Inundated with hacking attempts on 5060 UDP

I am having some trouble with my Asterisk/FreePBX system, as it seems to drop the connection to the SIP provider. I found out that the Comcast DNS server seems to be pretty unreliable, so I added a couple of other DNS servers, and things seemed to be improving, but then it dropped out again (although it reconnected by itself after an hour or so, around 3 am). I started to look at other possibilities and stumbled upon the fact that port 5060 is used for signaling. I checked my firewall and 5060 TCP was forwarded to my system, but not UDP. So I set up another rule to forward UDP 5060 to my system. Almost immediately I started to receive what I think are hacking attempts (see below). First I tried to block the IPs through my firewall, but that did not seem to work. Even though the firewall says it was blocking the IPs, the hacking continued (from several IP addresses). I then disabled UDP 5060 again, but the attempts continue. A reboot of the system did not do anything either.

Is it just a coincidence that the hacking attempts started when I forwarded 5060 UDP? If not, why haven't they stopped after I disabled the UDP forwarding again?

Here is a typical log entry:

[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Executing [99901500420556674626@from-sip-external:1] NoOp("SIP/x.x.x.x-0000000a", "Received incoming SIP connection from unknown peer to 99901500420556674626") in new stack
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Executing [99901500420556674626@from-sip-external:2] Set("SIP/x.x.x.x-0000000a", "DID=99901500420556674626") in new stack
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Executing [99901500420556674626@from-sip-external:3] Goto("SIP/x.x.x.x-0000000a", "s,1") in new stack
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Goto (from-sip-external,s,1)
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/x.x.x.x-0000000a", "0?checklang:noanonymous") in new stack
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Goto (from-sip-external,s,5)
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/x.x.x.x-0000000a", "TIMEOUT(absolute)=15") in new stack
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] func_timeout.c: -- Channel will hangup at 2018-04-05 16:05:25.424 MDT.
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Executing [s@from-sip-external:6] Log("SIP/x.x.x.x-0000000a", "WARNING,"Rejecting unknown SIP connection from 185.107.80.8"") in new stack
[2018-04-05 16:05:10] WARNING[3490][C-00000008] Ext. s: "Rejecting unknown SIP connection from 185.107.80.8"
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Executing [s@from-sip-external:7] Answer("SIP/x.x.x.x-0000000a", "") in new stack
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Executing [s@from-sip-external:8] Wait("SIP/x.x.x.x-0000000a", "2") in new stack
[2018-04-05 16:05:12] VERBOSE[3490][C-00000008] pbx.c: -- Executing [s@from-sip-external:9] Playback("SIP/x.x.x.x-0000000a", "ss-noservice") in new stack
[2018-04-05 16:05:12] VERBOSE[3490][C-00000008] file.c: -- <SIP/x.x.x.x-0000000a> Playing 'ss-noservice.ulaw' (language 'en')
[2018-04-05 16:05:18] VERBOSE[3490][C-00000008] pbx.c: -- Executing [s@from-sip-external:10] PlayTones("SIP/x.x.x.x-0000000a", "congestion") in new stack
[2018-04-05 16:05:18] VERBOSE[3490][C-00000008] pbx.c: -- Executing [s@from-sip-external:11] Congestion("SIP/x.x.x.x-0000000a", "5") in new stack
[2018-04-05 16:05:23] VERBOSE[3490][C-00000008] pbx.c: == Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/x.x.x.x-0000000a'
[2018-04-05 16:05:23] VERBOSE[3490][C-00000008] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/x.x.x.x-0000000a", "") in new stack
[2018-04-05 16:05:23] VERBOSE[3490][C-00000008] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/x.x.x.x-0000000a'
[2018-04-05 16:05:42] WARNING[2245] chan_sip.c: Retransmission timeout reached on transmission 5419fc3efc9767227533005d22a8c9a2 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions

This is not untypical of the traffic you'll get. Changing ports won't do much either; they (scripters) just scan the ports and find them. Are you using the FreePBX distro, or another form of installation?
Is Fail2Ban running on your machine? The FreePBX firewall system as well?
What kind of hardware firewall are you using?

How often are you seeing these? Constantly? Or occasionally?

Thanks for the quick answer. I just disabled the UDP 5060 port forwarding, rebooted the computer and firewall, and the attacks seem to have gone. The log has been completely quiet for an hour. The phone works fine without the UDP 5060 forwarding. I just have to keep an eye on the computer to watch out for disconnects from the SIP provider. Still haven't figured that out.
These attacks came like clockwork every 3 minutes. They used different IDs and at least 3 different IP addresses.
I am using the FreePBX distro, running on a standard PC (nothing special). I have a NetGear firewall, but that will be changed soon to a different firewall (faster). I am not sure if the installation on the computer has its own firewall (not really a Linux expert).
It seems to be running stable right now, so I will refrain from playing around with it until the new Firewall is installed.
Thanks again.

Make sure you have the FreePBX firewall running. It does a very good job. Keep the open ports to your PBX to a minimum; it will help blacklist IPs that are attacking you.

I disagree on this one. In my experience, choosing a random port between 5100 and 6000 will reduce this traffic by at least 95% (scanning every port on every IPv4 address is not feasible for most attackers). I recommend it primarily to remove the clutter from your logs, making it easier to find important stuff, security-related or otherwise. However, it won't improve security much; anyone targeting you specifically, those who already know you have a PBX, and those who discover that from another common port left open, will scan every port on your IP address. So, you should still take care to set up your hardware and software firewalls properly, use fail2ban and strong passwords, etc. If you change the bind port, you will of course have to change your extensions to match.

On your original trouble (which IMO was not security-related), does your Netgear get a public IP address on its WAN interface? If not, your Comcast modem is likely configured as a router and could be the source of the problem. Also, make sure that any SIP ALG in the firewall is disabled.

If you don’t have any extensions outside your LAN and all your trunks use registration, there is usually no need to forward the SIP port.

If the problem recurs, please post: Provider? Registration shown as lost on their portal? Registration shown as lost by Asterisk? If so, what error occurred? Asterisk show the peer as Unreachable? Do outbound calls work during this interval?
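Both replies above point at fail2ban and the FreePBX firewall as the thing that actually deals with this traffic. As an added example (not code from this thread, FreePBX, Asterisk or fail2ban), the block below implements the same maxretry/findtime logic fail2ban applies to the "Rejecting unknown SIP connection from <ip>" WARNING that the from-sip-external context writes, and it also exposes the "like clockwork every 3 minutes" cadence the original poster noticed. The log lines are constructed for the demo, the IPs are RFC 5737 documentation addresses, and the function names, threshold defaults and `ignoreip` parameter are this example's own choices, not fail2ban's API.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# The WARNING line FreePBX's from-sip-external context logs for every anonymous
# INVITE it rejects (same shape as the log posted earlier in this thread).
REJECT_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] WARNING\[\d+\](?:\[C-[0-9a-f]+\])?'
    r' Ext\. s: "Rejecting unknown SIP connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"'
)

# Constructed sample log (not the poster's real log). 198.51.100.7 probes
# roughly every 3 minutes, 203.0.113.9 shows up once, 192.0.2.44 twice but
# half an hour apart. The VERBOSE line and the chan_sip line are noise.
SAMPLE_LOG = """\
[2018-04-05 16:05:10] VERBOSE[3490][C-00000008] pbx.c: -- Executing [s@from-sip-external:6] Log("SIP/x.x.x.x-0000000a", "WARNING,"Rejecting unknown SIP connection from 198.51.100.7"") in new stack
[2018-04-05 16:05:10] WARNING[3490][C-00000008] Ext. s: "Rejecting unknown SIP connection from 198.51.100.7"
[2018-04-05 16:06:02] WARNING[3490][C-00000009] Ext. s: "Rejecting unknown SIP connection from 203.0.113.9"
[2018-04-05 16:08:11] WARNING[3490][C-0000000a] Ext. s: "Rejecting unknown SIP connection from 198.51.100.7"
[2018-04-05 16:09:00] WARNING[3490][C-0000000b] Ext. s: "Rejecting unknown SIP connection from 192.0.2.44"
[2018-04-05 16:11:09] WARNING[3490][C-0000000c] Ext. s: "Rejecting unknown SIP connection from 198.51.100.7"
[2018-04-05 16:14:12] WARNING[3490][C-0000000d] Ext. s: "Rejecting unknown SIP connection from 198.51.100.7"
[2018-04-05 16:40:00] WARNING[3490][C-0000000e] Ext. s: "Rejecting unknown SIP connection from 192.0.2.44"
[2018-04-05 16:42:00] WARNING[2245] chan_sip.c: Retransmission timeout reached on transmission deadbeef for seqno 1 (Critical Response)
"""


def parse_rejects(lines):
    """Yield (timestamp, ip) for each rejection WARNING; other lines are skipped.
    The VERBOSE 'Executing ... Log(...)' line carries the same text but does not
    match, so each rejected call is counted exactly once."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            yield datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def count_rejects(lines):
    """Total rejections per source IP (the 'at least 3 different IPs' view)."""
    counts = defaultdict(int)
    for _, ip in parse_rejects(lines):
        counts[ip] += 1
    return dict(counts)


def intervals(lines, ip):
    """Seconds between consecutive rejections from `ip`; a scripted scanner
    shows up as a near-constant cadence."""
    stamps = [ts for ts, src in parse_rejects(lines) if src == ip]
    return [int((b - a).total_seconds()) for a, b in zip(stamps, stamps[1:])]


def find_offenders(lines, maxretry=3, findtime=600, ignoreip=()):
    """fail2ban semantics: an IP is banned the moment it reaches `maxretry`
    rejections inside any `findtime`-second sliding window. Returns {ip: ban_time}.
    `ignoreip` is for your own remote extensions or trunk hosts, so a misconfigured
    phone of yours does not get you locked out (hypothetical parameter)."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    banned = {}
    for ts, ip in parse_rejects(lines):
        if ip in ignoreip or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("rejections per IP:", count_rejects(lines))
    print("cadence of 198.51.100.7 (seconds):", intervals(lines, "198.51.100.7"))
    for ip, when in find_offenders(lines).items():
        print(f"would ban {ip} at {when} (maxretry=3, findtime=600)")
```

On the sample input only 198.51.100.7 trips the default thresholds (third hit at 16:11:09); 192.0.2.44 never does because its two hits fall outside one findtime window, which is exactly why a ban rule needs both a count and a window. The FreePBX distro already ships fail2ban with an Asterisk filter, so in practice you tune its jail rather than run something like this; the point of the block is to show what that jail is deciding, and why adding your own trusted addresses to its ignore list matters before you rely on it.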
