Allow Anonymous Inbound SIP Calls

Discussion in 'General' started by tumbleweed, Feb 7, 2011.

  1. tumbleweed

    Joined:
    Jun 18, 2010
    Messages:
    79
    Likes Received:
    0
    Hi

    Currently I have Elastix "Allow Anonymous Inbound SIP Calls" is set to "Yes".
    I realise that this should be set to "No" for obvious reasons, but the problem is if I set this to "no" then Inbound (DDI's) stops working. Outbound still works.

    Any idea why?

    Thanks
     
  2. jgutierrez

    Joined:
    Feb 28, 2008
    Messages:
    5,737
    Likes Received:
    0
    Yes, that is a risk, since you may receive unauthorized calls... And if you have an incorrect cuastom dial plan, it can be broken, and do calls that they shouldnt.
    I mean a dial plan such as:
    _.

    Paste the CLI output for an inbound call with it deactivated, and another with it activated.
     
  3. DaveD

    Joined:
    Nov 12, 2007
    Messages:
    597
    Likes Received:
    0
    Are you running freepbx 2.6 or above , as this fixes the issue
     
  4. tumbleweed

    Joined:
    Jun 18, 2010
    Messages:
    79
    Likes Received:
    0
    Thanks for the tip, but Freepbx is was on 2.7, I upgraded to 2.8.1.3 and set "Allow Anonymous Inbound SIP Calls" to "no" and rebooted. Still the same proble. External calls to any DDI numbers get "The number you have dialled is not in service".

    Only affecting inbound. Outbound and extension to extension works.

    Also getting "Symlink error" on system status, sio I enaned the two retrieve files (found thread on the forum), but still no good and the Symlink error is still there, but not sure if this has anything to do with my problem. Hope somebody can help as our server was hacked on Friday.

    Thanks
     
  5. DaveD

    Joined:
    Nov 12, 2007
    Messages:
    597
    Likes Received:
    0
    The number you have dialled is not in service

    This sounds like an incorrect config with the trunk,check with your provider what DID is expected

    In A nutshell check your inbound route configuration and your trunk config
     
  6. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    If you use a registration with your provider, you don't need anonymous inbound SIP, If the provider sends your calls to your IP, you will as the calls will be technically "anonymous", it's as easy as that . . .

    dicko
     
  7. tumbleweed

    Joined:
    Jun 18, 2010
    Messages:
    79
    Likes Received:
    0
    Thanks Dicko

    Our Voip provider sends calls to our IP, which explains it.
     
  8. fmvillares

    Joined:
    Sep 8, 2007
    Messages:
    1,785
    Likes Received:
    0
    then if you are on open internet you have a really serious security issue using that provider
     
  9. tumbleweed

    Joined:
    Jun 18, 2010
    Messages:
    79
    Likes Received:
    0
    Exactly! That´s why I now have a Firewall which blocks all IP´s except the providers.
     
  10. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Indeed, but many have "roaming" external extensions, this can be a problem in so identifying that address space, generally you can have your provider move your registration port from 5060 to a more anonymous place and so adjust your iptables, believe me, with the latest onslaught of kiddy scripts from apple I-Phone space you really have to watch the apple webkit logins, not in SIP but on your apache server, they are becoming relentless, and we all really need to lock down the web server as tightly as your SIP server because of this, look for logins by asteriskuser in the logs, that user can see all your underwear unless you do something about it. And for those in that position definitely have your catchall inbound route go straight to hangup.

    regards

    dicko
     
  11. franklin

    Joined:
    Oct 22, 2010
    Messages:
    254
    Likes Received:
    0
    dicko, are you still not touching 2.x for production?
     
  12. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    At this point in time that would be correct, but they generally have asterisk 1.4.40 (which seems to largely fix a few residual DTMF problems and an elusive agent/queue bug ) and FreePBX 2.8 and no freepbx-overidden contexts, the ones with dahdi hardware also at dahdi 2.4.1. I will probably go FreePBX 2.9 when it gets of beta which looks "very soon now" as their seems to be only three or four very minor bugs still open or new.
     
  13. fmvillares

    Joined:
    Sep 8, 2007
    Messages:
    1,785
    Likes Received:
    0
    Re: Re:Allow Anonymous Inbound SIP Calls

    dick freepbx 2.9 is in RC1 state as of today!!! as you know i made my first commit to that project adding tls and tcp functions for exetnsions....
     
  14. RustBoy

    Joined:
    Apr 13, 2011
    Messages:
    97
    Likes Received:
    0
    We are having this exact same problem and after reading this thread I am not any closer to understanding how to fix it. Our inbound callers are hearing: "The number that you are calling is not in service..."

    The message is coming from our Elastix system, so it's clear that the callers are reaching us but Elastix is not handling the call properly. If I turn on "Allow Anonymous Inbound SIP Calls" it corrects the problem but from reading this thread it sounds like this is dangerous.

    Can someone please explain why the "Allow Anonymous Inbound SIP Calls" corrects the problem and what vulnerabilities we are exposing ourselves to by having this option on?

    Our SIP provider has us registered with a static IP address. Our current trunk configuration looks like this:

    Code:
    host=ln05-10.fs.mysipprovider.net
    username=3104569877
    secret=
    type=peer
    dtmfmode=rfc2833
    allow=all
    canreinvite=no
    insecure=port,invite
    We are running: elastix-2.0.0-57 • asterisk-1.6.2.13-0 • freePBX-2.7.0-9
     
  15. jgutierrez

    Joined:
    Feb 28, 2008
    Messages:
    5,737
    Likes Received:
    0
    Add the following line on your trunk definition:
    context=from-pstn
    If you have any issue, paste the CLI output (asterisk -r) to see what is going on...
     
  16. RustBoy

    Joined:
    Apr 13, 2011
    Messages:
    97
    Likes Received:
    0
    Thanks. I will give that a try.
     
  17. RustBoy

    Joined:
    Apr 13, 2011
    Messages:
    97
    Likes Received:
    0
    Ugh, I really need to figure out how to resolve this problem. I added "context=from-pstn" to our trunk definition but that did not resolve the problem. Our callers still keep hearing a recording that says "the number that you are calling is not in service". Customers are emailing us to ask if we are still in business. It sounds like we did not pay our phone bill and our phones were disconnected. This is an incredibly bad situation.

    I have had "Allow Anonymous Inbound SIP Calls" turned on and it solves the out of service recording problem but I believe that it has led to security issues. Our outbound SIP traffic was just shut down by our SIP provider because they detected fraudulent calls being made.

    Currently our Elastix System keeps taking me back to the login page after every click that I make in the web browser.

    Any suggestions on how to resolve these issues would be greatly appreciated.
     
  18. DaveD

    Joined:
    Nov 12, 2007
    Messages:
    597
    Likes Received:
    0
  19. RustBoy

    Joined:
    Apr 13, 2011
    Messages:
    97
    Likes Received:
    0
    Thank you. I will give that a try.
     
  20. RustBoy

    Joined:
    Apr 13, 2011
    Messages:
    97
    Likes Received:
    0
    I followed the instructions and I have installed CSF.

    Code:
    If all that went smooth we need to now log into Webmin from your web browser
    https://your server ip:10000/
    I am at the step where I am supposed to log in to the admin web page but I keep getting an error that says that my browser can't establish a connection. I must have missed a step.
     

Share This Page