You can keep using 5060 if you lock it down.
Some providers won’t give you a Trunk for something other than 5060
And sure enough there’s that damn scan again, happened as you said it would. Guess it’s time for that port scan.
EDIT: Did an nmap on the pfSense and the SIP ports aren’t open, so now I’m lost as to why the scan keeps happening.
EDIT 2: Here’s something interesting. I’ve tried dialing in our office phone number twice and both times the scanner popped up. I tried another phone number that’s connected to our office, scanner popped up again. This time there isn’t a single port open. ALL firewall rules that allowed for SIP and RTP ports to be open have been disabled.
What do you mean by scanner? Are you getting some kind of error o warning message?
No, it says “warning, friendly scanner from” and it’s an IP to VoicePulse’s public network for its SIP services. Now I’m trying to figure out why it keeps telling me the number I’m dialing isn’t in service even though I can dial out just fine…
You can (on most router/firewalls , pfsense included) write a rule(s) to remap as many ip/port rules from your wan to your lan, so if you choose to listen publicly to 38324 (for example) for sip connections from your asterisk (or any other sip server), and thusly provision your external extensions to use that port (don’t forget that you are the boss), you can remap your boring_wont_let_me_not_use_5060 vsp providers connections from them through your router using that remapping, the knuckle-draggers won’t get in unless the hammer you for 64000 connections, but then your port flood detection would kick in 
, but your stupid trunks and your well behaved external extensions will. Pretty well an teenager can use sipvicious or any of it’s variants to spoof sip connections to your external ip , generally on 5060, but the variants scan more often 5000-5999, don’t use them!! have a solid IDS but most of all realize that these guys are cleverer than you.
1 Like
Appreciate the suggestion, but I need inbound calls to work again before I mess with any other firewall settings. This whole “number not in service” bit is on my last nerves. I’d like to go home sometime soon lol
That message is not a “bad” warning per-se. Is your inbound a catch-all? If your inbound doesn’t specify a DID, you will get that message, but that doesn’t mean your pbx is being targeted by an attacker.
Inbound, I don’t think, is a catch-all. Inbound specifies a DID. The last time I saw “warning, friendly scanner from” and Google’d it, nothing but SIPVicious came up, and the first time the person tried to make calls from multiple sources (one ending up in China). The second time (the reason why I’m here right now) they were making hour-long outbound calls through our system. And now every time an inbound call comes through, the scanner goes off.
Having 5060 open in anyway to the Innertubes, expose you to attack, UDP connections are intrinsically prone to being spoofed, just don’t accept 5060 from anyone, yet remap your trusted providers to yourchosen random port (not secure, but neither regularly attacked) .
I don’t have my SIP port opened to the internet aside from my VoSP and I get the friendly scanner message on my catch-all inbound route but not on any other route that has a DID defined for it. That is why I asked.
I didn’t get the scanner message on any routing at all until about a month ago, towards the very end of March. By that time the systems were up and running for two weeks.
I still can’t figure out why it keeps telling me the number is not in service.
not accepting 5060 from anyone but your providers direct ip(s) will improve security, if you still get probed, then yes, question your VoSP but provide them with a diagnostic pcap.
FINALLY figured out why Inbound calls weren’t working! Drum roll please!!!
You can’t set E164 to True in VoicePulse. You must set it to False. I knew this because I watched a tutorial saying not to do it and yet they were set to true anyway; I had to go back to that same tutorial to think to look at that variable. Man IT is stressful, and it’s always the smallest things.
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.