How To Stop Random from-sip-external Attempts

eagle · November 17, 2015, 11:13pm

I’ve just recently got my new V13 system up and running (V13 of Asterisk as well) and I’m noticing some behavior in my log that looks like someone is attempting to hack me. It’s of particular concern to me because the whole reason I moved my PBX and upgraded to V13 is I got hacked pretty hard on my last PBX provider.

A few entries from my log (and I have hundreds of attempts like this:

2015-11-17 18:00:16 1447801216.30614 1101 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 18:00:00 1447801200.30600 100268 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:54:07 1447800847.30534 1101 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:51:10 1447800670.30494 100257 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:47:53 1447800473.30443 1101 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:43:22 1447800202.30392 100267 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:41:39 1447800099.30359 404 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:41:35 1447800095.30356 1101 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:35:14 1447799714.30279 1101 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:35:13 1447799713.30276 100256 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:28:25 1447799305.30192 100266 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:28:06 1447799286.30185 1101 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:21:45 1447798905.30101 1101 Congestion s [from-sip-external] ANSWERED 00:12
2015-11-17 17:19:27 1447798767.30072 100255 Congestion s [from-sip-external] ANSWERED 00:12

They are getting congestion messages but still, I don’t want them to even get answered. In reading some other forum posts I have verified that Allow Anonymous SIP Calls was disabled (default on install apparently) and I disabled Allow SIP Guests (apparently enabled by default) and made sure that Intrusion Detection is operating properly, yet the attempts continue. Fail2Ban is running normally.

I was able to add a few caller ID’s to the blocked list and that has helped with those but there’s one right now that changes all of it’s information each attempt (obviously phishing).

The system is hosted by FreePBXHosting so I have no control over the network.

What else can I do to stop this? While right now it’s not a big deal, they haven’t been able to make phone calls out, I’m afraid eventually they will.

danielf · November 17, 2015, 11:46pm

Hi,

Increase your verbosity (core set verbose 4) and paste the log of this incoming calls.

Thank you,

Daniel Friedman
Trixton LTD.

eagle · November 17, 2015, 11:58pm

I did that in my CLI and I’m not sure if this is what you want, but afterwards I had several attempts and here are the contents of my asterisk log:

