
We run asterisk on a freePBX distro.

The system is only up for one day.

When I logged in to asterisk from the terminal the system was generating a lot of unexpected messages just like the following.

    [2016-07-14 14:34:46] NOTICE[25546]: res_pjsip/pjsip_distributor.c:368 log_unidentified_request: Request from '"90" <sip:90@xx.xx.xx.xx>' failed for '91.236.74.186:5099' (callid: cd6919a5-58a4494-578ccc46@xx.xx.xx.xx) - No matching endpoint found
    [2016-07-14 14:34:46] NOTICE[21748]: res_pjsip/pjsip_distributor.c:368 log_unidentified_request: Request from '"90" <sip:90@xx.xx.xx.xx>' failed for '91.236.74.186:5099' (callid: cd6919a5-58a4494-578ccc46@xx.xx.xx.xx) - No matching endpoint found
    [2016-07-14 14:34:46] NOTICE[25546]: res_pjsip/pjsip_distributor.c:368 log_unidentified_request: Request from '"90" <sip:90@xx.xx.xx.xx>' failed for '91.236.74.186:5099' (callid: cd6919a5-58a4494-578ccc46@xx.xx.xx.xx) - No matching endpoint found
    [2016-07-14 14:34:49] NOTICE[21748]: res_pjsip/pjsip_distributor.c:368 log_unidentified_request: Request from '"66666" <sip:66666@xx.xx.xx.xx>' failed for '91.236.74.186:5066' (callid: cd692628-58a449e-578ccc49@xx.xx.xx.xx) - No matching endpoint found
    [2016-07-14 14:34:49] NOTICE[25546]: res_pjsip/pjsip_distributor.c:368 log_unidentified_request: Request from '"66666" <sip:66666@xx.xx.xx.xx>' failed for '91.236.74.186:5066' (callid: cd692628-58a449e-578ccc49@xx.xx.xx.xx) - No matching endpoint found
    [2016-07-14 14:34:49] NOTICE[21748]: res_pjsip/pjsip_distributor.c:368 log_unidentified_request: Request from '"66666" <sip:66666@xx.xx.xx.xx>' failed for '91.236.74.186:5066' (callid: cd692628-58a449e-578ccc49@xx.xx.xx.xx) - No matching endpoint found
    [2016-07-14 14:34:49] NOTICE[25546]: res_pjsip/pjsip_distributor.c:368 log_unidentified_request: Request from '"66666" <sip:66666@xx.xx.xx.xx>' failed for '91.236.74.186:5066' (callid: cd692628-58a449e-578ccc49@xx.xx.xx.xx) - No matching endpoint found
    [2016-07-14 14:34:49] NOTICE[21748]: res_pjsip/pjsip_distributor.c:368 log_unidentified_request: Request from '"66666" <sip:66666@xx.xx.xx.xx>' failed for '91.236.74.186:5066' (callid: cd692628-58a449e-578ccc49@xx.xx.xx.xx) - No matching endpoint found

We have not set up any of these extensions so I do not understand how they are generating the request.

At first I blocked traffic from the IP address in the notice and the notices stopped for a short while. Then the notices began again but they included a different IP address in the body of the notice. I also blocked this IP but it has had no effect on the frequency of the message appearing.

I blocked the addresses using the Sangoma responsive firewall.

I would appreciate any help in trying to understand what is going on. Thank you.

Note: in each case xx.xx.xx.xx was the same number, it was our IP address.

  • Is your PBX facing the internet directly? – yagmoth555 Jul 14 '16 at 14:10
  • @yagmoth555 It is behind a firewall but all traffic on port 5060 and 5061 is forwarded to the PBX. Does this mean it is directly facing the internet? – bloopiebloopie Jul 14 '16 at 14:18
  • @bloopiebloopie It's not unusual for your PBX (or any service) to get probed by bots/hackers/whatever out there when you are internet facing... – Ryan Babchishin Jul 14 '16 at 14:19
  • @bloopiebloopie Yes it does – Ryan Babchishin Jul 14 '16 at 14:19
  • @Ryan Babchishin Why is the IP not blocked after several failed attempts to connect to the extension? Can you help me understand those notices? – bloopiebloopie Jul 14 '16 at 14:33
  • @bloopiebloopie I don't use res_pjsip but it sounds like you're getting call attempts to destinations that don't exist. Look at your other logs, enable debugging, or enable debugging on the console to see what these requests are for if you want to know. As long as you're facing the Internet and allowing connections from anywhere you can expect to see things like this all the time. I personally was getting attempts to call Lebanon many times a day every day. I've also had people attempt to call every internal extension... So, if this bothers you, lock it down. Use SSL, restrict connections by IP. – Ryan Babchishin Jul 14 '16 at 14:44
  • @Ryan Babchishin Thank you for the perspective. I am very new to internet telephony and internet security. I thought that they had to successfully connect to the PBX using a valid extension and the corresponding password before being able to make outbound calls. Is this not the case? I will enable diagnostic tools and try again. – bloopiebloopie Jul 14 '16 at 14:50
  • Let us [continue this discussion in chat](http://chat.stackexchange.com/rooms/42492/discussion-between-bloopiebloopie-and-ryan-babchishin). – bloopiebloopie Jul 14 '16 at 14:54
  • FreePBX automatically routes these calls nowhere by default. You don't really need to worry about anything. – Michael Hampton Jul 17 '16 at 21:38

2 Answers

5

Since I've been answering the question in the comments I figured it was more appropriate to put it here:

It's not unusual for your PBX (or any service) to get probed by bots/hackers/whatever out there when you are internet facing... This happens with web servers, SSH, SMTP, etc... all the time. As long as you are open to the Internet without restriction, you'll keep seeing stuff like this.

I don't use res_pjsip but it sounds like you're getting call attempts to destinations that don't exist. Look at your other logs, enable debugging, or enable debugging on the console to see what these requests are for if you want to know.

At one point I personally was getting attempts to call Lebanon many times a day every day (that never went through). I've also had people attempt to call every internal extension (some went through!)...

So, if this bothers you, lock it down. Use SSL, restrict connections by IP, don't use numbers for your SIP accounts, maybe use a VPN. Whatever works. If you must leave it wide open to the Internet, make sure things are configured very securely and these attempts will go nowhere. Just like attempts to compromise servers via HTTP/SMTP go nowhere when the servers are configured securely.

As for your last question, I don't know why IPs aren't getting blocked after several failed attempts. Are they supposed to?

Ryan Babchishin
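As an added example (not code from the question or either answer): a small detector that parses the res_pjsip notices quoted above, counts distinct unidentified requests per source address within a time window, and lists the sources worth blocking. The log lines, addresses and Call-IDs are constructed, with 192.0.2.10 standing in for the PBX address.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Parser for the res_pjsip NOTICE format quoted in the question, one entry per line.
NOTICE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\]: "
    r"res_pjsip/pjsip_distributor\.c:\d+\s+log_unidentified_request: "
    r"Request from '(?P<from>[^']*)' failed for '(?P<src>[\d.]+):(?P<port>\d+)' "
    r"\(callid: (?P<callid>[^)]+)\) - No matching endpoint found$"
)

def parse_notice(line):
    """Return the fields of one unidentified-request notice, or None for any other line."""
    m = NOTICE_RE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%d %H:%M:%S")
    return fields

def flag_sources(lines, threshold=2, window=timedelta(minutes=10)):
    """Count distinct unidentified requests (by Call-ID) per source IP within
    `window` of the newest notice; return (counts, sources at or above threshold).
    Asterisk logs the same request from more than one thread (see the repeated
    call-ids in the question), so counting raw lines would double-count."""
    notices = [n for n in map(parse_notice, lines) if n]
    if not notices:
        return {}, []
    cutoff = max(n["ts"] for n in notices) - window
    callids = defaultdict(set)
    for n in notices:
        if n["ts"] >= cutoff:
            callids[n["src"]].add(n["callid"])
    counts = {src: len(ids) for src, ids in callids.items()}
    return counts, sorted(src for src, c in counts.items() if c >= threshold)

def _line(ts, pid, ext, src, port, callid):
    # Builds a constructed log line in the question's format (192.0.2.10 = the PBX).
    return (f"[{ts}] NOTICE[{pid}]: res_pjsip/pjsip_distributor.c:368 "
            f"log_unidentified_request: Request from '\"{ext}\" <sip:{ext}@192.0.2.10>' "
            f"failed for '{src}:{port}' (callid: {callid}@192.0.2.10) - No matching endpoint found")

# Constructed sample: one source sends two probes (each logged twice), another sends
# one probe inside the window plus one old probe that falls outside it.
SAMPLE_LOG = [
    _line("2016-07-14 14:00:01", 21748, "100", "203.0.113.9", 5060, "aaa1-1"),
    _line("2016-07-14 14:34:46", 25546, "90", "198.51.100.7", 5099, "cd69-1"),
    _line("2016-07-14 14:34:46", 21748, "90", "198.51.100.7", 5099, "cd69-1"),
    "[2016-07-14 14:34:47] VERBOSE[21748]: (constructed unrelated log line)",
    _line("2016-07-14 14:34:49", 25546, "66666", "198.51.100.7", 5066, "cd69-2"),
    _line("2016-07-14 14:34:49", 21748, "66666", "198.51.100.7", 5066, "cd69-2"),
    _line("2016-07-14 14:35:02", 21748, "1000", "203.0.113.9", 5060, "aaa1-2"),
]
```

Running `flag_sources(SAMPLE_LOG)` on the sample flags only 198.51.100.7; the same logic is what a fail2ban-style jail does before it adds a firewall rule, which is why a threshold and window, not a single notice, should drive blocking.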
3

A lot of people think a firewall is a security system for a PBX. It's not. If you forward SIP and RTP into your PBX through your firewall, then your firewall is only acting as a router (from the perspective of VoIP). There is no checking of valid users, devices, geographic locations, dialing patterns, user behaviours, etc.

Setting up basic security for Asterisk is essential - there are weaknesses in Asterisk/SIP that get exploited, and even more in the configuration generators (Elastix/FreePBX/etc). For example, a weakness in the FreePBX GUI last year allowed attackers to rewrite dialplans allowing them to call anyone, anytime, etc. (and the corresponding $100k+ phone bills that you are responsible for). Again, a firewall does nothing for you in this case. For fun, Google "$400k Asterisk PBX fraud in one weekend" and watch the video (an Astricon presentation)!

Take a look at Voip Info for a good intro to securing your PBX (These are facts - the reality of VoIP security - not an opinion/perspective).

If this is a small installation (which I suspect it is), install the free version of SecAst to secure your PBX.

TSG