[asterisk-users] getting invites to rtp ports ??
asterisk at a-domani.nl
Thu Aug 30 06:20:51 CDT 2018
Hi Norbert,
Yes, you're correct. One can make SIP calls directly without a provider
(or even Asterisk) in between.
Had to do that a long time ago on an Asterisk course.
But why would you want to do that? Playing with technique? Great, but
then you are at home/lab.
And a company with multiple branches could have PBXs forwarding their
calls, not the individual users setting them up towards a remote PBX.
In case of road warriors (not knowing their current and ever-changing
IP address)...
I presume they ought to use a VPN for connecting to their office (thus
becoming an internal and trusted network entity).
Hans
On 2018-08-30 11:51, norbert wrote:
> Hello Hans,
>
> maybe I don't remember SIP & Asterisk well, but I THINK it's absolutely
> possible to place a call from one Asterisk Server to another one
> without a SIP Provider in between.
>
> Imagine a (big) company with branches running a server at every site.
>
> But maybe I'm wrong....
>
> But for other setups you're right. For example, on my Asterisk machine
> the firewall is closed except for the (few) IP addresses my SIP provider
> told me.
>
> Norbert
>
> -------- Original Message --------
> From: asterisk at a-domani.nl
> Date: 30.08.18 12:04 (GMT+02:00)
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> <asterisk-users at lists.digium.com>
> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>
> Regarding this thread,
> I was wondering, why would anybody open his firewall (for incoming
> traffic) for anybody else besides his own SIP provider?
>
> Isn't that the proper way of having your firewall configured: always
> closed by default, unless explicitly required?
> (but perhaps I'm missing a legitimate use case)
>
> Hans
>
> On 2018-08-30 04:52, Matthew Jordan wrote:
>> On Wed, Aug 29, 2018 at 6:20 PM Telium Support Group
>> <support at telium.ca> wrote:
>>
>>> Depending on log trolling (Asterisk security log) misses a lot, and
>>> also depends on the SIP/PJSIP folks to not change message structure
>>> (which has already happened numerous times). If you are comfortable
>>> hacking chan_sip.c you may prefer to get the same messages from the
>>> AMI. It still misses a lot but that approach is better than
>>> nothing.
>>>
>>> Digium warns not to use fail2ban / log trolling as a security
>>> system: http://forums.asterisk.org/viewtopic.php?p=159984
>>
>> That's some pretty old advice.
>>
>> The rationale for *not* using general log messages with fail2ban still
>> stands: the general WARNING/NOTICE/etc. log messages are subject to
>> change between versions, and no one wants that to impact someone's
>> security. So you should not use those messages as input into fail2ban.
>>
>> That rationale did lead to the 'security' event type in log messages.
>> Security Event Logging - as it is called - got added into Asterisk
>> quite some time ago. So long ago I'm really not sure which version. At
>> a minimum, Asterisk 11, but I'm pretty sure it was in 10 as well.
>>
>> Documentation for it can be found here:
>>
>> https://wiki.asterisk.org/wiki/display/AST/Asterisk+Security+Event+Logger
>>
>> And here:
>>
>> https://wiki.asterisk.org/wiki/display/AST/Logging+Configuration
>>
>> Note that this also fires off AMI events (and ARI events, IIRC).
>>
>> If, for whatever reason, you do not get a SECURITY log message or a
>> corresponding event when something 'bad' happens, that would be worth
>> some additional discussion. If anything, the events can be a bit
>> chatty...
>>
>>> -----Original Message-----
>>> From: asterisk-users
>>> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of sean
>>> darcy
>>> Sent: Wednesday, August 29, 2018 6:33 PM
>>> To: asterisk-users at lists.digium.com
>>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>>>
>>> On 08/29/2018 11:59 AM, Telium Support Group wrote:
>>>> Blocking a single IP is the wrong approach (whack-a-mole). You
>>>> should consider a more comprehensive approach to securing your VoIP
>>>> environment. Have a look at this wiki:
>>>>
>>>> https://www.voip-info.org/asterisk-security/
>>>>
>>>>
>>>>
>>>> -----Original Message-----
>>>> From: asterisk-users [mailto:asterisk-users-bounces at lists.digium.com]
>>>> On Behalf Of sean darcy
>>>> Sent: Wednesday, August 29, 2018 10:46 AM
>>>> To: asterisk-users at lists.digium.com
>>>> Subject: Re: [asterisk-users] getting invites to rtp ports ??
>>>>
>>>> On 08/29/2018 09:42 AM, Carlos Rojas wrote:
>>>>> Hi
>>>>>
>>>>> Probably somebody is trying to hack your system, you should block
>>>>> that ip on your firewall.
>>>>>
>>>>> Regards
>>>>>
>>>>> On Wed, Aug 29, 2018 at 9:34 AM, sean darcy <seandarcy2 at gmail.com> wrote:
>>>>>
>>>>> I'm getting invites to very high ports every 30 seconds from a
>>>>> particular ip address:
>>>>>
>>>>> Retransmitting #10 (NAT) to 5.199.133.128:52734:
>>>>> SIP/2.0 401 Unauthorized
>>>>> Via: SIP/2.0/UDP 0.0.0.0:52734;branch=z9hG4bK1207255353;received=5.199.133.128;rport=52734
>>>>> From: <sip:37120116780191250@67.80.191.250>;tag=1872048972
>>>>> To: <sip:3712011972592181418@67.80.191.250>;tag=as3a52e748
>>>>> Call-ID: 1504207870-295758084-609228182
>>>>> CSeq: 1 INVITE
>>>>> .......
>>>>> WARNING[150318]: chan_sip.c:4127 retrans_pkt: Timeout on
>>>>> 1504207870-295758084-609228182...
>>>>>
>>>>> I thought invites had to go to port 5060 or so. I don't understand
>>>>> why somebody (let's assume a bad guy) is trying ports above 50000.
>>>>>
>>>>> sean
>>>>>
>>>>>
>>>>
>>>> Ok, so the high port is not the destination port but the source port.
>>>>
>>>> So I hacked the log warning in chan_sip.c on non-critical invites to
>>>> show the source ip:
>>>>
>>>> ast_log(LOG_WARNING, "Timeout on %s non-critic invite trans from %s.\n",
>>>>         pkt->owner->callid, ast_sockaddr_stringify(sip_real_dst(pkt->owner)));
>>>>
>>>> With that in the log, I'm now blocking the ip addresses.
>>>>
>>>> Thanks,
>>>> sean
>>>>
>>>>
>>>> --
>>>> _____________________________________________________________________
>>>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>>>
>>>> Astricon is coming up October 9-11! Signup is available at:
>>>> https://www.asterisk.org/community/astricon-user-conference
>>>>
>>>> Check out the new Asterisk community forum at:
>>>> https://community.asterisk.org/
>>>>
>>>
>>> I agree. That's why I hacked chan_sip.c to get the addresses in the
>>> log.
>>>
>>> I'm surprised they're not in the log by default. I must be the only
>>> person who gets these "non-critical invites".
>>>
>>> sean
>>>
>>
>> --
>> Matthew Jordan
>> Digium, Inc. | CTO
>> 445 Jan Davis Drive NW - Huntsville, AL 35806 - USA
>> Check us out at: http://digium.com & http://asterisk.org
>>
>
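
An added example, not part of the thread and not Asterisk code: one way to follow the advice quoted above is to count rejected requests per source address from `SECURITY`-level log lines rather than matching WARNING text. The sample lines are constructed and carry only a subset of the fields a real event has; the event names and the `RemoteAddress` layout follow the Asterisk Security Event Logger documentation linked in the thread, and the threshold of 3 is an assumption.

```python
import re
from collections import defaultdict

# Events that mean a request was rejected. ChallengeSent and SuccessfulAuth
# occur in every normal digest-authenticated call and are ignored.
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword",
                  "ChallengeResponseFailed", "FailedACL"}
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

def parse_security_line(line):
    """Return the key="value" fields of a SECURITY-level line, else None."""
    if "SECURITY[" not in line:
        return None  # WARNING/NOTICE wording changes between versions
    fields = dict(FIELD_RE.findall(line))
    return fields if "SecurityEvent" in fields else None

def remote_endpoint(fields):
    """Split RemoteAddress ("IPV4/UDP/<ip>/<port>") into (ip, port)."""
    parts = fields.get("RemoteAddress", "").split("/")
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    return parts[2], int(parts[3])

def offenders(lines, threshold=3):
    """Map source IP -> sorted source ports for IPs with >= threshold failures."""
    counts, ports = defaultdict(int), defaultdict(set)
    for line in lines:
        fields = parse_security_line(line)
        if not fields or fields["SecurityEvent"] not in FAILURE_EVENTS:
            continue
        endpoint = remote_endpoint(fields)
        if endpoint:
            counts[endpoint[0]] += 1
            ports[endpoint[0]].add(endpoint[1])
    return {ip: sorted(ports[ip]) for ip, n in counts.items() if n >= threshold}

# Constructed sample input (RFC 5737 documentation addresses, made-up accounts).
_T = ('[2018-08-29 09:%s] SECURITY[1201] res_security_log.c: SecurityEvent="%s",'
      'Service="SIP",AccountID="%s",LocalAddress="IPV4/UDP/192.0.2.10/5060",'
      'RemoteAddress="IPV4/UDP/%s/%d"')
SAMPLE = [
    _T % ("34:01", "ChallengeSent", "1001", "198.51.100.7", 5060),
    _T % ("34:02", "InvalidPassword", "1001", "198.51.100.7", 5060),
    _T % ("34:03", "SuccessfulAuth", "1001", "198.51.100.7", 5060),
    _T % ("34:05", "InvalidAccountID", "37120116", "203.0.113.50", 52734),
    _T % ("34:35", "InvalidAccountID", "37120117", "203.0.113.50", 52734),
    _T % ("35:05", "ChallengeResponseFailed", "1001", "203.0.113.50", 53001),
    "[2018-08-29 09:35:06] WARNING[1201] chan_sip.c: Timeout on sample-call-id",
]

if __name__ == "__main__":
    print(offenders(SAMPLE))
```

The phone at 198.51.100.7 with one mistyped password stays below the threshold, while the scanner is reported together with the high source ports it sent from.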