Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




3380 posts

Uber Geek
+1 received by user: 386

Trusted

Topic # 54575 18-Dec-2009 12:49
Send private message

Hey Guys,
Have a very wierd thing happening today. Basically one of our call groups keeps ringing, however no one is on the other end and Trixbox isn't reporting any external calls. In the callerid on the phones it says "asterisk".

Looking at the server I'm seeing the following:

[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-sip-external:1] NoOp("SIP/113.105.152.104-09d5d9d0", "Received incoming SIP connection from unknown peer to 900033182880295") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-sip-external:2] Set("SIP/113.105.152.104-09d5d9d0", "DID=900033182880295") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-sip-external:3] Goto("SIP/113.105.152.104-09d5d9d0", "s|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (from-sip-external,s,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/113.105.152.104-09d5d9d0", "1?from-trunk|900033182880295|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (from-trunk,900033182880295,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-trunk:1] NoOp("SIP/113.105.152.104-09d5d9d0", "Catch-All DID Match - Found 900033182880295 - You probably want a DID for this.") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-trunk:2] Goto("SIP/113.105.152.104-09d5d9d0", "ext-did|s|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (ext-did,s,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:1] Set("SIP/113.105.152.104-09d5d9d0", "__FROM_DID=s") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:2] Gosub("SIP/113.105.152.104-09d5d9d0", "app-blacklist-check|s|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@app-blacklist-check:1] LookupBlacklist("SIP/113.105.152.104-09d5d9d0", "") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@app-blacklist-check:2] GotoIf("SIP/113.105.152.104-09d5d9d0", "0?blacklisted") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@app-blacklist-check:3] Return("SIP/113.105.152.104-09d5d9d0", "") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:3] ExecIf("SIP/113.105.152.104-09d5d9d0", "0 |Set|CALLERID(name)=asterisk") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:4] Set("SIP/113.105.152.104-09d5d9d0", "__CALLINGPRES_SV=allowed_not_screened") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:5] SetCallerPres("SIP/113.105.152.104-09d5d9d0", "allowed_not_screened") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:6] Goto("SIP/113.105.152.104-09d5d9d0", "ext-group|600|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (ext-group,600,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [600@ext-group:1] Macro("SIP/113.105.152.104-09d5d9d0", "user-callerid|") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@macro-user-callerid:1] Set("SIP/113.105.152.104-09d5d9d0", "AMPUSER=asterisk") in new stack

The IP address is pretty random. I traced it and it went back to Korea. One thing that I could think of is that they are conencting via SIP directly to the system and trying to make a call out through it? When I was setting up with DVX they suggested I:

"Allow Anonymous Inbound SIP Calls?"

Could this be related?





Create new topic
197 posts

Master Geek
+1 received by user: 2

Subscriber

  Reply # 283928 19-Dec-2009 00:18
Send private message

You need anonymous inbound SIP calls turned on.

It's a good idea to firewall your Asterisk server so only SIP traffic from 58.28.20.150 (on VFX or DVX) can reach it. If you do expose your SIP server to the world, then you need to be certain your SIP secrets for all your phones are of adequate strength, and that you don't have an open dial plan anywhere, e.g. the ability to dial extensions on your IVR without checking what's being dialled - malicious users can make use of this to dial external numbers from your system.

25673 posts

Uber Geek
+1 received by user: 5418

Moderator
Trusted
Biddle Corp
Subscriber

  Reply # 283943 19-Dec-2009 07:56
Send private message

If you are running Asterisk and have no external SIP extensions you should have your firewall tied down to only allow traffic from WxC. Having your box open to the world is very, very risky.

If you are not doing this you should not have your box open to the world without running APF and/or BFD to detect inbound intrusions.

There is also no need to have anonymous inbound SIP calls turned on. This creates significant security issues if you don't understand what it's doing. It you don't understand the implications then turn it off - it non authenticated SIP calls to enter your system which opens up a whole can of worms unless you're very sure your box is protected, and if you're not running APF/BFD or something else to detect intrusions or dictionary attacks on SIP extensions it isn't.

Some people turn this on to allow inbound SIP URI calling. If you want inbound URI calling this can be allowed in far safer ways with it's own incoming context.

Create new topic



Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

UAV Traffic Management Trial launching today in New Zealand
Posted 12-Dec-2017 16:06


UFB connections pass 460,000
Posted 11-Dec-2017 11:26


The Warehouse Group to adopt IBM Cloud to support digital transformation
Posted 11-Dec-2017 11:22


Dimension Data peeks into digital business 2018
Posted 11-Dec-2017 10:55


2018 Cyber Security Predictions
Posted 7-Dec-2017 14:55


Global Govtech Accelerator to drive public sector innovation in Wellington
Posted 7-Dec-2017 11:21


Stuff Pix media strategy a new direction
Posted 7-Dec-2017 09:37


Digital transformation is dead
Posted 7-Dec-2017 09:31


Fake news and cyber security
Posted 7-Dec-2017 09:27


Dimension Data New Zealand strengthens cybersecurity practice
Posted 5-Dec-2017 20:27


Epson NZ launches new Expression Premium Photo range
Posted 5-Dec-2017 20:26


Eventbrite and Twickets launch integration partnership in Australia and New Zealand
Posted 5-Dec-2017 20:23


New Fujifilm macro lens lands in New Zealand
Posted 5-Dec-2017 20:16


Cyber security not being taken seriously enough
Posted 5-Dec-2017 20:13


Sony commences Android 8.0 Oreo rollout in New Zealand
Posted 5-Dec-2017 20:08



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.