[2015-11-17 18:54:29] VERBOSE[13233] asterisk.c: Remote UNIX connection
[2015-11-17 18:54:29] VERBOSE[14504] asterisk.c: Remote UNIX connection disconnected
[2015-11-17 18:54:29] VERBOSE[13233] asterisk.c: Remote UNIX connection
[2015-11-17 18:54:29] VERBOSE[14506] asterisk.c: Remote UNIX connection disconnected
[2015-11-17 18:55:00] VERBOSE[14525] pbx_spool.c: Attempting call on Local/s@tc-maint for application NoCDR() (Retry 1)
[2015-11-17 18:55:00] VERBOSE[14526] dial.c: Called s@tc-maint
[2015-11-17 18:55:00] VERBOSE[14527][C-00000dab] pbx.c: Executing [s@tc-maint:1] NoCDR(“Local/s@tc-maint-00000676;2”, “”) in new stack
[2015-11-17 18:55:00] VERBOSE[14527][C-00000dab] pbx.c: Executing [s@tc-maint:2] Set(“Local/s@tc-maint-00000676;2”, “TCMAINT=RETURN”) in new stack
[2015-11-17 18:55:00] VERBOSE[14527][C-00000dab] pbx.c: Executing [s@tc-maint:3] Gosub(“Local/s@tc-maint-00000676;2”, “timeconditions,1,1()”) in new stack
[2015-11-17 18:55:00] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:1] Set(“Local/s@tc-maint-00000676;2”, “DB(TC/1/INUSESTATE)=INUSE”) in new stack
[2015-11-17 18:55:00] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:2] Set(“Local/s@tc-maint-00000676;2”, “DB(TC/1/NOT_INUSESTATE)=NOT_INUSE”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:3] GotoIfTime(“Local/s@tc-maint-00000676;2”, “08:00-17:00,mon-fri,,,America/Denver?truestate”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Goto (timeconditions,1,12)
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:12] GotoIf(“Local/s@tc-maint-00000676;2”, “0?falsegoto”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:13] ExecIf(“Local/s@tc-maint-00000676;2”, “0?Set(DB(TC/1)=)”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:14] Set(“Local/s@tc-maint-00000676;2”, “DEVICE_STATE(Custom:TC1)=NOT_INUSE”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:15] ExecIf(“Local/s@tc-maint-00000676;2”, “0?Set(NOT_INUSE)”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:16] GotoIf(“Local/s@tc-maint-00000676;2”, “0?ext-queues,400,1”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:17] Set(“Local/s@tc-maint-00000676;2”, “TCSTATE=true”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:18] Set(“Local/s@tc-maint-00000676;2”, “TCOVERRIDE=false”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [1@timeconditions:19] Return(“Local/s@tc-maint-00000676;2”, “”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [s@tc-maint:4] Gosub(“Local/s@tc-maint-00000676;2”, “timeconditions,5,1()”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:1] Set(“Local/s@tc-maint-00000676;2”, “DB(TC/5/INUSESTATE)=INUSE”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:2] Set(“Local/s@tc-maint-00000676;2”, “DB(TC/5/NOT_INUSESTATE)=NOT_INUSE”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:3] GotoIfTime(“Local/s@tc-maint-00000676;2”, “,,14-25,nov,America/Denver?truestate”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Goto (timeconditions,5,12)
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:12] GotoIf(“Local/s@tc-maint-00000676;2”, “0?falsegoto”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:13] ExecIf(“Local/s@tc-maint-00000676;2”, “0?Set(DB(TC/5)=)”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:14] Set(“Local/s@tc-maint-00000676;2”, “DEVICE_STATE(Custom:TC5)=NOT_INUSE”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:15] ExecIf(“Local/s@tc-maint-00000676;2”, “0?Set(NOT_INUSE)”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:16] GotoIf(“Local/s@tc-maint-00000676;2”, “0?app-announcement-1,s,1”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:17] Set(“Local/s@tc-maint-00000676;2”, “TCSTATE=true”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:18] Set(“Local/s@tc-maint-00000676;2”, “TCOVERRIDE=false”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [5@timeconditions:19] Return(“Local/s@tc-maint-00000676;2”, “”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [s@tc-maint:5] Gosub(“Local/s@tc-maint-00000676;2”, “timeconditions,4,1()”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:1] Set(“Local/s@tc-maint-00000676;2”, “DB(TC/4/INUSESTATE)=INUSE”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:2] Set(“Local/s@tc-maint-00000676;2”, “DB(TC/4/NOT_INUSESTATE)=NOT_INUSE”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:3] GotoIfTime(“Local/s@tc-maint-00000676;2”, “08:00-17:00,mon-fri,,,America/Denver?truestate”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Goto (timeconditions,4,12)
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:12] GotoIf(“Local/s@tc-maint-00000676;2”, “0?falsegoto”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:13] ExecIf(“Local/s@tc-maint-00000676;2”, “0?Set(DB(TC/4)=)”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:14] Set(“Local/s@tc-maint-00000676;2”, “DEVICE_STATE(Custom:TC4)=NOT_INUSE”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:15] ExecIf(“Local/s@tc-maint-00000676;2”, “0?Set(NOT_INUSE)”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:16] GotoIf(“Local/s@tc-maint-00000676;2”, “0?ext-queues,401,1”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:17] Set(“Local/s@tc-maint-00000676;2”, “TCSTATE=true”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:18] Set(“Local/s@tc-maint-00000676;2”, “TCOVERRIDE=false”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [4@timeconditions:19] Return(“Local/s@tc-maint-00000676;2”, “”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [s@tc-maint:6] System(“Local/s@tc-maint-00000676;2”, “/var/lib/asterisk/bin/schedtc.php 60 /var/spool/asterisk/outgoing 0”) in new stack
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Executing [s@tc-maint:7] Answer(“Local/s@tc-maint-00000676;2”, “”) in new stack
[2015-11-17 18:55:02] VERBOSE[14526] dial.c: Local/s@tc-maint-00000676;1 answered
[2015-11-17 18:55:02] NOTICE[14525] pbx_spool.c: Call completed to Local/s@tc-maint
