[asterisk-users] Am I cracked?

Kevin Larsen kevin.larsen at pioneerballoon.com
Mon Jun 8 14:58:52 CDT 2015


> Very strange...
> I ran the Asterisk CLI for other tasks, and suddenly I got this message:
> 
>   == Using SIP RTP CoS mark 5
>     -- Executing [000972592603325 at default:1] Verbose("SIP/192.168.20.120-0000002a", "2,PROXY Call from 0123456 to 000972592603325") in new stack
>   == PROXY Call from 0123456 to 000972592603325
>     -- Executing [000972592603325 at default:2] Set("SIP/192.168.20.120-0000002a", "CHANNEL(musicclass)=default") in new stack
>     -- Executing [000972592603325 at default:3] GotoIf("SIP/192.168.20.120-0000002a", "0?dialluca") in new stack
>     -- Executing [000972592603325 at default:4] GotoIf("SIP/192.168.20.120-0000002a", "0?dialfax") in new stack
>     -- Executing [000972592603325 at default:5] GotoIf("SIP/192.168.20.120-0000002a", "0?dialanika") in new stack
>     -- Executing [000972592603325 at default:6] Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in new stack
> [Jun  8 21:42:50] WARNING[18981]: app_dial.c:2345 dial_exec_full: Unable to create channel of type 'SIP' (cause 20 - Subscriber absent)
>   == Everyone is busy/congested at this time (1:0/0/1)
>     -- Executing [000972592603325 at default:7] Hangup("SIP/192.168.20.120-0000002a", "") in new stack
>   == Spawn extension (default, 000972592603325, 7) exited non-zero on 'SIP/192.168.20.120-0000002a'
> [Jun  8 21:43:22] WARNING[16633]: chan_sip.c:3830 retrans_pkt: Retransmission timeout reached on transmission 8dc31ca4e660a0408450715638784d86 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
> Packet timed out after 32001ms with no response
> 
> At the time no phone tried to call...
> On my firewall I see a SIP packet coming from an IP in Palestine...
> Am I cracked? I think I disabled all "guest" access. How can I check if my
> Asterisk allows guest to originate calls?

Based on SIP packets coming in from IP addresses you don't recognize,
while you may not be hacked, you would seem to have people probing your
system. One thing you can do at the firewall level is restrict inbound SIP
communications to only those from your external phone providers. Depending
on their setup, they should be able to give you an IP, a range of IPs or a
name that can be used (i.e. sip.myphoneprovider.com). If you restrict your
inbound SIP to that, it will be very helpful. Also, there are further
steps you can take to harden your systems. An internet search will bring
up many, but here are a couple of good ones:

http://blogs.digium.com/2009/03/28/sip-security/
http://www.ipcomms.net/blog/70-11-steps-to-secure-your-asterisk-ip-pbx
http://nerdvittles.com/?p=580
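
One way to check the "does my Asterisk allow guest calls" question from the quoted message, as an added example that is not part of the original post or of Asterisk itself: it reads the `[general]` section of a chan_sip `sip.conf` and reports the effective `allowguest` setting and the context guest calls land in. The sample configuration, the `provider-trunk` peer and the function names are constructed for illustration.

```python
import re

# Constructed sample sip.conf for illustration (not from the original post).
SAMPLE_SIP_CONF = """\
[general]
context=default            ; context that unauthenticated callers land in
;allowguest=no             ; commented out, so the built-in default applies
udpbindaddr=0.0.0.0

[provider-trunk]
type=peer
host=192.0.2.10
context=from-trunk
"""

# Values Asterisk's config parser reads as "false".
FALSE_VALUES = {"no", "false", "n", "f", "0", "off"}

def parse_general(text):
    """Collect key/value pairs from every [general] section of a sip.conf."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section == "general" and "=" in line:
            key, value = line.split("=", 1)          # also covers "key => value"
            settings[key.strip().lower()] = value.lstrip(">").strip()
    return settings

def audit_guest_access(text):
    """Report whether chan_sip accepts unauthenticated calls, and into which context."""
    general = parse_general(text)
    # chan_sip enables guest calls when allowguest is absent; anything that is
    # not an explicit "false" value is reported as enabled, to err on the safe side.
    guest_enabled = general.get("allowguest", "yes").lower() not in FALSE_VALUES
    return {
        "guest_enabled": guest_enabled,
        "guest_context": general.get("context", "default"),
    }

if __name__ == "__main__":
    print(audit_guest_access(SAMPLE_SIP_CONF))
```

When `guest_enabled` is true, every priority in `guest_context` can be reached without authentication, so that context should not contain a `Dial()` to an outbound trunk.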