1

Hello, I just installed a new Asterisk configuration with FreePBX and signed up for a SIP account.

I set up the SIP trunk with my provider data and launched the console with the asterisk -vvvr command to debug, then I noticed that the logs are flooded by entries like this:

== Using SIP RTP CoS mark 5
-- Executing [00088884600972595117946@from-sip-external:1] NoOp("SIP/XXX.XXX.58.107-00000355", "Received incoming SIP connection from unknown peer to 00088884600972595117946") in new stack
-- Executing [00088884600972595117946@from-sip-external:2] Set("SIP/XXX.XXX.58.107-00000355", "DID=00088884600972595117946") in new stack
-- Executing [00088884600972595117946@from-sip-external:3] Goto("SIP/XXX.XXX.58.107-00000355", "s,1") in new stack
-- Goto (from-sip-external,s,1)
-- Executing [s@from-sip-external:1] GotoIf("SIP/XXX.XXX.58.107-00000355", "1?checklang:noanonymous") in new stack
-- Goto (from-sip-external,s,2)
-- Executing [s@from-sip-external:2] GotoIf("SIP/XXX.XXX.58.107-00000355", "0?setlanguage:from-trunk,00088884600972595117946,1") in new stack
-- Goto (from-trunk,00088884600972595117946,1)
-- Executing [00088884600972595117946@from-trunk:1] Set("SIP/XXX.XXX.58.107-00000355", "__FROM_DID=00088884600972595117946") in new stack
-- Executing [00088884600972595117946@from-trunk:2] NoOp("SIP/XXX.XXX.58.107-00000355", "Received an unknown call with DID set to 00088884600972595117946") in new stack
-- Executing [00088884600972595117946@from-trunk:3] Goto("SIP/XXX.XXX.58.107-00000355", "s,a2") in new stack
-- Goto (from-trunk,s,2)
-- Executing [s@from-trunk:2] Answer("SIP/XXX.XXX.58.107-00000355", "") in new stack
-- <SIP/XXX.XXX.58.107-00000352> Playing 'digits/8.ulaw' (language 'en')
-- <SIP/XXX.XXX.58.107-00000351> Playing 'digits/9.ulaw' (language 'en')
-- <SIP/XXX.XXX.58.107-0000034f> Playing 'digits/6.ulaw' (language 'en')
-- Executing [s@from-trunk:5] SayAlpha("SIP/XXX.XXX.58.107-00000353", "00088884400972595117946") in new stack
-- <SIP/XXX.XXX.58.107-00000353> Playing 'digits/0.ulaw' (language 'en')
-- Executing [s@from-trunk:3] Wait("SIP/XXX.XXX.58.107-00000355", "2") in new stack
-- <SIP/XXX.XXX.58.107-00000350> Playing 'digits/1.ulaw' (language 'en')
-- <SIP/XXX.XXX.58.107-00000352> Playing 'digits/8.ulaw' (language 'en')
-- Executing [s@from-trunk:6] Hangup("SIP/XXX.XXX.58.107-0000034f", "") in new stack
== Spawn extension (from-trunk, s, 6) exited non-zero on 'SIP/XXX.XXX.58.107-0000034f'
-- Executing [h@from-trunk:1] Macro("SIP/XXX.XXX.58.107-0000034f", "hangupcall,") in new stack
-- Executing [s@macro-hangupcall:1] GotoIf("SIP/XXX.XXX.58.107-0000034f", "1?theend") in new stack
-- Goto (macro-hangupcall,s,3)
-- Executing [s@macro-hangupcall:3] ExecIf("SIP/XXX.XXX.58.107-0000034f", "0?Set(CDR(recordingfile)=)") in new stack
-- Executing [s@macro-hangupcall:4] Hangup("SIP/XXX.XXX.58.107-0000034f", "") in new stack
== Spawn extension (macro-hangupcall, s, 4) exited non-zero on 'SIP/XXX.XXX.58.107-0000034f' in macro 'hangupcall'
== Spawn extension (from-trunk, h, 1) exited non-zero on 'SIP/XXX.XXX.58.107-0000034f'
-- <SIP/XXX.XXX.58.107-00000351> Playing 'digits/7.ulaw' (language 'en')
-- <SIP/XXX.XXX.58.107-00000350> Playing 'digits/1.ulaw' (language 'en')
-- <SIP/XXX.XXX.58.107-00000353> Playing 'digits/0.ulaw' (language 'en')
-- <SIP/XXX.XXX.58.107-00000352> Playing 'digits/4.ulaw' (language 'en')

I just can't debug my trunk because of those pesky connections from unknown peers. What are these calls, how can I track their origins, and could it be a malfunctioning test tool from my provider?

4 Answers

3

Even with GUEST turned off, your Asterisk server is still going to be hit with SIP hacking attempts. You should install something more to monitor and manage the attacks. Have a look at Asterisk Security for suggestions and even the basics of how to secure your Asterisk server. (Guest off is NOT enough)

TSG
  • Well, I see I'm not the only one who became paranoid with web servers :). I already set up iptables and fail2ban with dedicated rules for Asterisk. Thanks for the link, it gives me some nice pointers to increase the server security ever more. – DoesNotCompute Mar 09 '15 at 16:48

1

I guess it all depends - I am assuming you are running Asterisk on some sort of Linux? I have done this on several occasions and it can be a bit tricky here and there. But - when it comes to debugging, there are a number of tools that can help.

  • Unknown clients can be blocked using IPTables for example. If you know where your calls are supposed to come from, you can set up firewall rules to block anything other than that. That is what I have done - ensuring that only my very own clients plus any upstream PBX systems can talk.

  • To figure out who the unknown clients really are, you might use tools like Wireshark to filter connections according to type and such. This usually makes for a clean picture of what is going on.

These are just pointers. You may want to elaborate a little on your setup - then I might be able to be more specific.

MrMajestyk
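
The console lines quoted in the question already carry the caller's source address in the channel name (SIP/address-id), so the origins of the unknown-peer calls can be tallied from a saved console capture. This is an added example, not code from any of the answers; the sample lines are constructed with documentation-range addresses and the function names are illustrative.

```python
import re
from collections import defaultdict

# First dialplan step logged for a call whose source matches no configured peer.
UNKNOWN_PEER = re.compile(
    r'Executing \[[^@\]]+@from-sip-external:1\] '
    r'NoOp\("SIP/(?P<src>.+?)-[0-9a-f]{8}", '
    r'"Received incoming SIP connection from unknown peer to (?P<dialed>[^"]*)"\)'
)

# Constructed sample in the format of the question's console output.
SAMPLE_LOG = '''\
== Using SIP RTP CoS mark 5
-- Executing [0015550100@from-sip-external:1] NoOp("SIP/192.0.2.107-00000355", "Received incoming SIP connection from unknown peer to 0015550100") in new stack
-- Executing [0015550100@from-sip-external:2] Set("SIP/192.0.2.107-00000355", "DID=0015550100") in new stack
-- Executing [0015550199@from-sip-external:1] NoOp("SIP/192.0.2.107-00000356", "Received incoming SIP connection from unknown peer to 0015550199") in new stack
-- Executing [0015550100@from-sip-external:1] NoOp("SIP/192.0.2.107-00000357", "Received incoming SIP connection from unknown peer to 0015550100") in new stack
-- Executing [0015550142@from-sip-external:1] NoOp("SIP/198.51.100.23-00000358", "Received incoming SIP connection from unknown peer to 0015550142") in new stack
-- <SIP/192.0.2.107-00000355> Playing 'digits/8.ulaw' (language 'en')
'''

def unknown_peer_sources(log_text):
    """Map each source address to its guest-call count and the numbers it dialed."""
    stats = defaultdict(lambda: {"calls": 0, "dialed": set()})
    for line in log_text.splitlines():
        match = UNKNOWN_PEER.search(line)
        if match:
            entry = stats[match.group("src")]
            entry["calls"] += 1
            entry["dialed"].add(match.group("dialed"))
    return dict(stats)

def report(log_text):
    """Return (source, calls, distinct numbers dialed) rows, busiest source first."""
    rows = [(src, s["calls"], len(s["dialed"]))
            for src, s in unknown_peer_sources(log_text).items()]
    return sorted(rows, key=lambda row: (-row[1], row[0]))

if __name__ == "__main__":
    for src, calls, numbers in report(SAMPLE_LOG):
        print(f"{src:<16} calls={calls} distinct_numbers={numbers}")
```

A source that places many calls to long, varying numbers is a candidate for the firewall rules this answer describes; a source that matches the provider's published addresses is not.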
1

Well, I found out I was allowing SIP guests. Seems like many bots are looking for unsecured servers to spam or relay.

So I just disabled this option, and my logs are now back to a normal state.

0

From memory, this can be disabled in Trixbox servers through PBX > Config File Editor > sip_general_additional.conf

Add to the bottom line:

allowguest=no

Click update.

Then go to system > system maintenance > reset now.

All done.

Jenny D
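
A check that the setting is actually in effect after an edit like the one above, as an added example that is not part of the original answer. It assumes the texts passed in are read as `[general]` content in file order with the last assignment winning, that chan_sip allows guests when the option is never set, and that values are parsed as Asterisk booleans; the sample fragments and names are constructed.

```python
# Values Asterisk's boolean parsing treats as true; anything else disables guests here.
TRUE_VALUES = {"yes", "true", "y", "t", "1", "on"}

# Constructed fragments standing in for sip_general_additional.conf and a later file.
STOCK = "bindport=5060\ncontext=from-sip-external\n"
FIXED = STOCK + "allowguest=no ; appended as the last line\n"
LATER_OVERRIDE = "[general]\nallowguest = yes\n[provider-trunk]\ntype=peer\n"

def effective_allowguest(*config_texts):
    """Return (guests_allowed, origin) after reading the texts in order."""
    allowed, origin = True, "default (option never set)"  # chan_sip default is yes
    for idx, text in enumerate(config_texts, 1):
        section = "general"  # assumption: each text is included into [general]
        for lineno, raw in enumerate(text.splitlines(), 1):
            line = raw.split(";", 1)[0].strip()  # ';' starts a comment
            if line.startswith("["):
                section = line[1:line.find("]")].lower()
                continue
            if section != "general" or "=" not in line:
                continue
            key, value = line.split("=", 1)
            value = value.lstrip(">").strip().lower()  # accept 'key => value' too
            if key.strip().lower() == "allowguest":
                allowed = value in TRUE_VALUES
                origin = f"text {idx}, line {lineno}"
    return allowed, origin

if __name__ == "__main__":
    for label, texts in [("stock", (STOCK,)), ("fixed", (FIXED,)),
                         ("fixed + later override", (FIXED, LATER_OVERRIDE))]:
        allowed, origin = effective_allowguest(*texts)
        print(f"{label}: guests {'ALLOWED' if allowed else 'blocked'} ({origin})")
```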