So my PBX is bored and calls me at 4 AM...

robclay

Joined
Mar 25, 2009
Messages
36
Likes
0
Points
0
#1
This is strange. I have been receiving calls this morning from my PBX. I still am getting random calls from the 'ol gal. (Meaning PBX, not an Ex-Girlfriend)

I just did a look at Reports / CDR Reports and there are a few instances of something similar to this:

2009-04-02 04:19:55 MeucciSolutions 4001 SIP/69.197.161.218-097e3428 Local/###NUM###@outbound-allroutes-30cd,1 ANSWERED 60

4001 is my Cell Phone Extension.

I opened up Port 22 yesterday so I could debug some things from home. Mistake?


Thanks for any ideas,
Robert
 

ramoncio

Joined
May 12, 2010
Messages
1,663
Likes
0
Points
0
#2
It is strange, yes.
Something similar happened to me with an Atcom PSTN gateway until I updated to the latest firmware. Suddenly all phones started ringing without a defined time pattern.
Have a look at the asterisk logs in /var/log/asterisk/full
Maybe you can find the reason there.
 

rafael

Joined
May 14, 2007
Messages
1,454
Likes
1
Points
0
#3
Maybe you are using the agenda module. Perhaps a friend in the office wanted to play a joke on you?

About port 22: it is a good idea if you have a good password, but if you have a bad password then it is a bad idea.

Regards,

Rafael
 

robclay

Joined
Mar 25, 2009
Messages
36
Likes
0
Points
0
#4
Thanks for the suggestion!

No one else should even know how to get into the system. But regardless, I just looked at the Agenda Tab and the calendar is completely blank. i.e. just the + / - for each day. (I am assuming that means it is empty.)

What gets me is that "MeucciSolutions" in my log. Where did that come from?
 

rafael

Joined
May 14, 2007
Messages
1,454
Likes
1
Points
0
#5

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#6
Is by any chance 4001 also used as a catchall inbound route, and you allow anonymous sip-calls?
If so, I suspect it is typical behavior of a "hack attack".
 

e.poulogiannis

Joined
Oct 1, 2008
Messages
19
Likes
0
Points
0
#7
Which version are you using?
 

JohnyBeGood

Joined
May 18, 2008
Messages
134
Likes
0
Points
0
#8
I do not have 4001 but I do have enabled anonymous sip-calls.
Here's the screenshot of my reports page, they are filled with "MeucciSolutions" as a source.
Never had this until today, I guess it's time to disable anonymous sip calls.
Screenshot >> http://img204.imageshack.us/img204/3903/elastix.jpg
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#9
The files /var/log/asterisk/full* will give you far more detail.

As a stop gap I suggest you block 69.197.128.0/18 (Wholesale Internet, Inc. in Kansas City) at your firewall.

and an email to abuse@wholesaleinternet.net and complaints@meucci-solutions.com with the detail of the calls and the host (although probably it will be ignored) would be appropriate.
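
A way to pull such entries out of a CDR export, added here as an example (not code from any poster or from Elastix): it flags calls whose source channel is named after an IP address, like the SIP/69.197.161.218-097e3428 entry quoted in the first post, and marks those inside the range suggested for blocking. The whitespace-separated column order and the function names are assumptions; every sample line except the first is constructed.

```python
import ipaddress
import re
from collections import Counter

# Source channel named after an IPv4 address, e.g. SIP/69.197.161.218-097e3428
CHAN_RE = re.compile(r"^SIP/(\d{1,3}(?:\.\d{1,3}){3})-[0-9a-fA-F]+$")

def parse_cdr_line(line):
    """Parse one CDR report line. Assumed columns: date, time, source,
    destination, src channel, dst channel, status (may contain spaces), seconds."""
    parts = line.split()
    if len(parts) < 8 or not parts[-1].isdigit():
        return None
    return {"when": parts[0] + " " + parts[1], "source": parts[2],
            "destination": parts[3], "channel": parts[4],
            "status": " ".join(parts[6:-1]), "seconds": int(parts[-1])}

def anonymous_sip_calls(lines, watch_nets=()):
    """Return records whose source channel is an IP, tagged if in watch_nets."""
    nets = [ipaddress.ip_network(n) for n in watch_nets]
    hits = []
    for line in lines:
        rec = parse_cdr_line(line)
        m = CHAN_RE.match(rec["channel"]) if rec else None
        if not m:
            continue  # malformed line, or a call from a named (registered) peer
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:  # e.g. SIP/999.1.1.1-abcd is not an address
            continue
        rec["peer_ip"] = str(ip)
        rec["in_watched_net"] = any(ip in n for n in nets)
        hits.append(rec)
    return hits

def summarize(hits):
    """Count calls per (peer IP, source name) pair."""
    return Counter((h["peer_ip"], h["source"]) for h in hits)

# First line is the entry quoted in the thread; the rest are constructed.
SAMPLE = """\
2009-04-02 04:19:55 MeucciSolutions 4001 SIP/69.197.161.218-097e3428 Local/###NUM###@outbound-allroutes-30cd,1 ANSWERED 60
2009-04-02 09:12:03 4002 4001 SIP/4002-0a1b2c3d SIP/4001-0a1b2c3e ANSWERED 35
2009-04-02 04:41:10 MeucciSolutions 4001 SIP/69.197.161.218-097e5510 Local/###NUM###@outbound-allroutes-41aa,1 ANSWERED 58
2009-04-02 11:30:00 unknown 4001 SIP/203.0.113.7-0b2c3d4e SIP/4001-0b2c3d4f NO ANSWER 0
"""

if __name__ == "__main__":
    hits = anonymous_sip_calls(SAMPLE.splitlines(), ["69.197.128.0/18"])
    for (ip, src), n in summarize(hits).items():
        print(ip, src, n)
```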
 

robclay

Joined
Mar 25, 2009
Messages
36
Likes
0
Points
0
#10
I am using v1.5 Stable.

So in the Elastix Without Tears book, "Allow Anonymous Inbound SIP Calls? Yes (if this is set to
 

robclay

Joined
Mar 25, 2009
Messages
36
Likes
0
Points
0
#11
Extensions:

From "Elastix without Tears"

It
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#12
If you "register" your account with teliax for inbound calling, it will of course not be anonymous, and hence calls will not be rejected.
Some VSPs allow inbound based on your IP address; that would technically be anonymous.

If you allow inbound anonymous, I suggest that a "catchall" inbound sip call be routed through a context that explores the "SIP_HEADERS" (to, from and via) before accepting the call (and thus responding) or you risk divulging details that are known to be crackable.

IMHO the use of ENUM trunking needs a serious peer overview as to its security, but at this point in time I have no useful code to contribute.
 

robclay

Joined
Mar 25, 2009
Messages
36
Likes
0
Points
0
#13
Just an FYI.... this seems to have stopped. I don't think I did anything to stop it... it just stopped. (Or at least I hope so)

Hmmm.
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#14

Patrick_elx

Joined
Dec 14, 2008
Messages
1,120
Likes
0
Points
0
#15
dicko said:
If you "register" your account with teliax for inbound calling, it will of course not be anonymous, and hence calls will not be rejected.
Some VSPs allow inbound based on your IP address; that would technically be anonymous.

If you allow inbound anonymous, I suggest that a "catchall" inbound sip call be routed through a context that explores the "SIP_HEADERS" (to, from and via) before accepting the call (and thus responding) or you risk divulging details that are known to be crackable.

IMHO the use of ENUM trunking needs a serious peer overview as to its security, but at this point in time I have no useful code to contribute.

I wanted to use ENUM and then I had to open anonymous calls.
However, to avoid extensions phishing, I only allow specific extensions (the ones with my e164 numbers) and they all go to a route with a time condition to avoid the 4 am calls.
I commented out the include => from-did-direct (by copying the context in extensions_override_freepbx.conf) to avoid any direct connection to an internal extension.
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#16
Patrick:
Sounds like a plan!

I have great hopes that 1.4.24.1 (deployed already) and fail2ban will stop all this crap (Time will tell).

I believe that ultimately the "good guys" will always outmanoeuvre the "bad guys", it's not a matter of "cleverness" but simply because there are more of us . . .
 

Patrick_elx

Joined
Dec 14, 2008
Messages
1,120
Likes
0
Points
0
#17
Did you put
alwaysauthreject=yes
in your sip_general_custom.conf ?
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#18
Of course, I read the FM B) (apparently, non RFC but effective now in 1.4.24.1)


P.S. I threw this together for a debugging "catchall":


[custom-sip-anon]
; Debugging catchall for anonymous SIP calls: each Set() copies one header or
; channel attribute into a variable, so the evaluated value appears in
; /var/log/asterisk/full when dialplan execution is being logged.
exten => s,1,noop("got here")
; Raw SIP headers as sent by the caller
exten => s,n,Set(SIP_FROM=${SIP_HEADER(From)})
exten => s,n,Set(SIP_TO=${SIP_HEADER(To)})
exten => s,n,Set(SIP_VIA=${SIP_HEADER(Via)})
exten => s,n,Set(SIP_UA=${SIP_HEADER(User-Agent)})
exten => s,n,Set(SIP_SERVER=${SIP_HEADER(Server)})
exten => s,n,Set(SIP_CONTACT=${SIP_HEADER(Contact)})
exten => s,n,Set(SIP_CSEQ=${SIP_HEADER(CSeq)})
exten => s,n,Set(SIP_DATE=${SIP_HEADER(Date)})
exten => s,n,Set(SIP_ALLOW=${SIP_HEADER(Allow)})
exten => s,n,Set(SIP_CONT_TYPE=${SIP_HEADER(Content-Type)})
exten => s,n,Set(SIP_CONT_LENGTH=${SIP_HEADER(Content-Length)})
exten => s,n,Set(SIP_FORWARDS=${SIP_HEADER(Max-Forwards)})
; What the SIP channel itself recorded about the caller
exten => s,n,Set(PEERIP=${SIPCHANINFO(peerip)})
exten => s,n,Set(RECV=${SIPCHANINFO(recvip)})
exten => s,n,Set(FROM=${SIPCHANINFO(from)})
exten => s,n,Set(URI=${SIPCHANINFO(uri)})
exten => s,n,Set(USERAGENT=${SIPCHANINFO(useragent)})
exten => s,n,Set(PEERNAME=${SIPCHANINFO(peername)})
exten => s,n,Answer
; Drop the call once everything has been logged
exten => s,n,Hangup()
 

wiseoldowl

Joined
Aug 19, 2008
Messages
251
Likes
0
Points
0
#19
