GO HERE How to protect against ip attacks

bobh080850

I have Fail2ban installed, but when I enter the Asterisk CLI I see that I am being bombarded by constantly changing IP addresses. I have UDP ports 10000-20000 and 5060 forwarded. Should I be concerned, or is there something more that I should be doing? Here is a sample for about 20 seconds:

== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
-- Executing [4444430301148221634267@from-sip-external:1] NoOp("SIP/192.168.50.191-0000386e", "Received incoming SIP connection from unknown peer to 4444430301148221634267") in new stack
-- Executing [4444430301148221634267@from-sip-external:2] Set("SIP/192.168.50.191-0000386e", "DID=4444430301148221634267") in new stack
-- Executing [4444430301148221634267@from-sip-external:3] Goto("SIP/192.168.50.191-0000386e", "s,1") in new stack
-- Goto (from-sip-external,s,1)
-- Executing [s@from-sip-external:1] GotoIf("SIP/192.168.50.191-0000386e", "0?checklang:noanonymous") in new stack
-- Goto (from-sip-external,s,5)
-- Executing [s@from-sip-external:5] Set("SIP/192.168.50.191-0000386e", "TIMEOUT(absolute)=15") in new stack
-- Channel will hangup at 2017-02-14 08:35:53.483 CST.
-- Executing [s@from-sip-external:6] Log("SIP/192.168.50.191-0000386e", "WARNING,"Rejecting unknown SIP connection from 217.79.182.225"") in new stack
[2017-02-14 08:35:38] WARNING[14630][C-0000386e]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 217.79.182.225"
-- Executing [s@from-sip-external:7] Answer("SIP/192.168.50.191-0000386e", "") in new stack
-- Executing [s@from-sip-external:8] Wait("SIP/192.168.50.191-0000386e", "2") in new stack
-- Executing [s@from-sip-external:9] Playback("SIP/192.168.50.191-0000386e", "ss-noservice") in new stack
-- <SIP/192.168.50.191-0000386e> Playing 'ss-noservice.ulaw' (language 'en')
-- Executing [s@from-sip-external:10] PlayTones("SIP/192.168.50.191-0000386e", "congestion") in new stack
-- Executing [s@from-sip-external:11] Congestion("SIP/192.168.50.191-0000386e", "5") in new stack
== Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/192.168.50.191-0000386e'
-- Executing [h@from-sip-external:1] Hangup("SIP/192.168.50.191-0000386e", "") in new stack
== Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/192.168.50.191-0000386e'
[2017-02-14 08:36:10] WARNING[1977]: chan_sip.c:4061 retrans_pkt: Retransmission timeout reached on transmission b0cd96811fe388efde5de6800acaef3f for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
== Using SIP RTP TOS bits 184
== Using SIP RTP CoS mark 5
-- Executing [3330301148221634267@from-sip-external:1] NoOp("SIP/192.168.50.191-0000386f", "Received incoming SIP connection from unknown peer to 3330301148221634267") in new stack
-- Executing [3330301148221634267@from-sip-external:2] Set("SIP/192.168.50.191-0000386f", "DID=3330301148221634267") in new stack
-- Executing [3330301148221634267@from-sip-external:3] Goto("SIP/192.168.50.191-0000386f", "s,1") in new stack
-- Goto (from-sip-external,s,1)
-- Executing [s@from-sip-external:1] GotoIf("SIP/192.168.50.191-0000386f", "0?checklang:noanonymous") in new stack
-- Goto (from-sip-external,s,5)
-- Executing [s@from-sip-external:5] Set("SIP/192.168.50.191-0000386f", "TIMEOUT(absolute)=15") in new stack
-- Channel will hangup at 2017-02-14 08:36:50.568 CST.
-- Executing [s@from-sip-external:6] Log("SIP/192.168.50.191-0000386f", "WARNING,"Rejecting unknown SIP connection from 217.79.182.225"") in new stack
[2017-02-14 08:36:35] WARNING[14640][C-0000386f]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 217.79.182.225"
-- Executing [s@from-sip-external:7] Answer("SIP/192.168.50.191-0000386f", "") in new stack
-- Executing [s@from-sip-external:8] Wait("SIP/192.168.50.191-0000386f", "2") in new stack
-- Executing [s@from-sip-external:9] Playback("SIP/192.168.50.191-0000386f", "ss-noservice") in new stack
-- <SIP/192.168.50.191-0000386f> Playing 'ss-noservice.ulaw' (language 'en')
-- Executing [s@from-sip-external:10] PlayTones("SIP/192.168.50.191-0000386f", "congestion") in new stack
-- Executing [s@from-sip-external:11] Congestion("SIP/192.168.50.191-0000386f", "5") in new stack
== Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/192.168.50.191-0000386f'
-- Executing [h@from-sip-external:1] Hangup("SIP/192.168.50.191-0000386f", "") in new stack
== Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/192.168.50.191-0000386f'
[2017-02-14 08:37:07] WARNING[1977]: chan_sip.c:4061 retrans_pkt: Retransmission timeout reached on transmission 641ae206bf953c9cc3499c4de711bc67 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response
 

tbrummell

So what @ostridge didn't do is explain what you are seeing there.

You obviously are not using the firewall, or it is not configured properly. You are allowing port 5060 from anywhere, and you are also allowing unknown SIP connections. What is happening is your dialplan is routing them to a "no service" voice file (this is a good thing), but it is putting a load on the server while it is doing that. You need to lock that thing down a bit more. I assume you have it open to the world on purpose though.
(You don't mention which of the 20+ flavors of PIAF there may be now, so I will assume some iteration of FreePBX)

At a minimum, do this:
Settings, Asterisk SIP Settings, Allow Anonymous Inbound SIP Calls: Set to NO
Settings, Asterisk SIP Settings, Chan SIP, Allow SIP Guests: Set to NO

If you are using PJSIP, you will need to adapt what I wrote above to match there instead.

Setting those to no should stop the calls hitting the dialplan. Next I'd work on getting fail2ban working (if it isn't already), and after that I'd close 5060 to the world if you have no need to use it that way.
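To check what a working fail2ban jail would have to catch in the CLI capture above, here is an added example (not part of the thread, and not fail2ban's own code or a shipped filter). It matches the "Rejecting unknown SIP connection" warnings and counts hits per source address the way a jail's `maxretry`/`findtime` settings do; the regex, the function name and the 203.0.113.7 line are assumptions made for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Sample input: the two WARNING lines and one dialplan line from the capture
# above, plus one CONSTRUCTED line from a documentation-range address.
SAMPLE_LOG = '''\
[2017-02-14 08:35:38] WARNING[14630][C-0000386e]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 217.79.182.225"
-- Executing [s@from-sip-external:7] Answer("SIP/192.168.50.191-0000386e", "") in new stack
[2017-02-14 08:36:35] WARNING[14640][C-0000386f]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 217.79.182.225"
[2017-02-14 08:40:00] WARNING[14650][C-00003870]: Ext. s:6 @ from-sip-external: "Rejecting unknown SIP connection from 203.0.113.7"
'''

# Assumed pattern, written for this example: timestamp, WARNING tag, and the
# remote address taken from the warning text (not from the channel name).
REJECT_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] WARNING\[\d+\](?:\[C-[0-9a-f]+\])?: '
    r'Ext\. s:\d+ @ from-sip-external: '
    r'"Rejecting unknown SIP connection from (?P<host>\d{1,3}(?:\.\d{1,3}){3})"'
)

def offenders(log_text, maxretry=2, findtime=timedelta(minutes=10)):
    """Return {ip: hits} for addresses with >= maxretry rejections inside findtime."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = REJECT_RE.match(line.strip())
        if m:
            hits[m["host"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, stamps in hits.items():
        stamps.sort()
        best, start = 0, 0
        # Sliding window: the largest number of hits that fit in one findtime span.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > findtime:
                start += 1
            best = max(best, end - start + 1)
        if best >= maxretry:
            flagged[ip] = best
    return flagged

if __name__ == "__main__":
    for ip, count in offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} rejected anonymous calls inside the window")
```

If the addresses this reports from your own log are not showing up as banned, the jail is either not reading this log file or its filter does not match these lines.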
 