[2015-11-17 18:55:02] VERBOSE[14527][C-00000dab] pbx.c: Spawn extension (tc-maint, s, 7) exited non-zero on ‘Local/s@tc-maint-00000676;2’
[2015-11-17 18:56:00] VERBOSE[14573] pbx_spool.c: Attempting call on Local/s@tc-maint for application NoCDR() (Retry 1)
[2015-11-17 18:56:00] VERBOSE[14574] dial.c: Called s@tc-maint
[2015-11-17 18:56:00] VERBOSE[14575][C-00000dac] pbx.c: Executing [s@tc-maint:1] NoCDR(“Local/s@tc-maint-00000677;2”, “”) in new stack
[2015-11-17 18:56:00] VERBOSE[14575][C-00000dac] pbx.c: Executing [s@tc-maint:2] Set(“Local/s@tc-maint-00000677;2”, “TCMAINT=RETURN”) in new stack
[2015-11-17 18:56:00] VERBOSE[14575][C-00000dac] pbx.c: Executing [s@tc-maint:3] Gosub(“Local/s@tc-maint-00000677;2”, “timeconditions,1,1()”) in new stack
[2015-11-17 18:56:00] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:1] Set(“Local/s@tc-maint-00000677;2”, “DB(TC/1/INUSESTATE)=INUSE”) in new stack
[2015-11-17 18:56:00] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:2] Set(“Local/s@tc-maint-00000677;2”, “DB(TC/1/NOT_INUSESTATE)=NOT_INUSE”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:3] GotoIfTime(“Local/s@tc-maint-00000677;2”, “08:00-17:00,mon-fri,,,America/Denver?truestate”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Goto (timeconditions,1,12)
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:12] GotoIf(“Local/s@tc-maint-00000677;2”, “0?falsegoto”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:13] ExecIf(“Local/s@tc-maint-00000677;2”, “0?Set(DB(TC/1)=)”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:14] Set(“Local/s@tc-maint-00000677;2”, “DEVICE_STATE(Custom:TC1)=NOT_INUSE”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:15] ExecIf(“Local/s@tc-maint-00000677;2”, “0?Set(NOT_INUSE)”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:16] GotoIf(“Local/s@tc-maint-00000677;2”, “0?ext-queues,400,1”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:17] Set(“Local/s@tc-maint-00000677;2”, “TCSTATE=true”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:18] Set(“Local/s@tc-maint-00000677;2”, “TCOVERRIDE=false”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [1@timeconditions:19] Return(“Local/s@tc-maint-00000677;2”, “”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [s@tc-maint:4] Gosub(“Local/s@tc-maint-00000677;2”, “timeconditions,5,1()”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:1] Set(“Local/s@tc-maint-00000677;2”, “DB(TC/5/INUSESTATE)=INUSE”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:2] Set(“Local/s@tc-maint-00000677;2”, “DB(TC/5/NOT_INUSESTATE)=NOT_INUSE”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:3] GotoIfTime(“Local/s@tc-maint-00000677;2”, “,,14-25,nov,America/Denver?truestate”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Goto (timeconditions,5,12)
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:12] GotoIf(“Local/s@tc-maint-00000677;2”, “0?falsegoto”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:13] ExecIf(“Local/s@tc-maint-00000677;2”, “0?Set(DB(TC/5)=)”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:14] Set(“Local/s@tc-maint-00000677;2”, “DEVICE_STATE(Custom:TC5)=NOT_INUSE”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:15] ExecIf(“Local/s@tc-maint-00000677;2”, “0?Set(NOT_INUSE)”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:16] GotoIf(“Local/s@tc-maint-00000677;2”, “0?app-announcement-1,s,1”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:17] Set(“Local/s@tc-maint-00000677;2”, “TCSTATE=true”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:18] Set(“Local/s@tc-maint-00000677;2”, “TCOVERRIDE=false”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [5@timeconditions:19] Return(“Local/s@tc-maint-00000677;2”, “”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [s@tc-maint:5] Gosub(“Local/s@tc-maint-00000677;2”, “timeconditions,4,1()”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:1] Set(“Local/s@tc-maint-00000677;2”, “DB(TC/4/INUSESTATE)=INUSE”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:2] Set(“Local/s@tc-maint-00000677;2”, “DB(TC/4/NOT_INUSESTATE)=NOT_INUSE”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:3] GotoIfTime(“Local/s@tc-maint-00000677;2”, “08:00-17:00,mon-fri,,,America/Denver?truestate”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Goto (timeconditions,4,12)
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:12] GotoIf(“Local/s@tc-maint-00000677;2”, “0?falsegoto”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:13] ExecIf(“Local/s@tc-maint-00000677;2”, “0?Set(DB(TC/4)=)”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:14] Set(“Local/s@tc-maint-00000677;2”, “DEVICE_STATE(Custom:TC4)=NOT_INUSE”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:15] ExecIf(“Local/s@tc-maint-00000677;2”, “0?Set(NOT_INUSE)”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:16] GotoIf(“Local/s@tc-maint-00000677;2”, “0?ext-queues,401,1”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:17] Set(“Local/s@tc-maint-00000677;2”, “TCSTATE=true”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:18] Set(“Local/s@tc-maint-00000677;2”, “TCOVERRIDE=false”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [4@timeconditions:19] Return(“Local/s@tc-maint-00000677;2”, “”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [s@tc-maint:6] System(“Local/s@tc-maint-00000677;2”, “/var/lib/asterisk/bin/schedtc.php 60 /var/spool/asterisk/outgoing 1”) in new stack
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Executing [s@tc-maint:7] Answer(“Local/s@tc-maint-00000677;2”, “”) in new stack
[2015-11-17 18:56:01] VERBOSE[14574] dial.c: Local/s@tc-maint-00000677;1 answered
[2015-11-17 18:56:01] NOTICE[14573] pbx_spool.c: Call completed to Local/s@tc-maint
[2015-11-17 18:56:01] VERBOSE[14575][C-00000dac] pbx.c: Spawn extension (tc-maint, s, 7) exited non-zero on ‘Local/s@tc-maint-00000677;2’

