Lots of bad calls in CDR. Firewall working?

Getting a ton of these calls in the CDR reports. I have tried both disabling and enabling the responsive firewall. I do not have anything whitelisted except my office WAN IP. I have multiple instances of the same distro running and all of them seem to exhibit the same symptoms. I could see these coming through if the responsive firewall were enabled, but I disabled it and even rebooted and still get tons of these. In any case it really messes up my CDR, but also concerns me security-wise.

In CLI I get tons of these. This is not my PBX IP, or my WAN IP. I get random IPs in this list. If the firewall were working, why would these be getting through?


– Executing [[email protected]:1] NoOp(“SIP/my.ip.was.here-00000207”, “Received incoming SIP connection from unknown peer to 41011972592167944”) in new stack
– Executing [[email protected]:2] Set(“SIP/my.ip.was.here-00000207”, “DID=41011972592167944”) in new stack
– Executing [[email protected]:3] Goto(“SIP/my.ip.was.here-00000207”, “s,1”) in new stack
– Goto (from-sip-external,s,1)
– Executing [[email protected]:1] GotoIf(“SIP/my.ip.was.here-00000207”, “0?checklang:noanonymous”) in new stack
– Goto (from-sip-external,s,5)
– Executing [[email protected]:5] Set(“SIP/my.ip.was.here-00000207”, “TIMEOUT(absolute)=15”) in new stack
– Channel will hangup at 2016-03-24 09:41:38.140 PDT.
– Executing [[email protected]:6] Log(“SIP/my.ip.was.here-00000207”, "WARNING,“Rejecting unknown SIP connection from 192.162.101.140"”) in new stack
[2016-03-24 09:41:23] WARNING[52569][C-00000206]: Ext. s:6 @ from-sip-external: “Rejecting unknown SIP connection from 192.162.101.140”
– Executing [[email protected]:7] Answer(“SIP/my.ip.was.here-00000207”, “”) in new stack
– Executing [[email protected]:8] Wait(“SIP/my.ip.was.here-00000207”, “2”) in new stack
– Executing [[email protected]:9] Playback(“SIP/my.ip.was.here-00000207”, “ss-noservice”) in new stack
– <SIP/my.ip.was.here-00000207> Playing ‘ss-noservice.ulaw’ (language ‘en’)
– Executing [[email protected]:10] PlayTones(“SIP/my.ip.was.here-00000207”, “congestion”) in new stack
– Executing [[email protected]:11] Congestion(“SIP/my.ip.was.here-00000207”, “5”) in new stack
[2016-03-24 09:41:32] WARNING[2087]: chan_sip.c:4009 retrans_pkt: Retransmission timeout reached on transmission b4e3832f2a1621363d35b2d57d8ac67d for seqno 1 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
== Spawn extension (from-sip-external, s, 11) exited non-zero on ‘SIP/my.ip.was.here-00000207’
– Executing [[email protected]ternal:1] Hangup(“SIP/my.ip.was.here-00000207”, “”) in new stack
== Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/my.ip.was.here-00000207’
[2016-03-24 09:41:55] WARNING[2087]: chan_sip.c:4009 retrans_pkt: Retransmission timeout reached on transmission d0ae2e15c960c0f3123ed40b72d1d1a7 for seqno 1 (Critical Response) – See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31998ms with no response

You are allowing anonymous SIP calls from outside - turn it off in SIP Settings. Turn Off “Allow SIP Guests”.

That was it, thank you!

I didn’t consider looking there since I don’t remember ever modifying it. Seems like that shouldn’t be the default setting (and maybe it isn’t). Thank you!

Yeah, as with most things Internet, what started out as a good idea (Why wouldn’t I want to talk to anyone that calls me?) always gets abused by bad actors.

If only we could start shooting crackers…

This is an indication that your Firewall is misconfigured; double check your settings.

The firewall will reject registration attempts using Fail-2-BAN, but these weren’t registration attempts - these were anonymous inbound calls.


The FreePBX Firewall module will not “reject [failed] registration attempts using fail2ban”; fail2ban is configured using System Admin, Intrusion Detection, which operates independently from the FreePBX Firewall.

If the FreePBX Firewall is properly configured, and if Responsive is not enabled, and if the offending IP has not been whitelisted in Firewall, anonymous SIP connections can’t reach Asterisk and will not show up in the CDR.

Probably not using the Firewall.
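
As an added example (not part of the thread and not FreePBX or Asterisk code): a Python script that tallies, per source IP, the “Rejecting unknown SIP connection” warnings shown in the CLI output above, so you can see which sources reached the dialplan despite the firewall. The sample log lines are constructed in the format quoted in the thread, and the function names and the allowlist value are assumptions.

```python
import re
from datetime import datetime

# The WARNING that the from-sip-external context logs for an anonymous (guest)
# call, in the format quoted in the thread. Tolerates straight or curly quotes.
REJECT_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] WARNING\[\d+\]'
    r'(?:\[C-[0-9a-f]+\])?: .*from-sip-external: '
    r'["“]?Rejecting unknown SIP connection from '
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
)

def summarize_guest_calls(lines):
    """Return {source_ip: {"count", "first", "last"}} for rejected guest calls."""
    stats = {}
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if not m:
            continue  # other warnings (e.g. retrans_pkt) are ignored
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        entry = stats.setdefault(m.group("ip"), {"count": 0, "first": ts, "last": ts})
        entry["count"] += 1
        entry["first"] = min(entry["first"], ts)
        entry["last"] = max(entry["last"], ts)
    return stats

def not_allowlisted(stats, allowlist):
    """Sources that reached Asterisk but are not in the firewall allowlist."""
    return sorted(ip for ip in stats if ip not in allowlist)

# Constructed sample. 192.162.101.140 is the source seen in the thread;
# 203.0.113.7 is a documentation address standing in for the office WAN IP.
SAMPLE_LOG = '''
[2016-03-24 09:41:23] WARNING[52569][C-00000206]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 192.162.101.140"
[2016-03-24 09:41:32] WARNING[2087]: chan_sip.c:4009 retrans_pkt: Retransmission timeout reached (constructed line)
[2016-03-24 09:43:10] WARNING[52601][C-00000207]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 203.0.113.7"
[2016-03-24 09:47:02] WARNING[52640][C-00000208]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 192.162.101.140"
'''

if __name__ == "__main__":
    stats = summarize_guest_calls(SAMPLE_LOG.splitlines())
    for ip in not_allowlisted(stats, {"203.0.113.7"}):
        s = stats[ip]
        print(f"{ip}: {s['count']} guest calls, {s['first']} to {s['last']}")
```

Any address this reports got past the firewall and was handled as a SIP guest, so it points at both settings discussed in the thread: the firewall configuration and “Allow SIP Guests”.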