Security - Getting probed

I’ve noticed in my call logs a lot of records like this:

25/01/11 12:46 SIP/194.28.112.29-00000130 test “test” s ANSWERED 13

21/01/11 10:31 SIP/194.28.112.29-00000114 asterisk “asterisk” s ANSWERED 13

There are many from that IP range, which resolves to somewhere in Moldova on a geoip lookup. There’s also one similar record from somewhere in Germany.

They’re all 13 seconds in duration, with the odd one at 12 seconds. This makes me suspect it’s some kind of automated system probing the internet for vulnerable asterisk systems.

From what I can see, they’re only calling internal extensions and not getting out via any of my trunks. Is this correct?

Basically what I want to know is should I be worried? What should I be doing to make sure my system is locked down?

Thanks,

Dave.
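As an added illustration (not code from the thread), here is a small Python script that parses CDR lines in the layout Dave quoted and flags source IPs that match the pattern he describes: many calls to the `s` extension, all ANSWERED, all nearly the same length. The records in `SAMPLE_CDR` are constructed for the example; the 10.0.0.5 phone is a made-up legitimate extension.

```python
import re
from collections import defaultdict

# Constructed sample lines in the same layout as the CDR records quoted in
# the post: date time channel src "clid" dst disposition duration(seconds).
SAMPLE_CDR = """\
25/01/11 12:46 SIP/194.28.112.29-00000130 test "test" s ANSWERED 13
25/01/11 12:47 SIP/194.28.112.29-00000131 100 "100" s ANSWERED 13
25/01/11 12:47 SIP/194.28.112.29-00000132 101 "101" s ANSWERED 12
25/01/11 12:48 SIP/194.28.112.29-00000133 1000 "1000" s ANSWERED 13
21/01/11 10:31 SIP/194.28.112.29-00000114 asterisk "asterisk" s ANSWERED 13
25/01/11 13:02 SIP/10.0.0.5-00000140 2001 "Dave" 2002 ANSWERED 184
"""

CDR_RE = re.compile(
    r'^(?P<date>\S+) (?P<time>\S+) SIP/(?P<ip>[\d.]+)-\w+ '
    r'(?P<src>\S+) "(?P<clid>[^"]*)" (?P<dst>\S+) (?P<disp>\S+) (?P<dur>\d+)$'
)

def parse_cdr(text):
    """Return one dict per parsable CDR line; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dur"] = int(rec["dur"])
            records.append(rec)
    return records

def find_scanners(records, min_calls=3, max_spread=2):
    """Group answered calls to the 's' extension by source IP and flag sources
    with at least min_calls calls whose durations all lie within max_spread
    seconds of each other (the 13 s / odd 12 s pattern from the post)."""
    by_ip = defaultdict(list)
    for r in records:
        if r["dst"] == "s" and r["disp"] == "ANSWERED":
            by_ip[r["ip"]].append(r)
    flagged = {}
    for ip, calls in by_ip.items():
        durs = [c["dur"] for c in calls]
        if len(calls) >= min_calls and max(durs) - min(durs) <= max_spread:
            flagged[ip] = {
                "calls": len(calls),
                "durations": sorted(set(durs)),
                "names_tried": sorted({c["src"] for c in calls}),
            }
    return flagged

if __name__ == "__main__":
    for ip, info in find_scanners(parse_cdr(SAMPLE_CDR)).items():
        print(ip, info)
```

The flagged IPs are exactly the ones worth feeding into an access list or a fail2ban-style block, as later replies in the thread suggest.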

Do you have a favorite VPN box that you would recommend? Would you recommend a VPN box for ALL asterisk servers or just those that are not behind any kind of router/firewall combination?

I do appreciate the advice. We pretty much are acting as a carrier, though, so we’ll just need to spend some time getting the system locked down.

I’m toying with the idea of deploying VPN appliances to client sites, but with the time and hassle it will take to manage all that hardware in the field, we might as well just harden our server.

Yeah, we are very lucky and had our ISP infrastructure before getting into VoIP.

We use Juniper IDS/SSG technology that keeps most of the malicious crap from ever hitting the server. It develops signatures for the malicious traffic and has a very high accuracy level. Additionally, it only opens up RTP ports associated with valid SIP sessions, so only 5060 has to be exposed.

The downside is it is expensive and difficult to configure if you don’t work in the environment.

The workload of managing an Asterisk server directly on the Internet is quite high. Even with fail2ban you have to constantly check the logs and make sure the scripts are doing their job.

VPNs are cheap and very simple to configure. They solve so many problems. That is why I am such a vocal proponent.

We also use Asterisk in a production open internet environment and it is annoying to typically see over 5000 requests per day to various ports on your box, from DoS attacks to people trying brute force hacking attempts. I get a log daily of all that’s happening, but no one has been successful yet.

VPN does sound like an option most should use, we do not use VPN for our servers, but we may be switching next week as we develop a solution.

Edited - Getting the hang of the threading system here.

FreePBX has nothing to do with authentication of the SIP channels, Asterisk does.

As far as any PBX on the Internet, keep something in mind to see my side of the debate: the proprietary IP PBX vendors won’t even support a machine that is not secured properly.

Deploying Asterisk as a carrier grade switch on the public Internet is a much more complicated task than using it as a PBX. As you can see, the system will be probed constantly, placing load on the system and affecting call quality.

I appreciate the advice. A VPN, however, isn’t going to be feasible. It also seems like overkill for the task.

Surely FreePBX can handle basic authentication of users? It would seem a very odd design decision to assume that it will always be deployed inside a completely trusted network.

Can anyone clarify whether this particular attack is something to worry about? I’m fairly sure it’s just an automated system listening to my IVR for 13 seconds and then hanging up, but it would be comforting to have this confirmed by someone who’s seen something similar in the past.

Thanks,

Dave.

The phones should connect in with a VPN and you should at a minimum use access lists on your port 5060 and RTP translations so only traffic from your provider hits your box.

Placing a machine right on the Internet essentially makes you a carrier with all the attendant suffering from DoS and constant. Mitigating it is a very time-consuming, sometimes fruitless process.

This may seem incredibly obvious, but why do you have the system open to the Internet?

Probably should explain that my deployment doesn’t seem to be typical.

The server needs to be internet accessible. My trunks are SIP services and my extensions connect in via the internet and need to be able to do so from any location. There are no locally connected phones.

The actual system is in a datacentre.