Suspicious activity

What kind of trunk (pjsip or chan_sip) for your carrier? Is port 5060 on your box tied to pjsip or chan_sip?

In Reports->Asterisk Info, does Peers show the trunk as online? If using registration, does Registries show it as registered? If not, fix those things first. pjsip logger should show REGISTER and OPTIONS requests and any responses.

If the trunk is online, pjsip logger should show an outgoing INVITE for a call attempt and any responses.
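Reading the `pjsip set logger on` output by eye gets tedious once a box is being probed, so here is an added example (mine, not from this thread or the FreePBX project) that parses the logger's message headers and tallies, per remote IP, inbound INVITEs and the 401/403 rejections the PBX sent back, flagging any IP that is not on your allow-list. The log text, IPs and carrier name below are constructed sample data, and the example assumes the clean CLI format with no timestamp prefix.

```python
import re
from collections import defaultdict

# Constructed sample of `pjsip set logger on` output: one trunk REGISTER
# exchange plus unsolicited INVITEs from a host that is not our carrier.
SAMPLE_LOG = """\
<--- Transmitting SIP request (512 bytes) to UDP:198.51.100.10:5060 --->
REGISTER sip:sip.example-carrier.invalid SIP/2.0
Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK1

<--- Received SIP response (401 bytes) from UDP:198.51.100.10:5060 --->
SIP/2.0 200 OK
Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK1

<--- Received SIP request (430 bytes) from UDP:203.0.113.77:5060 --->
INVITE sip:0011234567890@192.0.2.20 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.77:5060;branch=z9hG4bK2

<--- Transmitting SIP response (380 bytes) to UDP:203.0.113.77:5060 --->
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 203.0.113.77:5060;branch=z9hG4bK2

<--- Received SIP request (430 bytes) from UDP:203.0.113.77:5060 --->
INVITE sip:0011234567891@192.0.2.20 SIP/2.0
Via: SIP/2.0/UDP 203.0.113.77:5060;branch=z9hG4bK3
"""

# Matches the banner the pjsip logger prints before every SIP message.
HEADER = re.compile(
    r"^<--- (Received|Transmitting) SIP (request|response) \(\d+ bytes\) "
    r"(?:from|to) (UDP|TCP|TLS):([\d.]+):(\d+) --->$")

def parse_pjsip_log(text):
    """Yield (direction, remote_ip, first_line) for each logged SIP message."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        m = HEADER.match(line)
        if m and i + 1 < len(lines):
            yield m.group(1), m.group(4), lines[i + 1]

def summarize(text, allowed_ips):
    """Per remote IP: inbound INVITEs, 401/403 we sent, and allow-list status."""
    stats = defaultdict(lambda: {"invites": 0, "auth_rejects": 0, "unknown": False})
    for direction, ip, first in parse_pjsip_log(text):
        s = stats[ip]
        s["unknown"] = ip not in allowed_ips
        if direction == "Received" and first.startswith("INVITE "):
            s["invites"] += 1
        if direction == "Transmitting" and first.split()[1] in ("401", "403"):
            s["auth_rejects"] += 1
    return dict(stats)
```

Run `summarize(open("pjsip.log").read(), {"<carrier IP>"})` on a saved logger capture; an IP marked `unknown` with a growing `invites` count is a host worth blocking at the firewall.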

Let me say, thanks for your patience and assistance.
All is working, and each of the issues that have been raised in this thread has been addressed.

In reviewing security settings, Flowroute documentation suggested disabling SIP Credentials if using a static IP host, as I am. Doing this now appears to have been what disabled outbound calling. Enabling SIP Credentials restored outbound calls. Great.

But we lost inbound calls. (Really!?) As I said, I had changed the SIP port, but changed it in both CONNECTIVITY-TRUNKS - SIP SERVER PORT and
SETTINGS - ASTERISK SIP SETTINGS - CHAN PJSIP SETTINGS - UDP - PORT TO LISTEN ON

and changed the port at Flowroute. I realized this was wrong and changed it back.

Though I had changed the SIP Port back to 5060 in CONNECTIVITY-TRUNKS - SIP SERVER PORT and in Inbound Routes at Flowroute, it was still using the modified port number. Deleting and recreating the Inbound Route at Flowroute fixed that.

So, to address Suspicious Activity we have:

  1. Changed all passwords for users and device secret words.
  2. Made all device secret words longer and unique; they had all been the same and 8 chars.
  3. Changed provisioning to http rather than tftp.
  4. Verified all IP addresses in whitelist.
  5. Verified Firewall enabled.
  6. Verified Responsive Firewall was enabled for SIP.
  7. Enabled IP Authorization for connection to SIP provider.
  8. Verified all open ports and confirmed standard ports not used for http and ssh.

Best guess as to how the attacker got access was promiscuous TFTP provisioning.
What I need to learn yet is how to read log files and SIP traffic.

This won’t do you any good unless either it’s password protected (the phone or other device must supply a password to retrieve its provisioning info) or it’s firewalled (only authorized IP addresses can access provisioning data).

Using an obscure port is a big help if you do it from the start; the bad guys can’t afford to scan every port on the internet. But once your machine has been compromised, unless you have changed your IP address, they will scan every port on your IP in an attempt to regain access.

Each phone has a unique password for provisioning. Obscuring the provisioning port is a good idea, thanks. I have to assume someone has my IP.

Switch to using a domain and change the IP, if possible.

HTTPS provisioning will encrypt the registration.
https://wiki.freepbx.org/display/FPG/System+Admin+-+Provisioning+Protocols#SystemAdmin-ProvisioningProtocols-HTTP(s)Authentication

That is in the PRO version of Admin.

So you’re saying after being pwned and having traffic pumps twice in a week period that $25 is too much for your security measures?


Understood resources may be constrained, but for what it is worth, this is one of the best modules offered, price to features provided.

We do almost everything custom and in dialplan/AGI these days, but we still make it a point to buy this module for every box. It saves time and is very helpful in making sure we have the basic security needed in place. It also gives back to the people you are counting on to continue support (you’ve been receiving support from employees via your forum posts too) and patching. The final consideration is the one-time $25 is much less than you would pay if the box was compromised due to something the module could help you avoid.

Time Saved + Security Provided + Funds The Project At Reasonable Price = WIN :slight_smile:

I strongly recommend you purchase this module.

