
Phone calls from "allow"

mbruss
Posts: 43
Member Since:
2007-09-24

I have been getting random calls from "allow". I had about 6 calls on Saturday and then I had another call at about 6:45 AM this morning. When I pick up the phone, there is nothing there. If I do not answer, there is no message. It is ringing the blast group, so this appears to be coming from the phone system and not the phone.

I have run reports on the trixbox server and it does not show the calls. I have also looked on the Vitelity website and it does not show any calls at that time.

I thought it might go away after not getting any calls on Sunday and then I got another call today.

Does anyone have any ideas? My server number is 107771.

Thanks,
Mike



mbruss
Posts: 43
Member Since:
2007-09-24
This is what I got out of the log. I really do not know what it means though. First I get line one, and then there are four lines like the second (one for each phone MAC address). I have no idea where this "allow" is coming from...

,"allow","s","main","""allow"" ","SIP/82.80.245.125-b742a998","","Hangup","","2008-05-13 07:42:53","2008-05-13 07:42:53","2008-05-13 07:43:13",20,20,"ANSWERED","DOCUMENTATION"

,"allow","1001","blasthandling","""allow"" ","Local/1001@blasthandling-c679,2","SIP/0004F212832B-0853aba0","Dial","SIP/0004F212832B||tg","2008-05-13 07:42:53",,"2008-05-13 07:43:13",20,0,"NO ANSWER","DOCUMENTATION"

Could someone point me in the right direction on this?

Thanks,
Mike



ethans
Posts: 267
Member Since:
2007-01-16
Is this Trixbox Pro? We've seen it with other Asterisk-based systems that had anonymous SIP turned on. It would usually be someone trying to exploit the system for international calling... Seems like someone might be running a botnet out there. The international calls don't get out of the system, but they do enter any inbound routes you may have.

--

Ethan Schroeder - ethan d.o.t schroeder a.t schmoozecom d.o.t com
Comprehensive bounty list | Blog
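
An added example, not part of the original thread: the two CDR rows Mike posted, parsed in Asterisk cdr_csv column order, with inbound SIP channels flagged when their peer part is a bare IP address outside a trusted list. Treating an IP-named channel as a call that matched no configured peer is an assumption of this example, and 192.0.2.0/24 is a placeholder for the provider's address range.

```python
import csv
import io
import ipaddress
import re

# The two CDR rows quoted in the thread, unchanged.
SAMPLE_CDR = r'''
,"allow","s","main","""allow"" ","SIP/82.80.245.125-b742a998","","Hangup","","2008-05-13 07:42:53","2008-05-13 07:42:53","2008-05-13 07:43:13",20,20,"ANSWERED","DOCUMENTATION"
,"allow","1001","blasthandling","""allow"" ","Local/1001@blasthandling-c679,2","SIP/0004F212832B-0853aba0","Dial","SIP/0004F212832B||tg","2008-05-13 07:42:53",,"2008-05-13 07:43:13",20,0,"NO ANSWER","DOCUMENTATION"
'''

# Column order written by Asterisk's cdr_csv backend (first 16 columns).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
          "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
          "duration", "billsec", "disposition", "amaflags"]

# SIP/<peer>-<hex id>; <peer> is a configured peer name or, by assumption,
# an IP address when the call matched no configured peer.
CHANNEL_RE = re.compile(r"^SIP/(?P<peer>.+)-[0-9a-fA-F]+$")


def unknown_sip_sources(cdr_text, trusted_nets):
    """Return CDR rows whose inbound SIP channel names an untrusted IP."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) < len(FIELDS):
            continue  # blank or truncated line
        rec = dict(zip(FIELDS, row))
        m = CHANNEL_RE.match(rec["channel"])
        if not m:
            continue  # Local/ legs and non-SIP channels
        try:
            ip = ipaddress.ip_address(m.group("peer"))
        except ValueError:
            continue  # named peer (a phone or a configured trunk)
        if any(ip in net for net in nets):
            continue  # provider traffic
        findings.append({"start": rec["start"], "source": str(ip),
                         "clid": rec["clid"].strip(),
                         "context": rec["dcontext"],
                         "billsec": int(rec["billsec"])})
    return findings


if __name__ == "__main__":
    # 192.0.2.0/24 is a placeholder, not Vitelity's real range.
    for hit in unknown_sip_sources(SAMPLE_CDR, ["192.0.2.0/24"]):
        print(hit)
```
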



mbruss
Posts: 43
Member Since:
2007-09-24

This is a trixbox Pro server. What do I need to change to prevent this?



ethans
Posts: 267
Member Since:
2007-01-16

Don't know if TB Pro has an anonymous SIP setting, where it is, if you can change it, or for that matter if it is even related to the issue you are having. I just know of the same general circumstances on other Asterisk-based systems. Try a Fonality support channel or maybe PM kerryg and see if he can point you in the right direction?

--

Ethan Schroeder - ethan d.o.t schroeder a.t schmoozecom d.o.t com
Comprehensive bounty list | Blog



mbruss
Posts: 43
Member Since:
2007-09-24
I have just narrowed down my firewall rule for SIP to only allow connections from Vitelity. If what you are saying is the issue, that should resolve it. Hopefully Vitelity does not change their IP addresses too often...

If anyone from trixbox Fonality has any other suggestions on where this is coming from please let me know.

Thanks a lot for the advice ethans. I did not think that trixbox Pro would be allowing anonymous SIP connections, but maybe that is it.

I will let you know if I continue to get calls from "allow".

Thanks,
Mike



Mike Joyce
Posts: 402
Member Since:
2007-03-07

Hey Mike,

Inbound SIP calls are allowed to the trixbox Pro. However, they are allowed in the same context as inbound PRI or PSTN calls and do not have the ability to 'dial out' (the thing these botnets are looking for). The way you restricted this is the recommended way of preventing this from occurring.

Thanks,
Mike



mbruss
Posts: 43
Member Since:
2007-09-24

Thanks Mike. That is exactly what I needed to know. This should prevent this from happening anymore (assuming that is what it was).

Thanks again for the reply.

Mike



carriegirl
Posts: 2
Member Since:
2008-06-19
HELP!

I also have been getting the same calls from "allow". Can someone please explain what this is? It happens all the time.
ty



ethans
Posts: 267
Member Since:
2007-01-16

Are you on Trixbox Pro or Trixbox CE? On CE you can disable it in FreePBX General Settings: Allow Anonymous Inbound SIP Calls? No. On Trixbox Pro, you apparently cannot disable it, which seems like a major flaw to me, especially considering the possibility for DoS attacks and/or potentially leaky dial plans.

--

Ethan Schroeder - ethan d.o.t schroeder a.t schmoozecom d.o.t com
Comprehensive bounty list | Blog



carriegirl
Posts: 2
Member Since:
2008-06-19
I am neither. I just typed in ALLOW CALLER on Google and this blog came up, and I saw that MIKE was having the same problem as me.



mbruss
Posts: 43
Member Since:
2007-09-24

I can say that changing my firewall rule to only allow incoming SIP connections from my provider (Vitelity) has stopped all "Allow" inbound calls.

BTW, I am using trixbox Pro. I don't think that really matters what product you are using though, it would still seem to be a best practice for security reasons no matter what product you are using.

I have no more input other than that.

Mike



eeknz
Posts: 83
Member Since:
2006-08-13
Me Too

I had a day this week with several 'allow' calls also. This is on TB 2.2.8 with anonymous sip allowed so the MV370 gsm trunk will work.
All our external calling is with a SIP provider, or over the GSM trunk.
I could narrow the firewall rules fairly easily, but I have a question. If I was to be using enum or wanted to have direct inbound sip allowed from specific other VoIP users, won't I be needing anonymous sip to be enabled to make that work?



ethans
Posts: 267
Member Since:
2007-01-16

If you are accepting direct inbound sip calls from other VoIP users, you need it on.

--

Ethan Schroeder - ethan d.o.t schroeder a.t schmoozecom d.o.t com
Comprehensive bounty list | Blog


