Simple bit of dialplan to get IP address of anon callers

Hi, just sharing a simple bit of dialplan to catch anon callers' IP addresses.

I'm sure if you have a server with a public IP you will have seen calls on the console screen where the call is to a destination but the caller is exten@yourserver. Well, this little bit of dialplan at the end of your default SIP context should catch them and log them with the IP of the originating server.

exten => _X.,1,Noop(Dead calls rising)
exten => _X.,n,Set(uri=${SIPCHANINFO(uri)})
exten => _X.,n,Verbose(3,Unknown call from ${uri} to ${EXTEN})
exten => _X.,n,System(echo "[${STRFTIME(${EPOCH},,%b %d %H:%M:%S)}] SECURITY[] Unknown Call from ${CALLERIDNUM} to ${EXTEN} IPdetails ${uri}" >> /var/log/asterisk/sipsec.log)
exten => _X.,n,Hangup()

so you now get

Hope it's of help to someone :wink:

That should be ${CHANNEL(uri)} to avoid a deprecated warning.

Also the reply address for the search phase of an attack doesn’t need to be the one in the Contact header, nor does the source address, which is the one you would want to block.

Hi

Yep, CHANNEL will do it. This was put together at 6am very quickly and has to work on 1.4 through to 1.8 servers, hence SIPCHANINFO and not CHANNEL.

As to addresses, yes, they don't, but this has now been running on production servers and is doing what it should.

I actually use this to find people that are trying to compromise my systems. I then ban their IPs. I have found that 90% of attempts come from Palestine. Just blocking their IPs made things a lot easier.
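
An added example, not code from any poster in this thread: a parser for the sipsec.log line format written by the dialplan above that tallies attempts per logged address. The sample lines, the threshold and the function names are constructed for illustration; as noted in the reply above, the logged URI need not be the packet's real source address, so the output is a list of candidates to check rather than a final block list.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the format produced by the System(echo ...) step.
SAMPLE_LOG = """\
[Mar 04 06:01:12] SECURITY[] Unknown Call from 1001 to 00441234567890 IPdetails sip:1001@203.0.113.7:5060
[Mar 04 06:01:15] SECURITY[] Unknown Call from 1001 to 900441234567890 IPdetails sip:1001@203.0.113.7:5060
[Mar 04 06:02:40] SECURITY[] Unknown Call from asterisk to 0015551230000 IPdetails sip:asterisk@198.51.100.23
[Mar 04 06:03:02] SECURITY[] Unknown Call from 100 to 0015551239999 IPdetails sip:100@[2001:db8::5]:5070;transport=udp
[Mar 04 06:03:09] SECURITY[] Unknown Call from 100 to 0015551239999 IPdetails sip:100@pbx.example.invalid
[Mar 04 06:03:30] SECURITY[] Unknown Call from x to 1 IPdetails garbage
"""

# Every field after the timestamp is caller-controlled, so match strictly.
LINE_RE = re.compile(
    r"^\[[A-Z][a-z]{2} \d{2} \d{2}:\d{2}:\d{2}\] SECURITY\[\] "
    r"Unknown Call from .*? to (?P<exten>\S+) IPdetails (?P<uri>\S+)$"
)
# Host part of a SIP URI: optional user@, then [IPv6] or a bare host.
URI_RE = re.compile(r"^sips?:(?:[^@]*@)?(\[[^\]]+\]|[^:;>\s]+)")


def host_ip(uri):
    """Return the URI host as a normalised IP string, or None if not a literal IP."""
    m = URI_RE.match(uri)
    if not m:
        return None
    try:
        return str(ipaddress.ip_address(m.group(1).strip("[]")))
    except ValueError:
        return None  # hostname: not resolved, the name is attacker-supplied


def tally(log_text):
    """Count logged attempts per IP; also return how many lines were skipped."""
    counts, skipped = Counter(), 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        ip = host_ip(m.group("uri")) if m else None
        if ip is None:
            skipped += 1
        else:
            counts[ip] += 1
    return counts, skipped


def candidates(counts, threshold=2):
    """IPs seen at least `threshold` times, to compare with the real packet source."""
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```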