RobThompson
Caution - VoIP Challenged Alert
Premium Member
join:2012-02-14
J8G 0C9


RobThompson

Premium Member

[Asterisk] PIAF: CDR Report mystery entries...

Hello:

I posted this question on the PIAF Help forum but did not get a solution.

When I review the CDR Report, it has many of the following entries, which were not created by me:

2014-10-03 00:13:55 1412309635.105 8004 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:16:50 1412309810.106 4000 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:18:21 1412309901.107 1 Answer s [from-sip-external] ANSWERED 00:01
2014-10-03 00:32:09 1412310729.108 1002 Congestion s [from-sip-external] ANSWERED 00:12
2014-10-03 00:33:37 1412310817.109 8004 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:38:33 1412311113.110 4000 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:42:45 1412311365.111 1 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:45:31 1412311531.112 4000 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:53:31 1412312011.113 8004 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 01:06:51 1412312811.114 1 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 01:13:10 1412313190.115 501 Answer s [from-sip-external] ANSWERED 00:01
2014-10-03 01:15:26 1412313326.116 5000 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 01:22:39 1412313759.117 100 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 01:30:33 1412314233.118 1 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 01:32:50 1412314370.119 501 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 01:35:56 1412314556.120 107 Congestion s [from-sip-external] ANSWERED 00:12
2014-10-03 01:44:36 1412315076.121 5000 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 01:52:15 1412315535.122 501 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 01:53:55 1412315635.123 1 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 02:06:45 1412316405.124 100 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 02:06:53 1412316413.125 1001 Answer s [from-sip-external] ANSWERED 00:01
2014-10-03 02:12:03 1412316723.126 501 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 02:14:19 1412316859.127 1001 Congestion s [from-sip-external] ANSWERED 00:13
2014-10-03 02:15:19 1412316919.128 5000 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 02:17:39 1412317059.129 1 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 02:18:16 1412317096.130 1001 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 02:20:11 1412317211.131 1001 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 02:25:34 1412317534.132 1001 Answer s [from-sip-external] ANSWERED 00:01
2014-10-03 02:26:07 1412317567.133 1001 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 02:31:37 1412317897.134 501 Answer s [from-sip-external] ANSWERED 00:00

I have none of these extensions set up in PIAF.

Does anyone know where they are from, why they are there or how to prevent them?

Maybe they should be there but I do not know.

Thanks for any suggestions or input,
tbrummell2
join:2002-02-09
Ottawa, ON

tbrummell2

Member

Turn off SIP Guests and Anonymous SIP, unless you require them.


RobThompson

Premium Member

Thank you.
I requested that this post be deleted by the Mods.

nunya
LXI 483
MVM
join:2000-12-23
O Fallon, MO
·Charter

nunya to RobThompson

MVM

to RobThompson
Is your system secured behind a firewall? Are you running IP tables? Do you have "Allow Anonymous Inbound SIP Calls" enabled for some reason?
At first blush, I'm guessing your system is insecure and bad guys are probing it.

It looks like you might need to lock things down. I'd implement "Travelin' Man" too.
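
Added example, not part of any post in this thread: a small triage of the CDR report from the first post, counting how often each claimed caller ID arrived in the [from-sip-external] context. It assumes the whitespace-separated column layout as pasted in that post and that 205 (the one extension the original poster says he created) is the only configured extension; `probe_summary` and `sample_cdr` are names made up here.

```shell
#!/bin/sh
# probe_summary "EXT1 EXT2 ...": read CDR report lines on stdin (columns as in
# the first post: date time uniqueid src app dst [context] disposition
# duration) and print "src attempts first-seen last-seen" for every caller ID
# that arrived in [from-sip-external] and is not a configured extension.
probe_summary() {
    awk -v known="$1" '
    BEGIN { n = split(known, k, " "); for (i = 1; i <= n; i++) mine[k[i]] = 1 }
    NF >= 9 && $7 == "[from-sip-external]" && !($4 in mine) {
        if (!($4 in count)) first[$4] = $2
        count[$4]++; last[$4] = $2
    }
    END { for (s in count) print s, count[s], first[s], last[s] }
    ' | LC_ALL=C sort -k2,2nr -k1,1
}

# First eight lines of the CDR report pasted in the first post.
sample_cdr() {
    cat <<'EOF'
2014-10-03 00:13:55 1412309635.105 8004 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:16:50 1412309810.106 4000 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:18:21 1412309901.107 1 Answer s [from-sip-external] ANSWERED 00:01
2014-10-03 00:32:09 1412310729.108 1002 Congestion s [from-sip-external] ANSWERED 00:12
2014-10-03 00:33:37 1412310817.109 8004 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:38:33 1412311113.110 4000 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:42:45 1412311365.111 1 Answer s [from-sip-external] ANSWERED 00:00
2014-10-03 00:45:31 1412311531.112 4000 Answer s [from-sip-external] ANSWERED 00:00
EOF
}

# Most frequent unknown caller IDs first; 205 is treated as the only real extension.
sample_cdr | probe_summary "205"
```

An empty result after disabling SIP guests and anonymous inbound SIP is the outcome the original poster reports later in the thread.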

Trimline
Premium Member
join:2004-10-24
Windermere, FL

Trimline to RobThompson

Premium Member

to RobThompson
Nunya is correct. Review this article to stop the hacking... »nerdvittles.com/?p=689


RobThompson to nunya

Premium Member

to nunya
Thanks nunya.

Is your system secured behind a firewall? -> I don't know, it is on a Digital Ocean CentOS droplet.

Are you running IP tables? -> I don't know, I just set up a default PIAF.

Do you have "Allow Anonymous Inbound SIP Calls" -> I have learned how to set these to "No" & it is done.

I'd implement "Travelin' Man" too. -> I read about that but, because I don't yet understand most of the consequences of changing things of my default installation, I am really worried that I will screw things up. I will read about it again.

Rob.


nunya

MVM

DO = no firewall: your PBX is directly exposed to the big bad internet.
I don't know if default PIAF comes locked down. I know that if you install incredible PBX along with it, then it is relatively secure.
For the time being, you should probably use IP tables to block all IP addresses except your VOIP provider and your home.

You need to secure that thing or pull the plug before somebody starts doing bad stuff.


RobThompson

Premium Member

I found how to switch port 5060 to something else, I think.

When I switch it, I can no longer make calls. (consequence)

I guess this means that I must make further changes when I use a different port.

Does anyone know what these further changes must be?

Thank you,
RobThompson

RobThompson to nunya

Premium Member

to nunya
"I know that if you install incredible PBX along with it" -> It must be installed because when I log into the DO droplet it goes through an IncrediblePBX update each time.

Rob.


Trimline

Premium Member

Did you have an extension 701 when you first logged in and a Demo IVR? If not, I would take screenshots of your current setup as they will be wiped out when you run and install incredible:

cd /root
wget »incrediblepbx.com/incred ··· pbx11.gz
gunzip incrediblepbx11.gz
chmod +x incrediblepbx11
./incrediblepbx11

This will install all of your security. When that is done, go to the root directory and install incrediblefax as well. Then you can have a PBX fax server along with PBX in a Flash.
Trimline

Trimline to RobThompson

Premium Member

to RobThompson
Here's the code section:

cd /root
wget http://incrediblepbx.com/incrediblepbx11.gz
gunzip incrediblepbx11.gz
chmod +x incrediblepbx11
./incrediblepbx11
 


RobThompson to Trimline

Premium Member

to Trimline
said by Trimline:

Did you have an extension 701 when you first logged in

Thanks Trimline.

Yes 701 was and is there now.
Does that mean that incrediblepbx is properly installed?


Trimline

Premium Member

You would need to review your install logs, but at the end of the incredible install, it should have asked you to confirm the installation of Travelin' Man 3. After replying, you should have provided a FQDN that will be accessing your system (your home/work IP).

Did that happen?

I'm trying to figure out why you are seeing those log entries. Those are hackers trying to get in and should not even "see" your machine.


RobThompson

Premium Member

said by Trimline:

Did that happen?

I'm trying to figure out why you are seeing those log entries. Those are hackers trying to get in and should not even "see" your machine.

Yes, that did happen but I think that I got worried that I would not know how to set it up (read: Chickened Out) and might have Ctrl-C or Ctrl-X to exit it - I can't remember.

Since I disallowed SIP Guests & blocked Anonymous Inbound SIP Calls,
I no longer have any of those entries!


Rob.
RobThompson

RobThompson

Premium Member

Hello:

Now that I no longer have those mystery entries in my CDR Report, I am trying to figure out how to close UDP port 5060 access to my Digital Ocean Droplet PIAF server.

Right now, I assume that 5060 is open as I did nothing to close it, that I know of. If installing Travelin Man 3 closes it, then it must be closed as it is installed.

I can still make calls after verifying that Travelin Man 3 is installed - I don't know how to verify that it is working properly.

All that I know is, if I set "Bind Port" to 5067 in the Asterisk SIP Settings, that I can no longer make calls. Is this the *** incorrect *** way to close port 5060?

From what I have read, or perhaps misread, this is a way to do it - but I have my doubts as it prevents me from making calls.

On my system, I have created one extension (205), one trunk (voip.ms), one inbound route and one outbound route that use the extension & trunk.

If someone can point me to a post or a tutorial or bar where I can find out how to close port 5060 properly and what adjustment, if any, that I must make to my extension, trunk or routes, I would greatly appreciate it.

Thanks,

Rob.


nunya

MVM

In most cases, you shouldn't change the bind port. That's something else.
"Travelin' Man" works in IP tables by "blacklisting" all, and "whitelisting" only the IP addresses that should be associated with your PBX (Your VoIP provider, your cell phone, your house, your office, etc...).
The beauty is - you don't have to know a lot about IP tables or Firewall for it to work. You just input the domains (or IP addresses) and it magically does the rest.
I do have to say, the first time I installed it I had trouble following the configuration guide. Once I read it a few times and was able to wrap my head around it, it made perfect sense.
Once it's up and running, if you look at the rules it uses, it makes even more sense.
Stewart
join:2005-07-13

Stewart to RobThompson

Member

to RobThompson
If you change bindport, you also have to change the port that your phones and other SIP devices and apps connect to. With most, you would put e.g. :5067 after the IP address or domain name of your PIAF. Some devices have a separate entry called "server port" or similar.

In addition, if you enable TM3, you will have to modify the script to use 5067 instead of 5060.

As nunya says, changing bindport is probably unnecessary, if your TM3 or other firewall mechanism is working correctly. Changing it offers some additional protection, in case TM3 stops working properly or is improperly configured.

For an alternative to TM3 that is IMO simpler and requires no continuing administration, see »Re: [Asterisk] FreePBX a couple of security questions

In any case, test your firewall both by examining the iptables settings, e.g.
iptables -L
and by attempting to connect from an IP address or device that shouldn't have access, confirming that you don't get in!


RobThompson

Premium Member

Thanks Stewart.

By changing the "Bind Port" am I "locking down port 5060"?

Also, aside from adjusting the SIP devices when I change the "Bind Port", must I make any changes to extensions, trunks or routes or anywhere else in Asterisk and/or TM3?

I ask this because when I do change the "Bind Port" to 5067, I cannot make calls using Yate whether I use mydomainname.com or mydomainname.com:5067

Maybe I should try a different softphone? I prefer to use Linux Mint on my PC but I do have Windows 7 installed as well.

Rob.

Stewart to RobThompson

Member

to RobThompson
I don't use either Yate or TM3, but it does appear that :5067 is the correct syntax. »yate.null.ro/pmwiki/inde ··· teClient

Most likely, TM3 has allowed you access to 5060 but not 5067. Use iptables -L to check. You'll probably need to modify the script to use 5067. Be careful that you don't lock yourself out of your own server. »nerdvittles.com/?p=815
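
Added example, not from the thread and not Travelin' Man 3's own script: a simplified first-match reading of `iptables -S INPUT` output that answers whether a new UDP packet from a given address would reach a given SIP port. It covers both the allowlist nunya describes and the 5060-versus-5067 mismatch Stewart suspects. The rule set and addresses (documentation ranges) are constructed, and `sip_verdict` and `sample_rules` are made-up names.

```shell
#!/bin/sh
# sip_verdict SRC_IP PORT: read `iptables -S INPUT` text on stdin and print the
# verdict a NEW UDP packet from SRC_IP to PORT gets (first matching rule wins).
# Simplified model: only -s, -p and --dport are understood; rules with other
# matches (-i, -m state, ...) or a custom-chain target are skipped.
sip_verdict() {
    awk -v ip="$1" -v port="$2" '
    function ip2n(a,   o) { split(a, o, "."); return ((o[1]*256 + o[2])*256 + o[3])*256 + o[4] }
    function in_net(addr, cidr,   p, bits, size) {
        split(cidr, p, "/"); bits = (p[2] == "") ? 32 : p[2]
        size = 2 ^ (32 - bits)
        return int(ip2n(addr) / size) == int(ip2n(p[1]) / size)
    }
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" || verdict != "" { next }
    {
        src = "0.0.0.0/0"; proto = "all"; dport = ""; target = ""; other = 0
        for (i = 3; i <= NF; i++) {
            if ($i == "-s") src = $(++i)
            else if ($i == "-p") proto = $(++i)
            else if ($i == "--dport") dport = $(++i)
            else if ($i == "-m" && $(i + 1) == "udp") i++
            else if ($i == "-j") { target = $(i + 1); break }
            else other = 1
        }
        if (other || target !~ /^(ACCEPT|DROP|REJECT)$/) next
        if (proto != "all" && proto != "udp") next
        if (!in_net(ip, src)) next
        if (dport != "") {
            n = split(dport, r, ":"); lo = r[1]; hi = (n == 2) ? r[2] : r[1]
            if (port + 0 < lo + 0 || port + 0 > hi + 0) next
        }
        verdict = target
    }
    END { if (verdict == "") verdict = policy; print verdict }'
}
# Constructed rule set: default drop, SIP on 5060 from provider and home only.
sample_rules() {
    cat <<'EOF'
-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -s 198.51.100.20/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 203.0.113.0/24 -p udp -m udp --dport 5060 -j ACCEPT
EOF
}
sample_rules | sip_verdict 203.0.113.7 5067   # home address, new bind port
```

On a live server the input would come from `iptables -S INPUT` run as root; the final line shows the home address being dropped once the bind port moves to 5067 while the rules still name 5060.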


RobThompson

Premium Member

Thank you Stewart.