hmspe Premium Member join:2007-07-01 Temple, TX |
hmspe
Premium Member
2014-Apr-16 2:56 am
[Voip.ms] Phantom calls
I've been getting incoming calls with two or three digit CID showing on the phones all evening. Calls ring on all four instances (channels) for the DID that appear on the phones. The calls are not showing in the CDR and there is nothing there if I try to answer. The last seven sets of calls have been reported on the phones as CID 101, 201, 301, 401, 501, 601, and 701. It's almost midnight and these calls are waking the whole house. I have filed a support request with voip.ms but I don't expect to hear back until tomorrow. Caller ID filtering does not stop these calls. Any ideas on how to trace them and how to stop them would be appreciated.
|
|
XANAVirus Premium Member join:2012-03-03 Lavalette, WV 2 edits |
Sounds like a SIP Scanner.
Have you done any port forwarding for Voip.MS? Specifically, have you forwarded UDP port 5060 in your router? It's usually not necessary to do so, for any VoIP provider.
You might consider disabling the UDP port 5060 forwarding on your router, or perhaps changing your ATA's SIP port to something random and forwarding that.
Furthermore, it's not possible to trace these types of calls, since they are not literally calls but rather port scanning applications. Your ATA is faithfully decoding the incoming packets as actual calls and then sending them to the phones.
|
nirvy join:2003-11-16 Minneapolis, MN |
to hmspe
Hey hmspe. Did it look anything like this? » i.imgur.com/AFWbHrx.png
I noticed a similar thing on my FreePBX server when I was using the default port 5060 and it was fine after I changed the port. I was actually going to add another video to my FreePBX series on YouTube to show people how and why they should change the default port on their servers. Since it's not very straightforward for a lot of people, I'm thinking I should maybe do it but then again, with GoogleVoice going away soon, I'm not sure I'm going to use it anymore because I haven't found a good solution.
|
1 recommendation |
to hmspe
There's this person on DSLR that was kind enough to put something together for ATA configuration. I think you'll find what you're looking for here: » www.toao.net/500-mangos- ··· i202-ata
Under the heading "OBi ATA Security".
This is also on the voip.ms wiki: » wiki.voip.ms/article/OBi_100/110
Under the heading "To avoid phone calls in the middle of the night due to SIP scanners (through no fault of VOIP.ms)."
I set up our ATA, followed these instructions, and not a single scanner call to date.
|
hmspe Premium Member join:2007-07-01 Temple, TX |
hmspe
Premium Member
2014-Apr-16 9:15 am
Thanks to all who have responded.
To answer the questions:
- No UDP ports are forwarded in the router.
- Port 5060 is not used on any of the DIDs. The DID getting the scans was on port 5082. The DIDs on 5080 and 5086 were not getting scanned.
- I don't really get logs, but the png from nirvy would be very close.
- My ATA is a Mediatrix so the Obi instructions don't directly apply. I'll have to see if I can find an equivalent setting.
|
N9MD Too busy to chat Premium Member join:2005-10-08 Boca Raton, FL
1 recommendation |
N9MD to hmspe
Premium Member
2014-Apr-16 9:23 am
to hmspe
I'll add my two pfennigs to what those here (and in other threads) have suggested ... including my hero Mango on his site (referenced above).
Everyone with administrative access to their ATAs' settings (and PBX-like systems, too) should avoid using 5060 as the SIP Port. Changing this number will have no negative effect on functionality ... but it will be quite effective in blocking these annoying middle of the night calls. I've been using 5070, 5071, 5072, etc. (with no duplications) for each line on my several 2-line PAP2Ts and an 8-line SPA8000 ... with apparent success.
If the 'bad guys' are in the Eastern Hemisphere, they are in daytime sunlight during our Western Hemisphere overnight hours, making it easy for them to cause us Somnus Interruptus. |
|
Mango Use DMZ and you get a kick in the dick. Premium Member join:2008-12-25 www.toao.net |
to hmspe
said by hmspe: - No UDP ports are forwarded in the router.
In that case, you probably have a full cone NAT router. When you register to a service provider, your router effectively sets up a port forward, allowing the SIP scanners to reach your device. If they've found you on 5082, you may wish to change your port to a high number between 20000 and 65535. Note that this will not prevent scanners from reaching you, it will just make it less likely.
The best (most secure) solution is to configure your router to use restricted cone NAT, or replace your router if that is not possible. Second best is to configure your ATA to reject calls not destined for you.
|
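The difference between full cone and restricted cone NAT described in the post above, as an added example that is not part of the original thread. It is a toy model, not router firmware; the addresses are constructed documentation-range values, and it assumes the router keeps the ATA's port number (5082) on the public side.

```python
# Added illustration: toy model of NAT inbound filtering, not router firmware.
# All addresses are constructed documentation-range values.
from dataclasses import dataclass, field

ATA = ("192.168.1.50", 5082)        # internal ATA, SIP port from the thread
PROVIDER = ("203.0.113.10", 5060)   # stands in for the registered SIP server
SCANNER = ("198.51.100.77", 5060)   # unsolicited sender

@dataclass
class Nat:
    mode: str                                      # "full_cone" or "restricted_cone"
    mappings: dict = field(default_factory=dict)   # public port -> inside endpoint
    peers: dict = field(default_factory=dict)      # public port -> remote IPs contacted

    def outbound(self, inside, public_port, remote):
        """Inside host sends to remote; the NAT creates or refreshes the mapping."""
        self.mappings[public_port] = inside
        self.peers.setdefault(public_port, set()).add(remote[0])

    def inbound(self, public_port, remote):
        """Return the inside endpoint the packet reaches, or None if dropped."""
        inside = self.mappings.get(public_port)
        if inside is None:
            return None                            # no mapping: always dropped
        if self.mode == "full_cone":
            return inside                          # any sender may use the mapping
        if self.mode == "restricted_cone":
            # only IPs the inside host has already sent to may reply
            return inside if remote[0] in self.peers[public_port] else None
        raise ValueError(f"unknown NAT mode: {self.mode}")

def simulate(mode):
    """Register the ATA through the NAT, then see who can reach it."""
    nat = Nat(mode)
    nat.outbound(ATA, 5082, PROVIDER)              # SIP REGISTER opens the mapping
    return {
        "provider": nat.inbound(5082, PROVIDER),
        "scanner": nat.inbound(5082, SCANNER),
        "other_port": nat.inbound(5080, SCANNER),  # no mapping on this port
    }

if __name__ == "__main__":
    for mode in ("full_cone", "restricted_cone"):
        print(mode, simulate(mode))
```

In both modes the provider still reaches the ATA, so moving to restricted cone NAT does not affect legitimate inbound calls in this model.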
Mango
2 recommendations |
to Alittlegreen
said by »toao.net/500 :
By default, OBi devices accept calls destined for any username. The above syntax rejects calls that are not intended for whatever you have configured as AuthUserName.
said by »wiki.voip.ms/article/OBi_100/110 :
By default, OBi devices accept calls destined for any username. The above syntax rejects calls that are not intended for whatever you have configured as AuthUserName.
Really, guys? Again?
|
nirvy join:2003-11-16 Minneapolis, MN |
to Mango
said by Mango: The best (most secure) solution is to configure your router to use restricted cone NAT, or replace your router if that is not possible. Second best is to configure your ATA to reject calls not destined for you.
I'm not sure how OBi works because I don't own one, but if you can set a whitelist, that's actually one of the best methods of preventing not only scans but actual hack attempts. When I log into Webmin and go into Networking -> Firewall on my FreePBX server machine, this is what it looks like: » i.imgur.com/DfpPOSM.png
For the time being, I went from port 5060 to 2060, and now to 8089 and I have to allow it both in the Linux firewall and in my router because my FreePBX server doesn't operate as UPnP and that's a good thing. Both ports 2060 and 8089 have not received any such scan attempts or suspicious activity in the call log, so I don't have a need for a blacklist or a whitelist. If I were to set up a whitelist, I'd block all IP addresses in the Linux firewall rules and only allow my T-Mobile and Comcast internet IP addresses to connect. The OP doesn't necessarily have to get a new router, though.
|
brg Premium Member join:2001-01-03 Chicago, IL
1 recommendation |
brg to Mango
Premium Member
2014-Apr-16 12:18 pm
to Mango
said by Mango:
said by »toao.net/500 : By default, OBi devices accept calls destined for any username. The above syntax rejects calls that are not intended for whatever you have configured as AuthUserName.
said by »wiki.voip.ms/article/OBi_100/110 : By default, OBi devices accept calls destined for any username. The above syntax rejects calls that are not intended for whatever you have configured as AuthUserName.
Really, guys? Again?
/sarcasm mode on:
Perhaps it's intended as a form of flattery. /sarcasm mode off
|
2 edits |
to Alittlegreen
said by Alittlegreen:
There's this person on DSLR that was kind enough to put something together for ATA configuration. I think you'll find what you're looking for here: »www.toao.net/500-mangos- ··· i202-ata Under the heading "OBi ATA Security".
This is also on the voip.ms wiki: »wiki.voip.ms/article/OBi_100/110 Under the heading "To avoid phone calls in the middle of the night due to SIP scanners (through no fault of VOIP.ms)."
I set up our ATA, followed these instructions, and not a single scanner call to date.
I believe this OBi firmware Build 4330 setting can be used instead to prohibit anonymous SIP and works with VoIP.ms:
Voice Services SPn Service - SIP Credentials::X_EnforceRequestUserID = checked
Edit: Supersedes InboundCallRoute methods (see below) but may not work with all ITSPs.
OE
|
adit7 join:2013-04-02 Oakville, ON 1 edit |
adit7
Member
2014-Apr-16 5:10 pm
said by OzarkEdge:
I believe this OBi firmware Build 4330 setting can be used instead to prohibit anonymous SIP and works with VoIP.ms:
Voice Services SPn Service - SIP Credentials::X_EnforceRequestUserID = checked
OE
You are right. This works for OBI202 with the latest firmware. However you can still use "Oleg's method" which works on older firmware and OBI models which do not have that setting. I did not bother to change, I have set Oleg's method (look on OBI forum for it) a long time ago and never had a problem since then. As a note, "Oleg's method" works with all providers, the flag above requires provider support, so it will not work with all providers (if I remember well, Voice.ms supports it). There is another thread in Obi forum related to this flag.
Oleg's method: » www.obitalk.com/forum/in ··· c=5467.0
|
|
said by adit7:
You are right. This works for OBI202 with the latest firmware. However you can still use "Oleg's method" which works on older firmware and OBI models which do not have that setting. I did not bother to change, I have set Oleg's method (look on OBI forum for it) a long time ago and never had a problem since then. As a note, "Oleg's method" works with all providers, the flag above requires provider support, so it will not work with all providers (if I remember well, Voice.ms supports it). There is another thread in Obi forum related to this flag.
Oleg's method: »www.obitalk.com/forum/in ··· c=5467.0
Thanks! Also from my notes... I've only used the first option with VoIP.ms until OBi instituted the X_EnforceRequestUserID setting:
Voice Services SPn Service - SPn Service::X_InboundCallRoute = ph1 (route inbound to phoneport1)
- {>[Your Account User ID]:ph1} prohibit anonymous SIP but does not work for Builds 4303 and 4318
- {>[Called Number]:ph1} prohibit anonymous SIP but only works after Build 4269
OE
|
flinchlock Premium Member join:2003-04-25 Augusta, MI ARRIS SB6121 Obihai OBi200
|
to hmspe
FYI...I used OBiTALK to configure SP1 & SP2 (for CC) and AuthUserName was automagically set for me. Mike |
|
nunyaLXI 483 MVM join:2000-12-23 O Fallon, MO |
to Mango
Re: [Voip.ms] Phantom calls
Somebody from Voip.ms owes you a Coke. Or at least some credit. Whatever happened to footnotes and citations? Did they disappear with the typewriter?
|
Mango Use DMZ and you get a kick in the dick. Premium Member join:2008-12-25 www.toao.net |
Mango
Premium Member
2014-Apr-17 12:18 am
There's a citation on » wiki.voip.ms/w/index.php ··· y_issues, but only because I added it. It got approved and published months later. |
|
|
The ultimate in self-service! |
|
|
to hmspe
Hi! It looks like this turned into an Obi discussion. I skimmed the manual for the Mediatrix 4102. Is this your model of ATA?
The right way to block these calls is to use restricted cone NAT as suggested by Mango. When a SIP scanner tries to connect to your public IP address, the restricted cone NAT would block the connection since it is not coming from voip.ms.
If you can't fix your router, the high port numbers suggested by Mango help since the SIP scanners would concentrate on the popular ports.
I did find one setting in the Mediatrix 4102 manual that might help. The SIP Trusted Sources feature lets you choose six different IP addresses that the ATA will listen to. When enabled, calls from other IP addresses will be ignored. You would have to look up the numerical IP addresses of your voip.ms servers and enter them into the Mediatrix. This is not an ideal solution. What if voip.ms adds a new regional server that you want to try? You'll be scratching your head until you remember to change this setting. |
|
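The two ATA-side defences discussed in this thread (rejecting INVITEs whose Request-URI user is not the account user, and accepting SIP only from a list of trusted source addresses), applied to a few sample requests. This is an added example, not part of the original posts and not OBi or Mediatrix code; the messages, addresses, decision labels and the account name "1234567" are constructed placeholders.

```python
# Added illustration: screening inbound SIP INVITEs as the thread describes.
# Messages and addresses are constructed; "1234567" is a placeholder account.
import re
from collections import Counter

REQUEST_LINE = re.compile(r"^([A-Z]+) sips?:(?:([^@;\s]+)@)?\S+ SIP/2\.0$")
FROM_USER = re.compile(r"^(?:From|f)\s*:.*?sips?:([^@;>\s]+)@", re.I | re.M)

def screen_invite(raw, source_ip, auth_user, trusted_sources):
    """Return (decision, caller_id) for one inbound SIP request."""
    first_line = raw.replace("\r\n", "\n").split("\n", 1)[0].strip()
    m = REQUEST_LINE.match(first_line)
    caller = FROM_USER.search(raw)
    caller_id = caller.group(1) if caller else None
    if not m or m.group(1) != "INVITE":
        return "reject:not-an-invite", caller_id
    # Layer 1 (SIP Trusted Sources idea): only listed peers may call, if a list is set.
    if trusted_sources and source_ip not in trusted_sources:
        return "reject:untrusted-source", caller_id
    # Layer 2 (OBi-style check): Request-URI user must equal the account user.
    if m.group(2) != auth_user:
        return "reject:wrong-user", caller_id
    return "accept", caller_id

def invite(user, from_user):
    """Build a constructed, minimal INVITE (not a complete SIP message)."""
    target = f"sip:{user}@192.0.2.20:5082" if user else "sip:192.0.2.20:5082"
    return (f"INVITE {target} SIP/2.0\r\n"
            f'From: "{from_user}" <sip:{from_user}@198.51.100.77>;tag=x\r\n'
            f"To: <{target}>\r\n\r\n")

SAMPLES = [  # (source IP, message)
    ("203.0.113.10", invite("1234567", "5551230000")),  # registered server
    ("203.0.113.99", invite("1234567", "5551239999")),  # provider's new server
    ("198.51.100.77", invite("100", "101")),            # unsolicited, guessed user
    ("198.51.100.77", invite("", "201")),               # unsolicited, no user part
]

def summarize(auth_user, trusted_sources):
    """Count decisions over SAMPLES for one ATA configuration."""
    return Counter(screen_invite(msg, ip, auth_user, trusted_sources)[0]
                   for ip, msg in SAMPLES)

if __name__ == "__main__":
    print(dict(summarize("1234567", set())))             # user check only
    print(dict(summarize("1234567", {"203.0.113.10"})))  # plus trusted sources
```

With the trusted list enabled, the call arriving from the provider's unlisted server is rejected along with the unsolicited requests, which is the maintenance cost the post above points out.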
hmspe Premium Member join:2007-07-01 Temple, TX |
hmspe
Premium Member
2014-Apr-17 8:46 am
Thanks again to all for the help and suggestions.
The router is a Netgear R6300. The only NAT settings I can find are 'NAT Filtering', which is set to secured, and 'Disable SIP ALG', which is unchecked.
The Mediatrix is a 4108.
Changing the ports has stopped the problem for the moment. I'll look at the SIP Trusted Sources option when I get a few minutes. If I can do two LA servers, two Denver, and two Dallas I'm probably covered for any server changes I would make. Unlikely that they will add servers in Phoenix. |
|
Mango Use DMZ and you get a kick in the dick. Premium Member join:2008-12-25 www.toao.net |
Mango
Premium Member
2014-Apr-17 9:45 am
Does SIP Trusted Sources allow you to use hostnames instead of IP addresses? This would be more reliable, in case the IP address for your server(s) changes.
It's curious that you're having the problem, even with NAT Filtering set to Secured. That seems backwards to me. |
|
brg Premium Member join:2001-01-03 Chicago, IL |
brg to hmspe
Premium Member
2014-Apr-17 9:47 am
to hmspe
said by hmspe: ...and 'Disable SIP ALG', which is unchecked.
Unrelated, but conventional wisdom in this forum is generally to disable SIP ALG. However, if things have been otherwise working fine thus far, maybe don't fix what ain't broke in that regard...
|
hmspe Premium Member join:2007-07-01 Temple, TX |
hmspe
Premium Member
2014-Apr-17 1:29 pm
The Mediatrix I have has the DGW software. 'SIP Trusted Sources' is only part of Mediatrix's SIP software. I think there are equivalent methods in the DGW software but the terminology in the manual is a bit foreign to me so it may take a while to figure out.
I agree that it is strange to have this problem with NAT Filtering set to secure. It is also strange that the DID on port 5082 was being hit but the DID on port 5080 was not. |
|
|
Just brainstorming here with little experience...
Did VoIP.ms Support offer any advice on the matter?
If my router was letting unsolicited 'SIP scans' through to my ata, I should think about getting a different router, yes?
Could the inbound be spurious SIP from the registered VoIP.ms server? Could this be tested by temporarily registering with a different server?
OE |
|
Mango Use DMZ and you get a kick in the dick. Premium Member join:2008-12-25 www.toao.net |
Mango
Premium Member
2014-Apr-17 4:21 pm
said by OzarkEdge: I should think about getting a different router, yes?
If your router cannot be configured otherwise, and is not compatible with third-party firmware, for best security you should replace the router. For adequate security you can configure your ATA to reject calls not intended for you.
said by OzarkEdge: Could the inbound be spurious SIP from the registered VoIP.ms server?
Nope.
m.
|
|
to OzarkEdge
said by OzarkEdge: Could the inbound be spurious SIP from the registered VoIP.ms server?
If it were from voip.ms, there are two possibilities:
-- It has to be a real crank call to your DID. The caller would have paid to call your number.
-- You publicly revealed your voip.ms incoming SIP URI.
In either case, the call should show up in the voip.ms call logs.
|
brawney Premium Member join:2002-03-02 Frederick, MD |
to OzarkEdge
said by OzarkEdge: If my router was letting unsolicited 'SIP scans' through to my ata, I should think about getting a different router, yes?
+1
|
brawney
1 recommendation |
to Mango
said by Mango: If your router cannot be configured otherwise, and is not compatible with third-party firmware, for best security you should replace the router. For adequate security you can configure your ATA to reject calls not intended for you.
I would do both. My router doesn't have that issue, but I still configure the ATA to reject calls not intended for it. If my router did have that issue it would be replaced immediately.
|