So my PBX is bored and calls me at 4 AM...

Discussion in 'General' started by robclay, Apr 2, 2009.

  1. robclay

    Joined:
    Mar 25, 2009
    Messages:
    36
    Likes Received:
    0
    This is strange. I have been receiving calls this morning from my PBX. I still am getting random calls from the 'ol gal. (Meaning PBX, not an Ex-Girlfriend)

    I just did a look at Reports / CDR Reports and there are a few instances of something similar to this:

    2009-04-02 04:19:55 MeucciSolutions 4001 SIP/69.197.161.218-097e3428 Local/###NUM###@outbound-allroutes-30cd,1 ANSWERED 60

    4001 is my Cell Phone Extension.

    I opened up Port 22 yesterday so I could debug some things from home. Mistake?


    Thanks for any ideas,
    Robert
     
  2. ramoncio

    Joined:
    May 12, 2010
    Messages:
    1,663
    Likes Received:
    0
    It is strange, yes.
    Something similar happened to me with an Atcom PSTN gateway until I updated to the last firmware. Suddenly all phones started ringing without a defined time pattern.
    Have a look at the asterisk logs in /var/log/asterisk/full
    Maybe you can find the reason there.
     
  3. rafael

    Joined:
    May 14, 2007
    Messages:
    1,454
    Likes Received:
    1
    Maybe you are using the agenda module. Perhaps a friend in the office wanted to play a joke on you?

    About port 22: it is a good idea if you have a good password, but if you have a bad password then it is a bad idea.

    Regards,

    Rafael
     
  4. robclay

    Joined:
    Mar 25, 2009
    Messages:
    36
    Likes Received:
    0
    Thanks for the suggestion!

    No one else should even know how to get into the system. But regardless, I just looked at the Agenda Tab and the calendar is completely blank. i.e. just the + / - for each day. (I am assuming that means it is empty.)

    What gets me is that "MeucciSolutions" in my log. Where did that come from?
     
  5. rafael

    Joined:
    May 14, 2007
    Messages:
    1,454
    Likes Received:
    1
  6. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Is by any chance 4001 also used as a catchall inbound route, and you allow anonymous sip-calls?
    If so, I suspect it is typical behavior of a "hack attack".
     
  7. e.poulogiannis

    Joined:
    Oct 1, 2008
    Messages:
    19
    Likes Received:
    0
    Which version are you using?
     
  8. JohnyBeGood

    Joined:
    May 18, 2008
    Messages:
    134
    Likes Received:
    0
    I do not have 4001 but I do have anonymous sip-calls enabled.
    Here's the screenshot of my reports page, they are filled with "MeucciSolutions" as a source.
    Never had this until today, I guess it's time to disable anonymous sip calls.
    Screenshot >> http://img204.imageshack.us/img204/3903/elastix.jpg
     
  9. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    The files /var/log/asterisk/full* will give you far more detail.

    As a stop gap I suggest you block 69.197.128.0/18 (Wholesale Internet, Inc. in Kansas City) at your firewall.

    An email to abuse@wholesaleinternet.net and complaints@meucci-solutions.com with the detail of the calls and the host (although probably it will be ignored) would be appropriate.
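
Added example, not part of any post in this thread: a small CDR triage that flags calls like the one in the first post and checks them against a watched network such as the /18 named above. It assumes the field layout of that one quoted CDR line and that a source channel named by a bare IP address means the caller matched no configured peer; `triage`, `peer_ip` and the sample rows after the first are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample; line 1 is the CDR row quoted in the first post, the rest
# are made up in the same layout (192.0.2.10 is a documentation address).
SAMPLE_CDR = """\
2009-04-02 04:19:55 MeucciSolutions 4001 SIP/69.197.161.218-097e3428 Local/###NUM###@outbound-allroutes-30cd,1 ANSWERED 60
2009-04-02 04:31:07 MeucciSolutions 4001 SIP/69.197.161.218-097e4a10 Local/###NUM###@outbound-allroutes-41be,1 ANSWERED 12
2009-04-02 09:02:41 4002 4001 SIP/4002-0a1b2c3d SIP/4001-0a1b2c4e ANSWERED 95
2009-04-02 10:15:00 5551230000 4001 SIP/192.0.2.10-0b2c3d4e SIP/4001-0b2c3d5f NO ANSWER 0
"""

# Assumed layout: date time source destination src-channel dst-channel status seconds
LINE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<src>.+?) (?P<dst>\S+) (?P<chan>SIP/\S+) "
    r"(?P<dstchan>\S+) (?P<status>ANSWERED|NO ANSWER|BUSY|FAILED) (?P<secs>\d+)$"
)

def peer_ip(channel):
    """Return the peer part of SIP/<peer>-<id> as an IP address, or None."""
    peer = channel[len("SIP/"):].rsplit("-", 1)[0]
    try:
        return ipaddress.ip_address(peer)
    except ValueError:
        return None  # named peer such as SIP/4002-...

def triage(text, quiet_hours=range(0, 6), watch=()):
    """Flag calls whose source channel is named by a bare IP (assumed heuristic
    for a caller that matched no configured peer) and count them per address."""
    nets = [ipaddress.ip_network(n) for n in watch]
    hits, per_ip = [], Counter()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        ip = peer_ip(m["chan"]) if m else None
        if ip is None:
            continue
        per_ip[str(ip)] += 1
        hits.append({
            "when": f"{m['date']} {m['time']}", "ip": str(ip), "dst": m["dst"],
            "answered": m["status"] == "ANSWERED",
            "off_hours": int(m["time"][:2]) in quiet_hours,
            "in_watched_net": any(ip in n for n in nets),
        })
    return hits, per_ip

if __name__ == "__main__":
    hits, per_ip = triage(SAMPLE_CDR, watch=["69.197.128.0/18"])
    for h in hits:
        print(h)
    print(per_ip.most_common())
```

Rows that are answered, off-hours and from an IP-named channel are the ones worth matching against /var/log/asterisk/full for the same timestamps.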
     
  10. robclay

    Joined:
    Mar 25, 2009
    Messages:
    36
    Likes Received:
    0
    I am using v1.5 Stable.

    So in the Elastix Without Tears book, "Allow Anonymous Inbound SIP Calls? Yes (if this is set to
     
  11. robclay

    Joined:
    Mar 25, 2009
    Messages:
    36
    Likes Received:
    0
    Extensions:

    From "Elastix without Tears"

    It
     
  12. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    If you "register" your account with teliax for inbound calling, it will of course not be anonymous, and hence calls will not be rejected.
    Some VSPs allow inbound based on your IP address, that would technically be anonymous.

    If you allow inbound anonymous, I suggest that a "catchall" inbound sip call be routed through a context that explores the "SIP_HEADERS" (to, from and via) before accepting the call (and thus responding) or you risk divulging details that are known to be crackable.

    IMHO the use of ENUM trunking needs a serious peer overview as to its security, but at this point in time I have no useful code to contribute.
     
  13. robclay

    Joined:
    Mar 25, 2009
    Messages:
    36
    Likes Received:
    0
    Just an FYI.... this seems to have stopped. I don't think I did anything to stop it... it just stopped. (Or at least I hope so)

    Hmmm.
     
  14. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
  15. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    I wanted to use ENUM and then I had to open anonymous call.
    However, to avoid extensions phishing, I only allow specific extensions (the ones with my e164 numbers) and they all go to a route with a time condition to avoid the 4 am calls.
    I commented out the include => from-did-direct (by copying the context in extensions_override_freepbx.conf) to avoid any direct connection to internal extension.
     
  16. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Patrick:
    Sounds like a plan!

    I have great hopes that 1.4.24.1 (deployed already) and fail2ban will stop all this crap (Time will tell).

    I believe that ultimately the "good guys" will always outmanoeuvre the "bad guys", it's not a matter of "cleverness" but simply because there are more of us . . .
     
  17. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0
    Did you put
    alwaysauthreject=yes
    in your sip_general_custom.conf ?
     
  18. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Of course, I read the FM B) (apparently, non RFC but effective now in 1.4.24.1)


    (P.S. I threw this together for a debugging "catchall".)


    [custom-sip-anon]
    exten => s,1,noop("got here")
    exten => s,n,Set(SIP_FROM=${SIP_HEADER(From)})
    exten => s,n,Set(SIP_TO=${SIP_HEADER(To)})
    exten => s,n,Set(SIP_VIA=${SIP_HEADER(Via)})
    exten => s,n,Set(SIP_UA=${SIP_HEADER(User-Agent)})
    exten => s,n,Set(SIP_SERVER=${SIP_HEADER(Server)})
    exten => s,n,Set(SIP_CONTACT=${SIP_HEADER(Contact)})
    exten => s,n,Set(SIP_CSEQ=${SIP_HEADER(CSeq)})
    exten => s,n,Set(SIP_DATE=${SIP_HEADER(Date)})
    exten => s,n,Set(SIP_ALLOW=${SIP_HEADER(Allow)})
    exten => s,n,Set(SIP_CONT_TYPE=${SIP_HEADER(Content-Type)})
    exten => s,n,Set(SIP_CONT_LENGTH=${SIP_HEADER(Content-Length)})
    exten => s,n,Set(SIP_FORWARDS=${SIP_HEADER(Max-Forwards)})
    exten => s,n,Set(PEERIP=${SIPCHANINFO(peerip)})
    exten => s,n,Set(RECV=${SIPCHANINFO(recvip)})
    exten => s,n,Set(FROM=${SIPCHANINFO(from)})
    exten => s,n,Set(URI=${SIPCHANINFO(uri)})
    exten => s,n,Set(USERAGENT=${SIPCHANINFO(useragent)})
    exten => s,n,Set(PEERNAME=${SIPCHANINFO(peername)})
    exten => s,n,Answer
    exten => s,n,Hangup()
     
  19. wiseoldowl

    Joined:
    Aug 19, 2008
    Messages:
    251
    Likes Received:
    0
     
