SIP Invites coming from unknown IP addresses

Our vendor has just put in a new firewall and I am now receiving SIP invites from unknown IP addresses.
Now it looks like the firewall is not correctly configured, because that traffic should not be allowed.

Could anybody look through the Invite below and let me know what’s going on?
(I have obfuscated my external IP and replaced it with mypublicIP)

I am also seeing plenty of Timeout on xxxxx on non-critical invite transaction errors on the Asterisk CLI.
“Allow guests” and “Allow Anonymous Inbound SIP Calls” are both set to “No”.
My PBX is sending a 401 Unauthorized back, and that’s the end of it.

Also, shouldn’t fail2ban be jumping in?
It’s probing on port 5070, I am on chan_sip port 5060.

10.13.66 Distro, Asterisk 13.

<--- SIP read from UDP:104.216.108.146:5070 --->
INVITE sip:9011972592664947@mypublicIP SIP/2.0
To: 9011972592664947<sip:9011972592664947@mypublicIP >
From: 0123<sip:0123@mypublicIP >;tag=3b446bf3
Via: SIP/2.0/UDP 104.216.108.146:5070;branch=z9hG4bK-85999f59bf8dc112a07e7f705f29b89a;rport
Call-ID: 85999f59bf8dc112a07e7f705f29b89a
CSeq: 1 INVITE
Contact: sip:[email protected]:5070
Max-Forwards: 70
Allow: INVITE, ACK, CANCEL, BYE
User-Agent: sipcli/v1.8
Content-Type: application/sdp
Content-Length: 287

v=0
o=sipcli-Session 1181773323 2010834441 IN IP4 104.216.108.146
s=sipcli
c=IN IP4 104.216.108.146
t=0 0
m=audio 5072 RTP/AVP 18 0 8 101
a=fmtp:101 0-15
a=rtpmap:18 G729/8000
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:101 telephone-event/8000
a=ptime:20
a=sendrecv
<------------->
--- (12 headers 13 lines) ---
Sending to 104.216.108.146:5070 (NAT)
Sending to 104.216.108.146:5070 (NAT)
Using INVITE request as basis request - 85999f59bf8dc112a07e7f705f29b89a
No matching peer for '0123' from '104.216.108.146:5070'

Hi!

maybe?

Re: Some cr@ppy firewalls don’t check where the traffic is coming from once the port is opened and forwarded to the PBX. They accept traffic from IPs you have not established connections to.

What firewall did they install and I assume you are not using the FreePBX firewall, right?

Have a nice day!

Nick

Thanks for the tip.
I am not using the FreePBX firewall but a Cisco Meraki firewall.

Looks like someone from 104.216.108.146 is trying to connect. It appears that IP belongs to a datacenter in California. I’d have your IT person check the firewall settings to ensure that they aren’t opening any unnecessary ports. Maybe they just googled “voip ports” and forwarded them all to your FreePBX, not understanding what they are doing.

It’s good that the attempts are blocked with a 401, but it would be much better if the attempts never reach your FreePBX at all.
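
An added example, not part of any post in this thread: a small Python script that tallies rejected INVITEs per source IP from chan_sip debug output like the trace in the first post, so the offending sources can be handed to whoever manages the firewall. The sample log, its addresses and numbers, the function names and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample shaped like the chan_sip debug output in the first post;
# addresses come from documentation ranges, not real hosts.
SAMPLE = """\
<--- SIP read from UDP:198.51.100.7:5070 --->
INVITE sip:9011972000000000@203.0.113.10 SIP/2.0
User-Agent: sipcli/v1.8
<------------->
No matching peer for '0123' from '198.51.100.7:5070'
<--- SIP read from UDP:198.51.100.7:5070 --->
INVITE sip:900972000000000@203.0.113.10 SIP/2.0
User-Agent: sipcli/v1.8
<------------->
No matching peer for '100' from '198.51.100.7:5070'
<--- SIP read from UDP:192.0.2.20:5060 --->
OPTIONS sip:203.0.113.10 SIP/2.0
User-Agent: ExampleTrunk
<------------->
"""

READ = re.compile(r"^<--- SIP read from (?:UDP|TCP|TLS):(\d+\.\d+\.\d+\.\d+):\d+ --->")
REQUEST = re.compile(r"^([A-Z]+) sip:([^@\s;>]+)@\S+ SIP/2\.0")
AGENT = re.compile(r"^User-Agent:\s*(.+)$", re.I)
NO_PEER = re.compile(r"No matching peer for '([^']*)' from '(\d+\.\d+\.\d+\.\d+):\d+'")

def summarize(text):
    """Group inbound SIP requests and peer-match failures by source IP."""
    stats = defaultdict(lambda: {"invites": 0, "no_peer": 0, "agents": set(), "dialed": set()})
    src = None  # source IP of the message currently being read
    for line in text.splitlines():
        line = line.strip()
        if m := READ.match(line):
            src = m.group(1)
        elif line.startswith("<---"):  # end-of-message marker
            src = None
        elif src and (m := REQUEST.match(line)) and m.group(1) == "INVITE":
            stats[src]["invites"] += 1
            stats[src]["dialed"].add(m.group(2))  # user part of the request URI
        elif src and (m := AGENT.match(line)):
            stats[src]["agents"].add(m.group(1))
        elif m := NO_PEER.search(line):
            stats[m.group(2)]["no_peer"] += 1
    return stats

def suspects(text, threshold=2):
    """Source IPs with at least `threshold` 'No matching peer' rejections."""
    return sorted(ip for ip, s in summarize(text).items() if s["no_peer"] >= threshold)
```

Calling `suspects()` on a captured debug log returns the addresses to check against the firewall's inbound rules; `summarize()` adds the User-Agent strings and dialed numbers seen from each one.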