danielf · November 18, 2015, 12:15am

Hi,

What you see is the time conditions polling. It is not at attack. If you want to disable it go to the advanced settings and set the value of Enable Maintenance Polling to `false.

Thank you,

Daniel Friedman
Trixton LTD.

eagle · November 18, 2015, 12:35am

Daniel,

Thank you for clearing that up :). Is there any downside to turning off the maintenance polling other than it not appearing in the log? I have a complex series of time conditions and I don’t want to inadvertently break them.

plindheimer · November 18, 2015, 12:40am

His first trace is NOT from the time conditions polling.
[first was added after original post to clear any confusion with the second trace provided of the time conditions maintenance]

You are correct that those traces you first posted are from an outside attempt trying to get to your server. They have NOTHING to do with the time condition polling. The context that is being hit is from-sip-external which is where anonymous calls are sent and the setting of allow anonymous just controls whether those calls are sent to the ‘from-pstn’ part of the dialplan or wether they are played an ss-no-service message. All of that is configured in the sip settings module. However, if you did tell it to not allow guests, then it should not even be getting to the dialplan. You should confirm that configuration and if necessary, review the auto-generated sip configuration files to make sure the setting is being applied. It could be a bug if not, but first double check.

You should also be turning on the firewall since you have no firewall as it will give significanlty additional protection by throttling those attempts and eventually blocking them.

None the less, check if the guest setting is really applying because if it is not, then you should report a bug.

eagle · November 18, 2015, 12:48am

Thank you for pointing that out, I thought it looked like attacks to me but since my log showed all of the time condition polling I assumed that Daniel was correct. I’ve always had wicked time conditions and never seen this behavior before but I was running an ancient version of FPBX so my V13 naivety was showing through.

I’ll report a bug (I just reported another one on an unrelated issue) on this because guest setting IS applied.

plindheimer · November 18, 2015, 12:54am

can you go into the file, I think it’s sip_general_additional.conf and put that in the bug report to confirm that the guest setting is setup so we can determine if something isn’t being set there, as that’s what we’ll probably otherwise ask you for when the bug is reviewed.

eagle · November 18, 2015, 12:55am

I have posted the issue already but I’ll update it to include the contents of the file.

