Register device from outside the network\ connect using mizudroid

I configured and installed mizudroid on my tables I am able to register a phone internaly but when I try to register externally using my external IP address or my hostname it does not register any Ideas? I have tried using my external ip address X.X.X.X:5060 and also my dns.net name and is the same I cannot register I know it can be access from the out side because I constantly see faulire from intruders [2019-01-29 22:05:55] NOTICE[2401] chan_sip.c: Registration from ‘112 sip:[email protected]’ failed for ‘80.93.217.133:39569’ - Wrong password
[2019-01-29 22:05:55] NOTICE[2401] chan_sip.c: Registration from ‘112 sip:[email protected]’ failed for ‘80.93.217.133:45233’ - Wrong password

seems pretty straight forward, your remote sip client has a bad password setting for it’s extension. If you have intrusion detection set up it will eventually block this client’s IP after a number of failed attempts

the example I provided there is not for my extension is for an intruder…when try to register my device I never see if hit the logs. but I am always seeing other trying to enter like the example provided

then check you intrusion detection to see if your IP is already blocked…

Is your extension pjsip or chan_sip? With default settings on a recent FreePBX, pjsip listens on port 5060 and chan_sip listens on port 5160. So, if it’s a chan_sip exension, you may be attempting to connect to the wrong port. If it’s a pjsip exension, you haven’t shown any evidence that port 5060 is accessible from outside.

If your issue is not the above or as suggested by @ashcortech , run tcpdump to capture traffic from a registration attempt. If nothing hits your PBX, you have an unrelated network problem. If it does hit your PBX but not pjsip or chan_sip, it’s a problem with security software on the PBX.

Stewart1 good point, it could be a pjsip port issue. I still think it’s an intrusion detection lockout as i’ve seen that before just as described. If it were some other network issue she wouldn’t see the “bad guys” attempts to login in the logs

OK looking into this further I tried it from a laptop on an external network using 3CX and I was able to successfully authenticate

[2019-01-30 10:57:23] VERBOSE[2401] chan_sip.c: Registered SIP ‘6001’ at 204.237.231.66:49437
[2019-01-30 10:57:23] NOTICE[2401] chan_sip.c: Received SIP subscribe for peer without mailbox: 6001

How ever if I go back to my phone using the same information I am not able to connect I don’t even see it even hitting. are you guys familiar with mizudodroid. Are there any special config I might be missing

The same external network? If not, there could be issues with e.g. SIP ALG, mobile operator blocking SIP, etc.

I know nothing about mizudroid but have had no trouble with Groundwire, CSipSimple or Grandstream Wave on Android devices.

If you are using Wi-Fi, your router may offer a way to capture traffic. Or, can you send logs to yourself instead of their support (see Mizutech Wiki > Android logs )?

Thanks. I got it working with Groundwire

on another note…regarding security is there a way to add to black list users that are trying to register

[2019-01-30 12:43:08] NOTICE[2401] chan_sip.c: Registration from ‘“4130” sip:[email protected]’ failed for ‘210.73.83.253:36556’ - Wrong password
[2019-01-30 12:43:08] NOTICE[2401] chan_sip.c: Registration from ‘“4130” sip:[email protected]’ failed for ‘210.73.83.253:36556’ - Wrong password
[2019-01-30 12:43:14] NOTICE[2401] chan_sip.c: Registration from ‘“1234” sip:[email protected]:5060’ failed for ‘121.199.1.19:5073’ - Wrong password
[2019-01-30 12:43:29] NOTICE[2401] chan_sip.c: Registration from ‘“4500” sip:[email protected]:5060’ failed for ‘45.127.98.162:5085’ - Wrong password

is there a way to add the IP address to block list automatically. What else can I do from a security stand point.

There are many tools. If your external extensions are on static IP addresses, set up your firewall to allow only those.

fail2ban is another popular alternative. If you are running the distro, there is a firewall built in. A simple mitigation is to use an obscure bind port rather than 5060. Of course, this requires changing all your extensions to match (trunks, too, if you’re not using registration).

I am using twilio and it connects via port 5060? what is this registration you speak of. Can I turn of port 5060 and still have my trunk work and my external phones register?

Twilio supports both registration and IP authentication. If you are using registration (pjsip trunk has Register set to Send or chan_sip trunk has a Register String), you can change the port(s) you are using and Twilio will detect what port you registered from and send your calls there automatically.

If using IP authentication, you can configure on the Twilio portal, the IP address and port where they should send your calls.

Of course, if you change Port to Listen On (pjsip) or Bind Port (chan_sip), then you must restart (not just reload) FreePBX, change all extension devices that register to your PBX to use the new ports, and make any needed adjustments to your external firewall.

how do I set trunk via registration? Sorry I am new on the IP\PBX\SIP world I am learning as I go

I’m not a Twilio customer so I don’t know the details. I hope that https://www.twilio.com/docs/voice/api/sip-registration has what you need.

Thanks.

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.