I’m running the latest patch (1.8.1.4-2) on the FreePBX distro and have begun seeing in the CDR three hits daily coming from a couple of Ukrainian IPs over the past four days:

| Date | Channel | Source | CID | DST | Disposition | Duration |
|---|---|---|---|---|---|---|
| 2011-06-15 07:03:37 | SIP/91.223… | asterisk | “asterisk” | s | ANSWERED | 00:13 |
| 2011-06-15 06:04:31 | SIP/89.187… | asterisk | “asterisk” | s | ANSWERED | 00:13 |
| 2011-06-14 20:55:04 | SIP/91.223… | asterisk | “asterisk” | s | ANSWERED | 00:13 |

It’s concerning that these external SIP calls are getting through, despite anonymous SIP calls being disallowed in the general settings. Fail2ban is running, but I assume it’s not designed to catch this type of attack, or running below the threshold.
Aside from polluting my CDR, is any concern warranted on my part? And is this the normal operation for rejecting (disallowing anonymous inbound SIP) these types of attacks/probes? Below is a snippet of the log showing how these are being processed by the server:
NoOp(“SIP/91.223.89.78-000000a7”, “Received incoming SIP connection from unknown peer to 9011442073479999”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [9011442073479999@from-sip-external:2] Set(“SIP/91.223.89.78-000000a7”, “DID=9011442073479999”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [9011442073479999@from-sip-external:3] Goto(“SIP/91.223.89.78-000000a7”, “s,1”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Goto (from-sip-external,s,1)
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/91.223.89.78-000000a7”, “0?checklang:noanonymous”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Goto (from-sip-external,s,5)
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/91.223.89.78-000000a7”, “TIMEOUT(absolute)=15”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] func_timeout.c: Channel will hangup at 2011-06-15 07:03:52.137 CDT.
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/91.223.89.78-000000a7”, “”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:7] Wait(“SIP/91.223.89.78-000000a7”, “2”) in new stack
[2011-06-15 07:03:39] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:8] Playback(“SIP/91.223.89.78-000000a7”, “ss-noservice”) in new stack
[2011-06-15 07:03:39] VERBOSE[4378] file.c: – <SIP/91.223.89.78-000000a7> Playing ‘ss-noservice.ulaw’ (language ‘en’)
[2011-06-15 07:03:44] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:9] PlayTones(“SIP/91.223.89.78-000000a7”, “congestion”) in new stack
[2011-06-15 07:03:44] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:10] Congestion(“SIP/91.223.89.78-000000a7”, “5”) in new stack
[2011-06-15 07:03:50] VERBOSE[4378] pbx.c: == Spawn extension (from-sip-external, s, 10) exited non-zero on ‘SIP/91.223.89.78-000000a7’
[2011-06-15 07:03:50] VERBOSE[4378] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/91.223.89.78-000000a7”, “”) in new stack
[2011-06-15 07:03:50] VERBOSE[4378] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/91.223.89.78-000000a7’
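
An added example, not part of the original post: a Python sketch that pulls the "unknown peer" NoOp lines out of a log like the one above and shows why a few probes per day stay under a short counting window. The sample lines, the documentation-range IPs and the function names are constructed; `maxretry` and `findtime` borrow the names of Fail2ban's jail options, but the counting here is a simplified model, not Fail2ban's code.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines modelled on the log excerpt in the post.
# 192.0.2.10 and 198.51.100.7 are documentation addresses, not real sources.
SAMPLE_LOG = """\
[2011-06-14 20:55:04] VERBOSE[4290] pbx.c: -- Executing [9011442073479999@from-sip-external:1] NoOp("SIP/192.0.2.10-000000a5", "Received incoming SIP connection from unknown peer to 9011442073479999") in new stack
[2011-06-15 06:04:31] VERBOSE[4301] pbx.c: -- Executing [9011442073479999@from-sip-external:1] NoOp("SIP/192.0.2.10-000000a6", "Received incoming SIP connection from unknown peer to 9011442073479999") in new stack
[2011-06-15 06:30:00] VERBOSE[4310] pbx.c: -- Executing [9011442073479999@from-sip-external:1] NoOp("SIP/198.51.100.7-000000b1", "Received incoming SIP connection from unknown peer to 9011442073479999") in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: -- Executing [9011442073479999@from-sip-external:1] NoOp("SIP/192.0.2.10-000000a7", "Received incoming SIP connection from unknown peer to 9011442073479999") in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: -- Executing [9011442073479999@from-sip-external:3] Goto("SIP/192.0.2.10-000000a7", "s,1") in new stack
"""

# Accept straight or typographic quotes, since forum software often converts them.
UNKNOWN_PEER = re.compile(
    r'^\[(?P<ts>[\d-]+ [\d:]+)\].*?'
    r'NoOp\(["“]SIP/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})-[0-9a-f]+["”],\s*'
    r'["“]Received incoming SIP connection from unknown peer to (?P<did>[^"”]+)["”]\)'
)

def unknown_peer_hits(lines):
    """Map source IP -> list of (timestamp, dialed number) for unknown-peer calls."""
    hits = defaultdict(list)
    for line in lines:
        m = UNKNOWN_PEER.search(line)
        if m:
            hits[m["ip"]].append((m["ts"], m["did"]))
    return dict(hits)

def sources_over_threshold(hits, maxretry, findtime):
    """Return IPs with at least maxretry hits inside any window of length findtime."""
    flagged = []
    for ip, calls in hits.items():
        times = sorted(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S") for ts, _ in calls)
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                flagged.append(ip)
                break
    return sorted(flagged)

if __name__ == "__main__":
    hits = unknown_peer_hits(SAMPLE_LOG.splitlines())
    for window in (timedelta(minutes=10), timedelta(days=1)):
        print(window, sources_over_threshold(hits, maxretry=3, findtime=window))
```

With three hits spread over about ten hours, the ten-minute window flags nothing, while the one-day window flags the repeating source.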