As for the firewall, I’ve been reading a bit of hit and miss on that and - frankly - am a bit afraid to turn it on. Aside from that it does mention in the initial screens that if you are already firewalled or cannot put your server in the DMZ that you shouldn’t turn it on. Am I incorrect on this?

plindheimer · November 18, 2015, 1:03am

In your case you aren’t firewalled. Also, it doesn’t hurt to put the firewall on even if you have another firewall.

There have been some bugs in as far as the firewall is new, we’ve been flushing them out. In your case, since you’re on a hosted system you should have access to the console through some sort of VPS console if I’m not mistaken. That means if you make a mistake, or if we make a mistake (that would never happen ), then you can get in to the console and turn off iptables to get back in. As it stands right now, since you’re on a hosted system, you don’t have any firewall, unless I missunderstood.

eagle · November 18, 2015, 1:04am

Only my assumption that a publicly available PBX server on a hosted provider is sitting behind SOME kind of firewall :). I’ll turn it on and cross my fingers.

eagle · November 18, 2015, 1:11am

This could be coincidental but after enabling the firewall. the scheduler.php is taking 100% of my CPU (my CPU generally runs about 3-8% on this computer with phone calls active). I turned off the FW and no difference on the CPU utilization.

I killed the process and it has not returned.

I assume this is likely my backup, but it just ran yesterday and is set for monthly so I don’t know why it would try to run again.

xrobau · November 18, 2015, 1:28am

scheduler.php is a part of dashboard that runs every couple of minutes to get a snapshot of your system state.

I find it pretty unlikely that it would have anythign to do with firewall. But, I’ve never seen it spin on 100% CPU usage though 8-(

eagle · November 18, 2015, 1:31am

Probably not, like I said it’s likely coincidental, but wanted to make sure I noted it. It was running at 100% for about 5 minutes before I finally killed it and it hasn’t come back to jack my CPU up again so it may have simply been a fluke.

eagle · November 18, 2015, 1:52pm

Daniel, I appreciate your continued input :). I have not done anything with the polling, obviously I started looking at the other things that p_lindheimer pointed out. Since fixing the issue with the guest access not applying to the configuration file and enabling the firewall I have not received a single from-sip-external log in my entry (about 12 hours now), where I was getting hundreds throughout the day. Of course that could still change as the day progresses but so far it’s looking very clean.

I didn’t want to change the polling of my conditions until I understood if turning that off would have an adverse impact on them, now that I know that it seems the impact is low I’ll try that because it really does clog up my CLI if I’m trying to debug any call issues.

danielf · November 18, 2015, 1:56pm

Hi,

Keep me posted if you will need my help.

Thank you,

Daniel Friedman
Trixton LTD.

eagle · November 18, 2015, 1:58pm

This statement is not entirely true :). I’m new to version 13 and this was a new migration to a new PBX hosted provider. I’ve been running FreePBX since version 1 and while I don’t have your experience in it I am not a total neophyte. The one I came from was 2.x because my previous system was Asterisk 1.6 and it couldn’t go much further and after failed attempts at in-place upgrades I decided to go with a FreePBX 13 preconfigured distro. That being said, most of what I do with the system is GUI based with a little bit of “tweaking config files”, so I don’t claim to be an expert by any means but I am capable for most of the day to day stuff.

el_es · November 18, 2015, 2:58pm

I think, you missed this (emphasis mine).
Meaning, Philippe meant the very first (less verbose) log dump, probably.
The verbosity of second dump probably prevented any of the Congestion msgs to be caught within the log buffer… see the differences in timestamps (~3 minutes in less-verbose, under 1s in more-verbose).
Nobody’s perfect

danielf · November 18, 2015, 3:17pm

Hi,

You can trust my judgement that I did not missed anything @el_es. First you need to reduce the log amount and then it is easier to see who is attacking you. You can wink as much as you want, I know that I am right and he is wrong.

Thank you,

Daniel Friedman
Trixton LTD.

jfinstrom · November 18, 2015, 3:36pm

Some post have been flagged and removed as “off-topic” from this thread. I think other posts should be as well. This post is not about “your feelings” it is about the users issue. If you have nothing constructive to say related to his issue please move on.