Hi list!

Very strange...
I ran the Asterisk CLI for other tasks, and suddenly I got this message:

== Using SIP RTP CoS mark 5
-- Executing [000972592603325@default:1] Verbose("SIP/192.168.20.120-0000002a", "2,PROXY Call from 0123456 to 000972592603325") in new stack
== PROXY Call from 0123456 to 000972592603325
-- Executing [000972592603325@default:2] Set("SIP/192.168.20.120-0000002a", "CHANNEL(musicclass)=default") in new stack
-- Executing [000972592603325@default:3] GotoIf("SIP/192.168.20.120-0000002a", "0?dialluca") in new stack
-- Executing [000972592603325@default:4] GotoIf("SIP/192.168.20.120-0000002a", "0?dialfax") in new stack
-- Executing [000972592603325@default:5] GotoIf("SIP/192.168.20.120-0000002a", "0?dialanika") in new stack
-- Executing [000972592603325@default:6] Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in new stack
[Jun 8 21:42:50] WARNING[18981]: app_dial.c:2345 dial_exec_full: Unable to create channel of type 'SIP' (cause 20 - Subscriber absent)
== Everyone is busy/congested at this time (1:0/0/1)
-- Executing [000972592603325@default:7] Hangup("SIP/192.168.20.120-0000002a", "") in new stack
== Spawn extension (default, 000972592603325, 7) exited non-zero on 'SIP/192.168.20.120-0000002a'
[Jun 8 21:43:22] WARNING[16633]: chan_sip.c:3830 retrans_pkt: Retransmission timeout reached on transmission 8dc31ca4e660a0408450715638784d86 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32001ms with no response

At the time no phone tried to call...
On my firewall I see a SIP packet coming from an IP in Palestine...
Am I cracked? I think I disabled all "guest" access.
How can I check if my Asterisk allows guests to originate calls?

Thanks
Luca Bertoncello
(lucabert at lucabert.de)
> Am I cracked? I think I disabled all "guest" access.
> How can I check if my Asterisk allows guest to originate calls?

Based on SIP packets coming in from IP addresses you don't recognize, while you may not be hacked, you would seem to have people probing your system.

One thing you can do at the firewall level is restrict inbound SIP communications to only those from your external phone providers. Depending on their setup, they should be able to give you an IP, a range of IPs or a name that can be used (i.e. sip.myphoneprovider.com). If you restrict your inbound SIP to that, it will be very helpful.

Also, there are further steps you can take to harden your systems. An internet search will bring up many, but here are a couple of good ones:

http://blogs.digium.com/2009/03/28/sip-security/
http://www.ipcomms.net/blog/70-11-steps-to-secure-your-asterisk-ip-pbx
http://nerdvittles.com/?p=580
Kevin Larsen <kevin.larsen at pioneerballoon.com> wrote:

> Based on SIP packets coming in from IP addresses you don't recognize,
> while you may not be hacked, you would seem to have people probing your

I think, too, it's someone probing my IP...

> system. One thing you can do at the firewall level is restrict inbound SIP
> communications to only those from your external phone providers. Depending
> on their setup, they should be able to give you an IP, a range of IPs or a
> name that can be used (i.e. sip.myphoneprovider.com). If you restrict your

This is not really possible, since I'll log in to my Asterisk from many providers...

> inbound SIP to that, it will be very helpful. Also, there are further
> steps you can take to harden your systems. An internet search will bring
> up many, but here are a couple of good ones:
>
> http://blogs.digium.com/2009/03/28/sip-security/
> http://www.ipcomms.net/blog/70-11-steps-to-secure-your-asterisk-ip-pbx
> http://nerdvittles.com/?p=580

OK, I set alwaysauthreject = yes and I discovered an allowguest option, which I set to "no", too.
The PBX is behind a firewall and I just allow UDP 5060 and 10000-10100.
Now I log the SIP packets coming from the Internet, too...

Hopefully I solved my problem...

Thanks
Luca Bertoncello
(lucabert at lucabert.de)
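Luca's original question was how to check whether his Asterisk lets guests originate calls; in chan_sip, allowguest defaults to yes when the key is absent, and guest INVITEs run in the [general] context (or "default" if none is set), which is the context the log above shows executing Dial(). The following is an added example, not code from the list or from Asterisk: it parses a chan_sip-style sip.conf (constructed inline, with a weak and a hardened [general] section) and reports the guest-related exposure, applying the chan_sip defaults for missing keys.

```python
"""Report how a chan_sip sip.conf treats unauthenticated ("guest") callers; added example, not Asterisk code."""

# chan_sip defaults applied when a key is absent from [general] (per sip.conf.sample):
# allowguest=yes, alwaysauthreject=yes (1.8+), guest calls enter 'context' or "default".
DEFAULTS = {"allowguest": "yes", "alwaysauthreject": "yes", "context": "default"}

def parse_asterisk_conf(text):
    """Minimal parser for Asterisk config syntax: [section] headers,
    key=value or key=>value pairs, ';' comments. Later keys overwrite earlier ones."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.lstrip(">").strip()
    return sections

def guest_findings(conf_text):
    """Return a list of findings about guest-call exposure; an empty list means hardened."""
    general = parse_asterisk_conf(conf_text).get("general", {})
    def setting(key):
        return general.get(key, DEFAULTS[key])
    findings = []
    if setting("allowguest").lower() != "no":
        findings.append("allowguest=%s (absent means yes): unauthenticated INVITEs "
                        "run the dialplan in context [%s]"
                        % (setting("allowguest"), setting("context")))
    if setting("alwaysauthreject").lower() != "yes":
        findings.append("alwaysauthreject=%s: rejections reveal which peers exist"
                        % setting("alwaysauthreject"))
    return findings

# Constructed sample configs. WEAK_CONF omits allowguest entirely, so the chan_sip
# default (yes) applies and guests land in [default], the same context as the Dial().
WEAK_CONF = """[general]
context=default   ; same context the outbound Dial() lives in
alwaysauthreject=no
"""
HARDENED_CONF = """[general]
context=unauthenticated   ; a context with no outbound Dial()
allowguest=no
alwaysauthreject=yes
"""
```

Run guest_findings() on your own sip.conf text; the weak sample yields two findings and the hardened one none.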
I'm guessing this is a small/home system?

I suggest you install SecAst from this site: www.telium.ca
It's free for small office / home office and will deal with these types of attacks and more. It can also block users based on their geographic location (based on the phone number it attempted to dial I suspect this is Middle East), look for suspicious dialing patterns, etc.

If you still have allow guest enabled, then you should also follow the 'securing asterisk' steps from this site: http://www.voip-info.org/wiki/view/Asterisk+security

You're definitely under attack (based on the 0123456 ID) so be sure to take preventative steps to avoid a $50k phone bill.

________________________________________
From: asterisk-users-bounces at lists.digium.com <asterisk-users-bounces at lists.digium.com> on behalf of Luca Bertoncello <lucabert at lucabert.de>
Sent: Monday, June 8, 2015 3:46 PM
To: Asterisk Users List
Subject: [asterisk-users] Am I cracked?

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
On Mon, 8 Jun 2015, Michelle Dupuis wrote:

> You're definitely under attack (based on the 0123456 ID) so be sure to
> take preventative steps to avoid a $50k phone bill.

Don't enable 'auto-replenish' in your provider account and don't keep a balance you can't afford to lose.

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
Newline                                        Fax: +1-760-731-3000
For such cases I created a dialplan in the default dialplan which blocks the IP of the hacker with iptables.

On Monday, June 8, 2015, Luca Bertoncello <lucabert at lucabert.de> wrote:

> At the time no phone try to call...
> On my Firewall I see a SIP packet coming from an IP in Palestine...
> Am I cracked? I think I disabled all "guest" access. How can I check if my
> Asterisk allows guest to originate calls?
Quoting Dereck D <dereck.s at gmail.com>:

> For such cases I created a dialplan in the default dialplan which blocks
> the IP of the hacker with iptables.

That's interesting...
Could you explain to me how you did it?

Thanks
Luca Bertoncello
(lucabert at lucabert.de)