[asterisk-users] Intruder

Ruben Rögels ruben.roegels at jumping-frog.org
Fri Nov 16 10:50:07 CST 2012 

Hi Felix,

you have several things to check:

netstat -a -n --udp --tcp

will show you connections and connection attempts on network layer level.
You have to look for incoming connections to port 5060 and if the call 
has been established for connections on your rtp ports. (see rtp.conf).
If you can see connections not supposed to be there: thats your intruder ;-)

I suggest you disable guest calls and you configure a default context in 
which dialed extensions can't be routed to charged destinations.

sip.conf:
allowguests=no
defaultcontext=default

extensions.conf:
[default]
exten => _X.,1,Answer()
exten => _X.,n,PlayBack(silence/1)
exten => _X.,n,PlayBack(ss-noservice)
exten => _X.,n,PlayBack(silence/1)
exten => _X.,n,MusicOnHold(default,10)
exten => _X.,n,PlayBack(silence/1)
exten => _X.,n,PlayBack(vm-goodbye)
exten => _X.,n,HangUp()

The  next step would be using fail2ban or something similiar to check 
the asterisk log for intruders.
fail2ban recognized them and dynamically sets appropriate firewall rules.

Good luck.

best regards,
Ruben



Am 16.11.2012 17:20, schrieb Felix Vazquez:
>
> I am in the asterisk CLI and can see an unidentified caller trying the 
> make calls out of the asterisk system. How do I stop them? How do I 
> identify them and how can I see how the go in?
>
> This is an example of what I would see:
>
>                 NOTICE[4098]: chan_sip.c:20063 handle_request_invite: 
> Call *from '' *to extension '90111235551212' rejected because 
> extension not found.
>
> Felix
>
>
> ------------------------------------------------------------------------
>
> This electronic message contains information from BOSH Global Services 
> which may be company sensitive, proprietary, privileged or otherwise 
> protected from disclosure. The information is intended to be used 
> solely by the recipient(s) named above. If you are not an intended 
> recipient, be aware that any review, disclosure, copying, distribution 
> or use of this transmission or its contents is prohibited. If you have 
> received this transmission in error, please notify the sender immediately.
>
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
> New to Asterisk? Join us for a live introductory webinar every Thurs:
>                 http://www.asterisk.org/hello
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
>     http://lists.digium.com/mailman/listinfo/asterisk-users

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.digium.com/pipermail/asterisk-users/attachments/20121116/adf0f123/attachment.htm>

More information about the asterisk-users mailing list