1 edit | reply to StillLearn
Re: Receiving calls from name/number 100 that don't get logged

said by StillLearn:
> said by grand total:
>> Yes, if you do not forward ports to your device you are protected from port scanners.
> Thanks. That's a relief. And thanks for the other info too.

It turns out that being behind a NAT router without port forwarding or DMZ is not sufficient to stop the probe from ringing your box. I have just implemented one of the other measures.
|
said by StillLearn:
> It turns out that being behind a NAT router without port forwarding or DMZ is not sufficient to stop the probe from ringing your box. I have just implemented one of the other measures.

Yes, I recently learnt that's true for some routers. Sorry for my misleading answer.

-- DPC3825 (bridge mode) - WRT610N + Tomato - Panasonic KX-TGP500 - Asterisk 1.8.10.1 on a Virtual Server Anveo - FreePhoneLine - Voxbeam - Numbergroup - Callcentric - VoIP.ms - Localphone - UKDDI
|
 Mango www.toao.net join:2008-12-25 Alberta kudos:11 | StillLearn's router must use Full-cone NAT, correct?
Is there an easy way to test what type of NAT a router uses? |
|
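The difference between NAT types raised in the posts above, as an added example that is not part of the original thread: a toy model of full-cone, restricted-cone and port-restricted-cone filtering (RFC 3489 terms). The class, function names and all addresses are constructed for illustration.

```python
# Added example: toy model of NAT filtering behaviour (RFC 3489 terminology).
# All addresses are constructed (documentation ranges); none come from the thread.
from dataclasses import dataclass, field

KINDS = ("full-cone", "restricted-cone", "port-restricted-cone")

@dataclass
class Nat:
    kind: str
    mappings: dict = field(default_factory=dict)   # ext_port -> inside (ip, port)
    contacted: dict = field(default_factory=dict)  # ext_port -> {(remote ip, port)}

    def outbound(self, inside, ext_port, remote):
        """Inside host sends to `remote`; the NAT opens or refreshes a mapping."""
        self.mappings[ext_port] = inside
        self.contacted.setdefault(ext_port, set()).add(remote)

    def inbound(self, ext_port, remote):
        """Return the inside (ip, port) the packet reaches, or None if dropped."""
        if ext_port not in self.mappings:
            return None  # no mapping and no port forward: always dropped
        seen = self.contacted[ext_port]
        if self.kind == "full-cone":
            ok = True                                 # anyone may use the mapping
        elif self.kind == "restricted-cone":
            ok = remote[0] in {ip for ip, _ in seen}  # IP must have been contacted
        elif self.kind == "port-restricted-cone":
            ok = remote in seen                       # IP and port must both match
        else:
            raise ValueError(f"unknown NAT kind: {self.kind}")
        return self.mappings[ext_port] if ok else None

ATA = ("192.168.1.50", 5060)       # constructed inside device
PROVIDER = ("203.0.113.10", 5060)  # constructed SIP provider
STRANGER = ("198.51.100.77", 5070) # constructed unknown sender

def deliveries(kind, registered=True):
    """Which senders reach the ATA on external port 5060 for this NAT kind."""
    nat = Nat(kind)
    if registered:
        nat.outbound(ATA, 5060, PROVIDER)  # the ATA's own REGISTER opens the mapping
    return {"provider": nat.inbound(5060, PROVIDER) == ATA,
            "stranger": nat.inbound(5060, STRANGER) == ATA}

if __name__ == "__main__":
    for kind in KINDS:
        print(f"{kind:22} {deliveries(kind)}")
    print("before any outbound traffic:", deliveries("full-cone", registered=False))
```

Only the full-cone case delivers the unknown sender's packet, and only after the ATA itself has opened the mapping by registering.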
 | reply to idbit
> I wonder how they found out my IP was feeding a SIP phone? ... Plus if there is anything they can really do?
one thing i was surprised to discover early on was exactly how many times my local ip address was being 'hit'. before knowing much about security, i mistakenly thought that since my ip address was 'private' and not static, it would not be vulnerable. nothing could be further from the truth.
there are people out there that scan for ip addresses in numerical sequence. thus *any* ip address active on the internet is accessible. when they get a hit on such an ip address, they start scanning for ports. when they have a 'live one', they then start exploiting that opening for any possible weakness.
to answer your second question: strong firewall or other equivalent countermeasure that actively deflects such intrusions.
-- ".. the sofa has just vanished." ".. well, that's one mystery less." |
|
 garys_2k Premium join:2004-05-07 Farmington, MI
| reply to idbit Most any router with no ports forwarded should be able to deflect an outside attack, as was found here: »El Cheapo Router Challenge
A technical "win" was declared, but it wasn't simple and no real threat occurred, »First winner - El Cheapo Router Challenge
If outsiders are still getting in I'd say it's not from scans, it's from their having recorded your IP as a good one, found back when you were forwarding ports. In any case, though, if you've closed the doors the router ought to keep them out. |
|
 | reply to Mango
said by Mango:
> StillLearn's router must use Full-cone NAT, correct?
> Is there an easy way to test what type of NAT a router uses?

I would try to run sipsak against the router from another box on the intarwebs, and see if I got an answer; here's an example against atlanta.voip.ms:

$ sipsak -v -v -s sip:atlanta.voip.ms
No SRV record: _sip._tcp.atlanta.voip.ms
No SRV record: _sip._udp.atlanta.voip.ms
using A record: atlanta.voip.ms
warning: need raw socket (root privileges) to receive all ICMP errors

message received:
SIP/2.0 200 OK
Via: SIP/2.0/UDP 127.0.1.1:46822;branch=z9hG4bK.1995f7ee;alias;received=**.***.**.**;rport=46398
From: sip:sipsak@127.0.1.1:46822;tag=62628a27
To: sip:atlanta.voip.ms;tag=as0c4c7c7c
Call-ID: 1650625063@127.0.1.1
CSeq: 1 OPTIONS
User-Agent: VoIPMS/SERAST
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO
Supported: replaces
Contact:
Accept: application/sdp
Content-Length: 0

** reply received after 42.774 ms **
SIP/2.0 200 OK
final received
|
 1 edit | reply to Mango
said by Mango:
> Is there an easy way to test what type of NAT a router uses?

Here are a few that I know about.
* NAT tester at »nattest.net.in.tum.de
  Requires Java, unfortunately. I've found that the final test (UDP Reverse Traceroute) can hang. If it does, then you can abandon it and still see the results of the other tests by clicking on the "permanent link for your results" link. It also tests for the presence of SIP and FTP ALGs. For my router, it reports the correct results for the things that I know about by other means.
* On Mac OS X, launch the Messages application. Skip the setup if you're not a chatter. From the menu bar, go to Video > Connection Doctor. Choose "Network Status". "Router Type" should show the NAT type. I've found that sometimes it fails to detect the type the first time; toggling to "Statistics" and back to "Router Type" seems to fix this. It reports the correct NAT type for my router.
* I no longer have one of these ATAs, but I've used this before with success. Sipura/Linksys ATAs have a "STUN Test Enable" option (with the other "NAT Support" options) which, when set "on" and with STUN configured, will report the detected NAT type in the debug log on a coldstart of the device. |
|
 idbit join:2008-12-04 Florida | reply to idbit
said by Stewart:
> I believe that Accounts --> advanced --> Local SIP Port is the setting to change on a Yealink.

That is right. I finally did change the Local SIP Port there. At first, I wanted to see if I would get any more of these calls. I finally did two nights ago. This one was more persistent than ever. I couldn't make it stop ringing - even if I hit Reject, or answered it, or hung up. When I did answer it, I would hang back up and the phone would just continue ringing. I forgot what combination eventually got it to stop ringing. I just started pressing buttons - Hold, Transfer, until finally, it stopped ringing. So that was all it took for me at that point. I changed the Local SIP Port.

said by horacebork:
> there are people out there that scan for ip addresses in numerical sequence. thus *any* ip address active on the internet is accessible. when they get a hit on such an ip address, they start scanning for ports. when they have a 'live one', they then start exploiting that opening for any possible weakness.

By a 'live one', do you mean an open port? Or does open/closed really even matter?
|
 | sorry, i'm a bit slangy. yes, a 'live one' would be an open port. if an ip address has an open port, the potential to exploit it exists. if there is no open port (no software listening on the other end) there is no exploit available (that i know of).
think of it as an actual wall (brick, steel whatever). if there isn't an opening (port) of some kind, you have to cut your way through. (making your own way through would be outside the scope of the discussion, i suppose).
-- ".. the sofa has just vanished." ".. well, that's one mystery less." |
|
 MZB join:2010-11-25 Dunrobin, ON | reply to grand total
said by grand total:
> You can't. But, I suppose, if enough people stop using 5060 then the scanners will start looking for other ports.

After I moved my ATA from 5060/1 to 5064/5 it took 2 years before I noticed another hack attempt. Needless to say, I've moved it now to a completely random port number which is quiet (according to the SANS Internet Storm Centre »isc.sans.edu/port.html?port=5060 ).
|
 JEDI join:2005-04-11 Longueuil kudos:1
| reply to idbit I also had that problem at first. I simply changed my port instead of the default one and added the list of IPs that are allowed to connect to my ATA. I have an Obi100, in the X_AccessList parameter I specified all the IP addresses of voip.ms (my provider). It fixed my issue. |
|
 tritch join:2007-04-30 Porter, TX 2 edits
said by JEDI:
> I also had that problem at first. I simply changed my port instead of the default one and added the list of IPs that are allowed to connect to my ATA. I have an Obi100, in the X_AccessList parameter I specified all the IP addresses of voip.ms (my provider). It fixed my issue.

Exactly. If you have a Linksys ATA just simply enable "Restrict Source IP" to eliminate these types of scans/attacks, other ATAs (Grandstreams, etc) most likely have a similar setting. The ATA simply drops all data packets that don't come from your registered SIP proxy (trusted IPs). There's no need to change SIP ports, play with router settings, etc.
I have had my Linksys SPA2102 directly connected to a bridged DSL modem for quite some time (no firewall/NAT whatsoever) and it's stopped 100% of these types of scans/hacking attempts. I find "Restrict Source IP" to be very secure.
|
said by tritch:
> Exactly. If you have a Linksys ATA just simply enable "Restrict Source IP" to eliminate these types of scans/attacks, other ATAs (Grandstreams, etc) most likely have a similar setting. The ATA simply drops all data packets that don't come from your registered SIP proxy (trusted IPs). There's no need to change SIP ports, play with router settings, etc.
> I have had my Linksys SPA2102 directly connected to a bridged DSL modem for quite some time (no firewall/NAT whatsoever) and it's stopped 100% of these types of scans/hacking attempts. I find "Restrict Source IP" to be very secure.

OP's ATA is OBi that currently does not have this functionality.
|
said by lacibaci:
> said by tritch:
>> Exactly. If you have a Linksys ATA just simply enable "Restrict Source IP" to eliminate these types of scans/attacks, other ATAs (Grandstreams, etc) most likely have a similar setting. The ATA simply drops all data packets that don't come from your registered SIP proxy (trusted IPs). There's no need to change SIP ports, play with router settings, etc.
>> I have had my Linksys SPA2102 directly connected to a bridged DSL modem for quite some time (no firewall/NAT whatsoever) and it's stopped 100% of these types of scans/hacking attempts. I find "Restrict Source IP" to be very secure.
> OP's ATA is OBi that currently does not have this functionality.

OBi does have that functionality. Search for X_AccessList on »www.obitalk.com/forum/ and you will find a lot of references.
|
| I was talking about "Restrict Source IP" which restricts access to the registration server. X_AccessList is a very limited subset of this. You have to know all possible IPs, plus there is a length limit on this field (512 chars) which makes it unusable for providers that use hundreds of servers. |
|
 | reply to tritch
said by tritch:
> Exactly. If you have a Linksys ATA just simply enable "Restrict Source IP" to eliminate these types of scans/attacks, other ATAs (Grandstreams, etc) most likely have a similar setting. The ATA simply drops all data packets that don't come from your registered SIP proxy (trusted IPs). There's no need to change SIP ports, play with router settings, etc.

+1 for this.
I restricted by IP on my Tomato-based router after getting hit a few weeks ago on ports other than 5060. So far so good.
|
 | reply to lacibaci
said by lacibaci:
> X_AccessList is a very limited subset of this. You have to know all possible IPs, plus there is a length limit on this field (512 chars) which makes it unusable for providers that use hundreds of servers.

X_AccessList on the OBi boxes works well for Anveo or voip.ms and probably others, which use anycast addresses; there is only one IP address for each region even though many servers are being used. That's how modern big DNS servers work. X_AccessList would not work for Callcentric, because there is unfortunately no way to specify a range at this time. I would hope OBi would change that by adding the potential for a netmask or other means. Considering the utility of that for so many people, it would be the highest priority if I were specing out new firmware. Some things are of use to a very limited number of people. SIP scanners need to be addressed by every user eventually, and it should be routine to the setup process.
If Linksys has a bit that can be set to solve the problem, then they are to be congratulated. It would seem to be even better if that bit was set by default, unless there is a downside to that. |
|
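The X_AccessList constraints discussed in the posts above (single addresses only, 512-character field), as an added example that is not part of the original thread or OBi's own code. It assumes the field is a comma-separated list of IP addresses and that an empty list means no restriction; the function names and all addresses are constructed for illustration.

```python
# Added example: build and check a source-IP allow-list under the limits
# described in the thread. Addresses are constructed (documentation ranges).
import ipaddress

MAX_LEN = 512  # field length limit quoted in the thread

def build_access_list(addresses, sep=","):
    """Return the allow-list string, or raise ValueError saying why it cannot be used.

    Assumption: entries are joined with a comma.
    """
    seen, out = set(), []
    for raw in addresses:
        raw = raw.strip()
        if "/" in raw or "-" in raw:
            # Per the thread there is no way to specify a range or netmask.
            raise ValueError(f"{raw}: ranges are not accepted, list single addresses")
        ip = ipaddress.ip_address(raw)  # raises ValueError on malformed input
        if ip not in seen:              # drop duplicates, keep first-seen order
            seen.add(ip)
            out.append(str(ip))
    value = sep.join(out)
    if len(value) > MAX_LEN:
        raise ValueError(f"{len(value)} chars for {len(out)} addresses exceeds {MAX_LEN}")
    return value

def accepts(access_list, src_ip, sep=","):
    """Model of the filter: a SIP request is processed only if its source is listed."""
    if not access_list:
        return True  # assumption: empty list means no restriction
    allowed = {ipaddress.ip_address(a) for a in access_list.split(sep)}
    return ipaddress.ip_address(src_ip) in allowed

if __name__ == "__main__":
    acl = build_access_list(["203.0.113.10", "203.0.113.11", "203.0.113.10"])
    print("list:", acl)
    print("provider accepted:", accepts(acl, "203.0.113.11"))
    print("unknown source accepted:", accepts(acl, "198.51.100.77"))
    many = [f"198.51.100.{i}" for i in range(1, 201)]  # a provider with 200 servers
    try:
        build_access_list(many)
    except ValueError as err:
        print("too many servers:", err)
```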
 Mango www.toao.net join:2008-12-25 Alberta kudos:11
| This was posted by Oleg on the OBiTALK forums yesterday:
Voice Services >> SPx Service: X_InboundCallRoute: {>('Insert your AuthUserName here'):ph}
This blocks calls not intended for your AuthUserName. I suspect this coupled with a high X_UserAgentPort number should block annoying SIP scanners, for devices that are not behind a restricted cone NAT router. |
|
 DaveN join:2010-07-18 Santa Fe, NM | reply to Mango
said by Mango:
> StillLearn's router must use Full-cone NAT, correct?
> Is there an easy way to test what type of NAT a router uses?

DogFace05 posted a handy NAT utility for this purpose along with a good explanation of NAT-related issues.
»Re: [Future9] PAP2 optimal settings?
Hope this helps... |
|
 | reply to Mango Works as advertised. Tested with false user name on PBXes account. Ring group only connected to non-OBI line. Dialing Obi extension produced busy signal. Definitely a simple and effective level of security. Thanks, Mango, for the reference. |
|