Strange calls

Hi asterisk-fellows!

For a while now, really strange things have been happening on my asterisk-box. At least they seem strange to me.
I’m quite new to asterisk; I hope some of you can explain it to me.
It is as follows:
One day I started to receive calls with nobody answering.
The callerid was ‘asterisk’,
and the extension was ‘011442073479999’.
This happened in my “incoming”-context, so one of my dahdi phones began to ring.
I got these values from an AGI-script, but found nothing in the logs.
I googled for it, and found terrifying details about brute-force attacks and such things.
So I reinstalled the system and changed some passwords where easily possible.
But after a few days, the same happened again, but with a different extension: ‘01442073479999’ this time.
In my dialplan, I forwarded this extension to a Hangup(), but the next time the extension changed again to: ‘00000442073479999’.

What does this mean?

This is my extensions.conf, with a little extra redirection in the incoming_o2 context that I added later (since then no such call has occurred, but I don’t think that’s because of this little change):

[globals]

HOME=55
BUSINESS=80

NUM_o2_home=XXXXXXXXXXX
NUM_o2_business=XXXXXXXXXXXXX

[general]
autofallthrough=yes


[default]
exten => s,1,Verbose(1,unrouted call handler)
exten => s,n,AGI(/home/master/tools/call_log/call_log_default.py)
exten => s,n,Answer()
exten => s,n,Wait(1)
exten => s,n,Playback(tt-weasels)
exten => s,n,Hangup()


[incoming_sipgate]
exten => _X.,1,NoOp()
exten => _X.,n,Dial(DAHDI/1)
exten => _X.,n,Hangup()


[incoming_o2]
exten => _X.,1,NoOp()
exten => _X.,n,Verbose(1,incoming call)
exten => _X.,n,Verbose(1,extension is: ${EXTEN})
exten => _X.,n,Verbose(1,callerid is: ${CALLERID(num)})
exten => _X.,n,AGI(/home/master/tools/call_log/call_log.py)
exten => _X.,n,GotoIf($["${EXTEN}" = "${NUM_o2_business}"]?business:other)
exten => _X.,n(business),Dial(DAHDI/1)
exten => _X.,n,Hangup()
exten => _X.,n(other),GotoIf($["${EXTEN}" = "${NUM_o2_home}"]?home:strange)
exten => _X.,n(home),Dial(DAHDI/2)
exten => _X.,n,Hangup()
exten => _X.,n(strange),AGI(/home/master/tools/call_log/call_log_strange.py)
exten => _X.,n,Hangup()


[outgoing_calls]
exten => _X.,1,NoOp()
exten => _X.,n,Verbose(1,outgoing call - callerID is: ${CALLERID(num)})
exten => _X.,n,AGI(/home/master/tools/call_log/call_log_outgoing.py)
exten => _X.,n,Dial(SIP/o2_out_home/${EXTEN},30,trg)
exten => _X.,n,Hangup()


[internal]
exten => 500,1,Verbose(1,echo test application)
exten => 500,n,Echo()
exten => 500,n,Hangup()

exten => ${HOME},1,Verbose(1,home phone is called internally)
exten => ${HOME},n,Dial(DAHDI/2)
exten => ${HOME},n,Hangup()

exten => ${BUSINESS},1,Verbose(1,business is called internally)
exten => ${BUSINESS},n,Dial(DAHDI/1)
exten => ${BUSINESS},n,Hangup()

[phones]
include => internal
include => outgoing_calls

And this is my sip.conf:

[general]


useragent=pbx
port=5060
bindaddr=0.0.0.0
;security options
alwaysauthreject=yes
;allowguest=no

qualify=no
disallow=all
allow=ulaw
allow=alaw
allow=g729
allow=gsm
allow=slinear
srvlookup=yes
externhost=mydomain.org
localnet=192.168.1.0/255.255.255.0

register=>XXXXXXXXX:XXXXXXXXX:XXXXXXXXXXXX@sip.o2online.de/XXXXXXXXXXX
register=>XXXXXXXXXX:XXXXXXXX@sipgate.de/XXXXXXX
register=>XXXXXXXXX:XXXXXXXXXX:XXXXXXXXXXX@sip.o2online.de/XXXXXXXXXXXX

context=incoming_o2

[o2_out_home]
;type=friend
type=peer
host=sip.o2online.de
username=XXXXXXXX ;variables don't work
fromuser=XXXXXXXXXX
fromdomain=sip.o2online.de
secret=XXXXXXXXXXX
dtmfmode=auto
insecure=port,invite
nat=no
qualify=no
canreinvite=no

My logger.conf looks like this:

[general]


dateformat=%F %T       ; ISO 8601 date format

rotatestrategy = rotate

[logfiles]


console => notice,warning,error

messages => notice,warning,error

syslog.local0 => notice,warning,error

I wonder why there is not much info in the logs.
I got this message in syslog:

This happened 16 seconds after such a mysterious call.

And in /var/log/asterisk/messages I get some of these messages:

But this doesn’t happen at the same time as the calls.

What’s going on here?
Where are security holes?

Ports 5060 and 16384-32767 (for rtp) are open.
I use Asterisk 1.6.2.5-0ubuntu1.3

PS:
I just stumbled over a file called iax.conf. I don’t know anything about that and just use the default (I can’t imagine that it is insecure by default):

[general]

bandwidth=low

disallow=lpc10                  ; Icky sound quality...  Mr. Roboto.

jitterbuffer=no
forcejitterbuffer=no

autokill=yes


[guest]
type=user
context=default
callerid="Guest IAX User"

[iaxtel]
type=user
context=default
auth=rsa
inkeys=iaxtel

[iaxfwd]
type=user
context=default
auth=rsa
inkeys=freeworlddialup

[demo]
type=peer
username=asterisk
secret=supersecret
host=216.207.245.47

I need this asterisk box for daily use.
Thank you for your help!
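As an added example (not code from the original post or from the poster's AGI scripts), here is a small Python detector for the pattern described above: inbound calls with a non-numeric callerid such as 'asterisk', and the same foreign number dialled under several international-access spellings (011..., 01..., 00000...). The sample records, the record layout and the OWN_NUMBERS stand-ins for the masked NUM_o2_home / NUM_o2_business values are constructed for this example; the prefix normalisation is a stated heuristic, not an Asterisk feature.

```python
import re
from collections import defaultdict

# Constructed sample records (not the poster's real data), shaped like what an
# AGI logging script might write: (timestamp, context, callerid number, dialled exten).
SAMPLE_CALLS = [
    ("2011-02-18 04:12:31", "incoming_o2", "asterisk", "011442073479999"),
    ("2011-02-18 09:30:02", "incoming_o2", "4930111111", "4930123456"),
    ("2011-02-21 03:58:47", "incoming_o2", "asterisk", "01442073479999"),
    ("2011-02-23 02:07:19", "incoming_o2", "anonymous", "00000442073479999"),
    ("2011-02-23 10:15:00", "incoming_sipgate", "4930222222", "4930654321"),
]

# Constructed stand-ins for the masked NUM_o2_home / NUM_o2_business globals.
OWN_NUMBERS = {"4930123456", "4930654321"}


def canonical_destination(exten):
    """Reduce the dialled string to its bare country-code form so that the
    011..., 01... and 00000... spellings of one number compare equal.
    Heuristic (an assumption of this example): drop non-digits, strip the
    leading zeros of any international-access prefix, then strip leftover
    leading 1s only while the number is longer than an 11-digit NANP number,
    so a genuine 1-xxx-xxx-xxxx destination is left alone."""
    digits = re.sub(r"\D", "", exten).lstrip("0")
    while digits.startswith("1") and len(digits) > 11:
        digits = digits[1:]
    return digits


def flag_reasons(record):
    """Return the reasons a record looks like a probe; empty list if benign."""
    _ts, _context, callerid, exten = record
    reasons = []
    if re.fullmatch(r"\+?\d+", callerid) is None:
        reasons.append("non-numeric callerid")
    if canonical_destination(exten) not in OWN_NUMBERS:
        reasons.append("destination is not one of our numbers")
    return reasons


def find_probe_campaigns(records):
    """Group flagged records by canonical destination: one destination seen
    under several prefix spellings is one scanner trying variants."""
    campaigns = defaultdict(set)
    for record in records:
        if flag_reasons(record):
            campaigns[canonical_destination(record[3])].add(record[3])
    return {dest: sorted(raw) for dest, raw in campaigns.items()}


if __name__ == "__main__":
    for record in SAMPLE_CALLS:
        reasons = flag_reasons(record)
        status = ("FLAGGED: " + ", ".join(reasons)) if reasons else "ok"
        print(record[0], record[3], status)
    for dest, variants in find_probe_campaigns(SAMPLE_CALLS).items():
        print(f"destination {dest} probed as: {variants}")
```

Run over the output of a call-logging AGI script, this turns the three separate "strange" calls from the thread into one grouped finding for 442073479999, which is the signal worth alerting on: the dialplan's Hangup() on one spelling does nothing against the next.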

SIP nodes may dial each other directly without needing the server.

It could be coming into your router and dialing the phones directly.

Block port 5060 for traffic coming into the network.

If you have remote phones, use socket-based filtering, expecting to see an incoming IP/port combo, or even a MAC address.

Thank you for the quick reply!

No, the calls are actually going through my server. They are processed in the context
"incoming_o2". Since yesterday I had 3 more calls of this kind.
Before I changed this context in order to send these unknown extensions
to the AGI script:

exten => _X.,n(strange),AGI(/home/master/tools/call_log/call_log_strange.py)

they ended up at

exten => _X.,n(home),Dial(DAHDI/2)

so a dahdi phone was ringing.

In my router configuration port 5060 is forwarded to the asterisk machine in order to receive calls from
the three registered peers of my sip-providers.

Can anyone answer any of these questions for me, please?

  • What does it mean when the callerid is not a number, but the string ‘asterisk’?
    How is this possible?
  • Are other peers than those of my sip providers connecting to my machine, and how can
    someone achieve this?
  • Is my configuration insecure at some point?
  • Is my iax.conf secure? (I did not touch it)
  • Has my asterisk been hacked?

Please help!

This is a hack to see if they can use your server to make international calls. So yes, this is an issue. At this point there are lots of places you can get guidance on securing your server, which you must do as soon as possible. Start here: voip-info.org/wiki/view/Asterisk+security …google “securing asterisk” and you can find lots of tips on how to protect yourself from that nightmare $25,000 bill coming in.

Thank you, the documentation you referenced was very helpful.
I cleared my default context, and added some rules to the iptables
firewall. I block all incoming traffic, but ssh and connections established
by my machine.
The sipgate voip-peer can send calls through such an established connection,
so no extra rule is needed, but the o2-peers are opening new connections.
I looked in the iptables-logs to identify the ip-addresses of the o2-servers,
and allowed that traffic on port 5060.
I think the difference between the two sip-providers is that the o2 peers
connect as guest, whereas sipgate authenticates:
when I added “allowguest=no” to my sip.conf, the o2-peers were no longer able
to connect, but incoming sipgate calls worked.

Additionally my router is forwarding only port 5060 and rtp ports.
To my astonishment, no rtp ports are needed in iptables rules.

To give some hints to other people facing a similar problem, here are my iptables
rules:

# Generated by iptables-save v1.4.4 on Fri Feb 25 16:26:33 2011
*nat
:PREROUTING ACCEPT [44:39033]
:POSTROUTING ACCEPT [14:1015]
:OUTPUT ACCEPT [14:1015]
COMMIT
# Completed on Fri Feb 25 16:26:33 2011
# Generated by iptables-save v1.4.4 on Fri Feb 25 16:26:33 2011
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1328:258465]
:fail2ban-ASTERISK - [0:0]
-A INPUT -i lo -j ACCEPT 
-A INPUT -s 192.168.1.27/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables all: " --log-level 7
-A INPUT -j fail2ban-ASTERISK 
-A INPUT -s 217.188.32.4/32 -p udp -m udp --dport 5060 -j ACCEPT 
-A INPUT -s 195.71.106.68/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7 
-A INPUT -j DROP 
-A fail2ban-ASTERISK -j RETURN 
COMMIT
# Completed on Fri Feb 25 16:26:33 2011

This seems to fix the problem.
No bogus calls have occurred since I set up the software firewall.
Thanks for helping me to prevent the $25,000 bill!
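As an added example (not from the original thread), here is a Python audit of an iptables-save dump that checks the two properties the ruleset above relies on: the INPUT chain ends in a catch-all DROP (or has a DROP policy), and UDP/5060 is accepted only from explicitly listed /32 provider addresses, never from any source. The two rulesets below are constructed for the example, with TEST-NET addresses in place of the provider IPs; the parser only understands the handful of iptables options used in such rules.

```python
import shlex

# Constructed ruleset in the shape of the thread's iptables-save output,
# with 192.0.2.x (TEST-NET) standing in for the provider addresses.
HARDENED_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:fail2ban-ASTERISK - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -s 192.168.1.27/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j fail2ban-ASTERISK
-A INPUT -s 192.0.2.10/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -s 192.0.2.20/32 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "iptables dropped: " --log-level 7
-A INPUT -j DROP
-A fail2ban-ASTERISK -j RETURN
COMMIT
"""

# Constructed weak ruleset: ACCEPT policy, no final DROP, SIP open to the world.
WEAK_RULES = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
COMMIT
"""

ANY_SOURCE = "0.0.0.0/0"


def parse_rule(tokens):
    """Extract the fields this audit cares about from one '-A CHAIN ...' line;
    unknown options (--limit, --log-prefix, ...) are skipped token by token."""
    rule = {"chain": tokens[1], "source": ANY_SOURCE, "proto": None,
            "dport": None, "target": None, "iface": None, "states": None}
    flags = {"-s": "source", "-p": "proto", "-j": "target", "-i": "iface"}
    i = 2
    while i < len(tokens):
        tok = tokens[i]
        if tok in flags:
            rule[flags[tok]] = tokens[i + 1]
            i += 2
        elif tok == "--dport":
            rule["dport"] = int(tokens[i + 1])
            i += 2
        elif tok == "--state":
            rule["states"] = tokens[i + 1].split(",")
            i += 2
        elif tok == "-m":           # match module name, e.g. '-m udp'
            i += 2
        else:
            i += 1
    return rule


def parse_iptables_save(text):
    """Return ({chain: policy}, [rules]) from iptables-save text."""
    policies, rules = {}, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            policies[chain] = policy
        elif line.startswith("-A "):
            rules.append(parse_rule(shlex.split(line)))
    return policies, rules


def audit_input_chain(text, port=5060):
    """Check that INPUT drops by default and accepts `port` only per source."""
    policies, rules = parse_iptables_save(text)
    inputs = [r for r in rules if r["chain"] == "INPUT"]
    catch_all_drop = any(
        r["target"] in ("DROP", "REJECT") and r["source"] == ANY_SOURCE
        and r["proto"] is None and r["dport"] is None
        and r["iface"] is None and r["states"] is None
        for r in inputs)
    default_drop = policies.get("INPUT") in ("DROP", "REJECT") or catch_all_drop
    findings, sip_sources = [], []
    if not default_drop:
        findings.append("INPUT policy is ACCEPT and there is no catch-all DROP")
    for r in inputs:
        if r["target"] == "ACCEPT" and r["dport"] == port:
            if r["source"] == ANY_SOURCE:
                findings.append(f"{r['proto']}/{port} accepted from any source")
            else:
                sip_sources.append(r["source"])
    return {"default_drop": default_drop, "sip_sources": sip_sources,
            "findings": findings}


if __name__ == "__main__":
    for name, text in (("hardened", HARDENED_RULES), ("weak", WEAK_RULES)):
        print(name, audit_input_chain(text))
```

Feeding the live `iptables-save` output to audit_input_chain() after each change gives a quick regression check that the provider allow-list and the final DROP are still in place. Note that the RELATED,ESTABLISHED rule is why no separate RTP rules were needed: the media follows a flow the box already tracks.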