Kevin Larsen <kevin.larsen at pioneerballoon.com> wrote:

> Make sure you have solved the problem. You don't want to get hit with a
> phone bill for calls from your location to Israel. Basically, they are
> hoping that you are running the equivalent of a mail server open relay.
> They are trying to use you to dial out to another number. You don't want
> to pay for these calls.

Of course, but how can I test if I am an "open relay"?

> The calls are being dumped into your default context. It's not matching on
> your gotoif statements, so finally it is trying to execute this:
> Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in
> new stack
>
> Not sure what trunk pbxluca is, but if that is an outbound trunk, then
> this is very bad. The only reason it would fail then is if they have the

This is one of my outbound trunks...

> outbound dial pattern wrong, which is a sure sign that you are open in the
> future to having someone make this kind of call in a way that does work
> and leaves you on the hook. Based on your email address, I am guessing you
> are in Germany. Looks like they almost have the correct outbound pattern
> for dialing from Germany to Israel. It should be 00972592603325 (notice
> the one less zero in the front). Please tell me that pbxluca is not an
> outbound dialing context? If it is, you need to fix this very quickly.

How can I fix it? Of course, I need to be able to call any phone in this
world...
On a mail server I'd restrict outgoing calls to authenticated users. I was
sure that Asterisk already does that, but I'm not sure anymore...
How can I restrict it?

Thanks
Luca Bertoncello
(lucabert at lucabert.de)
On Mon, 8 Jun 2015 22:24:33 +0200
Luca Bertoncello <lucabert at lucabert.de> wrote:
> Kevin Larsen <kevin.larsen at pioneerballoon.com> wrote:
> > Basically, they are hoping that you are running the equivalent of a
> > mail server open relay. They are trying to use you to dial out to
> > another number. You don't want to pay for these calls.
>
> Of course, but how can I test if I am an "open relay"?

If you don't know how to do this I suggest that you shut down your
Asterisk server until you find out. Using your cell phone while you
get it straight could save you some serious coin.

> > Not sure what trunk pbxluca is, but if that is an outbound trunk,
> > then this is very bad. The only reason it would fail then is if
> > they have the
>
> This is one of my outbound trunks...

Very, very bad then.

> On a mail server I'd restrict outgoing calls to authenticated users.
> I was sure that Asterisk already does that, but I'm not sure anymore...
> How can I restrict it?

You need to make sure that only registered phones can connect to your
outbound trunks. Read the docs or hire someone but don't wait. Shut
down now, especially since this information is now on a public list. I
am sure that most people here are just looking out for you but it only
takes one black hat.

--
D'Arcy J.M. Cain
System Administrator, Vex.Net
http://www.Vex.Net/ IM:darcy at Vex.Net
VoIP: sip:darcy at Vex.Net
> > Make sure you have solved the problem. You don't want to get hit with a
> > phone bill for calls from your location to Israel. Basically, they are
> > hoping that you are running the equivalent of a mail server open relay.
> > They are trying to use you to dial out to another number. You don't want
> > to pay for these calls.
>
> Of course, but how can I test if I am an "open relay"?
>
> > The calls are being dumped into your default context. It's not matching on
> > your gotoif statements, so finally it is trying to execute this:
> > Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in
> > new stack
> >
> > Not sure what trunk pbxluca is, but if that is an outbound trunk, then
> > this is very bad. The only reason it would fail then is if they have the
>
> This is one of my outbound trunks...
>
> > outbound dial pattern wrong, which is a sure sign that you are open in the
> > future to having someone make this kind of call in a way that does work
> > and leaves you on the hook. Based on your email address, I am guessing you
> > are in Germany. Looks like they almost have the correct outbound pattern
> > for dialing from Germany to Israel. It should be 00972592603325 (notice
> > the one less zero in the front). Please tell me that pbxluca is not an
> > outbound dialing context? If it is, you need to fix this very quickly.
>
> How can I fix it? Of course, I need to be able to call any phone in this
> world...
> On a mail server I'd restrict outgoing calls to authenticated users. I was
> sure that Asterisk already does that, but I'm not sure anymore...
> How can I restrict it?

I am sure others can chime in, but first things first: you want inbound
calls and outbound calls to be in different contexts. Don't let your default
context reach an outbound line. Your registered phones will be in a context
that can call out, which should be different from the default.

Also, make sure that your phones are registering with passwords (secret)
that are different from the extension number. Makes it harder to guess.

The big thing to keep in mind dialplan-wise is to never let an inbound call
have a path to loop back outbound. The two biggest vectors for fraud will be
allowing a non-authenticated SIP call to get outbound over your trunks, and
having weak credentials that can be cracked and let someone else impersonate
your phones.

And you can still wipe out most fraud by restricting the IP addresses you
let in from the outside world. I prefer to have the most restrictive
communications I can and then fix it if I discover that something doesn't
work. Better to fail and fix than to permit and pay for it later.

The providers I tend to like best not only give me what I need to restrict
to their IP ranges, but also put in place restrictions on their end to only
talk to my account from my external static IP address. That way someone
could figure out my credentials, but if they can't spoof my IP address it
still won't work. That is dependent on what the provider can do though.
As a practice, by default all the extensions you expose in allowguest mode
should lead inbound to your Asterisk and should never pick any outbound
trunk and dial out. Your best option is to remove all outbound extensions
from the default context, move them to default2, and set the default
extensions up as a honeypot that plays the monkeys TTS wave file or rejects
the call.

Mitul Limbani

On 09-Jun-2015 2:05 AM, "D'Arcy J.M. Cain" <darcy at vex.net> wrote:
> On Mon, 8 Jun 2015 22:24:33 +0200
> Luca Bertoncello <lucabert at lucabert.de> wrote:
> > Kevin Larsen <kevin.larsen at pioneerballoon.com> wrote:
> > > Basically, they are hoping that you are running the equivalent of a
> > > mail server open relay. They are trying to use you to dial out to
> > > another number. You don't want to pay for these calls.
> >
> > Of course, but how can I test if I am an "open relay"?
>
> If you don't know how to do this I suggest that you shut down your
> Asterisk server until you find out. Using your cell phone while you
> get it straight could save you some serious coin.
>
> > > Not sure what trunk pbxluca is, but if that is an outbound trunk,
> > > then this is very bad. The only reason it would fail then is if
> > > they have the
> >
> > This is one of my outbound trunks...
>
> Very, very bad then.
>
> > On a mail server I'd restrict outgoing calls to authenticated users.
> > I was sure that Asterisk already does that, but I'm not sure anymore...
> > How can I restrict it?
>
> You need to make sure that only registered phones can connect to your
> outbound trunks. Read the docs or hire someone but don't wait. Shut
> down now, especially since this information is now on a public list. I
> am sure that most people here are just looking out for you but it only
> takes one black hat.
>
> --
> D'Arcy J.M. Cain
> System Administrator, Vex.Net
> http://www.Vex.Net/ IM:darcy at Vex.Net
> VoIP: sip:darcy at Vex.Net
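A worked configuration of the split that Kevin, D'Arcy and Mitul describe above: inbound and outbound in separate contexts, the outbound context reachable only from authenticated phones, IP restrictions on the trunk and on the phones, a guest/default context that can do nothing but log and reject, and the "no guests, same reply for unknown users" switches that stop unauthenticated INVITEs before they reach the dialplan at all. This is an added example, not configuration posted in the thread or shipped with Asterisk. It is written for chan_sip because the OP's log shows SIP/ channels; the trunk name pbxluca and the phone LAN 192.168.20.0/24 are taken from that log, while the provider hostname, provider IP range, credentials, the DID and the phone secret are assumed placeholders.

```ini
; ---- sip.conf (chan_sip) ----
[general]
context=default          ; INVITEs matching no peer land here; [default] below cannot dial out
allowguest=no            ; reject INVITEs from unknown sources instead of running them through [default]
alwaysauthreject=yes     ; reply identically for unknown and known usernames, so peers cannot be enumerated
register => trunkuser:trunksecret@sip.provider.invalid   ; assumed provider credentials/host

[pbxluca]                ; the outbound trunk named in the OP's log
type=peer
host=sip.provider.invalid         ; assumed provider hostname
defaultuser=trunkuser             ; assumed
fromuser=trunkuser                ; assumed
secret=trunksecret                ; assumed
context=from-trunk                ; calls the provider sends us enter here; inbound-only context
insecure=invite                   ; provider does not authenticate its INVITEs to us; the IP match below is the control
deny=0.0.0.0/0.0.0.0
permit=203.0.113.0/255.255.255.0  ; assumed provider signalling range; use the range your provider publishes

[1001]                   ; one registered desk phone
type=friend
host=dynamic
secret=Kq7vR2wXp9mZ4sLt  ; example value: long and random, never the extension number
context=from-internal    ; only authenticated phones get a context that can reach the trunk
deny=0.0.0.0/0.0.0.0
permit=192.168.20.0/255.255.255.0 ; the phone LAN seen in the OP's log (192.168.20.120)
qualify=yes

; ---- extensions.conf ----
[default]
; Unauthenticated territory. Nothing in here may include => a context that can Dial() a trunk.
exten => _X.,1,NoOp(Rejected unauthenticated call to ${EXTEN} from ${CHANNEL(peerip)})
 same => n,Hangup(21)
; Honeypot variant (Mitul's suggestion): replace the Hangup with Playback(tt-monkeys),
; keeping in mind that Playback answers the call and holds a channel open per attempt.

[from-trunk]
; Inbound from the provider: only our DID is routable, and only to an internal phone.
exten => 4930555123,1,Dial(SIP/1001,30)   ; assumed DID
 same => n,Hangup()

[internal-phones]
exten => _1XXX,1,Dial(SIP/${EXTEN},30)
 same => n,Hangup()

[outbound]
; German national (0 + area code) and international (00 + country code) dialling.
; Z matches 1-9, so the 000972... in the OP's log matches neither pattern and is
; refused here instead of being handed to the provider.
exten => _0ZX.,1,Dial(SIP/pbxluca/${EXTEN},60)
 same => n,Hangup()
exten => _00ZX.,1,Dial(SIP/pbxluca/${EXTEN},60)
 same => n,Hangup()

[from-internal]
; Entered only by authenticated phones: [1001] above sets context=from-internal.
include => internal-phones
include => outbound
```

After `sip reload` and `dialplan reload`, `sip show settings` should report unknown (guest) access as disabled, and `dialplan show default` should list nothing that includes or dials a trunk; the calls from the provider keep working with allowguest=no because the trunk peer is matched by its IP address, so they are not guests. With chan_pjsip the same separation is done with a per-endpoint `context=`, and unauthenticated requests are only accepted if an endpoint named anonymous exists.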
On Mon, 8 Jun 2015, Kevin Larsen wrote:

> Better to fail and fix than to permit and pay for it later.

That would make a great T-shirt: Deny and Fix vs Permit and Pay

--
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
Newline                                              Fax: +1-760-731-3000
2015-06-08 22:35 GMT+02:00 D'Arcy J.M. Cain <darcy at vex.net>:

> On Mon, 8 Jun 2015 22:24:33 +0200
> Luca Bertoncello <lucabert at lucabert.de> wrote:
> > Kevin Larsen <kevin.larsen at pioneerballoon.com> wrote:
> > > Basically, they are hoping that you are running the equivalent of a
> > > mail server open relay. They are trying to use you to dial out to
> > > another number. You don't want to pay for these calls.
> >
> > Of course, but how can I test if I am an "open relay"?
>
> If you don't know how to do this I suggest that you shut down your
> Asterisk server until you find out. Using your cell phone while you
> get it straight could save you some serious coin.

+1 !