FYI False alarm ?

stmcknig

New Member
Joined
Dec 9, 2009
Messages
22
Reaction score
0
So I'm running the latest release on Pi behind a firewall and noticed this in the CDR logs -

2014-08-21_16-53-38.jpeg

checking the logs gives this:


Code:
[2014-08-21 08:09:34] VERBOSE[28691][C-00000037] pbx.c: -- Executing [s@from-sip-external:7] Answer("SIP/70.114.150.186-00000033", "") in new stack
[2014-08-21 08:09:35] VERBOSE[28691][C-00000037] pbx.c: == Spawn extension (from-sip-external, s, 7) exited non-zero on 'SIP/70.114.150.186-00000033'
[2014-08-21 08:09:35] VERBOSE[28691][C-00000037] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/70.114.150.186-00000033", "") in new stack
[2014-08-21 08:09:35] VERBOSE[28691][C-00000037] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/70.114.150.186-00000033'
[2014-08-21 08:09:35] VERBOSE[3103][C-00000038] netsock2.c: == Using SIP RTP CoS mark 5
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Executing [9011441651214361@from-sip-external:1] NoOp("SIP/70.114.150.186-00000034", "Received incoming SIP connection from unknown peer to 9011441651214361") in new stack
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Executing [9011441651214361@from-sip-external:2] Set("SIP/70.114.150.186-00000034", "DID=9011441651214361") in new stack
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Executing [9011441651214361@from-sip-external:3] Goto("SIP/70.114.150.186-00000034", "s,1") in new stack
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Goto (from-sip-external,s,1)
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Executing [s@from-sip-external:1] GotoIf("SIP/70.114.150.186-00000034", "0?checklang:noanonymous") in new stack
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Goto (from-sip-external,s,5)
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Executing [s@from-sip-external:5] Set("SIP/70.114.150.186-00000034", "TIMEOUT(absolute)=15") in new stack
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] func_timeout.c: -- Channel will hangup at 2014-08-21 08:09:50.620 CDT.
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Executing [s@from-sip-external:6] Log("SIP/70.114.150.186-00000034", "WARNING,"Rejecting unknown SIP connection from 37.8.35.147"") in new stack
[2014-08-21 08:09:35] WARNING[28692][C-00000038] Ext. s: "Rejecting unknown SIP connection from 37.8.35.147"
[2014-08-21 08:09:35] WARNING[28692][C-00000038] Ext. s: "Rejecting unknown SIP connection from 37.8.35.147"
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Executing [s@from-sip-external:7] Answer("SIP/70.114.150.186-00000034", "") in new stack
[2014-08-21 08:09:36] VERBOSE[28692][C-00000038] pbx.c: == Spawn extension (from-sip-external, s, 7) exited non-zero on 'SIP/70.114.150.186-00000034'
[2014-08-21 08:09:36] VERBOSE[28692][C-00000038] pbx.c: -- Executing [h@from-sip-external:1] Hangup("SIP/70.114.150.186-00000034", "") in new stack
[2014-08-21 08:09:36] VERBOSE[28692][C-00000038] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/70.114.150.186-00000034'

Does this mean I am "safe", or did I miss something somewhere? I have "allow Guest" enabled but "allow anonymous" disabled in the SIP settings.

-- Stuart
 

randy7376

Defnyddiwr Gweithredol
Joined
Sep 29, 2010
Messages
864
Reaction score
144
stmcknig

If you turn off SIP Guests, it should stop this behaviour.

You should white-list anything you wish to communicate with and black-list everything else. Also, look into Travelin' Man on Nerd Vittles or here on the forums for more information in case white-/black-listing isn't something you can do.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
stmcknig: When you say you're running the latest release on the RasPi, what specifically are you using: the RasPBX build or the latest Incredible PBX for the Raspberry Pi B+??
 

stmcknig

New Member
Joined
Dec 9, 2009
Messages
22
Reaction score
0
Sorry Ward, I meant Incredible PBX for Pi....

As it happens, I bought the Quad Core Cubox on NewEgg when it was $109 on their deal page. I've just installed the image and it flies compared to the Pi version. I shouldn't cross the streams, but it appears to already have Lenny loaded, which was a lot of tweaking on the Pi to get it working for me. How easy is it to transfer the configuration across - will a backup/restore work reasonably well across the platforms (I have a number of home extensions and trunks), or am I at ground zero and starting over?

When you see this thing in the plastic, you really have to shake your head at what they packed in. I call mine TARDIS - bigger on the inside ;-)
 

hbonath

Guru
Joined
Jan 24, 2012
Messages
150
Reaction score
40
As mentioned before, SIP guest needs to be disabled, plus firewalling to allow from only known IP addresses.
However, this is not always possible, so there are a few tricks I've implemented before.

Fail2ban running on the Asterisk security log: http://www.tutorials.makkugasho.com/2014/02/21/asterisk-11-5-fail2ban/
This article assumes vanilla Asterisk, as you will need to edit the "custom" logger.conf files.

Another is layer 7 firewalling, if your firewall supports it. Certain firewalls can be configured to inspect the SIP packets and look for strings. Typically, SIP probes like this are done with User Agents like "friendly-scanner" or "sipcli".
And simply configuring your firewall to dig deep into the application layer and block packets matching those strings will knock out 95% of the attacks.

All of these are workarounds and the only method of true security is to not expose your SIP ports to the public internet ever.
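
The rejected guest calls in the log from the first post can be tallied per source address before deciding what to block. This is an added example, not part of any post in this thread and not code from Incredible PBX or fail2ban. It assumes the log format shown above; the function names, the threshold, and the second sample call (C-00000039, 203.0.113.9) are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: four lines copied from the log in this thread, plus one
# made-up call (C-00000039 from 203.0.113.9) so more than one source appears.
SAMPLE_LOG = '''\
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Executing [9011441651214361@from-sip-external:1] NoOp("SIP/70.114.150.186-00000034", "Received incoming SIP connection from unknown peer to 9011441651214361") in new stack
[2014-08-21 08:09:35] VERBOSE[28692][C-00000038] pbx.c: -- Executing [s@from-sip-external:6] Log("SIP/70.114.150.186-00000034", "WARNING,"Rejecting unknown SIP connection from 37.8.35.147"") in new stack
[2014-08-21 08:09:35] WARNING[28692][C-00000038] Ext. s: "Rejecting unknown SIP connection from 37.8.35.147"
[2014-08-21 08:09:35] WARNING[28692][C-00000038] Ext. s: "Rejecting unknown SIP connection from 37.8.35.147"
[2014-08-21 08:10:02] VERBOSE[28700][C-00000039] pbx.c: -- Executing [0044123@from-sip-external:1] NoOp("SIP/70.114.150.186-00000035", "Received incoming SIP connection from unknown peer to 0044123") in new stack
[2014-08-21 08:10:02] WARNING[28700][C-00000039] Ext. s: "Rejecting unknown SIP connection from 203.0.113.9"
'''

PREFIX = re.compile(r'^\[(?P<ts>[^\]]+)\] (?P<level>\w+)\[\d+\]\[(?P<call>C-[0-9a-f]+)\] (?P<rest>.*)$')
REJECT = re.compile(r'Rejecting unknown SIP connection from (\d{1,3}(?:\.\d{1,3}){3})')
DIALED = re.compile(r'from unknown peer to ([^"]+)"')

def rejected_calls(log_text):
    """Return {call_id: {"ts", "src", "dialed"}} for rejected guest calls."""
    calls = defaultdict(dict)
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        call, rest = m.group('call'), m.group('rest')
        d = DIALED.search(rest)
        if d:
            calls[call]['dialed'] = d.group(1)
        r = REJECT.search(rest)
        # Use the WARNING text, not the channel name, which shows another address.
        if r and m.group('level') == 'WARNING':
            calls[call].setdefault('ts', m.group('ts'))
            calls[call]['src'] = r.group(1)  # keyed by call id: logged twice, counted once
    return {c: v for c, v in calls.items() if 'src' in v}

def offenders(log_text, max_calls=1):
    """Source IPs with at least max_calls rejected calls (hypothetical threshold)."""
    per_ip = defaultdict(list)
    for info in rejected_calls(log_text).values():
        per_ip[info['src']].append(info.get('dialed', '?'))
    return {ip: nums for ip, nums in per_ip.items() if len(nums) >= max_calls}

if __name__ == '__main__':
    for ip, nums in sorted(offenders(SAMPLE_LOG).items()):
        print(ip, 'rejected calls:', len(nums), 'dialed:', ', '.join(nums))
```

Grouping by the call identifier (the `C-...` field) keeps the doubled WARNING line from inflating the count for a single call.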
 
