Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.




3531 posts

Uber Geek

Trusted

#54575 18-Dec-2009 12:49
Send private message

Hey Guys,
Have a very wierd thing happening today. Basically one of our call groups keeps ringing, however no one is on the other end and Trixbox isn't reporting any external calls. In the callerid on the phones it says "asterisk".

Looking at the server I'm seeing the following:

[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-sip-external:1] NoOp("SIP/113.105.152.104-09d5d9d0", "Received incoming SIP connection from unknown peer to 900033182880295") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-sip-external:2] Set("SIP/113.105.152.104-09d5d9d0", "DID=900033182880295") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-sip-external:3] Goto("SIP/113.105.152.104-09d5d9d0", "s|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (from-sip-external,s,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/113.105.152.104-09d5d9d0", "1?from-trunk|900033182880295|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (from-trunk,900033182880295,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-trunk:1] NoOp("SIP/113.105.152.104-09d5d9d0", "Catch-All DID Match - Found 900033182880295 - You probably want a DID for this.") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [900033182880295@from-trunk:2] Goto("SIP/113.105.152.104-09d5d9d0", "ext-did|s|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (ext-did,s,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:1] Set("SIP/113.105.152.104-09d5d9d0", "__FROM_DID=s") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:2] Gosub("SIP/113.105.152.104-09d5d9d0", "app-blacklist-check|s|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@app-blacklist-check:1] LookupBlacklist("SIP/113.105.152.104-09d5d9d0", "") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@app-blacklist-check:2] GotoIf("SIP/113.105.152.104-09d5d9d0", "0?blacklisted") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@app-blacklist-check:3] Return("SIP/113.105.152.104-09d5d9d0", "") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:3] ExecIf("SIP/113.105.152.104-09d5d9d0", "0 |Set|CALLERID(name)=asterisk") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:4] Set("SIP/113.105.152.104-09d5d9d0", "__CALLINGPRES_SV=allowed_not_screened") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:5] SetCallerPres("SIP/113.105.152.104-09d5d9d0", "allowed_not_screened") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@ext-did:6] Goto("SIP/113.105.152.104-09d5d9d0", "ext-group|600|1") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Goto (ext-group,600,1)
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [600@ext-group:1] Macro("SIP/113.105.152.104-09d5d9d0", "user-callerid|") in new stack
[Dec 18 10:46:39] VERBOSE[32057] logger.c:     -- Executing [s@macro-user-callerid:1] Set("SIP/113.105.152.104-09d5d9d0", "AMPUSER=asterisk") in new stack

The IP address is pretty random. I traced it and it went back to Korea. One thing that I could think of is that they are conencting via SIP directly to the system and trying to make a call out through it? When I was setting up with DVX they suggested I:

"Allow Anonymous Inbound SIP Calls?"

Could this be related?




Speedtest 2019-10-14


Create new topic
203 posts

Master Geek

Subscriber

  #283928 19-Dec-2009 00:18
Send private message

You need anonymous inbound SIP calls turned on.

It's a good idea to firewall your Asterisk server so only SIP traffic from 58.28.20.150 (on VFX or DVX) can reach it. If you do expose your SIP server to the world, then you need to be certain your SIP secrets for all your phones are of adequate strength, and that you don't have an open dial plan anywhere, e.g. the ability to dial extensions on your IVR without checking what's being dialled - malicious users can make use of this to dial external numbers from your system.

28699 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  #283943 19-Dec-2009 07:56
Send private message

If you are running Asterisk and have no external SIP extensions you should have your firewall tied down to only allow traffic from WxC. Having your box open to the world is very, very risky.

If you are not doing this you should not have your box open to the world without running APF and/or BFD to detect inbound intrusions.

There is also no need to have anonymous inbound SIP calls turned on. This creates significant security issues if you don't understand what it's doing. It you don't understand the implications then turn it off - it non authenticated SIP calls to enter your system which opens up a whole can of worms unless you're very sure your box is protected, and if you're not running APF/BFD or something else to detect intrusions or dictionary attacks on SIP extensions it isn't.

Some people turn this on to allow inbound SIP URI calling. If you want inbound URI calling this can be allowed in far safer ways with it's own incoming context.

Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

New Vodafone mobile data plans with unlimited data
Posted 26-Feb-2020 06:55


Vodafone launches innovation initiatives to help businesses use 5G
Posted 26-Feb-2020 05:00


Ultimate Ears HYPERBOOM brings massive sound and extreme bass
Posted 25-Feb-2020 09:00


Withings launches three new devices to help monitor heart health from home
Posted 13-Feb-2020 20:05


Auckland start-up Yourcar matches new car buyers with dealerships
Posted 13-Feb-2020 18:05


School gardens go high tech to teach kids the importance of technology
Posted 13-Feb-2020 11:10


Malwarebytes finds Mac threats outpace Windows for the first time
Posted 13-Feb-2020 08:01


Amazon launches Echo Show 8 in Australia and New Zealand
Posted 8-Feb-2020 20:36


Vodafone New Zealand starts two year partnership with LetsPlay.Live
Posted 28-Jan-2020 11:24


Ring launches indoor-only security camera
Posted 23-Jan-2020 17:26


New report findings will help schools implement the digital technologies curriculum content
Posted 23-Jan-2020 17:25


N4L to upgrade & support wireless internet inside schools
Posted 23-Jan-2020 17:22


Netflix releases 21 Studio Ghibli works
Posted 22-Jan-2020 11:42


Vodafone integrates eSIM into device and wearable roadmap
Posted 17-Jan-2020 09:45


Do you need this camera app? Group investigates privacy implications
Posted 16-Jan-2020 03:30



Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron



Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.