thr3ads.net - asterisk users - [asterisk-users] getting invites to rtp ports ?? [Aug 2018]

If this information is useful, please help other people find it:
Share via:

sean darcy

2018-Aug-29 14:46 UTC

[asterisk-users] getting invites to rtp ports ??

On 08/29/2018 09:42 AM, Carlos Rojas wrote:> Hi
> 
> Probably somebody is trying to hack your system, you should block that 
> ip on your firewall.
> 
> Regards
> 
> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com 
> <mailto:seandarcy2 at gmail.com>> wrote:
> 
>     I'm getting invites to very high ports every 30 seconds from a
>     particular ip address:
> 
>     Retransmitting #10 (NAT) to 5.199.133.128:52734
>     <http://5.199.133.128:52734>:
>     SIP/2.0 401 Unauthorized
>     Via: SIP/2.0/UDP
>    
0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
>     From: <sip:37120116780191250 at 67.80.191.250
>     <mailto:sip%3A37120116780191250 at
67.80.191.250>>;tag=1872048972
>     To: <sip:3712011972592181418 at 67.80.191.250
>     <mailto:sip%3A3712011972592181418 at
67.80.191.250>>;tag=as3a52e748
>     Call-ID: 1504207870-295758084-609228182
>     CSeq: 1 INVITE
>     .......
>     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
>     1504207870-295758084-609228182...
> 
>     I thought invites had to go to port 5060 or so. I don't understand
>     why somebody (let's assume a bad guy) is trying ports above 50000.
> 
>     sean
> 
> 
Ok, so the high port is not the destination port but the source port.

So I hacked the log warning in chan_sip.c on non-critical invites to 
show the source ip:

ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from
%s.\n",
pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

With that in the log, I'm now blocking the ip addresses.

Thanks,
sean

Telium Support Group

2018-Aug-29 15:59 UTC

head link

[asterisk-users] getting invites to rtp ports ??

Block a single IP is the wrong approach (whack-a-mole).  You should consider a
more comprehensive approach to securing your VoIP environment.  Have a look at
this wiki:

https://www.voip-info.org/asterisk-security/



-----Original Message-----
From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On
Behalf Of sean darcy
Sent: Wednesday, August 29, 2018 10:46 AM
To: asterisk-users at lists.digium.com
Subject: Re: [asterisk-users] getting invites to rtp ports ??

On 08/29/2018 09:42 AM, Carlos Rojas wrote:> Hi
> 
> Probably somebody is trying to hack your system, you should block that 
> ip on your firewall.
> 
> Regards
> 
> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com 
> <mailto:seandarcy2 at gmail.com>> wrote:
> 
>     I'm getting invites to very high ports every 30 seconds from a
>     particular ip address:
> 
>     Retransmitting #10 (NAT) to 5.199.133.128:52734
>     <http://5.199.133.128:52734>:
>     SIP/2.0 401 Unauthorized
>     Via: SIP/2.0/UDP
>    
0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
>     From: <sip:37120116780191250 at 67.80.191.250
>     <mailto:sip%3A37120116780191250 at
67.80.191.250>>;tag=1872048972
>     To: <sip:3712011972592181418 at 67.80.191.250
>     <mailto:sip%3A3712011972592181418 at
67.80.191.250>>;tag=as3a52e748
>     Call-ID: 1504207870-295758084-609228182
>     CSeq: 1 INVITE
>     .......
>     WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
>     1504207870-295758084-609228182...
> 
>     I thought invites had to go to port 5060 or so. I don't understand
>     why somebody (let's assume a bad guy) is trying ports above 50000.
> 
>     sean
> 
> 
Ok, so the high port is not the destination port but the source port.

So I hacked the log warning in chan_sip.c on non-critical invites to show the
source ip:

ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from
%s.\n",
pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));

With that in the log, I'm now blocking the ip addresses.

Thanks,
sean


--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Astricon is coming up October 9-11!  Signup is available at:
https://www.asterisk.org/community/astricon-user-conference

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
      https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
   http://lists.digium.com/mailman/listinfo/asterisk-users

sean darcy

2018-Aug-29 22:33 UTC

head link

[asterisk-users] getting invites to rtp ports ??

On 08/29/2018 11:59 AM, Telium Support Group wrote:> Block a single IP is the wrong approach (whack-a-mole).  You should
consider a more comprehensive approach to securing your VoIP environment.  Have
a look at this wiki:
> 
> https://www.voip-info.org/asterisk-security/
> 
> 
> 
> -----Original Message-----
> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com] On
Behalf Of sean darcy
> Sent: Wednesday, August 29, 2018 10:46 AM
> To: asterisk-users at lists.digium.com
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
> 
> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
>> Hi
>>
>> Probably somebody is trying to hack your system, you should block that
>> ip on your firewall.
>>
>> Regards
>>
>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com
>> <mailto:seandarcy2 at gmail.com>> wrote:
>>
>>      I'm getting invites to very high ports every 30 seconds from a
>>      particular ip address:
>>
>>      Retransmitting #10 (NAT) to 5.199.133.128:52734
>>      <http://5.199.133.128:52734>:
>>      SIP/2.0 401 Unauthorized
>>      Via: SIP/2.0/UDP
>>     
0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
>>      From: <sip:37120116780191250 at 67.80.191.250
>>      <mailto:sip%3A37120116780191250 at
67.80.191.250>>;tag=1872048972
>>      To: <sip:3712011972592181418 at 67.80.191.250
>>      <mailto:sip%3A3712011972592181418 at
67.80.191.250>>;tag=as3a52e748
>>      Call-ID: 1504207870-295758084-609228182
>>      CSeq: 1 INVITE
>>      .......
>>      WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
>>      1504207870-295758084-609228182...
>>
>>      I thought invites had to go to port 5060 or so. I don't
understand
>>      why somebody (let's assume a bad guy) is trying ports above
50000.
>>
>>      sean
>>
>>
> 
> Ok, so the high port is not the destination port but the source port.
> 
> So I hacked the log warning in chan_sip.c on non-critical invites to show
the source ip:
> 
> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from
%s.\n",
>
pkt->owner->callid,ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
> 
> With that in the log, I'm now blocking the ip addresses.
> 
> Thanks,
> sean
> 
> 
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> 
> Astricon is coming up October 9-11!  Signup is available at:
https://www.asterisk.org/community/astricon-user-conference
> 
> Check out the new Asterisk community forum at:
https://community.asterisk.org/
> 
I agree. That's why I hacked chan_sip.c to get the addresses in the log.

I'm surprised they're not in the log by default. I must be the only 
person who gets these "non-critical invites".

sean

asterisk users - Aug 2018 - getting invites to rtp ports ??

[asterisk-users] getting invites to rtp ports ??

[asterisk-users] getting invites to rtp ports ??

[asterisk-users] getting invites to rtp ports ??