TIPS Yealink Security Concern

jake372

Member
Joined
Jun 29, 2015
Messages
94
Reaction score
5
PBX in a Flash Incredible PBX 11-12 with Incredible GUI (Centos 6.6) @ RentPBX

One of my Yealink T48G phones has randomly started receiving calls from ext. 1000, which I do not even have set up.

This happened to me on a previous install, same setup at RentPBX, and it spooked me so much I started over and did a new install. In the previous install, it happened on the phone I was personally testing. This time around, it hasn't happened on my phone or extension, but is happening on a different one. My system is not in production yet.

I have done my best to harden up the security of my system, I am just worried there's something I may have missed. I have TM4 running. I have not noticed anything suspicious when looking at transactions with my providers. As a matter of fact, the only trunk I have enabled is Flowroute where I am using IP-based authentication and only have USA and Canada white-listed for calls.

Have any of you run into anything like this? Is this a security issue? How do I troubleshoot and figure out why this is happening?

I appreciate any help or guidance.

Jake
 

jake372

Member
Joined
Jun 29, 2015
Messages
94
Reaction score
5
Both T48Gs that have had this issue are located at my home office. I have them behind a Netgear router, but as I think about it, there's no real security there other than basic home router security. For my home office, I have set up an FQDN to whitelist my dynamic IP, and I have whitelisted my office IP address.

Thanks for the help.
Jake
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Anybody with a PBX can spoof their CallerID number. If you have a DID registered, that means they can call that number and appear to be calling from extension 1000. /var/log/asterisk/full will tell you if someone is really trying to break into your server.
 

jake372

Member
Joined
Jun 29, 2015
Messages
94
Reaction score
5
wardmundy I just pulled that file and am going through it now. What sort of entries am I looking for that would raise a red flag? Sorry to be so ignorant about it, but maybe this would help others out too. If you want me to post portions of the log file, I can do that too.

Thanks,
Jake
 

jake372

Member
Joined
Jun 29, 2015
Messages
94
Reaction score
5
So here's what I got from that. I am only pasting yesterday's errors. Is there anything here that I should be concerned about?


Code:
[2015-08-17 10:50:37] ERROR[17410][C-00001604] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 10:50:37] ERROR[17410][C-00001604] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 10:59:18] ERROR[18242][C-0000160e] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 10:59:18] ERROR[18242][C-0000160e] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:14:33] ERROR[19709] netsock2.c: getaddrinfo("atlanta.voip.ms (one of our multiple servers, you can choose the one closer to your location)", "(null)", ...): Name or service not known
[2015-08-17 11:14:33] ERROR[19709] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:18:59] ERROR[20179] netsock2.c: getaddrinfo("atlanta.voip.ms (one of our multiple servers, you can choose the one closer to your location)", "(null)", ...): Name or service not known
[2015-08-17 11:18:59] ERROR[20179] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:21:00] ERROR[20502] netsock2.c: getaddrinfo("atlanta.voip.ms (one of our multiple servers, you can choose the one closer to your location)", "(null)", ...): Name or service not known
[2015-08-17 11:21:01] ERROR[20502] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:21:53] ERROR[20690] netsock2.c: getaddrinfo("atlanta.voip.ms (one of our multiple servers, you can choose the one closer to your location)", "(null)", ...): Name or service not known
[2015-08-17 11:21:53] ERROR[20690] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:24:55] ERROR[21057] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:25:16] ERROR[21169][C-0000162b] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:25:16] ERROR[21169][C-0000162b] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:26:40] ERROR[21333] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:27:22] ERROR[21538] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:29:38] ERROR[21835] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:32:21] ERROR[22247] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:32:47] ERROR[22390] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:33:02] ERROR[22509] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:33:17] ERROR[22641] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:33:56] ERROR[22917] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:34:05] ERROR[23025][C-00001637] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:34:05] ERROR[23025][C-00001637] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:34:47] ERROR[23119][C-00001638] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:34:47] ERROR[23119][C-00001638] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:35:54] ERROR[23271] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:37:23] ERROR[23541] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:38:19] ERROR[23765] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:38:27] ERROR[23871][C-00001640] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:38:27] ERROR[23871][C-00001640] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:39:54] ERROR[24066] res_config_ldap.c: No directory URL or host found.
[2015-08-17 11:40:53] ERROR[24259][C-00001644] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:40:53] ERROR[24259][C-00001644] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:42:14] ERROR[24419][C-00001647] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:42:14] ERROR[24419][C-00001647] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:44:29] ERROR[24544][C-0000164b] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:44:29] ERROR[24544][C-0000164b] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 11:50:05] ERROR[25147] res_config_ldap.c: No directory URL or host found.
[2015-08-17 13:44:23] ERROR[6087][C-000016c4] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 13:44:23] ERROR[6087][C-000016c4] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 13:45:21] ERROR[6114][C-000016c6] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 13:45:21] ERROR[6114][C-000016c6] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 13:46:59] ERROR[6276][C-000016ca] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 13:46:59] ERROR[6276][C-000016ca] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 13:51:00] ERROR[6750] res_config_ldap.c: No directory URL or host found.
[2015-08-17 13:59:38] ERROR[8249] res_config_pgsql.c: PostgreSQL RealTime: Failed to connect database asterisk on 127.0.0.1:
[2015-08-17 13:59:38] ERROR[8249] res_config_ldap.c: No directory URL or host found.
[2015-08-17 13:59:38] ERROR[8249] res_config_ldap.c: Cannot load LDAP RealTime driver.
[2015-08-17 13:59:39] ERROR[8249] chan_mobile.c: No Bluetooth devices found. Not loading module.
[2015-08-17 13:59:39] ERROR[8249] res_corosync.c: Failed to initialize cfg (6)
[2015-08-17 14:51:52] ERROR[13330][C-00000034] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 14:51:52] ERROR[13330][C-00000034] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 14:52:52] ERROR[13420][C-00000036] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 14:52:52] ERROR[13420][C-00000036] pbx.c: Function PJSIP_HEADER not registered
[2015-08-17 14:55:51] ERROR[13732] res_config_ldap.c: No directory URL or host found.
[2015-08-17 16:48:28] ERROR[23230] res_config_pgsql.c: PostgreSQL RealTime: Failed to connect database asterisk on 127.0.0.1:
[2015-08-17 16:48:28] ERROR[23230] res_config_ldap.c: No directory URL or host found.
[2015-08-17 16:48:28] ERROR[23230] res_config_ldap.c: Cannot load LDAP RealTime driver.
[2015-08-17 16:48:29] ERROR[23230] chan_mobile.c: No Bluetooth devices found. Not loading module.
[2015-08-17 16:48:29] ERROR[23230] res_corosync.c: Failed to initialize cfg (6)
[2015-08-18 09:42:30] ERROR[4358][C-000003fc] pbx.c: Function PJSIP_HEADER not registered
[2015-08-18 09:42:30] ERROR[4358][C-000003fc] pbx.c: Function PJSIP_HEADER not registered
[2015-08-18 10:08:46] ERROR[6613][C-00000417] pbx.c: Function PJSIP_HEADER not registered
[2015-08-18 10:08:46] ERROR[6613][C-00000417] pbx.c: Function PJSIP_HEADER not registered
[2015-08-18 10:42:51] ERROR[9231][C-0000043a] pbx.c: Function PJSIP_HEADER not registered
[2015-08-18 10:42:51] ERROR[9231][C-0000043a] pbx.c: Function PJSIP_HEADER not registered
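
Added example, not from the thread or from PIAF, of the check wardmundy points at: reading /var/log/asterisk/full for the lines Asterisk writes when it refuses a SIP registration or a call, which are the red flags jake asks about, and separating them from module and config ERROR lines like the ones pasted above. It assumes the box uses chan_sip (whose NOTICE wording is hard-coded in RED_FLAGS) and uses constructed sample lines with RFC 5737 test addresses in place of the real log.

```python
"""Triage Asterisk's full log for the lines that mean someone was refused.
Added example, not from the thread; SAMPLE is constructed with RFC 5737 test
addresses in the chan_sip NOTICE format Asterisk 11 uses for refusals."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+)\[\d+\](?:\[C-[0-9a-f]+\])? "
                     r"(?P<src>\S+): (?P<msg>.*)$")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
# Fragments meaning a remote party was refused: these are the red flags.
RED_FLAGS = ("No matching peer found", "Wrong password",
             "rejected because extension not found")

def classify(msg):
    """Return the matching red-flag fragment, or None for ordinary noise."""
    return next((p for p in RED_FLAGS if p in msg), None)

def triage(lines):
    """Return ({reason: Counter(remote_ip)}, number of non-security ERROR lines)."""
    hits, benign = defaultdict(Counter), 0
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m:
            continue
        reason = classify(m.group("msg"))
        if reason is None:
            # Local module/config errors ('PJSIP_HEADER not registered',
            # 'No directory URL or host found') are noise, not attacks.
            if m.group("level") == "ERROR":
                benign += 1
            continue
        ips = IP_RE.findall(m.group("msg"))   # chan_sip lists the remote address last
        hits[reason][ips[-1] if ips else "unknown"] += 1
    return hits, benign

def repeat_offenders(hits, threshold=3):
    """Remote IPs refused at least `threshold` times: candidates for a firewall block."""
    total = Counter()
    for per_ip in hits.values():
        total.update(per_ip)
    return sorted(ip for ip, n in total.items() if n >= threshold)

SAMPLE = [  # constructed; 198.51.100.20 plays the PBX, 203.0.113.9 the prober
    "[2015-08-17 13:44:23] ERROR[6087][C-000016c4] pbx.c: Function PJSIP_HEADER not registered",
    "[2015-08-17 13:51:00] ERROR[6750] res_config_ldap.c: No directory URL or host found.",
    "[2015-08-18 02:11:07] NOTICE[2231] chan_sip.c: Registration from '\"1000\" <sip:1000@198.51.100.20>' failed for '203.0.113.9:5060' - No matching peer found",
    "[2015-08-18 02:11:08] NOTICE[2231] chan_sip.c: Registration from '\"1000\" <sip:1000@198.51.100.20>' failed for '203.0.113.9:5060' - Wrong password",
    "[2015-08-18 02:12:40] NOTICE[2231] chan_sip.c: Call from '' (203.0.113.9:5060) to extension '0011972555123' rejected because extension not found in context 'from-sip-external'.",
]
```

On the PBX, pass `open('/var/log/asterisk/full')` to `triage` instead of SAMPLE; every IP `repeat_offenders` returns is one to compare against the whitelist, not a verdict on its own.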
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

In inbound routes, have you specifically set your DID, or got a catch-all, i.e. left your DID number blank, or entered _? If so, I would advise that you ensure that you have each DID entered separately, as it is delivered from your carrier, so that you only get calls where someone knows your number.

Keep the catch-all inbound route, but send it directly to hangup, so as to stop random calls.

Joe
 

jake372

Member
Joined
Jun 29, 2015
Messages
94
Reaction score
5
jroper thanks for the tip. I just verified and all inbound routes are set to a DID.
 

jake372

Member
Joined
Jun 29, 2015
Messages
94
Reaction score
5
After researching as much as I can get my hands on, it feels like the two things I need to do are 1) change the default ports and 2) close down ports like 80, for example. If these random calls to extension 1000 are some sort of hacking probe, it just baffles me how quickly it was sniffed out. I mean, I am not even in production yet, I have TM4 installed, etc.

Thanks for all the help everyone has offered so far.
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

I do a lot of installations on public IP addresses; it does not take more than a few minutes before the probing starts.

Calls should not get through to internal extensions, unless you have an inbound route pointing to the one that rang. If you don't then you have a wider problem.

Also, if only you need access to the web pages for administration, and your users don't, then Google SSH tunnels, as one of the easiest ways of creating a secure connection.

Joe
 

jake372

Member
Joined
Jun 29, 2015
Messages
94
Reaction score
5
jroper, thanks for the help; you have given me a lot to think about. All of my DIDs point/pointed to either 1) a ring group, 2) TM4 or 3) Avantfax. I double-checked and there are not any catch-all inbound routes, and there are not any inbound routes that do not have a specific DID associated with them.

In my office, we have 4 Yealink T38G phones. I have a public/static IP address for my office, and everything is behind a Cisco router. At my home office, I have two Yealink T48G phones that sit behind a Netgear router, and these are the ones that received the random extension calls. One of them received the ext 1000 calls for a couple of days until I blacklisted it on the phone. The other one has not received these calls from extension 1000, nor do I think the ones in the actual office have either.

I will take your advice and look into tunnels.

Thanks again,

Jason
 

jroper

Guru
Joined
Oct 20, 2007
Messages
3,832
Reaction score
71
Hi

bucasia does raise an interesting point here - and may well explain the random call. For the second time on this forum, I link to this - http://www.linux-magazine.com/Issues/2014/161/Security-and-SOHO-Routers.

This further goes to show the importance of built-in security on PiaF, or any VoIP system, even if you think you have it safely tucked behind a separate firewall, as presumably the flaw described applies not just to remote phones but to PBX systems as well.

Joe
 

jake372

Member
Joined
Jun 29, 2015
Messages
94
Reaction score
5
Jeez...now I do not even know where to start. For one, thanks for the info/help/guidance. I ran the SIP Scanner referenced by bucasia and found my extension, which scares the heck out of me! I read the article jroper recommended as well. While I understood the premise, it left me asking what I need to do now. I blacklisted the extension on the phone that was receiving the calls and we have not received any more, but I am pretty sure that's not really a solution. I have done just about every recommended tip and precaution my skill set will allow me to do. Some of them are a little over my head, to be honest, which brings up an interesting point.

I am not sure what the profile of PIAF users is, but I would guess there's a fairly decent cross segment of gurus to folks with very little technical know-how. I am a small business owner who typically stumbles around trying to figure things out...most of the time I do, sometimes I don't and have to bring in the big guns to help me. For years I've been lurking around Nerdvittles and the PIAF forum, wanting to give this thing a go, but most of the time thinking it was over my head.

One of wardmundy's recent articles pushed me over the edge and gave me confidence that I could do this. Although I have made some mistakes along the way, I am almost there, but this last mile is a tough one. Security is something that Ward and the rest of you really preach the importance of, but really shoring it up isn't for the faint of heart, and I would imagine doing it the right way takes folks like me out of the equation. Changing and closing ports, SSH tunneling to the web GUI, etc. are all things I know should be done, but this has proved a little too technical for me to do.

For those running PIAF with a public IP address, I would simply issue a precaution that unless you are familiar with networking and LINUX, you are going to need some help or might want to change courses of action. Please don't reply back telling me how easy it should be to make the necessary changes. If you do, you are either a) much smarter than I am (which isn't saying much), or b) much more familiar with LINUX and advanced networking.

Thanks for all the help guys, I do appreciate it. I am thinking the real issue, at least for now, is the vulnerability of my extensions inside my SOHO router. Any suggestions? Is a VPN the solution?
 

jake372

Member
Joined
Jun 29, 2015
Messages
94
Reaction score
5
I took a deep breath, and now am going to dive back into this. I am confident I will work it out. :)
 

hecatae

resident hecatae
Joined
Feb 7, 2014
Messages
760
Reaction score
199

bucasia

Guru
Joined
Sep 26, 2008
Messages
98
Reaction score
1
I would check if there is a firmware update for your DSL/cable router.

If the router is opening inbound port 5060 (SIP) from ANY IP address because there is an outbound connection from port 5060 to your Asterisk server then that's wrong. Certainly the BT router fixed the issue in later firmware. If your router/firewall hasn't fixed that issue I would replace it.

A VPN would prevent that particular thing happening (as there would be no outbound connections from port 5060 that your router would be opening inbound ports for).
 

jeff.h

Guru
Joined
Dec 1, 2010
Messages
502
Reaction score
71
My experience has been less than stellar with Netgear routers and SIP. They seem to have SIP ALG embedded in them to such a point that even when you choose to turn it off in the menu, it's not truly off.

They also seem to have an issue with NAT and SIP ports. I know this is somewhat different than your setup, but all of my users are remote from a hosted PBX and Netgear routers can never seem to get the ports right. They always want to NAT them to random high ports rather than the true SIP ports the phones are trying to register on.

Here is a screen shot of one of my sites that showcases the issue. The first two extensions are from one site behind a Netgear firewall and should be registering on 5061 and 5062. The third extension is from a test phone that I keep at my house and it is behind an Asus router.

My point being that I have never had good luck with Netgear routers and SIP. I have never had an issue with Asus routers and use them for all my SOHO sites.

[Attachment: Screen Shot 2015-09-19 at 8.50.33 AM.png]
 
