
We have been receiving 'ghost' calls from non-existent extensions. I've run into this before on Asterisk systems and usually just configured the SIP profile to disable guest/anon calling. However, this is a FreeSWITCH system which uses F2B as its primary means of security. I'm currently in the process of updating the iptables, but I'm curious as to how these calls are being allowed in the first place. The instance uses the domain security included in FreeSWITCH, and I can see in the logs where the call is killed by the domain ACL, but the new channel is being initiated first.

Any assistance would be greatly appreciated. Log entries are below; let me know if you need additional ones, as I'm still a little fresh to Sofia.

[WARNING] sofia_reg.c:1663 SIP auth challenge (REGISTER) on sofia profile 'internal' for [ghost_ext@server_ip] from ip foreign_ip

[NOTICE] switch_channel.c:1053 New Channel sofia/internal/ghost_ext@server_ip

[WARNING] switch_core_state_machine.c:570 sofia/internal/ghost_ext@server_ip Abandoned

[NOTICE] switch_core_state_machine.c:573 Hangup sofia/internal/ghost_ext@server_ip [CS_NEW] [WRONG_CALL_STATE]

[NOTICE] switch_core_session.c:1632 Session 68960 (sofia/internal/ghost_ext@server_ip) Ended

[NOTICE] switch_core_session.c:1636 Close Channel sofia/internal/ghost_ext@server_ip [CS_DESTROY]

I see later in the logs entries where registration attempts fail due to domain policy, but still don't know how the calls are occurring if registration should be denied in the first place:

[WARNING] sofia_reg.c:2748 Can't find user [ghost_ext@domain] from foreign_ip
You must define a domain called 'domain' in your directory and add a user with the id="ghost_ext" attribute
and you must configure your device to use the proper domain in it's authentication credentials.

[WARNING] sofia_reg.c:1608 SIP auth failure (REGISTER) on sofia profile 'internal' for [ghost_ext@server_ip] from ip foreign_ip

Found strange entries in logs which I think may be the culprit:

[NOTICE] switch_channel.c:1053 New Channel sofia/external/'+'@server_ip [b9af496c-4a10-11e9-b560-0da9874b2984]

Those correlate with a slew of anon calls in CDR.

merz1v
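As an added illustration (not code from the question or from FreeSWITCH), here is a small triage script over log lines modelled on the entries above. It counts REGISTER auth challenges and failures per source IP, which is the repeat-offender count a fail2ban jail would key on, and separately flags channels created on a non-internal profile that then reach the dialplan in the public context, which the bare auth failures never do. The sample lines, IP addresses and the threshold are constructed; correlating a 'Processing' line with the most recent 'New Channel' is a simplification that assumes no interleaved calls.

```python
import re
from collections import Counter

# Constructed sample modelled on the question's entries; IPs and extensions are placeholders.
SAMPLE_LOG = """\
[WARNING] sofia_reg.c:1663 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@198.51.100.10] from ip 203.0.113.9
[NOTICE] switch_channel.c:1053 New Channel sofia/internal/1001@198.51.100.10
[NOTICE] switch_core_state_machine.c:573 Hangup sofia/internal/1001@198.51.100.10 [CS_NEW] [WRONG_CALL_STATE]
[WARNING] sofia_reg.c:1608 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@198.51.100.10] from ip 203.0.113.9
[WARNING] sofia_reg.c:1608 SIP auth failure (REGISTER) on sofia profile 'internal' for [1002@198.51.100.10] from ip 203.0.113.9
[WARNING] sofia_reg.c:1663 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@198.51.100.10] from ip 192.0.2.7
[NOTICE] switch_channel.c:1053 New Channel sofia/external/'+'@198.51.100.10 [b9af496c-4a10-11e9-b560-0da9874b2984]
[INFO] mod_dialplan_xml.c:558 Processing '+' <'+'>->46855766801 in context public
"""

AUTH_RE = re.compile(r"SIP auth (challenge|failure) \(REGISTER\) .* from ip (\S+)")
NEW_CHAN_RE = re.compile(r"New Channel sofia/(\w+)/")
DIALPLAN_RE = re.compile(r"Processing '(.*?)' <.*?>->(\S+) in context (\w+)")

def triage(log_text, threshold=3):
    """Return per-IP REGISTER auth event counts, the IPs at or above `threshold`
    (assumed repeat-offender cutoff), and channels that reached the dialplan on a
    profile other than 'internal', i.e. calls that were never authenticated."""
    auth_events = Counter()
    unauth_calls = []
    last_channel = None
    for line in log_text.splitlines():
        if m := AUTH_RE.search(line):
            auth_events[m.group(2)] += 1
        elif "Hangup sofia/" in line:      # channel torn down: nothing reached the dialplan
            last_channel = None
        elif m := NEW_CHAN_RE.search(line):
            last_channel = m.group(1)      # profile the channel was created on
        elif (m := DIALPLAN_RE.search(line)) and last_channel not in (None, "internal"):
            unauth_calls.append({"profile": last_channel, "caller": m.group(1),
                                 "destination": m.group(2), "context": m.group(3)})
    return {
        "auth_events": dict(auth_events),
        "repeat_offenders": sorted(ip for ip, n in auth_events.items() if n >= threshold),
        "unauthenticated_calls": unauth_calls,
    }
```

On the sample, only 203.0.113.9 crosses the threshold, and the single '+' channel on the external profile is reported with destination 46855766801 in context public, which is the entry worth checking against the public dialplan and the CDR.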
  • Hmm. It looks like you haven't firewalled port 5060. Did you mean to have it open to the world? If your extensions are at random places on the Internet then maybe you need to do this, but usually that's not the case. Either way, this is a SIP authentication attempt (which failed). – Michael Hampton Mar 14 '19 at 00:43
  • I inherited the system from a previous admin. I actually just deployed IP whitelisting at the box and it seems to have cleared up the issue. It also looks like they gutted the f2b rules so it's only really flagging batch attempts within 30s windows and there's no repeat-offender config for challenges. That said, I was curious as to how the device managed to make a call to an internal user even when the auth failed? – merz1v Mar 19 '19 at 14:03
  • Did you actually receive a call? I don't see in these log entries that a call went anywhere. – Michael Hampton Mar 19 '19 at 14:50
  • Yeah, I'm looking for representations in the logs. Isn't a 'New Channel' notice followed by 'Hangup sofia...[CALL REJECTED]' an instance of a call initiating and then being terminated? Or is an active call denoted by a 'Transfer sofia' entry? (Sorry, as I stated I'm a little green when it comes to Sofia.) – merz1v Mar 19 '19 at 15:51
  • You have to open a channel to make a call, but this didn't appear to go anywhere. There's no destination number or extension, just the caller being rejected. – Michael Hampton Mar 19 '19 at 16:16
  • Right, there is no transfer to internal endpoints. They are reporting the calls are hitting their phones in batches. I am seeing in their CDR a lot of failed local <-> local call failures so wondering if maybe there's a configuration error in their dialplan that is messing with their forwarding or something. I'm going to start a trace just to be sure. – merz1v Mar 19 '19 at 17:14
  • So, someone's extension is actually ringing? That's different. I don't see anything about it logged there. – Michael Hampton Mar 19 '19 at 17:28
  • Let us [continue this discussion in chat](https://chat.stackexchange.com/rooms/91263/discussion-between-mlxs-and-michael-hampton). – merz1v Mar 19 '19 at 17:50
  • Did notice this strange entry in logs: `[INFO] mod_dialplan_xml.c:558 Processing '+' <'+'>->46855766801 in context public`. Matches a bunch of CDR entries with blank CID and SOURCE values. I'm checking the external profile now. – merz1v Mar 19 '19 at 18:17
