Please help a complete newb with SiPVicious

I have fail2ban running, changed my SSH port number but I still have phantom calls from EXT 1000 non stop.
Do I need to create an IPtable like something below? If so, how would I do that?

-A INPUT -p udp -m udp --dport 5060 -m string --string "friendly-scanner" --algo bm --to 500 -j DROP

SIP connections do not use your SSH port; do exactly what you did for SSH but for port 5060 (SIP).

“friendly scanner” is just one of a multitude of SIP exploits that will probe/eventually_penetrate/then_deplete_your_bank_account.

Of course firewalls can help, IDS also (Fail2Ban/rkhunter/et_al) but each of these is open to the next vector that attacks your open port(s), be wary of all claims that what you have is absolutely impenetrable, sooner or later most such claims have been found to be eventually baseless.

The Moral of my story is as ever, just don’t expose obvious ports to the so called ‘knuckledraggers’ who are unfortunately a lot cleverer than you, me or probably anyone here. It is trivial to change.


To amplify:

  • If you do not have “outside” phones (outside your local area), do not open port 5060 (or any other SIP port) to the Internet. If you are running a server “in the cloud”, be sure to limit access to port 5060 to either your dedicated VPN to your local network or VPN your phones.
  • If you do have “outside” phones (either because you have rovers or because you are in the cloud) you need to be very protective of port 5060.
  • Review your firewall settings in all of the devices in your stream to make sure someone hasn’t added a “redirector” that can get around your port lock-down. For example, someone opening port 1234 on your router and redirecting that to internal port 5060 can cause problems like you are seeing.
  • Use the Integrated Firewall and lock the server down tight. If you are and people are still getting in, you’ve done it wrong.

There is no scenario where having people hammering away on your phone connections is a good idea. At best, it uses up your bandwidth (which is, based on physics, limited) and at worst can expose your system to unauthorized toll calling to places that charge dollars per minute for phone conversations. We’ve heard many horror stories in the past, with @dicko’s being the one that really opened a lot of eyes.

I should have mentioned that the phones experiencing this issue are remote phones. They are Polycom VVX300’s. This client has their FreePBX here in our office.

Block access to port 5060 to everyone except the IP address of your client and your ITSP. If your FreePBX installation lives on the Internet directly, you MUST turn on the Integrated Firewall and limit access on the 5060 port. Unless your client’s IP address block changes, just do everything you can to limit access to only known and trusted IP addresses. Block everything else. EVERYTHING.

The sooner you start kicking usurpers out of your network, the less likely you are to end up in the poor house.

How would I limit access to 5060 on the FreePBX firewall? Do I need to create a custom Firewall rule?
Currently, under Networks, I have the users ISP assigned to the local trusted traffic.

You identify the IP at the remote location as a “trusted” network. This allows traffic that you identify in the “ports” section as “local” to get into the network. In the “ports” section, you limit access to port 5060 and turn off the Adaptive Firewall (since you don’t need rovers any more). This returns control of who can access the Chan-SIP and PJ-SIP ports to you.

When you say ports section, is this found in the Firewall module?
The Remote locations IP (public) is set under Networks as trusted.
Where is the port section?

I suggested that you just don’t use 5060, then you won’t need to filter it. Just allow your chosen random port.

Ok, see and add the friendly scanner lines to your /etc/firewall-4.rules and enable custom firewall rules.

As to the Polycoms, you need to make sure your configs for the phones have
<voIpProt.SIP.requestValidation voIpProt.SIP.requestValidation.1.method="source" voIpProt.SIP.requestValidation.1.request="INVITE" /> for details

We had issues with Polycoms and phantom calls till this was added to the config.


If my SIP carrier is starting to see SIP vicious packets does that mean my system has been compromised or just the lack of security on port 5060?

OPTIONS sip:[email protected] SIP/2.0
Via: SIP/2.0/UDP;branch=z9hG4bK-2838259820;rport
Content-Length: 0
From: "sipvicious"<sip:[email protected]>;tag=3663313431316335313363340133303130383034323531
Accept: application/sdp
User-Agent: friendly-scanner
To: " sipvicious "<sip:[email protected]>
Contact: sip:[email protected]:5071
CSeq: 1 OPTIONS
Call-ID: 775692225465362982571714
Max-Forwards: 70

What do you mean by your SIP carrier is seeing SIP vicious packets?

Is that an options packet that you have received on your end?
If so, it means that you’re being probed for existing extensions on your system to be hacked ultimately, and it would also mean that your security implementations are inadequate.
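Added example (my own, not code from the thread): a small Python checker that parses an OPTIONS probe like the one quoted above, reports which headers carry the SIPVicious markers ("friendly-scanner" in User-Agent, "sipvicious" in From/To), and applies the allow-list logic recommended earlier for udp/5060. The trusted networks and all SIP addresses are constructed placeholders.

```python
import ipaddress
import re

# Markers seen in the probe quoted above: the User-Agent and the From/To display names.
SCANNER_MARKERS = ("friendly-scanner", "sipvicious")

# Constructed allow-list: the client's office block and the ITSP's signalling host.
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"),
                    ipaddress.ip_network("198.51.100.10/32")]

def parse_sip(raw):
    """Split a SIP request into its request line and a lower-cased header map.
    Accepts CRLF, LF, or the forum's '…' as the line separator."""
    lines = [l for l in re.split(r"\r\n|\n|…", raw) if l.strip()]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # first colon ends the header name
        headers[name.strip().lower()] = value.strip()
    return {"request": lines[0].strip(), "headers": headers}

def scanner_hits(msg):
    """Names of the headers that carry a known scanner marker (fixed order)."""
    hits = []
    for name in ("user-agent", "from", "to"):
        value = msg["headers"].get(name, "").lower()
        if any(marker in value for marker in SCANNER_MARKERS):
            hits.append(name)
    return hits

def verdict(raw, src_ip):
    """DROP anything not on the allow-list (the thread's main advice); then DROP
    allow-listed traffic that still carries a scanner marker; otherwise ALLOW."""
    src = ipaddress.ip_address(src_ip)
    if not any(src in net for net in TRUSTED_NETWORKS):
        return "DROP: untrusted source"
    hits = scanner_hits(parse_sip(raw))
    if hits:
        return "DROP: scanner marker in " + ",".join(hits)
    return "ALLOW"

# The OPTIONS probe from the thread, with constructed addresses and a shortened tag.
SAMPLE = ("OPTIONS sip:100@pbx.example SIP/2.0…Via: SIP/2.0/UDP;branch=z9hG4bK-2838259820;rport…"
          "Content-Length: 0…From: \"sipvicious\"<sip:100@192.0.2.9>;tag=3663313431…"
          "Accept: application/sdp…User-Agent: friendly-scanner…To: \" sipvicious \"<sip:100@192.0.2.9>…"
          "Contact: sip:100@192.0.2.9:5071…CSeq: 1 OPTIONS…Call-ID: 775692225465362982571714…Max-Forwards: 70…")

# A constructed legitimate REGISTER from a phone on the client's network.
CLEAN = ("REGISTER sip:pbx.example SIP/2.0\r\nUser-Agent: Polycom-VVX300-constructed\r\n"
         "From: <sip:1000@pbx.example>;tag=abc1\r\nTo: <sip:1000@pbx.example>\r\nContent-Length: 0\r\n")
```

Note that the string match alone (the iptables rule earlier in the thread) only catches traffic that reaches the port; the allow-list check runs first here for the same reason the thread puts the firewall first.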

If you are NOT listening to udp/5060 I very much doubt you would ever see that again :slight_smile:

That is not entirely true. I’ve watched them send INVITEs over multiple ports and not standard SIP ports. The idea of “don’t listen on 5060 UDP” is not a real security measure. They are well aware people listen on non-standard ports as a security measure.

So just because you’re not listening on 5060 for SIP doesn’t mean you won’t see SIP attacks again.

Pragmatically, you can expand your exclusions to 5000 to 5099, that will cover 99.99% of the scripts out there, just sharing a few years of experience, but way better to be totally exclusive and choose “your port” as an arbitrary port between 20001 and 60000 (whatever) (only one port needed).

Also stop using UDP; TCP works fine without any angst for almost every SIP phone, physical or virtual.

If you care to, move to TLS. It takes a little work and RTFM, but guess what? No more sh*t connections.

You are forgetting a key part of the equation here with these suggestions, the provider. If your PBX is open to the Internet and your endpoints are remote, using TCP or TLS is fine for them. The snag to “only use TCP or TLS” logic is that you immediately limit your options to what providers you can use for your voice service. While there are a limited few that offer either TCP and/or TLS connections that is a very small percentage to the average provider which will be doing things over UDP.

There’s no TLS on the PSTN so the majority of providers opt not to even bother wasting resources decrypting/encrypting 10’s of thousands of calls. Along those lines they also are not wasting resources on the same amount of stateful connections in their switches.

While all these steps of changing ports or moving to TCP or TLS are great, has anyone asked the basic question: Was “Allow SIP Guests” set to “Yes”? Because that is generally what I see as the “default” setting when the PBX is first set up. It was meant as a way for the user to ensure they were getting requests from endpoints, etc. while the system was being set up.

The other measure would be to move to PJSIP as PJSIP does not have the concept of “anonymous users”. If there isn’t an endpoint/user to match PJSIP automatically rejects the call. It stops a lot of these SIP scans from doing anything as well.

This was always one of Chan_SIP’s bigger flaws.

I respectfully reject everything you say here. I was talking about local extensions either in the LAN or the WAN, but thank you for your opinion.

Of course you were and of course you do.

And whether it works or not is open to actually doing it (pragmatism), then testing it and hopefully eventually approving it; did you ever try that recipe?

Seriously, if you are just not listening to the standard penetrations, yet allowing the pin-holes for your providers . . . .

(Some might ask why you are so angry with everything, insult everyone and assume you are always right, are you that confident in yourself? )


Angry?! I’m not angry all the time, I’m not even angry now as I make this reply. Do not conflate anger with a lower tolerance for complacency, banality or mediocrity. There are differences. So yeah, when I see SIP/VoIP/Asterisk support being given from the “How to VoIP circa 2005” playbook in 2018 I have a low trigger level of annoyance.

I’m also unaware where I have insulted you. I’m not going to say I haven’t insulted people but 99% of the time I am doing it intentionally. In regards to you, however, I have no recollection of insulting you in any way. Now if you have felt insulted because I have disagreed with you or corrected something you have said then there is nothing I can do about that. While we have had our fair share of disagreements, at the same time I have agreed with you quite often on various items.

If you feel like I’m going out of my way to “correct you and make you look stupid”, I’m not. I have this thing where if I see wrong information being presented to me as fact I want to correct it. I will be the first to say that has bit me on the ass in the past and I’ll probably be nipped again in the future, but there have been cases where I corrected someone then I was corrected myself. Either because my correction was not completely accurate or because my correction was erroneous and it needed correction itself.

So do I assume I’m always right? No, I do not. There are times I am wrong and I have no problem being called out on it and even owning I was wrong. You know what happens though, I learn so the next time I am right.

And yeah, I am that confident in myself. If I wasn’t I wouldn’t have made it as far as I have and would have been eaten up and spit out years ago. I have spent my fair share of being corrected, really insulted, chewed out and had my ass handed to me by more experienced people over the past 2 decades. Not over the Internet but in person, in front of people I had to face every day. You either learn from it, get tougher and soldier on, or you can go home and cry naked in the fetal position in the shower. The choice is yours.

I think part of our little “It’s complicated” relationship here is that we are from two completely different subsets of this industry (as far as I can tell). You belong to that subset that deals directly with the customer and gets them what they need, be it a PBX, phones, networking, Internet, SIP Trunking, etc. If they go down or have issues, you’re the one dealing with it and working with the provider to solve it. I belong to that subset that your subset calls to get those services such as Internet and SIP Trunking, etc. Which means my approach and methods to Telephony and SIP come from a completely different point of view.

The one thing I can say is though, between the handful of ITSPs/LECs I’ve been at and dealing with the other LECs (ATT, CenturyLink, Qwest, etc.) there are common practices, philosophies and methods shared by them all. I am 100% guilty of adopting those.