Server slowly being probed by unknown IP's?

jehowe · June 15, 2011, 3:08pm

I’m running the latest patch (1.8.1.4-2) on the freePBX distro have begun seeing in the CDR three hits daily coming from a couple of Ukrainian IP’s over the past four days-

Date Channel Source CID DST Disposition Duration
2011-06-15 07:03:37 SIP/91.223… asterisk “asterisk” s ANSWERED 00:13
2011-06-15 06:04:31 SIP/89.187… asterisk “asterisk” s ANSWERED 00:13
2011-06-14 20:55:04 SIP/91.223… asterisk “asterisk” s ANSWERED 00:13

It’s concerning that these external SIP calls are getting through, despite anonymous SIP calls disallowed in the general settings. Fail2ban is running, but I assume it’s not designed to catch this type of attack, or running below the threshold.

Aside from polluting my CDR, is any concern warranted on my part? And is this the normal operation for rejecting (disallowing anonymous inbound SIP) these types of attacks/probes? Below is a snippet of the log showing how these are being processed by the server:

NoOp(“SIP/91.223.89.78-000000a7”, “Received incoming SIP connection from unknown peer to 9011442073479999”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [9011442073479999@from-sip-external:2] Set(“SIP/91.223.89.78-000000a7”, “DID=9011442073479999”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [9011442073479999@from-sip-external:3] Goto(“SIP/91.223.89.78-000000a7”, “s,1”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Goto (from-sip-external,s,1)
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/91.223.89.78-000000a7”, “0?checklang:noanonymous”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Goto (from-sip-external,s,5)
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/91.223.89.78-000000a7”, “TIMEOUT(absolute)=15”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] func_timeout.c: Channel will hangup at 2011-06-15 07:03:52.137 CDT.
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/91.223.89.78-000000a7”, “”) in new stack
[2011-06-15 07:03:37] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:7] Wait(“SIP/91.223.89.78-000000a7”, “2”) in new stack
[2011-06-15 07:03:39] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:8] Playback(“SIP/91.223.89.78-000000a7”, “ss-noservice”) in new stack
[2011-06-15 07:03:39] VERBOSE[4378] file.c: – <SIP/91.223.89.78-000000a7> Playing ‘ss-noservice.ulaw’ (language ‘en’)
[2011-06-15 07:03:44] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:9] PlayTones(“SIP/91.223.89.78-000000a7”, “congestion”) in new stack
[2011-06-15 07:03:44] VERBOSE[4378] pbx.c: – Executing [s@from-sip-external:10] Congestion(“SIP/91.223.89.78-000000a7”, “5”) in new stack
[2011-06-15 07:03:50] VERBOSE[4378] pbx.c: == Spawn extension (from-sip-external, s, 10) exited non-zero on ‘SIP/91.223.89.78-000000a7’
[2011-06-15 07:03:50] VERBOSE[4378] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/91.223.89.78-000000a7”, “”) in new stack
[2011-06-15 07:03:50] VERBOSE[4378] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/91.223.89.78-000000a7’

obelisk · June 16, 2011, 4:54pm

Do one of the following:

set allowguest to no
stop exposing your sip port to the outside world.

jehowe · June 17, 2011, 1:20pm

I hadn’t used (or noticed) the allowguest switch until now, thanks. What I ended up doing was change the firewall to block inbound SIP except from primary & secondary providers. No issues so far.

Taffman · October 3, 2013, 10:39am

I have also just had similar attacks and yes my allowguest switch was set to yes (now set to no). I was forwarding my SIP ports on my broadband router to my FreePBX box. I have now blocked inbound SIP ports (removed the port forwarding) but calls from my SIP provider still work, my question is how are inbound SIP requests from my VoIP provider finding their way to my PBX if the SIP ports are not forwarded and effectively blocked at the router?

Not really a problem, just trying to understand how this is happening?

jimgb17 · October 3, 2013, 6:39pm

I have had this also
what I done was used iptabes to only allow traffic to my ip…
This way your sip/port is not showing to public
Fail2ban doesn’t do much for asterisk…
If you are using Linux then I would say the best safe Action is iptables

jimgb17 · October 3, 2013, 6:52pm

It depends on your router if its a newer router there is sometimes no need for forwarding for UDP ports known as UPnP however this can cause problems after sometime!
I would add your ip and your sip/trunk providers ip to your rules if you can if you cant do this in your router you can with Linux iptabes that will block any request’s that are not from your Ip/address just forward the ports on your router! to your Pbx… And please remember! if you use SSH change the port!

Or at least ad this to your iptables or router rules to only allow your local ip also!!! if you like to access your ssh from outside lan!!!

SkykingOH · October 3, 2013, 11:04pm

Asterisk doesn’t support UPnP That protocol is 10 years old. Mostly used my game and desktop apps. It’s how Skype and other softphone work where Asterisk won’t.

Taffman · October 4, 2013, 8:26am

Thanks guys. Still puzzled as to how SIP is getting to my PBX without forwarding port 5060, but I’ll take your advise and forward the ports anyway and block all addresses except my Voip provider in iptables.

As FYI my router is a Sagem 2504n (Sky Hub).