SIP hacking

Postby mike_b » Mon Jun 29, 2015 4:16 pm

The other day I tried to call and got an "All channels busy" message. When I checked the FreePBX dashboard, I saw that between 50 and 80 channels were busy. I called my SIP provider, and they told me that they could only see one channel busy (the one we were talking on), yet my dashboard continued to show me many busy channels.
I started the Asterisk CLI and found a lot of activity there. It seems that there is at least one rogue party out there that is probing Asterisk setups for vulnerabilities. I have "anonymousguest" set to "No", and from what I got from the SIP provider, there is no real calling going on, but it is annoying to find out that someone is trying to break the system. Here is what I typically see:


-- Executing [971046406820677@from-sip-external:1] NoOp("SIP/myIP-00001aa9", "Received incoming SIP connection from unknown peer to 971046406820677") in new stack
-- Executing [971046406820677@from-sip-external:2] Set("SIP/myIP-00001aa9", "DID=971046406820677") in new stack
-- Executing [971046406820677@from-sip-external:3] Goto("SIP/myIP-00001aa9", "s,1") in new stack
-- Goto (from-sip-external,s,1)
-- Executing [s@from-sip-external:1] GotoIf("SIP/myIP-00001aa9", "0?checklang:noanonymous") in new stack
-- Goto (from-sip-external,s,5)
-- Executing [s@from-sip-external:5] Set("SIP/myIP-00001aa9", "TIMEOUT(absolute)=15") in new stack
Channel will hangup at 2015-06-29 16:10:59.841 MDT.
-- Executing [s@from-sip-external:6] Answer("SIP/myIP-00001aa9", "") in new stack
== Spawn extension (from-sip-external, s, 6) exited non-zero on 'SIP/myIP-00001aa9'
-- Executing [h@from-sip-external:1] Hangup("SIP/myIP-00001aa9", "") in new stack
== Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/myIP-00001aa9'

(replaced my IP address with "myIP").

Is there any danger here? Is there a way to stop this completely? As it is right now, I am getting one of these every couple of minutes or so.
mike_b
Newsterisk
 
Posts: 17
Joined: Fri Jul 29, 2011 8:28 pm

Re: SIP hacking

Postby david55 » Mon Jun 29, 2015 4:43 pm

For the details of your log, you want http://community.freepbx.org/ as we don't know the details of the FreePBX dialplan and anonymousguest doesn't seem to do what I would guess it does, which is to control the allowguest setting.

To stop them getting as far as Asterisk, you need to configure your network firewall not to let SIP get past it unless it is coming from your ITSP. Changing the Asterisk port number can help reduce the volume.

If the FreePBX people can give you a way of getting Asterisk to reject the calls early, you can use tools, like fail2ban, that dynamically add Linux firewall rules that block repeat attempts.
david55
Moves Like Spencer
 
Posts: 12570
Joined: Fri Sep 26, 2008 5:03 am
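
Added example (not part of the thread, and not FreePBX or fail2ban code): a short Python script that measures how often the unknown-peer attempts shown in the first post arrive, so the volume can be compared before and after a firewall or port change like the ones suggested above. It assumes each log line starts with a `[YYYY-MM-DD HH:MM:SS]` timestamp; the function name, thresholds and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# First dialplan step logged for a call from an unknown peer (wording from the
# log in the first post). Assumption: each line starts with "[date time]".
PROBE = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\].*NoOp\("SIP/[^"]+", '
    r'"Received incoming SIP connection from unknown peer to (?P<did>[^"]*)"\)'
)

def hammered_numbers(lines, max_attempts=3, window=timedelta(minutes=10)):
    """Return {dialled number: peak attempts inside any sliding window} for
    numbers that reached max_attempts. The channel label is ignored: in the
    post it held the poster's own IP, so it does not identify the caller."""
    recent = defaultdict(deque)  # number -> timestamps still inside the window
    peak = defaultdict(int)      # number -> highest count seen in one window
    for line in lines:
        m = PROBE.search(line)
        if not m:
            continue             # some other dialplan step
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["did"]]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()          # drop attempts older than the window
        peak[m["did"]] = max(peak[m["did"]], len(q))
    return {did: n for did, n in peak.items() if n >= max_attempts}

# Constructed sample lines; only the NoOp text follows the log in the post.
_FMT = ('[{ts}] VERBOSE[2101] pbx.c: -- Executing [{did}@from-sip-external:1] '
        'NoOp("SIP/myIP-{chan}", "Received incoming SIP connection from '
        'unknown peer to {did}") in new stack')
SAMPLE_LOG = [
    _FMT.format(ts="2015-06-29 16:02:10", chan="00001aa7", did="971046406820677"),
    _FMT.format(ts="2015-06-29 16:04:31", chan="00001aa8", did="971046406820677"),
    "[2015-06-29 16:04:31] VERBOSE[2101] pbx.c: -- Goto (from-sip-external,s,5)",
    _FMT.format(ts="2015-06-29 16:06:02", chan="00001ab0", did="100"),
    _FMT.format(ts="2015-06-29 16:10:44", chan="00001aa9", did="971046406820677"),
    _FMT.format(ts="2015-06-29 17:30:00", chan="00001ab1", did="100"),
    _FMT.format(ts="2015-06-29 18:45:00", chan="00001ab2", did="100"),
]

if __name__ == "__main__":
    print(hammered_numbers(SAMPLE_LOG))
```

Lines pasted from the CLI without a timestamp, as in the first post, are skipped by this pattern.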

Re: SIP hacking

Postby mike_b » Mon Jun 29, 2015 10:04 pm

Thanks, David, I'll go over to the FreePBX guys and see if they can help me.

Mike
mike_b
Newsterisk
 
Posts: 17
Joined: Fri Jul 29, 2011 8:28 pm
