QUESTION Hacks?

kmcdaniel

Member
Joined
Jan 23, 2008
Messages
416
Reaction score
19
Can anyone give me some insight as to what may be happening. I have travelingman2 and fail2ban on, so I am a little confused on how this may be happening. But it appears I am getting some suspicious activity hitting my system. Please see attached screen shot. This is one group of the occurrence, but various extensions, both three and four digits, are appearing as the source in my call records. Thanks in advance. (Screen Shot 2014-07-23 at 5.27.38 PM.png)
 

Attachment: Screen Shot 2014-07-23 at 5.31.42 PM.png (53.3 KB)

jeffmac

Guru
Joined
Jan 16, 2008
Messages
230
Reaction score
9
You need to be looking at your asterisk log files. Look in /var/log/asterisk - the current day log is named "full". Previous days have a date in the name. Look through them for some occurrence and put a snippet of the log in this thread.
I'd be doubting that your iptables is really working correctly, but I'd guess that you have "allow anonymous SIP" set to "NO". If the log says something about a call from an unknown peer then you'll get this kind of log entry. But it means someone DID get through to your box and is trying to make calls.

Jeff
 

kmcdaniel

Member
Joined
Jan 23, 2008
Messages
416
Reaction score
19
jeffmac - here is a snippet of the log file. FYI, the ip address is not the actual one shown in the log file. Thanks in advance for your help.

Also Allow Anonymous Inbound SIP Calls = No

[2014-07-24 21:00:48] VERBOSE[12900] netsock2.c: == Using SIP RTP TOS bits 184
[2014-07-24 21:00:48] VERBOSE[12900] netsock2.c: == Using SIP RTP CoS mark 5
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [5011972592863739@from-sip-external:1] NoOp("SIP/87.432.456.22-0000090a", "Received incoming SIP connection from unknown peer to 5011972592863739") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [5011972592863739@from-sip-external:2] Set("SIP/87.432.456.22-0000090a", "DID=5011972592863739") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [5011972592863739@from-sip-external:3] Goto("SIP/87.432.456.22-0000090a", "s,1") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Goto (from-sip-external,s,1)
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/87.432.456.22-0000090a", "0?from-trunk,5011972592863739,1") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [s@from-sip-external:2] Set("SIP/87.432.456.22-0000090a", "TIMEOUT(absolute)=15") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] func_timeout.c: Channel will hangup at 2014-07-24 21:01:03.452 EDT.
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [s@from-sip-external:3] Answer("SIP/87.432.456.22-0000090a", "") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: == Spawn extension (from-sip-external, s, 3) exited non-zero on 'SIP/87.432.456.22-0000090a'
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [h@from-sip-external:1] NoOp("SIP/87.432.456.22-0000090a", "Hangup") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [h@from-sip-external:2] Set("SIP/87.432.456.22-0000090a", "DID=s") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [h@from-sip-external:3] Goto("SIP/87.432.456.22-0000090a", "s,1") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Goto (from-sip-external,s,1)
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/87.432.456.22-0000090a", "0?from-trunk,s,1") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [s@from-sip-external:2] Set("SIP/87.432.456.22-0000090a", "TIMEOUT(absolute)=15") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] func_timeout.c: Channel will hangup at 2014-07-24 21:01:03.633 EDT.
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [s@from-sip-external:3] Answer("SIP/87.432.456.22-0000090a", "") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: == Spawn extension (from-sip-external, s, 3) exited non-zero on 'SIP/87.432.456.22-0000090a'
[2014-07-24 21:01:03] VERBOSE[13690] manager.c: == Manager 'aastra-xml' logged on from 127.0.0.1
 

jeffmac

Guru
Joined
Jan 16, 2008
Messages
230
Reaction score
9
As I suspected, "incoming SIP connection from an unknown peer" - you are being "hacked". Do you have any extensions outside your firewall that you need to forward 5060 to your PIAF box? It's obvious that you're not blocking inbound SIP. If you want to stop having these people hit your box you're going to have to spend some time in your router and/or iptables.
If you're not using a "whitelist" (have only IP addresses that you expect SIP calls from in iptables) then you need to switch to that method. Ward will tell you that almost no other strategy will keep the bad guys out of your box. They WILL keep trying until they find a weakness they can exploit - and you'll be paying for some expensive calls to some place you never want to go.

Jeff
 

kmcdaniel

Member
Joined
Jan 23, 2008
Messages
416
Reaction score
19
Thanks for the reply Jeff. Yes, I do have extensions outside my firewall. How can I find the ip address range the hacks are coming from? Also what about Fail2ban. Shouldn't that block them after 3 failed attempts?
 

jeffmac

Guru
Joined
Jan 16, 2008
Messages
230
Reaction score
9
Like I said earlier - you really need to move to a "whitelist" method. You can't block every range that gets through on 5060. You need to know the ranges of your extensions and only allow THEM through. If you really want to find out the source of the "bad guys", it's right in the log there...
"NoOp("SIP/87.432.456.22-0000090a", "Received incoming SIP connection from unknown peer to 5011972592863739") in new stack"
the source IP address is the address you modified before posting.

Fail2ban won't help unless they try to log on as an extension or as a user - these guys are simply trying to get your system to accept an outbound call from them. There's no logon "failure" for Fail2ban to track. AND since Fail2ban is a log tracker, an awful lot of awfully bad things can happen by the time Fail2ban can react to the log files.

Since you have extensions outside, and you HAVE to have 5060 open for them, the only way you will stop this activity is to only allow "good guys" (ip addresses you already know) through iptables. Search on this site for "whitelist" for information on how to get it going. I can assure you, if I take iptables down for ANY period of time, I start seeing this kind of activity. You have 5060 open - ergo - you need to protect yourself.

Jeff
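The log snippet posted earlier already carries the two things jeffmac points at: the source address (inside the channel name, SIP/<ip>-<id>) and the number the caller tried to reach. The script below is an added example, not from this thread and not PIAF or FreePBX code, that extracts both from the "full" log with standard shell tools and summarizes hits per source. The sample lines are constructed in the posted format; the addresses in them are documentation ranges standing in for the real attackers. The "looks international" check (a 00 or 011 prefix, optionally behind one outside-line digit, which is the shape of the posted 5011972... number) is this example's own heuristic.

```shell
#!/bin/bash
# Added example, not from this thread or from PIAF/FreePBX.
# Pulls "unknown peer" hits out of an Asterisk "full" log: who sent them and
# what number they tried to reach. Assumes the dialplan wording in the posted
# snippet:
#   NoOp("SIP/<source-ip>-<channel-id>", "Received incoming SIP connection from unknown peer to <number>")
# The functions read the log on stdin, so on a real box:
#   hits_per_source < /var/log/asterisk/full

# Constructed sample in the posted format; 203.0.113.x / 198.51.100.x are
# documentation addresses, not real hosts.
SAMPLE_LOG='[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [5011972592863739@from-sip-external:1] NoOp("SIP/203.0.113.5-0000090a", "Received incoming SIP connection from unknown peer to 5011972592863739") in new stack
[2014-07-24 21:00:48] VERBOSE[13667] pbx.c: -- Executing [5011972592863739@from-sip-external:2] Set("SIP/203.0.113.5-0000090a", "DID=5011972592863739") in new stack
[2014-07-24 21:02:10] VERBOSE[13670] pbx.c: -- Executing [9011972592863739@from-sip-external:1] NoOp("SIP/203.0.113.5-0000090b", "Received incoming SIP connection from unknown peer to 9011972592863739") in new stack
[2014-07-24 21:05:31] VERBOSE[13702] pbx.c: -- Executing [00442079460123@from-sip-external:1] NoOp("SIP/198.51.100.77-0000090c", "Received incoming SIP connection from unknown peer to 00442079460123") in new stack
[2014-07-24 21:05:31] VERBOSE[13702] pbx.c: -- Executing [h@from-sip-external:1] NoOp("SIP/198.51.100.77-0000090c", "Hangup") in new stack'

# unknown_peer_hits  -> one line per hit: "<date> <time> <source-ip> <dialed-number>"
unknown_peer_hits() {
  grep 'Received incoming SIP connection from unknown peer' \
  | sed -E 's|^\[([^]]+)\].*NoOp\("SIP/([0-9.]+)-[0-9a-fA-F]+", "Received incoming SIP connection from unknown peer to ([^"]*)"\).*|\1 \2 \3|'
}

# hits_per_source  -> "<count> <source-ip>", busiest source first.
# This is the list you take to the router/iptables (or to your carrier).
hits_per_source() {
  unknown_peer_hits | awk '{print $3}' | sort | uniq -c | sort -rn \
  | awk '{print $1, $2}'
}

# international_targets  -> hits whose dialed number looks like an
# international call: 00 or 011 prefix, optionally behind one outside-line
# digit. Heuristic (this example's assumption), not a dialplan rule.
international_targets() {
  unknown_peer_hits | awk '$4 ~ /^[0-9]?(011|00)[0-9]+$/'
}

# Stand-alone demo on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | hits_per_source
```

Note that only the NoOp line is matched; the Set("DID=...") and Hangup lines for the same channel are ignored, so each attempt is counted once. The channel-name address is the SIP transport source, which in the posted case was the poster's own address once the munging is accounted for; a source that matches your own public IP is itself worth a second look (NAT hairpinning, or a phone behind your own firewall).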
 

kmcdaniel

Member
Joined
Jan 23, 2008
Messages
416
Reaction score
19
Thanks Jeff! I'll get the whitelist implemented. The only weird thing is that the ip address I changed was actually my ip address. That is the only reason I changed it for the forum post. Hmm...
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
What I do to prevent stuff like this is use TM3 and add only the IPs/FQDNs of my specific carriers, remote phones and machines that I might need for remote access. I also set Allow Anonymous Inbound SIP Calls to no in the asterisk SIP settings. To take it one step further I set fail2ban to ban anything that fails after 2 attempts for 86400 seconds (24 hours)
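The whitelist approach jeffmac and jeff.h describe comes down to one iptables chain: accept SIP from the carriers, the remote phones and the admin hosts, and drop everything else on 5060. The script below is an added example, not from this thread and not Travelin' Man 3 or PIAF code, that generates such a chain from a simple list. It prints the iptables commands instead of applying them so they can be reviewed first; the chain name SIP-ALLOW, the list contents, the decision to log dropped packets and the use of the conntrack and limit modules are all this example's assumptions. Only literal IPv4 addresses and CIDR ranges are accepted; FQDNs with changing addresses (the case TM3 handles by re-resolving on a schedule) are out of scope here.

```shell
#!/bin/bash
# Added example, not from this thread or from PIAF/Travelin' Man 3.
# Emits (does not apply) iptables commands that let only whitelisted IPv4
# addresses or CIDR ranges reach SIP on 5060/udp and 5060/tcp.
# Assumptions: chain name SIP-ALLOW, port 5060 only (RTP ports untouched),
# conntrack and limit/LOG modules available. Review the output, then as root:
#   printf '%s\n' "$WHITELIST" | sip_whitelist_rules | sh

# Constructed whitelist (documentation addresses): one IP or CIDR per line,
# "#" lines are comments. The last entry is deliberately bad (octets over
# 255, the same shape as the munged address in the thread) to show rejection.
WHITELIST='# carrier SIP proxy
203.0.113.10
# remote phones (home office subnet)
198.51.100.0/24
# admin workstation used for remote access
192.0.2.5
# mangled entry: must be rejected, not turned into a rule
87.432.456.22'

# valid_ipv4_cidr ADDR[/PREFIX] -> 0 if every octet is 0-255 and prefix is 0-32
valid_ipv4_cidr() {
  local addr=${1%%/*} mask=${1#*/} o
  [ "$mask" = "$1" ] && mask=32            # no "/": a single host
  case $mask in ''|*[!0-9]*) return 1;; esac
  [ "$mask" -le 32 ] || return 1
  local IFS=.
  set -- $addr
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# sip_whitelist_rules  (whitelist on stdin) -> iptables commands on stdout
sip_whitelist_rules() {
  local src p
  echo 'iptables -N SIP-ALLOW 2>/dev/null || iptables -F SIP-ALLOW'
  # Packets belonging to sessions the PBX itself started (its REGISTER to the
  # carrier, its own outbound calls) are matched by conntrack state.
  echo 'iptables -A SIP-ALLOW -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
  while read -r src; do
    case $src in ''|\#*) continue;; esac   # skip blanks and comments
    if ! valid_ipv4_cidr "$src"; then
      echo "skipping invalid whitelist entry: $src" >&2
      continue
    fi
    echo "iptables -A SIP-ALLOW -s $src -j ACCEPT"
  done
  # Everyone else: log a little (rate-limited), then drop. The LOG prefix is
  # what you grep the kernel log for to see who is still knocking.
  echo 'iptables -A SIP-ALLOW -m limit --limit 5/min -j LOG --log-prefix "SIP-DROP: "'
  echo 'iptables -A SIP-ALLOW -j DROP'
  # Send inbound SIP through the chain; -C keeps reruns from adding duplicates.
  for p in udp tcp; do
    echo "iptables -C INPUT -p $p --dport 5060 -j SIP-ALLOW 2>/dev/null || iptables -I INPUT -p $p --dport 5060 -j SIP-ALLOW"
  done
}

# Stand-alone demo: print the rules for the constructed whitelist.
printf '%s\n' "$WHITELIST" | sip_whitelist_rules
```

Two practical checks before applying anything like this: make sure your own management path (SSH, the web GUI) is not behind the same chain, and make sure every remote extension's current public address is in the list, or those phones stop registering the moment the DROP rule lands. Fail2ban settings such as jeff.h's (ban after 2 failures for 86400 seconds) remain useful for registration brute force, but as jeffmac notes they do nothing for unauthenticated call attempts, which is exactly what the whitelist is for.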
 

islandtech

Wassamassaw
Joined
Jan 11, 2009
Messages
677
Reaction score
137
I let my router/firewall do all the dirty work. With OpenVPN running on the router, remote phones can connect to the PBX. I also have VPN access to the router and all devices behind it.
 
