Hi,
I have installed FreePBX (RasPBX) and had this running for about a week. I initially had SIP ports open to the web, but have since removed them from the firewall and rebooted the router.
I have added 4 extensions, inbound and outbound routes.
Looking at my CDR logs I see:
Call Date Recording System CallerID Outbound CallerID DID App Destination Disposition Duration Userfield Account
2016-11-13 20:33:18 1479069198.19 500 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:33:08 1479069188.18 500 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:56 1479069176.17 500 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:45 1479069165.16 400 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:34 1479069154.15 400 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:25 1479069143.14 400 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:12 1479069132.13 2005 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:32:10 1479069130.12 1000 Congestion s [from-sip-external] ANSWERED 00:12
2016-11-13 20:32:00 1479069120.11 2005 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:31:49 1479069109.10 2005 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:31:38 1479069098.9 2006 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:31:26 1479069086.8 2006 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:31:15 1479069075.7 2006 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:31:04 1479069064.6 admin Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:53 1479069053.5 admin Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:42 1479069042.4 admin Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:33 1479069031.3 5550000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:20 1479069020.2 5550000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:30:10 1479069010.1 1000 Congestion s [from-sip-external] ANSWERED 00:22
2016-11-13 20:30:09 1479069009.0 5550000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:28:08 1479068885.3932 1000 Congestion s [from-sip-external] ANSWERED 00:10
2016-11-13 20:28:01 1479068881.3931 3000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:27:50 1479068870.3930 3000 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:27:38 1479068858.3929 6001 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:27:27 1479068847.3928 6001 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:27:16 1479068836.3927 6001 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:27:05 1479068825.3926 27 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:26:54 1479068813.3925 27 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:26:42 1479068802.3924 27 Answer s [from-sip-external] ANSWERED 00:00
2016-11-13 20:26:33 1479068791.3923 208 Answer s [from-sip-external] ANSWERED 00:00
I removed the SIP ports from the router 2-3 days ago, but this activity is constant, every 2 minutes. As no connections are able to come in via the router/SIP ports, what is generating all these calls?
I am assuming something is running, as the extension numbers seem to be varied and trying to call, though I have no idea where this now goes.
Firewall Logs:
Time and date Message
01:43:46, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:43:27, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:43:26, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:43:13, 14 Nov. OUT: BLOCK [53] Defragmentation failed (Fragmented packet, header too small: PROTO 128 Fragment 0.0.0.0->4.57.246.88 offset: 12800 on ath00)
01:41:17, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:41:17, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:39:37, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:39:11, 14 Nov. OUT: BLOCK [9] Packet invalid in connection (tcp reset attack is suspected: TCP [192.168.1.48]:54850->[151.101.16.133]:443 on ppp3)
01:39:11, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:37:13, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:37:06, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:36:23, 14 Nov. BLOCKED 1 more packets (because of Packet invalid in connection)
01:36:23, 14 Nov. IN: BLOCK [9] Packet invalid in connection (Invalid tcp flags for current tcp state: TCP [104.103.120.141]:80->[86.163.250.6]:50157 on ppp3)
01:35:05, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:35:03, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:33:01, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 192.168.1.254->224.0.0.22 on ptm0.101)
01:33:01, 14 Nov. IN: BLOCK [12] Spoofing protection (IGMP 86.163.250.6->224.0.0.22 on ppp3)
01:32:08, 14 Nov. OUT: BLOCK [53] Defragmentation failed (Fragmented packet, packet too big: PROTO 128 Fragment 0.0.0.0->4.57.246.88 offset: 12800 on ath00)
The Asterisk logs stop at 20:33, at which point I used the console to stop core services…
Just restarted the services and within seconds:
== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
-- Executing [002011972599924158@from-sip-external:1] NoOp("SIP/86.163.250.6-00000000", "Received incoming SIP connection from unknown peer to 002011972599924158") in new stack
-- Executing [002011972599924158@from-sip-external:2] Set("SIP/86.163.250.6-00000000", "DID=002011972599924158") in new stack
-- Executing [002011972599924158@from-sip-external:3] Goto("SIP/86.163.250.6-00000000", "s,1") in new stack
-- Goto (from-sip-external,s,1)
-- Executing [s@from-sip-external:1] GotoIf("SIP/86.163.250.6-00000000", "0?checklang:noanonymous") in new stack
-- Goto (from-sip-external,s,5)
-- Executing [s@from-sip-external:5] Set("SIP/86.163.250.6-00000000", "TIMEOUT(absolute)=15") in new stack
-- Channel will hangup at 2016-11-14 02:05:04.420 GMT.
-- Executing [s@from-sip-external:6] Log("SIP/86.163.250.6-00000000", "WARNING,"Rejecting unknown SIP connection from 91.121.73.154"") in new stack
[2016-11-14 02:04:49] WARNING[8508][C-00000000]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 91.121.73.154"
-- Executing [s@from-sip-external:7] Answer("SIP/86.163.250.6-00000000", "") in new stack
-- Executing [s@from-sip-external:8] Wait("SIP/86.163.250.6-00000000", "2") in new stack
-- Executing [s@from-sip-external:9] Playback("SIP/86.163.250.6-00000000", "ss-noservice") in new stack
-- <SIP/86.163.250.6-00000000> Playing 'ss-noservice.ulaw' (language 'en')
-- Executing [s@from-sip-external:10] PlayTones("SIP/86.163.250.6-00000000", "congestion") in new stack
-- Executing [s@from-sip-external:11] Congestion("SIP/86.163.250.6-00000000", "5") in new stack
== Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/86.163.250.6-00000000'
-- Executing [h@from-sip-external:1] Hangup("SIP/86.163.250.6-00000000", "") in new stack
== Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/86.163.250.6-00000000'
[2016-11-14 02:05:21] WARNING[8472]: chan_sip.c:4061 retrans_pkt: Retransmission timeout reached on transmission b3192c4d9cf81f833431c76cd654e2a9 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
raspbx*CLI>
Any advice appreciated… though I suppose I should re-install clean again…?
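Added example, not part of the original post: a short Python triage of Asterisk console output like the above, counting the source address in each "Rejecting unknown SIP connection" warning, labelling it LAN or external, and collecting the numbers the unknown peers tried to dial. The RFC 1918 test for "LAN" and the function names are assumptions of this example; the first three sample lines are taken from the post (with plain quotes) and the last two are constructed.

```python
import ipaddress
import re
from collections import Counter

# Private IPv4 ranges (RFC 1918); anything else is treated as external.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Only the timestamped WARNING line is counted; the "-- Executing ... Log(...)"
# line repeats the same text and would double-count each call.
REJECT = re.compile(
    r'^\[(?P<ts>[^\]]+)\] WARNING\[\d+\](?:\[C-[0-9a-f]+\])?: .*'
    r'"Rejecting unknown SIP connection from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"')
# Priority 1 of from-sip-external carries the number the caller asked for.
DIALED = re.compile(r'Executing \[(?P<did>[^@\]]+)@from-sip-external:1\] NoOp\(')

SAMPLE_LOG = '''
-- Executing [002011972599924158@from-sip-external:1] NoOp("SIP/86.163.250.6-00000000", "Received incoming SIP connection from unknown peer to 002011972599924158") in new stack
-- Executing [s@from-sip-external:6] Log("SIP/86.163.250.6-00000000", "WARNING,"Rejecting unknown SIP connection from 91.121.73.154"") in new stack
[2016-11-14 02:04:49] WARNING[8508][C-00000000]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 91.121.73.154"
[2016-11-14 02:06:51] WARNING[8511][C-00000001]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 91.121.73.154"
[2016-11-14 02:07:02] WARNING[8513][C-00000002]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 10.0.0.5"
'''

def origin(addr):
    """Return 'lan', 'external', or 'invalid' for a dotted-quad string."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "lan" if any(ip in net for net in RFC1918) else "external"

def triage(log_text):
    """Count rejected source addresses and dialed numbers in the log text."""
    sources, dialed = Counter(), Counter()
    for line in log_text.splitlines():
        line = line.strip()
        m = REJECT.match(line)
        if m:
            sources[m["src"]] += 1
            continue
        m = DIALED.search(line)
        if m:
            dialed[m["did"]] += 1
    return sources, dialed

def report(log_text):
    """Sources as (address, origin, count), busiest first, plus dialed numbers."""
    sources, dialed = triage(log_text)
    return ([(s, origin(s), n) for s, n in sources.most_common()],
            dialed.most_common())

if __name__ == "__main__":
    for row in report(SAMPLE_LOG)[0]:
        print(row)
```

An "external" result means the INVITEs are still arriving from outside the LAN; a "lan" result points at a host on the local network instead.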