[asterisk-users] Intruder

Markus Weiler markus_weiler at mailworks.org
Fri Nov 16 11:03:22 CST 2012


Hi Felix,

ngrep -W byline port 5060|grep -B1 "INVITE sip"

Markus


On 16.11.2012 17:50, Ruben Rögels wrote:
> Hi Felix,
>
> you have several things to check:
>
> netstat -a -n --udp --tcp
>
> will show you connections and connection attempts on network layer level.
> You have to look for incoming connections to port 5060 and if the call 
> has been established for connections on your rtp ports. (see rtp.conf).
> If you can see connections not supposed to be there: that's your 
> intruder ;-)
>
> I suggest you disable guest calls and you configure a default context 
> in which dialed extensions can't be routed to charged destinations.
>
> sip.conf:
> [general]
> allowguest=no
> context=default
>
> extensions.conf:
> [default]
> exten => _X.,1,Answer()
> exten => _X.,n,PlayBack(silence/1)
> exten => _X.,n,PlayBack(ss-noservice)
> exten => _X.,n,PlayBack(silence/1)
> exten => _X.,n,MusicOnHold(default,10)
> exten => _X.,n,PlayBack(silence/1)
> exten => _X.,n,PlayBack(vm-goodbye)
> exten => _X.,n,HangUp()
>
> The next step would be using fail2ban or something similar to check 
> the asterisk log for intruders.
> fail2ban recognizes them and dynamically sets appropriate firewall rules.
>
> Good luck.
>
> best regards,
> Ruben
>
>
>
> On 16.11.2012 17:20, Felix Vazquez wrote:
>>
>> I am in the asterisk CLI and can see an unidentified caller trying 
>> to make calls out of the asterisk system. How do I stop them? How do 
>> I identify them and how can I see how they get in?
>>
>> This is an example of what I would see:
>>
>> NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from '' to extension '90111235551212' rejected because extension not found.
>>
>> Felix
>>
>>
>> --
>> _____________________________________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>> New to Asterisk? Join us for a live introductory webinar every Thurs:
>>                 http://www.asterisk.org/hello
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>     http://lists.digium.com/mailman/listinfo/asterisk-users
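
The kind of log check fail2ban automates, as an added example (not code from this thread or from fail2ban): it groups rejected INVITEs by source address and flags repeat offenders. The log lines are constructed, and the `(ip:port)` variant and the threshold are assumptions; the line quoted in the thread carries no address, so it lands under `unknown` and still needs the ngrep or netstat step to find its source.

```python
import re
from collections import defaultdict

# chan_sip notice for a rejected INVITE. The "(ip:port)" part is optional:
# the line quoted in the thread has none; the variant with an address is an
# assumption about how other Asterisk versions log the same event.
REJECT_RE = re.compile(
    r"handle_request_invite: Call from '(?P<caller>[^']*)'"
    r"(?: \((?P<host>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?\))?"
    r" to extension '(?P<exten>[^']*)' rejected because extension not found"
)

PREFIX = "NOTICE[4098]: chan_sip.c:20063 handle_request_invite: "
# Constructed sample log. Only the first entry matches the thread's example;
# the addresses come from documentation ranges.
SAMPLE_LOG = [
    PREFIX + "Call from '' to extension '90111235551212' rejected because extension not found.",
    PREFIX + "Call from '' (203.0.113.7:5071) to extension '0011235551212' rejected because extension not found in context 'default'.",
    PREFIX + "Call from '' (203.0.113.7:5071) to extension '90011235551212' rejected because extension not found in context 'default'.",
    PREFIX + "Call from '' (203.0.113.7:5072) to extension '0011235551212' rejected because extension not found in context 'default'.",
    PREFIX + "Call from '100' (198.51.100.20:5060) to extension '200' rejected because extension not found in context 'default'.",
    "NOTICE[4098]: constructed unrelated line that must be ignored",
]

def scan(lines, threshold=3):
    """Group rejected INVITEs by source; flag sources at or above threshold."""
    hits = defaultdict(list)
    for line in lines:
        m = REJECT_RE.search(line)
        if m:
            # No address in the line means nothing a firewall rule could use.
            hits[m.group("host") or "unknown"].append(m.group("exten"))
    return {
        src: {
            "attempts": len(extens),
            "extensions": sorted(set(extens)),
            "flag": src != "unknown" and len(extens) >= threshold,
        }
        for src, extens in hits.items()
    }

if __name__ == "__main__":
    for src, info in scan(SAMPLE_LOG).items():
        print(src, info)
```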
