave your network as it is, then the next questions are: what IP address does your phone have? is it a public IP address or a non-routable IP address? and do you have a firewall installed for your pbx?
  3. if you do not have a firewall installed for your pbx (meaning the firewall sits between the pbx and the internet) then there is no way you are going to be able to secure your system. if you do have a firewall, then you need to add rules that allow udp ports 5061-5070, 10000-20000 through the firewall and route them directly to your pbx AND limit the forwarding to the public ip address of your remote phone and from the address(es) of your sip trunk providers. in other words, sip traffic should be allowed only from those specific ip addresses.

beyond that go spend some time on the PIAF forums.
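Posts #6 and #11 describe the same rule set for the firewall in front of the PBX: forward UDP 5060 and the RTP range to the PBX, but only from the remote phone’s public IP and the trunk provider’s addresses, and drop everything else aimed at those ports. The following is an added example (not from this thread or from any firewall vendor) that models that policy in Python so it can be checked against sample packets, and emits equivalent iptables lines for a Linux edge firewall doing the port forwarding. The PBX’s internal address 10.0.0.5, the whitelist and the 10000-20000 RTP range are assumptions standing in for the real values.

```python
"""Source-restricted SIP/RTP forwarding policy for the firewall in front of the PBX.

Added example, not from the thread or any vendor. Addresses are documentation
ranges standing in for the remote phone's public IP and the trunk provider.
"""
import ipaddress

SIP_PORT = 5060
RTP_RANGE = (10000, 20000)   # the range mentioned in the thread; narrow it if Asterisk allows

# Constructed whitelist: remote phone's public address and the trunk provider's block.
ALLOWED_SOURCES = ["203.0.113.10/32", "198.51.100.0/24"]


def build_rules(pbx_ip, allowed_sources, sip_port=SIP_PORT, rtp=RTP_RANGE):
    """iptables lines for an edge firewall that DNATs SIP/RTP to the PBX only from
    whitelisted sources; a final pair of rules drops everyone else on those ports."""
    rules = []
    lo, hi = rtp
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)
        rules.append(f"iptables -t nat -A PREROUTING -s {net} -p udp --dport {sip_port} "
                     f"-j DNAT --to-destination {pbx_ip}")
        rules.append(f"iptables -t nat -A PREROUTING -s {net} -p udp --dport {lo}:{hi} "
                     f"-j DNAT --to-destination {pbx_ip}")
        rules.append(f"iptables -A FORWARD -s {net} -d {pbx_ip} -p udp --dport {sip_port} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -s {net} -d {pbx_ip} -p udp --dport {lo}:{hi} -j ACCEPT")
    rules.append(f"iptables -A FORWARD -d {pbx_ip} -p udp --dport {sip_port} -j DROP")
    rules.append(f"iptables -A FORWARD -d {pbx_ip} -p udp --dport {lo}:{hi} -j DROP")
    return rules


def decide(src_ip, proto, dport, allowed_sources, sip_port=SIP_PORT, rtp=RTP_RANGE):
    """The same policy as a function: ACCEPT, DROP, or NOT_FORWARDED (port never exposed)."""
    is_sip = proto == "udp" and dport == sip_port
    is_rtp = proto == "udp" and rtp[0] <= dport <= rtp[1]
    if not (is_sip or is_rtp):
        return "NOT_FORWARDED"
    ip = ipaddress.ip_address(src_ip)
    if any(ip in ipaddress.ip_network(n, strict=False) for n in allowed_sources):
        return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    for line in build_rules("10.0.0.5", ALLOWED_SOURCES):
        print(line)
    # remote phone registering, a random scanner, trunk media, TCP 5060 from the phone
    for pkt in [("203.0.113.10", "udp", 5060), ("192.0.2.55", "udp", 5060),
                ("198.51.100.77", "udp", 15000), ("203.0.113.10", "tcp", 5060)]:
        print(pkt, "->", decide(*pkt, ALLOWED_SOURCES))
```

A whitelist only works while the remote phone’s public address is stable, which is why the earlier replies prefer a VPN when the remote site has a dynamic IP; in that case the VPN endpoint replaces the phone’s address in the list.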


(Avayax) #12

Who is administrating the firewall in the main office, where your PBX is, your IT guys?
They should be able to tell you what port forwarding rules they have in place on their firewall for port 5060.

As “bksales” has said, your network setup at your remote location doesn’t seem to be correct.
What IP address does your remote phone have, a public or private IP?

And is that At&t router set to bridge mode or something?

I assume you are working from home and At&t is your internet service provider, correct?
Then this router should serve as a firewall too, hand out private IP addresses to your phone and your PC and no extra Sonic Wall firewall would be needed.


(Xxoorr) #13

then the next questions are: what it address does your phone have? is it a public ip address or a non-routable ip address? and do you have a firewall installed for your pbx?

The phone has a private static address, 192.168…, but then how is it connected to the main office PBX IP? Well, when I set up this remote phone, there were account setup options which allowed me to enter the PBX public IP and the port to connect to on that IP, so I’ve done that on port 5060, and whoever calls the main office and requests the remote phone extension has no problem at all; the phone is fully working. This makes me think that port 5060 is indeed open on the main office firewall, otherwise how is the connection made?
And yes, we have a firewall in the main office, but I am not sure how it is connected to the PBX; I’ve requested that info from the old IT guy, so hopefully we’ll have some answers soon.

Who is administrating the firewall in the main office, where your PBX is, your IT guys?
I am administrating the systems in both offices now; our IT guys are no longer with us.
The PBX is on a Linux server in our main office; it has a public IP, which is used to connect to that PBX from the remote location.

Here is a screenshot from the PBX web interface - as we can see, ports 10000-20000 are allowed for the RTP protocol.

This hidden external IP address is the IP of the PBX; with that IP I can log in to the PBX web interface, and that IP is used on the remote phone in the SIP account I created to connect from the remote location to the main office PBX. Still, though, the remote phone has its own internal static IP, which makes it recognizable on the remote location’s internal network.
Thanks again for your answers, both; it really makes me understand a little how exactly this works, so if you need any more screenshots please let me know.

And is that At&t router set to bridge mode or something?

I assume you are working from home and At&t is your internet service provider, correct?
Then this router should serve as a firewall too, hand out private IP addresses to your phone and your PC and no extra Sonic Wall firewall would be needed.

The At&t router is just plugged into a modem, from which it takes the internet, and then this router manages the internal network - it is really nothing special, a small office with a few workstations, and the router seems kind of limited in options. That’s why we proceeded with getting this firewall, because so far everything was working only on the internal level, and with that remote phone which needs to be connected remotely, we thought an extra layer of security could help us secure the systems.
Although in this At&t router there are still options to open port ranges, I can’t see how it would secure the phone.


(Xxoorr) #14

I received info on what I should do from the old admin. Here is what he says:
“The only thing you need to configure is the new firewall in the remote location. Open 5060 and the higher ports but only allow the PBX IP in on those ports.”

So if you can guide me how can I do that it would be awesome.
From what I see, first I should create a custom address object in the WAN zone with the PBX public IP.
Second, I should create an access rule to allow from WAN to LAN with the service being the address object configured above, and lastly I should create a NAT policy to translate incoming packets and forward them to the phone. Is this the right approach?


(Avayax) #15

You certainly don’t have to open ports on your remote firewall to let the PBX in.
Your phone sends a registration request out to the internet, hits the firewall in front of the PBX server, knocks at port 5060, and is then allowed to the server and then the ports are kept open.
Your calls are already working, so you don’t need to open any more ports, especially not on your remote network.
Opening ports always makes a system less secure, not more secure.

Your problems were these bad calls, right?

I don’t know if those are actually from an attack, they could be, and you should find out, but you could also be seeing this issue: How To Stop Random from-sip-external Attempts
They solved this by disabling time conditions polling in advanced settings and setting the value of Enable Maintenance Polling to false.

You just want to check your main office firewall if it is set up securely.
The fact that you can log into the public IP of the PBX and get to FreePBX GUI means, that on the main office firewall, port 80 is forwarded to your PBX.
Now ask your old IT guy if they have set up remote management of the main office firewall.
If so, log into the main office firewall (if it has a GUI), and look at port forwarding rules and check which IP addresses are allowed to access port 80, SIP 5060, and 22 SSH from the internet.
You should see the public IP address of your remote network there.
If there are no restrictions, it’s very bad.

Looks like you are shooting for an unnecessarily complicated setup on your remote site, with two firewalls, the router and your sonicwall.


(Xxoorr) #16

Yes, I have access to the firewall, which runs with a GUI, but I am not sure how to check which IP addresses are allowed to access port 80, SIP 5060, and 22 SSH from the internet, although port 80 must be open to anyone because we are hosting servers and services which should allow access not only to specific people.


(Avayax) #17

Look for firewall rules or port forwarding rules, then you should find something.


(Xxoorr) #18

The fact that you can log into the public IP of the PBX and get to FreePBX GUI means, that on the main office firewall, port 80 is forwarded to your PBX.

Actually, I forgot to say, I can go to the PBX GUI but only after I am connected to my office PC; otherwise it is not possible, from home I can’t log in to the PBX with my home IP.


#19

I would like to point out that if you set Asterisk to not listen for SIP on ports like 50NN, then 99.9 percent of your problems with bogus attempts will go away. Use a random port between 20001 and 50000 to listen for SIP connections; you have full control over your phones as to what port they will signal on, remote or local. You can sometimes arrange for your VSP to use your chosen port for connections, but if they can’t/won’t do that, then one rule on your firewall for each VSP to map incoming udp (maybe tcp also)/5060 to your listening port. All these BS connections will just “go away”.


(Xxoorr) #20

I don’t see any calls in the PBX history since I’ve disallowed SIP guests, so hopefully this is the resolution. I will keep an eye on it in the next few hours/days and will let you guys know what the situation is. Thank you all for the time spent, I really appreciate your help, especially avayax, this guy is awesome!