Lots of unknown sip calls in logs

Beone · September 6, 2013, 10:15pm

Hi,
I see a lot of unknown sip calls coming into my pbx with callerid’s like 100, 105, 600, etc What is this and how can I stop it?

Thx

[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] pbx.c: -- Executing [111100972595660432@from-sip-external:2] Set("SIP/81.82.253.38-00000074", "DID=111100972595660432") in new stack
[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] pbx.c: -- Executing [111100972595660432@from-sip-external:3] Goto("SIP/81.82.253.38-00000074", "s,1") in new stack
[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] pbx.c: -- Goto (from-sip-external,s,1)
[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/81.82.253.38-00000074", "0?checklang:noanonymous") in new stack
[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] pbx.c: -- Goto (from-sip-external,s,5)
[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/81.82.253.38-00000074", "TIMEOUT(absolute)=15") in new stack
[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] func_timeout.c: -- Channel will hangup at 2013-09-06 23:41:55.467 CEST.
[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/81.82.253.38-00000074", "") in new stack
[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on 'SIP/81.82.253.38-00000074'
[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/81.82.253.38-00000074", "") in new stack
[2013-09-06 23:41:40] VERBOSE[3461][C-00000074] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/81.82.253.38-00000074'
[2013-09-06 23:41:44] VERBOSE[2988][C-00000075] netsock2.c: == Using SIP VIDEO TOS bits 136
[2013-09-06 23:41:44] VERBOSE[2988][C-00000075] netsock2.c: == Using SIP VIDEO CoS mark 6
[2013-09-06 23:41:44] VERBOSE[2988][C-00000075] netsock2.c: == Using SIP RTP TOS bits 184
[2013-09-06 23:41:44] VERBOSE[2988][C-00000075] netsock2.c: == Using SIP RTP CoS mark 5
[2013-09-06 23:41:44] VERBOSE[3462][C-00000075] pbx.c: -- Executing [222200972595660432@from-sip-external:1] NoOp("SIP/81.82.253.38-00000075", "Received incoming SIP connection from unknown peer to 222200972595660432") in new stack
[2013-09-06 23:41:44] VERBOSE[3462][C-00000075] pbx.c: -- Executing [222200972595660432@from-sip-external:2] Set("SIP/81.82.253.38-00000075", "DID=222200972595660432") in new stack
[2013-09-06 23:41:44] VERBOSE[3462][C-00000075] pbx.c: -- Executing [222200972595660432@from-sip-external:3] Goto("SIP/81.82.253.38-00000075", "s,1") in new stack
[2013-09-06 23:41:44] VERBOSE[3462][C-00000075] pbx.c: -- Goto (from-sip-external,s,1)
[2013-09-06 23:41:44] VERBOSE[3462][C-00000075] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/81.82.253.38-00000075", "0?checklang:noanonymous") in new stack
[2013-09-06 23:41:44] VERBOSE[3462][C-00000075] pbx.c: -- Goto (from-sip-external,s,5)
[2013-09-06 23:41:44] VERBOSE[3462][C-00000075] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/81.82.253.38-00000075", "TIMEOUT(absolute)=15") in new stack
[2013-09-06 23:41:44] VERBOSE[3462][C-00000075] func_timeout.c: -- Channel will hangup at 2013-09-06 23:41:59.924 CEST.
[2013-09-06 23:41:44] VERBOSE[3462][C-00000075] pbx.c: -- Executing [s@from-sip-external:6] Answer("SIP/81.82.253.38-00000075", "") in new stack
[2013-09-06 23:41:45] VERBOSE[3462][C-00000075] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on 'SIP/81.82.253.38-00000075'
[2013-09-06 23:41:45] VERBOSE[3462][C-00000075] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/81.82.253.38-00000075", "") in new stack
[2013-09-06 23:41:45] VERBOSE[3462][C-00000075] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/81.82.253.38-00000075'
[2013-09-06 23:41:48] VERBOSE[2988][C-00000076] netsock2.c: == Using SIP VIDEO TOS bits 136
[2013-09-06 23:41:48] VERBOSE[2988][C-00000076] netsock2.c: == Using SIP VIDEO CoS mark 6
[2013-09-06 23:41:48] VERBOSE[2988][C-00000076] netsock2.c: == Using SIP RTP TOS bits 184
[2013-09-06 23:41:48] VERBOSE[2988][C-00000076] netsock2.c: == Using SIP RTP CoS mark 5

Beone · September 6, 2013, 10:16pm

PS Those calls only last a few seconds mostly.

alan · September 7, 2013, 8:39am

Usually this is an indication that you have exposed your server to the Internet and someone is probing your system.

SkykingOH · September 7, 2013, 1:19pm

VPN is the best bet. If they are using soft phones a simple SSL client will work.

Several phones such as Yealink and SNOM have OpenVPN clients built in.

I buy Juniper 5xl VPN appliances for $10 on eBay, they work great.

Beone · September 7, 2013, 11:13am

Hi,

Yes it is exposed as we have helpdesk operators at remote sites.
I was wondering if there was something I could do on the pbx itself to avoid this as much as possible? I was for example thinking about blocking callerid’s that don’t match a certain format? Make some kind of nullrouting inbound route or how can I do this?

Many thx

Beone · September 7, 2013, 11:51am

Else, I could setup vpn’n for remote agents, which immediatelly closes it all to the outside of course.