GO HERE How to protect against ip attacks

bobh080850

I have Fail2ban installed, but when I enter the Asterisk CLI I see that I am being bombarded by constantly changing IP addresses. I have UDP ports 10000-20000 and 5060 forwarded. Should I be concerned, or is there something more that I should be doing? Here is a sample for about 20 seconds:

== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
-- Executing [[email protected]:1] NoOp("SIP/192.168.50.191-0000386e", "Received incoming SIP connection from unknown peer to 4444430301148221634267") in new stack
-- Executing [[email protected]:2] Set("SIP/192.168.50.191-0000386e", "DID=4444430301148221634267") in new stack
-- Executing [[email protected]:3] Goto("SIP/192.168.50.191-0000386e", "s,1") in new stack
-- Goto (from-sip-external,s,1)
-- Executing [[email protected]:1] GotoIf("SIP/192.168.50.191-0000386e", "0?checklang:noanonymous") in new stack
-- Goto (from-sip-external,s,5)
-- Executing [[email protected]:5] Set("SIP/192.168.50.191-0000386e", "TIMEOUT(absolute)=15") in new stack
-- Channel will hangup at 2017-02-14 08:35:53.483 CST.
-- Executing [[email protected]:6] Log("SIP/192.168.50.191-0000386e", "WARNING,"Rejecting unknown SIP connection from 217.79.182.225"") in new stack
[2017-02-14 08:35:38] WARNING[14630][C-0000386e]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 217.79.182.225"
-- Executing [[email protected]:7] Answer("SIP/192.168.50.191-0000386e", "") in new stack
-- Executing [[email protected]:8] Wait("SIP/192.168.50.191-0000386e", "2") in new stack
-- Executing [[email protected]:9] Playback("SIP/192.168.50.191-0000386e", "ss-noservice") in new stack
-- <SIP/192.168.50.191-0000386e> Playing 'ss-noservice.ulaw' (language 'en')
-- Executing [[email protected]:10] PlayTones("SIP/192.168.50.191-0000386e", "congestion") in new stack
-- Executing [[email protected]:11] Congestion("SIP/192.168.50.191-0000386e", "5") in new stack
== Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/192.168.50.191-0000386e'
-- Executing [[email protected]:1] Hangup("SIP/192.168.50.191-0000386e", "") in new stack
== Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/192.168.50.191-0000386e'
[2017-02-14 08:36:10] WARNING[1977]: chan_sip.c:4061 retrans_pkt: Retransmission timeout reached on transmission b0cd96811fe388efde5de6800acaef3f for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
-- Executing [[email protected]:1] NoOp("SIP/192.168.50.191-0000386f", "Received incoming SIP connection from unknown peer to 3330301148221634267") in new stack
-- Executing [[email protected]:2] Set("SIP/192.168.50.191-0000386f", "DID=3330301148221634267") in new stack
-- Executing [[email protected]:3] Goto("SIP/192.168.50.191-0000386f", "s,1") in new stack
-- Goto (from-sip-external,s,1)
-- Executing [[email protected]:1] GotoIf("SIP/192.168.50.191-0000386f", "0?checklang:noanonymous") in new stack
-- Goto (from-sip-external,s,5)
-- Executing [[email protected]:5] Set("SIP/192.168.50.191-0000386f", "TIMEOUT(absolute)=15") in new stack
-- Channel will hangup at 2017-02-14 08:36:50.568 CST.
-- Executing [[email protected]:6] Log("SIP/192.168.50.191-0000386f", "WARNING,"Rejecting unknown SIP connection from 217.79.182.225"") in new stack
[2017-02-14 08:36:35] WARNING[14640][C-0000386f]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 217.79.182.225"
-- Executing [[email protected]:7] Answer("SIP/192.168.50.191-0000386f", "") in new stack
-- Executing [[email protected]:8] Wait("SIP/192.168.50.191-0000386f", "2") in new stack
-- Executing [[email protected]:9] Playback("SIP/192.168.50.191-0000386f", "ss-noservice") in new stack
-- <SIP/192.168.50.191-0000386f> Playing 'ss-noservice.ulaw' (language 'en')
-- Executing [[email protected]:10] PlayTones("SIP/192.168.50.191-0000386f", "congestion") in new stack
-- Executing [[email protected]:11] Congestion("SIP/192.168.50.191-0000386f", "5") in new stack
== Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/192.168.50.191-0000386f'
-- Executing [[email protected]:1] Hangup("SIP/192.168.50.191-0000386f", "") in new stack
== Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/192.168.50.191-0000386f'
[2017-02-14 08:37:07] WARNING[1977]: chan_sip.c:4061 retrans_pkt: Retransmission timeout reached on transmission 641ae206bf953c9cc3499c4de711bc67 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response
 

tbrummell

So what @ostridge didn't do is explain what you are seeing there.

You obviously are not using the firewall, or it is not configured properly. You are allowing port 5060 from anywhere, and you are also allowing unknown SIP connections. What is happening is your dialplan is routing them to a "no service" voice file (this is a good thing), but it is putting a load on the server while it is doing that. You need to lock that thing down a bit more. I assume you have it open to the world on purpose though.
(You don't mention which of the 20+ flavors of PIAF there may be now, so I will assume some iteration of FreePBX)

At a minimum, do this:
Settings, Asterisk SIP Settings, Allow Anonymous Inbound SIP Calls: Set to NO
Settings, Asterisk SIP Settings, Chan SIP, Allow SIP Guests: Set to NO

If you are using PJSIP, you will need to adapt what I wrote above to match there instead.

Setting those to no should stop the calls hitting the dialplan. Next I'd work on getting fail2ban working (if it isn't already), and after that I'd close 5060 to the world if you have no need to use it that way.
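
Added example, not part of the original posts: a Python check that counts the "Rejecting unknown SIP connection" warnings per source IP, the same signal a fail2ban jail would key on, and flags sources that repeat inside a time window. The function names, the threshold and window values, and the sample lines marked as constructed are assumptions; the two 217.79.182.225 warnings are taken from the log in the question.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Anchored on the timestamped WARNING line so the verbose "-- Executing ... Log(...)"
# console line, which repeats the same message text, is not counted twice.
REJECT_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] WARNING\[\d+\](?:\[C-[0-9a-f]+\])?: '
    r'.*Rejecting unknown SIP connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})'
)

def rejected_sources(lines):
    """Return {ip: [datetime, ...]} for every rejected anonymous SIP call."""
    hits = defaultdict(list)
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            hits[m.group("ip")].append(ts)
    return dict(hits)

def sources_over_threshold(lines, max_hits=2, window=timedelta(minutes=10)):
    """Return {ip: total_hits} for IPs with max_hits rejections inside one window."""
    flagged = {}
    for ip, stamps in rejected_sources(lines).items():
        stamps.sort()
        for i in range(len(stamps) - max_hits + 1):
            if stamps[i + max_hits - 1] - stamps[i] <= window:
                flagged[ip] = len(stamps)
                break
    return flagged

# Lines 1 and 3 are from the question; the rest are constructed for this example
# (198.51.100.7 is a documentation address).
SAMPLE = '''\
[2017-02-14 08:35:38] WARNING[14630][C-0000386e]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 217.79.182.225"
    -- Executing [s@from-sip-external:6] Log("SIP/192.168.50.191-0000386e", "WARNING,"Rejecting unknown SIP connection from 217.79.182.225"") in new stack
[2017-02-14 08:36:35] WARNING[14640][C-0000386f]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 217.79.182.225"
[2017-02-14 08:36:40] WARNING[1977]: chan_sip.c:4061 retrans_pkt: Retransmission timeout reached (constructed, shortened)
[2017-02-14 08:37:02] WARNING[14651][C-00003870]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 198.51.100.7"
'''.splitlines()

if __name__ == "__main__":
    for ip, count in sources_over_threshold(SAMPLE).items():
        print(f"{ip}: {count} rejected anonymous calls inside the window")
```

Once Allow Anonymous Inbound SIP Calls and Allow SIP Guests are set to No, these dialplan warnings should stop appearing, so a source that still shows up here indicates the settings did not take effect.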
 