Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


3415 posts

Uber Geek
+1 received by user: 405

Trusted

Topic # 54575 18-Dec-2009 12:49
Send private message

Hey Guys,
Have a very wierd thing happening today. Basically one of our call groups keeps ringing, however no one is on the other end and Trixbox isn't reporting any external calls. In the callerid on the phones it says "asterisk".

Looking at the server I'm seeing the following:

[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-sip-external:1] NoOp("SIP/113.105.152.104-09d5d9d0", "Received incoming SIP connection from unknown peer to 900033182880295") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-sip-external:2] Set("SIP/113.105.152.104-09d5d9d0", "DID=900033182880295") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-sip-external:3] Goto("SIP/113.105.152.104-09d5d9d0", "s|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (from-sip-external,s,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/113.105.152.104-09d5d9d0", "1?from-trunk|900033182880295|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (from-trunk,900033182880295,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-trunk:1] NoOp("SIP/113.105.152.104-09d5d9d0", "Catch-All DID Match - Found 900033182880295 - You probably want a DID for this.") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-trunk:2] Goto("SIP/113.105.152.104-09d5d9d0", "ext-did|s|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (ext-did,s,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:1] Set("SIP/113.105.152.104-09d5d9d0", "__FROM_DID=s") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:2] Gosub("SIP/113.105.152.104-09d5d9d0", "app-blacklist-check|s|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@app-blacklist-check:1] LookupBlacklist("SIP/113.105.152.104-09d5d9d0", "") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@app-blacklist-check:2] GotoIf("SIP/113.105.152.104-09d5d9d0", "0?blacklisted") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@app-blacklist-check:3] Return("SIP/113.105.152.104-09d5d9d0", "") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:3] ExecIf("SIP/113.105.152.104-09d5d9d0", "0 |Set|CALLERID(name)=asterisk") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:4] Set("SIP/113.105.152.104-09d5d9d0", "__CALLINGPRES_SV=allowed_not_screened") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:5] SetCallerPres("SIP/113.105.152.104-09d5d9d0", "allowed_not_screened") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:6] Goto("SIP/113.105.152.104-09d5d9d0", "ext-group|600|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (ext-group,600,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [600@ext-group:1] Macro("SIP/113.105.152.104-09d5d9d0", "user-callerid|") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@macro-user-callerid:1] Set("SIP/113.105.152.104-09d5d9d0", "AMPUSER=asterisk") in new stack

The IP address is pretty random. I traced it and it went back to Korea. One thing that I could think of is that they are conencting via SIP directly to the system and trying to make a call out through it? When I was setting up with DVX they suggested I:

"Allow Anonymous Inbound SIP Calls?"

Could this be related?





Create new topic
199 posts

Master Geek
+1 received by user: 7

Subscriber

  Reply # 283928 19-Dec-2009 00:18
Send private message

You need anonymous inbound SIP calls turned on.

It's a good idea to firewall your Asterisk server so only SIP traffic from 58.28.20.150 (on VFX or DVX) can reach it. If you do expose your SIP server to the world, then you need to be certain your SIP secrets for all your phones are of adequate strength, and that you don't have an open dial plan anywhere, e.g. the ability to dial extensions on your IVR without checking what's being dialled - malicious users can make use of this to dial external numbers from your system.

27146 posts

Uber Geek
+1 received by user: 6579

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  Reply # 283943 19-Dec-2009 07:56
Send private message

If you are running Asterisk and have no external SIP extensions you should have your firewall tied down to only allow traffic from WxC. Having your box open to the world is very, very risky.

If you are not doing this you should not have your box open to the world without running APF and/or BFD to detect inbound intrusions.

There is also no need to have anonymous inbound SIP calls turned on. This creates significant security issues if you don't understand what it's doing. It you don't understand the implications then turn it off - it non authenticated SIP calls to enter your system which opens up a whole can of worms unless you're very sure your box is protected, and if you're not running APF/BFD or something else to detect intrusions or dictionary attacks on SIP extensions it isn't.

Some people turn this on to allow inbound SIP URI calling. If you want inbound URI calling this can be allowed in far safer ways with it's own incoming context.

Create new topic

Twitter »

Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.