Users randomly get calls from system

Discussion in 'General' started by suran, Jan 6, 2011.

  1. suran

    Joined:
    Jan 6, 2011
    Messages:
    2
    Likes Received:
    0
    Greetings,

    I have an Elastix platform in the field with about 200 phones connected to it. They're a mixture of Grandstream, CALIX, Polycoms, Linksys ATAs, etc.

    I have an issue where every night (and it seems to be just on the CALIX phones), a couple users get a phone call at like 2AM. The time isn't consistent, nor is the user receiving the call.

    The CID that the user's phone displays is 'ASTERISK', and it will ring until they answer, even if there is VM on the extension. When they do answer, there is no party on the other line. When they report the call to me, it doesn't show up in the CDR.

    The ATAs aren't behind NATs or firewalls. They're connected to an FTTH network with the PBX at the core, so latency is on the order of 1-5ms.

    What could be causing this? The few people this is happening to are ready to light me on fire if they lose much more sleep - and I can't say I blame them. :)
     
  2. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I suggest that they are attempts to compromise your system.

    I would install Fail2ban and a firewall immediately.

    Only allow udp/5060 through the firewall from "trusted IPs". In each extension, "disallow all" IPs and allow only your Asterisk server. If the calls still happen, then they are probably going straight to your ATAs and Asterisk is not involved (hence the need for a firewall). You should also consider changing the SIP port from 5060 on your affected phones.

    dicko
     
  3. diablorick

    Joined:
    Mar 30, 2010
    Messages:
    4
    Likes Received:
    0
    I have this exact same problem with some Grandstream ATAs and I don't think it's an attack. I have everything firewalled and the calls are being sent directly from the Elastix server (no incoming call, just server to extension). This only happens on the ATAs, not any other extensions.
     
  4. voya

    Joined:
    Apr 6, 2009
    Messages:
    15
    Likes Received:
    0
    Look at your log.
    It's in /var/log/asterisk/full

    good luck!
     
  5. suran

    Joined:
    Jan 6, 2011
    Messages:
    2
    Likes Received:
    0
    udp 5060 is nullrouted at our border router except to/from our term/orig/e911 providers. Fail2ban has been installed, and there have been no indications of compromise or even increased attack levels.

    Sadly, I've already tried that. I have pored endlessly over the logs for a dozen reports of this issue, and there's simply nothing in them. I have ATAs that are ringing with a CID of ASTERISK, and seemingly, they are single channel calls (there's no 'bridging' of the call occurring).
     
  6. voya

    Joined:
    Apr 6, 2009
    Messages:
    15
    Likes Received:
    0
    Do you have any DID configured on your ATA?
     
  7. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    I'm pretty sure that if:

    grep ASTERISK /var/log/asterisk/full*

    and

    grep ASTERISK /var/log/asterisk/cdr-csv/Master.csv

    don't come back with anything, then it's not your Asterisk box (provided your log level is at least three). If that is the case, then I suggest you look elsewhere.

    On a personal level, my suggestion is to throw the Grandstreams away.
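
The thread leaves open whether the phantom INVITEs reach the ATAs through the PBX or directly. As an added example (not part of the original thread), this Python script triages SIP requests captured at an ATA's port by source address. The PBX address, the documentation-range IPs, the header values and the capture itself are constructed assumptions.

```python
import ipaddress
import re

# Assumption: address of the PBX (documentation range, not from the thread).
TRUSTED_PBX = [ipaddress.ip_network("192.0.2.10/32")]
HEADER_RE = re.compile(r"^([A-Za-z-]+)\s*:\s*(.*)$")

def parse_sip_request(raw):
    """Return (method, headers) for a SIP request; None for responses or junk."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        return None                      # a response starts with "SIP/2.0 200 ..."
    headers = {}
    for line in lines[1:]:
        if not line:                     # blank line ends the header section
            break
        m = HEADER_RE.match(line)
        if m:
            headers.setdefault(m.group(1).lower(), m.group(2).strip())
    return parts[0].upper(), headers

def classify(src_ip, raw):
    """Label one captured INVITE by where it came from; None for anything else."""
    parsed = parse_sip_request(raw)
    if parsed is None or parsed[0] != "INVITE":
        return None
    headers = parsed[1]
    trusted = any(ipaddress.ip_address(src_ip) in net for net in TRUSTED_PBX)
    return {
        "src": src_ip,
        "from": headers.get("from", ""),          # display name is sender-chosen
        "user_agent": headers.get("user-agent", ""),
        "verdict": "via-pbx" if trusted else "direct-to-ata",
    }

# Constructed capture: (packet source IP, raw SIP message seen at the ATA).
CAPTURE = [
    ("192.0.2.10", 'INVITE sip:201@198.51.100.21 SIP/2.0\r\nFrom: "ASTERISK" <sip:asterisk@192.0.2.10>;tag=a1\r\nUser-Agent: Asterisk PBX\r\n\r\n'),
    ("203.0.113.77", 'INVITE sip:100@198.51.100.21 SIP/2.0\r\nFrom: "ASTERISK" <sip:100@198.51.100.21>;tag=b2\r\nUser-Agent: constructed-ua\r\n\r\n'),
    ("192.0.2.10", "OPTIONS sip:201@198.51.100.21 SIP/2.0\r\nFrom: <sip:asterisk@192.0.2.10>;tag=c3\r\n\r\n"),
    ("203.0.113.77", "SIP/2.0 200 OK\r\n\r\n"),
]

def triage(capture):
    """Keep only INVITEs, each tagged via-pbx or direct-to-ata."""
    return [r for r in (classify(ip, raw) for ip, raw in capture) if r]

if __name__ == "__main__":
    for row in triage(CAPTURE):
        print(row)
```

Both constructed INVITEs carry the same "ASTERISK" display name, so only the packet source address separates a call the PBX placed from one sent straight to the ATA.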
     
