Strange behavior

In my logs there are constantly calls which I did not make.
2014-05-05 14:33:44 “1003” <1003> 1003 s 0 sec
2014-05-05 14:33:44 “1003” <1003> 1003 s 0 sec
2014-05-05 14:33:43 “1003” <1003> 1003 s 0 sec
2014-05-05 14:33:43 “1003” <1003> 1003 s 0 sec
2014-05-05 14:32:13 “2009” <2009> 2009 s 0 sec
2014-05-05 14:32:13 “2009” <2009> 2009 s 0 sec
2014-05-05 14:29:00 “1000” <1000> 1000 s 0 sec
2014-05-05 14:29:00 “1000” <1000> 1000 s 0 sec
2014-05-05 14:28:59 “1000” <1000> 1000 s 0 sec
2014-05-05 14:28:59 “1000” <1000> 1000 s 0 sec
2014-05-05 14:28:59 “1000” <1000> 1000 s 0 sec
2014-05-05 14:28:59 “1000” <1000> 1000 s 0 sec
2014-05-05 14:25:28 “2009” <2009> 2009 s 0 sec
2014-05-05 14:25:28 “2009” <2009> 2009 s 0 sec
2014-05-05 14:24:23 “2060” <2060> 2060 s 0 sec
I can not understand where they come from.

Your system is probably exposed to the Internet and you are being scanned.

Yes, lock down port 5060/UDP. This is classic port scanning. They are probing your system to see if they can access it.

It seems to help
/sbin/iptables -A INPUT -p udp --destination-port 5060 -j DROP

Yes, the server faces the Internet directly. Are there tips on protecting the server when it is on the Internet?

Do you still get legitimate inbound calls after that?

It just seems draconian; use a properly configured, current fail2ban with alwaysauthreject=yes allowguest=no in sip*.conf and they will quickly stop.

alwaysauthreject=yes

will trigger a request to authenticate, which will then expose the IP of the attacker (originally your external IP address), which fail2ban will then catch in the SECURITY log. It will also ban your external IP address, but that is not a bad thing because that would almost certainly be bogus traffic anyway (think about it :wink: )

Not only statistics now my calls

As I understood, the line “alwaysauthreject=yes allowguest=no in sip*.conf” should be added to /etc/fail2ban/fail2ban.conf?

No, somewhere in your /etc/asterisk/sip*.conf files. It is probably already there, but check with

grep alwaysauthreject /etc/asterisk/sip*

and

grep allowguest /etc/asterisk/sip*

and it is best done in the FreePBX GUI
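
An added example, not part of the original thread: a plain grep also matches lines that are commented out with `;`, so this sketch reports the effective value of the two options instead. The function names `sip_opt`, `sip_bool` and `sip_audit` are hypothetical, and the script assumes files are read in glob order without following `#include` ordering.

```shell
#!/bin/sh
# Added example (not from the thread): audit sip*.conf for the two options
# recommended above, ignoring ";" comments that a plain grep would match.

# sip_opt DIR KEY: print the last uncommented value of KEY found in
# DIR/sip*.conf (lowercased), or "unset". Files are read in glob order;
# #include ordering is not followed (simplifying assumption).
sip_opt() {
    val=$(cat "$1"/sip*.conf 2>/dev/null | awk -v key="$2" '
        {
            sub(/;.*/, "")                      # drop ";" comments
            n = index($0, "=")
            if (n == 0) next                    # not a key=value line
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            gsub(/[ \t\r]/, "", k); gsub(/[ \t\r]/, "", v)
            if (tolower(k) == key) last = tolower(v)
        }
        END { print last }')
    echo "${val:-unset}"
}

# sip_bool VALUE: map the usual true/false spellings to yes/no.
sip_bool() {
    case $1 in
        yes|true|y|t|1|on)  echo yes ;;
        no|false|n|f|0|off) echo no ;;
        *)                  echo "$1" ;;
    esac
}

# sip_audit [DIR]: return 0 only if both options have the recommended value.
sip_audit() {
    dir=${1:-/etc/asterisk}; rc=0
    for want in alwaysauthreject=yes allowguest=no; do
        key=${want%%=*}; expect=${want#*=}
        got=$(sip_bool "$(sip_opt "$dir" "$key")")
        if [ "$got" = "$expect" ]; then
            echo "OK   $key=$got"
        else
            echo "WARN $key=$got (thread recommends $expect)"; rc=1
        fi
    done
    return $rc
}
```

Run it as `sip_audit /etc/asterisk`; an option reported as `unset` is only present as a comment or not present at all.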

Clearly, thanks.

A caveat: this will only work on a well set up Asterisk 11 or back-ported Asterisk 10. You can mitigate the flood of connections with CSF, if installed, by setting the CONNLIMIT appropriately.

We changed worth Asterisk (Ver. 12.2.0) + FreePBX 12.0.1alpha42

Personally I would suggest that running alpha software on a production platform is “not a good idea”; it would be implicitly your responsibility to test that scenario unless otherwise documented.

I understand you, thanks for the advice.
There is another issue. When I check the call statistics, for some reason the calls in my list are repeated:

2014-05-06 12:08:50 "Ershov Ilia" <100> 100 s 60 sec [Play] [Download]
2014-05-06 12:08:50 "Ershov Ilia" <100> 100 s 60 sec [Play] [Download]
And so with each ring