Lots of unrecognised calls showing in User Panel / Call Monitor

I am trying out a new sip trunk service to replace ISDN on my freepbx setup. The trunk provider asked me for the public facing IP of the pbx server and told me to open the following ports inbound and outbound. They said that it’s needed so that they know where to send my incoming calls and where to allow my calls from.

5060 (UDP)
5060-5061 (TCP)
9000-10999 (UDP)

Problem is that, as soon as I enable the firewall rule to open these ports, the User Panel starts reporting unusual activity. Literally every few seconds there is a log that shows:

Caller ID as random numbers mostly 4 characters long , Source is same as caller ID and destination all show as “s”

As soon as I disable the firewall rule then these logs stop popping up.

Can anyone kindly tell me what is going on? This doesn’t seem normal what is the “s” destination and what exactly is happening?

You probably have ‘Allow Guests’ enabled in Asterisk SIP Settings. With that param enabled, and with the firewall change, you’re bombarding your system with malicious SIP invites. The PBX processes each call, plays a recording and then drops it, and records a CDR record in the process.

Disabling allow sip guests will quiet the CDR, but if you’re going to leave signaling ports open to untrusted traffic, ensure that you have something in place (fail2ban, responsive firewall, apiban, whatever) to ensure that abusers get blocked.

Yes just noticed that Allow Guests is enabled.

Picture of sample log below. Other than disabling the guest mode, what other methods do I have to prevent this? possibly on the firewall? right now the firewall is set to allow any external traffic on those ports. ideally I would like to restrict it to the IP adddress of the SIP trunk provider but they say they dont recommend that because they may add new IP’s and this may cause issues in the long run.

I still feel like a lot of junk is coming in and disabling guest mode will still require freepbx to do a lot of filtering and log files may become big.

Advice and suggestion would be much appreciated. Thanks.

What exactly is happening in the example below? Unknown sip device trying to call where ? What is S? And what is freepbx giving back?

You don’t need to provide the log; this is just an inevitable consequence of opening 5060. You should only open 5060 to address ranges controlled by your ITSP. There are large numbers of people intent on getting you to dial premium rate numbers that they own.

That is not something they can tell you, and it is wrong for a default installation of FreePBX. You need to open the port range configured in FreePBX.

Also, are you registering with them? If so, you should be able to choose a different port from 5060, and should choose one that isn’t guessable.

s (lower case) is a placeholder virtual extension number used when the caller only specifies an IP address.

This is their website link that publishes their IP addresses but it also mentions they advice not to limit to just those IP’s although i feel like it feels safer

https://my.gradwell.com/s/article/what-ip-addresses-may-gradwell-send-voip-traffic-from

So I don’t need to open 9000-10999 (UDP) ? only what is configured in freePBX? where do I find what is the configured range for this in freePBX?

There is no registration string in the SIP trunk, i’m still trying to figure out how to add them. They’ve got a few guides on this link but i’m struggling to make sense of how to add them: https://my.gradwell.com/s/global-search/Asterisk

Specifying a different port to 5060 would be a good option, but i’m assuming this only works when registering?

By default the port range is in /etc/asterisk/rtp.conf and it’s includes, FreePBX incorrectly uses 10000-20000, that should be 10000-19999 or statistically one in 2500 calls will ‘not be good’ (it’s a math thing :wink: )

You may convey my dissatisfaction with this policy should you find yourself in a position to do so. The linked page makes no effort to separate signaling and media hosts, and stating they can’t guarantee service without unrestricted inbound access to signaling ports is shocking. There are many competing providers, it might be wise to consider voting with your dollars here.

This is a useful page for you: Ports used on your PBX - PBX Platforms - Documentation

1 Like

I will contact them insisting that I restrict inbound traffic only to their IP addresses as I’m not comfortable leaving it open to all.

If Allow Guest creates this much chaos, what exactly is the use of this guest feature?

I’m still trying to understand how this company sip trunks work because they don’t have any sort of registration username or password. They just ask for the IP address of my PBX and I’m assuming it will automatically accept connections from my IP

On the older channel driver, it wasn’t possible to list large numbers of possible sources addresses.

Although almost everyone uses SIP in hierarchical networks, with calls going up and then back down again, SIP was actually designed for direct “connections” to the destination site (as was internet mail).

Asterisk defaulted to allow guest = yes in sample configurations to remove obstacles to people wanting to quickly try it out.

So I turned off allow guest and as soon as I turned it off those calls were not getting through. In the intrusion protection, freepbx had blacklisted some IP’s. I created a Alias on my firewall containing all the IP ranges for the sip provider “Gradwell” from their list provided in the link previously. Now it’s so much better :slight_smile:

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.