Hello,
I’m hoping for a bit of help with regards to the Security of my PBX.
Question 1:
I found the following post by @dicko in "Am I being hacked?":
There is another function of Asterisk which also greatly improves security (but little used) if you use UDP/5060 (the target of 99.99% of the bad guys). For chan_sip, just add:
domain=your.dns.name
domain= 127.0.0.1 ;If you have t38modems or the like
I have this done for chan_SIP however we also use chan_pjsip for our extensions:
For chan_pjsip, I’m sure there is an equivalency in your AOR setup to reject any IP based URI’s
Does anyone know the equivalent setting to achieve this for chan_PJSIP also?
Question 2:
We have remote chan_pjsip extensions which connect to our PBX from unknown random IP addresses. Responsive Firewall/fail2ban seem to do a great job at securing the PBX and keeping potential attackers away; however, recently we have seen PJSIP/Anonymous attempted calls which do not get blocked.
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:1] NoOp(“PJSIP/anonymous-00000001”, “Received incoming SIP connection from unknown peer to 48893076002”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:2] Set(“PJSIP/anonymous-00000001”, “DID=48893076002”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:3] Goto(“PJSIP/anonymous-00000001”, “s,1”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx_builtins.c: Goto (from-sip-external,s,1)
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:1] GotoIf(“PJSIP/anonymous-00000001”, “1?setlanguage:checkanon”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx_builtins.c: Goto (from-sip-external,s,2)
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:2] Set(“PJSIP/anonymous-00000001”, “CHANNEL(language)=en”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:3] GotoIf(“PJSIP/anonymous-00000001”, “0?noanonymous”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:4] Goto(“PJSIP/anonymous-00000001”, “from-trunk,48893076002,1”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx_builtins.c: Goto (from-trunk,48893076002,1)
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:1] Set(“PJSIP/anonymous-00000001”, “CHANNEL(accountcode)=48893076002”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:2] ExecIf(“PJSIP/anonymous-00000001”, “0 = 1?Set(CALLERID(num)=0)”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:3] Set(“PJSIP/anonymous-00000001”, “__FROM_DID=48893076002”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:4] Goto(“PJSIP/anonymous-00000001”, “ext-did,s,1”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx_builtins.c: Goto (ext-did,s,1)
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:1] Set(“PJSIP/anonymous-00000001”, “__DIRECTION=INBOUND”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:2] Gosub(“PJSIP/anonymous-00000001”, “sub-record-check,s,1(in,s,Array)”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:1] GotoIf(“PJSIP/anonymous-00000001”, “0?initialized”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:2] Set(“PJSIP/anonymous-00000001”, “__REC_STATUS=INITIALIZED”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:3] Set(“PJSIP/anonymous-00000001”, “NOW=1552676469”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:4] Set(“PJSIP/anonymous-00000001”, “__DAY=15”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:5] Set(“PJSIP/anonymous-00000001”, “__MONTH=03”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:6] Set(“PJSIP/anonymous-00000001”, “__YEAR=2019”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:7] Set(“PJSIP/anonymous-00000001”, “__TIMESTR=20190315-190109”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:8] Set(“PJSIP/anonymous-00000001”, “__FROMEXTEN=unknown”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:9] Set(“PJSIP/anonymous-00000001”, “__MON_FMT=wav”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:10] NoOp(“PJSIP/anonymous-00000001”, “Recordings initialized”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:11] ExecIf(“PJSIP/anonymous-00000001”, “0?Set(ARG3=dontcare)”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:12] Set(“PJSIP/anonymous-00000001”, “REC_POLICY_MODE_SAVE=”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:13] ExecIf(“PJSIP/anonymous-00000001”, “0?Set(REC_STATUS=NO)”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:14] GotoIf(“PJSIP/anonymous-00000001”, “2?checkaction”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx_builtins.c: Goto (sub-record-check,s,17)
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:17] GotoIf(“PJSIP/anonymous-00000001”, “1?sub-record-check,in,1”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx_builtins.c: Goto (sub-record-check,in,1)
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:1] NoOp(“PJSIP/anonymous-00000001”, “Inbound Recording Check to s”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:2] Set(“PJSIP/anonymous-00000001”, “FROMEXTEN=unknown”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:3] ExecIf(“PJSIP/anonymous-00000001”, “8?Set(FROMEXTEN=Itribune)”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:4] Gosub(“PJSIP/anonymous-00000001”, “recordcheck,1(Array,in,s)”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:1] NoOp(“PJSIP/anonymous-00000001”, “Starting recording check against Array”) in new stack
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Executing [[email protected]:2] Goto(“PJSIP/anonymous-00000001”, “Array”) in new stack
[2019-03-15 19:01:09] NOTICE[3843][C-00000003] pbx.c: No such label ‘Array’ in extension ‘recordcheck’ in context ‘sub-record-check’
[2019-03-15 19:01:09] WARNING[3843][C-00000003] pbx.c: Priority ‘Array’ must be a number > 0, or valid label
[2019-03-15 19:01:09] VERBOSE[3843][C-00000003] pbx.c: Spawn extension (sub-record-check, recordcheck, 2) exited non-zero on ‘PJSIP/anonymous-00000001’
Normally, the solution would be to disable Allow Anonymous Inbound SIP Calls in Asterisk SIP Settings however enabling this option is a requirement by our telephone provider and enabling prevent inbound calls. I have spoken with the provider and registering with them is not an option. Their advice is to block all IP address except their subnet however this would block our remote extensions. Ideally, I do not want to use a VPN as many of our endpoints do not support this.
Does anyone know of a way on how I can block these PJSIP/Anonymous calls without disabling the above setting?
I found this: http://www.dslreports.com/forum/remark,28937818 and created the following rules using the FreePBX Responsive Firewall Custom rules however they do not seem to apply (I think because the rule 1 is being applied first before my custom rules)
[[email protected] root]# iptables -L --line-numbers --numeric
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fpbxfirewall all -- 0.0.0.0/0 0.0.0.0/0
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 state RELATED,ESTABLISHED
3 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "REGISTER sip:my.pbx.com" ALGO name bm TO 65535
4 DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "REGISTER sip:" ALGO name bm TO 65535
5 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "OPTIONS sip:my.pbx.com" ALGO name bm TO 65535
6 DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "OPTIONS sip:" ALGO name bm TO 65535
7 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "INVITE sip:my.pbx.com" ALGO name bm TO 65535
8 DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "INVITE sip:" ALGO name bm TO 65535
All our endpoints and DIDs point to my.pbx.com. Anything received directly to the IP address would be a potential attacker.
Thanks,
Fraser
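
An added example, not part of the original post and not FreePBX firewall code: a small Python model of rules 3-8 above (first match wins, plain substring search over the payload), run against constructed SIP request lines, next to a check that compares only the Request-URI host. It shows that a request carrying a user part, such as an INVITE to a DID at my.pbx.com, never matches the "INVITE sip:my.pbx.com" ACCEPT string and lands on the DROP rule. The address 203.0.113.10 and the extension 100 are constructed sample values, and rules 1 and 2 of the chain are not modelled.

```python
import re

# Rules 3-8 from the posted INPUT chain, in order: (target, payload substring).
POSTED_RULES = [
    ("ACCEPT", "REGISTER sip:my.pbx.com"),
    ("DROP",   "REGISTER sip:"),
    ("ACCEPT", "OPTIONS sip:my.pbx.com"),
    ("DROP",   "OPTIONS sip:"),
    ("ACCEPT", "INVITE sip:my.pbx.com"),
    ("DROP",   "INVITE sip:"),
]

def string_match_verdict(payload, rules=POSTED_RULES):
    """First matching rule wins; the match is a substring search anywhere in the payload."""
    for target, needle in rules:
        if needle in payload:
            return target
    return "NO MATCH"  # packet would continue to whatever follows in the chain

# METHOD sip:[userinfo@]host[:port][;params] at the start of the request.
REQUEST_LINE = re.compile(r"^([A-Z]+) sips?:(?:[^@\s]*@)?([^\s;:>]+)")

def host_verdict(payload, allowed_host="my.pbx.com"):
    """Decision the post is aiming for: accept only when the Request-URI host is the FQDN."""
    m = REQUEST_LINE.match(payload)
    if not m:
        return "NO MATCH"
    return "ACCEPT" if m.group(2).lower() == allowed_host else "DROP"

# Constructed request lines (only the first line matters for these checks).
SAMPLES = [
    "REGISTER sip:my.pbx.com SIP/2.0\r\n",
    "INVITE sip:48893076002@my.pbx.com SIP/2.0\r\n",
    "OPTIONS sip:100@my.pbx.com:5060 SIP/2.0\r\n",
    "INVITE sip:48893076002@203.0.113.10 SIP/2.0\r\n",
]

def compare(samples=SAMPLES):
    """Return (request line, posted-rules verdict, host-check verdict) per sample."""
    return [(s.strip(), string_match_verdict(s), host_verdict(s)) for s in samples]

if __name__ == "__main__":
    for line, posted, by_host in compare():
        print(f"{line:45} posted rules: {posted:8} host check: {by_host}")
```
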