We have been receiving 'ghost' calls from non-existent extensions. I've run into this before on Asterisk systems and usually just configured the SIP profile to disable guest/anon calling. However, this is a Freeswitch system which uses F2B as its primary means of security. I'm currently in the process of updating the iptables, but I'm curious as to how these calls are being allowed in the first place. The instance uses the domain security included in Freeswitch, and I can see in the logs where the call is killed by the domain ACL, but the new channel is being initiated first.
Any assistance would be greatly appreciated. Log entries are below; let me know if you need additional as I'm still a little fresh to sofia.
[WARNING] sofia_reg.c:1663 SIP auth challenge (REGISTER) on sofia profile 'internal' for [ghost_ext@server_ip] from ip foreign_ip
[NOTICE] switch_channel.c:1053 New Channel sofia/internal/ghost_ext@server_ip
[WARNING] switch_core_state_machine.c:570 sofia/internal/ghost_ext@server_ip Abandoned
[NOTICE] switch_core_state_machine.c:573 Hangup sofia/internal/ghost_ext@server_ip [CS_NEW] [WRONG_CALL_STATE]
[NOTICE] switch_core_session.c:1632 Session 68960 (sofia/internal/ghost_ext@server_ip) Ended
[NOTICE] switch_core_session.c:1636 Close Channel sofia/internal/ghost_ext@server_ip [CS_DESTROY]
I see later in the logs entries where registration attempts fail due to domain policy, but still don't know how the calls are occurring if registration should be denied in the first place:
[WARNING] sofia_reg.c:2748 Can't find user [ghost_ext@domain] from foreign_ip#012You must define a domain called 'domain' in your directory and add a user with the id="ghost_ext" attribute#012and you must configure your device to use the proper domain in it's authentication credentials.
[WARNING] sofia_reg.c:1608 SIP auth failure (REGISTER) on sofia profile 'internal' for [ghost_ext@server_ip] from ip foreign_ip
Found strange entries in logs which I think may be the culprit:
[NOTICE] switch_channel.c:1053 New Channel sofia/external/'+'@server_ip [b9af496c-4a10-11e9-b560-0da9874b2984]
Those correlate with a slew of anon calls in CDR.
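A way to triage log lines like the ones quoted above, as an added example that is not part of the original post: it counts SIP auth challenge/failure events per source IP and lists new channels whose user part does not look like an extension. The sample lines, IP addresses, thresholds and the "numeric extension" pattern are constructed assumptions.

```python
import re
from collections import Counter, defaultdict

# Patterns follow the message formats quoted in the post.
AUTH_RE = re.compile(
    r"SIP auth (challenge|failure) \((\w+)\) on sofia profile '([^']+)' "
    r"for \[([^\]]+)\] from ip (\S+)"
)
CHANNEL_RE = re.compile(r"New Channel sofia/([^/\s]+)/(\S+?)@(\S+)")
# Assumption: legitimate callers are numeric extensions or DIDs.
PLAUSIBLE_USER = re.compile(r"^\+?\d{2,15}$")

# Constructed sample lines (documentation IP ranges, made-up extensions).
SAMPLE = [
    "[WARNING] sofia_reg.c:1663 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1001@192.0.2.10] from ip 203.0.113.7",
    "[WARNING] sofia_reg.c:1608 SIP auth failure (REGISTER) on sofia profile 'internal' for [1001@192.0.2.10] from ip 203.0.113.7",
    "[WARNING] sofia_reg.c:1663 SIP auth challenge (REGISTER) on sofia profile 'internal' for [1002@192.0.2.10] from ip 203.0.113.7",
    "[NOTICE] switch_channel.c:1053 New Channel sofia/internal/1002@192.0.2.10",
    "[NOTICE] switch_channel.c:1053 New Channel sofia/external/'+'@192.0.2.10 [constructed-uuid]",
    "[WARNING] sofia_reg.c:1663 SIP auth challenge (REGISTER) on sofia profile 'internal' for [2000@192.0.2.10] from ip 198.51.100.4",
]

def summarize(lines):
    """Return (auth events per IP, users tried per IP, odd channels)."""
    auth_by_ip = Counter()
    users_by_ip = defaultdict(set)
    odd_channels = []
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            _kind, _method, _profile, user, ip = m.groups()
            auth_by_ip[ip] += 1
            users_by_ip[ip].add(user.split("@")[0])
            continue
        m = CHANNEL_RE.search(line)
        if m and not PLAUSIBLE_USER.match(m.group(2)):
            odd_channels.append((m.group(1), m.group(2)))  # (profile, user part)
    return auth_by_ip, users_by_ip, odd_channels

def scanners(auth_by_ip, users_by_ip, min_events=3, min_users=2):
    """IPs with many auth events spread over several user names."""
    return sorted(ip for ip, n in auth_by_ip.items()
                  if n >= min_events and len(users_by_ip[ip]) >= min_users)

if __name__ == "__main__":
    auth, users, odd = summarize(SAMPLE)
    print("likely scanners:", scanners(auth, users))
    print("channels with implausible user part:", odd)
```
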