Suspicious ports opened by asterisk (both ipv4 and ipv6). Minimal config

Hi!

Why does Asterisk listen on all interfaces on random UDP ports? What module should I disable or configure?

  1. What I need.
    I want to use a few VoIP phones to call my parents. Planned to set up Asterisk on the cheapest VPS with OpenVPN. No NAT (on phones), no DBs, no PSTN, etc. Just SIP (codec conversion when needed) with caller ID. Simplest config with minimum memory usage.

  2. What I have.
    Asterisk 15.2.2 in an Arch Linux guest VM. One Yealink VoIP phone and one softphone (Linphone) in the local network, of course no NAT. Bare minimum config (see below).

  3. Problem.
    For some unknown reason, after every restart Asterisk binds to all available interfaces (both IPv4 and IPv6) and listens on random ports (somewhere in 30000-60000).

ss -ulpn

State  Recv-Q Send-Q   Local Address:Port   Peer Address:Port                                                                
UNCONN    0     0      192.168.1.100:5060        0.0.0.0:*        users:(("asterisk",pid=929,fd=8))
UNCONN    0     0            0.0.0.0:58324       0.0.0.0:*        users:(("asterisk",pid=929,fd=6))
UNCONN    0     0               [::]:47208          [::]:*        users:(("asterisk",pid=929,fd=7))

  4. Config. Only these files in /etc/asterisk:

extensions.conf

[general]
static=yes
writeprotect=no

[demo]
exten => 600,1,Playback(demo-echotest)
exten => 600,n,Echo
exten => 600,n,Playback(demo-echodone)
exten => 600,n,Goto(s,1)

[home]
exten => 301,1,Dial(SIP/test1)
exten => 302,1,Dial(SIP/test2)
include => demo

modules.conf

[modules]
autoload=yes

musiconhold.conf

[general]

[default]
mode=files
directory=moh

sip.conf

[general]
udpbindaddr=192.168.1.100:5060

mohinterpret=default
mohsuggest=default

[testuser](!)
type=friend
context=home
host=dynamic

[test1](testuser)
secret=pass1
callerid="test user 1" <301>
disallow=all
allow=g722,g926,ilbc,alaw

[test2](testuser)
secret=pass2
callerid="test user 2" <302>
disallow=all
allow=g722,g926,ilbc,alaw

  5. I’m not a programmer. Simple Linux home user.
    Spent so many hours on the wiki and Google.
    Configured logger.conf, ran `grep $SUSPICIOUSPORT /var/log/asterisk/debugfile.txt`, nothing. Played with sip.conf. Tried to disable module autoload and load only the important ones (cannot even make calls despite the efforts made to guess the necessary modules, ha-ha). Tried to send random data to those open ports (only get errors in the Asterisk console when sending to port 5060). Out of ideas.

I don’t see you disabling TCP or TLS with tcpenable=no and tlsenable=no in your sip.conf so chan_sip will bind all interfaces to handle traffic for those protocols.

You really should be using chan_pjsip and not chan_sip, it’s 2018, chan_sip doesn’t have a maintainer.

You didn’t provide your rtp.conf so it’s impossible to guess what ports asterisk is binding to for RTP.

I don’t see you disabling TCP or TLS with tcpenable=no and tlsenable=no

I tried AFAIR.

should be using chan_pjsip

OK. Where should I enable support for chan_pjsip? How do I disable chan_sip?

didn’t provide your rtp.conf

I don’t have one. Moved all default *.conf files to a backup directory. But the default rtp.conf has this commented line

Defaults are rtpstart=5000 and rtpend=31000

and those unknown ports are in the range 30000-60000.

Is there an absolute minimum modules.conf with autoload=no and only a few load=xxx.so lines, just for SIP calling (like #1 in the OP)?

You can add a noload line to your modules.conf to disable chan_sip.

You would need to compile Asterisk with pjsip if you did not enable it. Once you do, the autoloader should load it as long as you have configuration files for it.

I believe you need to have an RTP.conf

My suggestion is to keep using the autoloader but only compile the modules that you wish to have loaded.

to compile asterisk with pjsip if you did not to enable it

Turns out it was compiled when installed from AUR.

Changed modules.conf to disable chan_sip:

[modules]
autoload=yes
noload=chan_sip.so

Added rtp.conf:

[general]
rtpstart=10000
rtpend=20000

Changed extensions.conf (“SIP” to “PJSIP”):

[general]
static=yes
writeprotect=no

[demo]
exten => 600,1,Playback(demo-echotest)
exten => 600,n,Echo
exten => 600,n,Playback(demo-echodone)
exten => 600,n,Goto(s,1)

[home]
exten => 301,1,Dial(PJSIP/301)
exten => 302,1,Dial(PJSIP/302)
include => demo

New pjsip.conf:

[transportudp]
type=transport
protocol=udp
bind=192.168.1.100

[301]
type=endpoint
context=home
auth=auth301
aors=301

[auth301]
type=auth
auth_type=userpass
password=1234
username=301

[301]
type=aor
max_contacts=1

[302]
type=endpoint
context=home
auth=auth302
aors=302

[auth302]
type=auth
auth_type=userpass
password=5678
username=302

[302]
type=aor
max_contacts=1

Asterisk still listens on random ports (ss -ulpn):

State        Recv-Q     Send-Q          Local Address:Port          Peer Address:Port                                                                
UNCONN       27692      0               192.168.1.100:5060               0.0.0.0:*         users:(("asterisk",pid=1842,fd=12))              
UNCONN       0          0                     0.0.0.0:59234              0.0.0.0:*         users:(("asterisk",pid=1842,fd=10))              
UNCONN       0          0                        [::]:52155                 [::]:*         users:(("asterisk",pid=1842,fd=11))

  1. Now I cannot just call “301”. Linphone says “unknown error - not acceptable here”. Same with the other phone. I can call "301@192.168.1.102" (IP address of the other phone), but I hope there is a better way.
    Answer: enable some codecs (allow=all). Now I can call the “short” number 301.

Spent another twenty not so happy hours.

Stripped pjsip.conf to:

[transportudp]
type=transport
protocol=udp
bind=192.168.1.100:5061

[tranudp6]
type=transport
protocol=udp
bind=::1:25025

[transtls]
type=transport
protocol=tls
bind=192.168.1.100:25026

Disabled almost all pjsip .so modules (except res_pjsip.so and res_pjproject.so):

[modules]
autoload=yes

noload=chan_pjsip.so
noload=func_pjsip_aor.so
noload=func_pjsip_contact.so
noload=func_pjsip_endpoint.so
noload=res_hep_pjsip.so
noload=res_pjsip_acl.so
noload=res_pjsip_authenticator_digest.so
noload=res_pjsip_caller_id.so
noload=res_pjsip_config_wizard.so
noload=res_pjsip_dialog_info_body_generator.so
noload=res_pjsip_diversion.so
noload=res_pjsip_dlg_options.so
noload=res_pjsip_dtmf_info.so
noload=res_pjsip_empty_info.so
noload=res_pjsip_endpoint_identifier_anonymous.so
noload=res_pjsip_endpoint_identifier_ip.so
noload=res_pjsip_endpoint_identifier_user.so
noload=res_pjsip_exten_state.so
noload=res_pjsip_header_funcs.so
noload=res_pjsip_history.so
noload=res_pjsip_logger.so
noload=res_pjsip_messaging.so
noload=res_pjsip_mwi_body_generator.so
noload=res_pjsip_mwi.so
noload=res_pjsip_nat.so
noload=res_pjsip_notify.so
noload=res_pjsip_one_touch_record_info.so
noload=res_pjsip_outbound_authenticator_digest.so
noload=res_pjsip_outbound_publish.so
noload=res_pjsip_outbound_registration.so
noload=res_pjsip_path.so
noload=res_pjsip_phoneprov_provider.so
noload=res_pjsip_pidf_body_generator.so
noload=res_pjsip_pidf_digium_body_supplement.so
noload=res_pjsip_pidf_eyebeam_body_supplement.so
noload=res_pjsip_publish_asterisk.so
noload=res_pjsip_pubsub.so
noload=res_pjsip_refer.so
noload=res_pjsip_registrar_expire.so
noload=res_pjsip_registrar.so
noload=res_pjsip_rfc3326.so
noload=res_pjsip_sdp_rtp.so
noload=res_pjsip_send_to_voicemail.so
noload=res_pjsip_session.so
noload=res_pjsip_sips_contact.so
;noload=res_pjsip.so
noload=res_pjsip_t38.so
noload=res_pjsip_transport_websocket.so
noload=res_pjsip_xpidf_body_generator.so
;noload=res_pjproject.so

ss -ulpn (port 5060 is from chan_sip, which is enabled again):

State    Recv-Q    Send-Q         Local Address:Port        Peer Address:Port                                           
UNCONN   0         0              192.168.1.100:5060             0.0.0.0:*       users:(("asterisk",pid=4254,fd=15))    
UNCONN   0         0              192.168.1.100:5061             0.0.0.0:*       users:(("asterisk",pid=4254,fd=12))    
UNCONN   0         0                    0.0.0.0:58039            0.0.0.0:*       users:(("asterisk",pid=4254,fd=10))    
UNCONN   0         0                      [::1]:25025               [::]:*       users:(("asterisk",pid=4254,fd=13))    
UNCONN   0         0                       [::]:48441               [::]:*       users:(("asterisk",pid=4254,fd=11))

Asterisk still listens. But when I disable res_pjsip.so I get a nice clean output:

State    Recv-Q    Send-Q         Local Address:Port       Peer Address:Port                                            
UNCONN   0         0              192.168.1.100:5060            0.0.0.0:*        users:(("asterisk",pid=4009,fd=10))

Edit1:
Added “log_level=5” to pjproject.conf. Now I can see entries in the log for the ports from pjsip.conf:

[May 29 05:12:36] DEBUG[4340] pjproject: 	   udpv60x558a655face0 SIP UDP IPv6 transport started, published address is [::1]:25025
[May 29 05:12:36] DEBUG[4340] pjproject: 	           tlstp:25026 SIP TLS listener is ready for incoming connections at 192.168.1.100:25026
[May 29 05:12:36] DEBUG[4340] pjproject: 	     udp0x558a65971bc0 SIP UDP transport started, published address is 192.168.1.100:5061

But the random ports are still a mystery. Maybe pjsip triggers something in other modules?

How to overcome this problem? I almost gave up.
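To separate the listeners the configs in this thread account for from the ones they do not, here is an added audit script (not from the original posts or from Asterisk itself) that parses `ss -ulpn` rows and labels each asterisk socket as a configured SIP transport, an RTP port inside the rtpstart/rtpend range, or unexpected, flagging wildcard (0.0.0.0 / ::) binds that reach every interface. The expected binds and RTP range below are assumed from the sip.conf, stripped pjsip.conf and rtp.conf posted above.

```python
import re
from ipaddress import ip_address

# Constructed sample input: the `ss -ulpn` rows for the asterisk process shown above
# (header line omitted; column widths do not matter to the parser).
SAMPLE_SS = """\
UNCONN  0  0  192.168.1.100:5060  0.0.0.0:*  users:(("asterisk",pid=4254,fd=15))
UNCONN  0  0  192.168.1.100:5061  0.0.0.0:*  users:(("asterisk",pid=4254,fd=12))
UNCONN  0  0        0.0.0.0:58039  0.0.0.0:*  users:(("asterisk",pid=4254,fd=10))
UNCONN  0  0          [::1]:25025     [::]:*  users:(("asterisk",pid=4254,fd=13))
UNCONN  0  0           [::]:48441     [::]:*  users:(("asterisk",pid=4254,fd=11))
"""

# Assumed from the thread's configs: sip.conf udpbindaddr and the two UDP
# transports in the stripped pjsip.conf (the TLS transport is TCP, not in -u output).
EXPECTED_BINDS = {("192.168.1.100", 5060), ("192.168.1.100", 5061), ("::1", 25025)}
RTP_RANGE = (10000, 20000)  # rtpstart/rtpend from the rtp.conf posted above

ROW_RE = re.compile(r'^\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Turn `ss -ulpn` rows into dicts; brackets around IPv6 addresses are dropped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            addr, port, proc, pid = m.groups()
            rows.append({"addr": addr.strip("[]"), "port": int(port), "proc": proc, "pid": int(pid)})
    return rows

def classify(sock, expected=EXPECTED_BINDS, rtp=RTP_RANGE):
    """'sip' for a configured transport, 'rtp' inside rtpstart..rtpend, else 'unexpected'."""
    if (sock["addr"], sock["port"]) in expected:
        return "sip"
    if rtp[0] <= sock["port"] <= rtp[1]:
        return "rtp"
    return "unexpected"

def audit(text, proc="asterisk"):
    """Return (addr, port, label, wildcard) for every UDP socket owned by `proc`.
    wildcard=True means the bind is 0.0.0.0 or :: and is reachable on every interface."""
    return [(s["addr"], s["port"], classify(s), ip_address(s["addr"]).is_unspecified)
            for s in parse_ss(text) if s["proc"] == proc]

def unexpected(text, proc="asterisk"):
    """The sockets worth investigating: neither a configured transport nor RTP."""
    return [(a, p) for a, p, label, _ in audit(text, proc) if label == "unexpected"]

if __name__ == "__main__":
    for addr, port, label, wild in audit(SAMPLE_SS):
        print(f"{addr}:{port:<6} {label:10} {'ALL INTERFACES' if wild else ''}")
```

On a live host, feed it `ss -ulpn` output instead of the sample; any row labelled unexpected that is also a wildcard bind is the case discussed in this thread.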

PJSIP implements its own DNS client, which will result in it listening on some other ports in order to do DNS resolution.

Is it possible to disable this “feature”? If not, how dangerous is it when I have Asterisk bound to the OpenVPN interface (users should connect only through the VPN) and this “feature” connects on its own to the public static IP on the wild internet?

It’s not a feature, it’s a fundamental DNS resolution aspect. Without it you wouldn’t be able to use hostnames in chan_pjsip. There haven’t been any reported problems leaving it available.

be able to use hostnames in chan_pjsip

I don’t need this. User/password authentication should be enough in my own VPN network. My only concern is that Asterisk shows up where it shouldn’t be. Oh, by the way, my VPS has no firewall, is doing well, and I don’t have plans to install one.

While you may not need that, most people do, so no one has written such functionality to disable it or explored such a thing.

I think you have inexperienced security consultants, who use simplistic rules for deciding something is dangerous.

I, too, am concerned about the random high-numbered port listened on by Asterisk. I need a large number of RTP ports available and don’t like the idea of having Asterisk listening on a random port within that range.

Running Asterisk 15, I have tried both the built-in DNS resolver in PJSIP as well as res_resolver_unbound (https://blogs.asterisk.org/2016/08/10/res_resolver_unbound/). In both cases I can see how the DNS client talks to the DNS server(s), on different local ports every time (as expected).

The random port Asterisk continuously listens on must be something else. Can someone provide a reference to the PJSIP library feature, a source code pointer or some text describing why PJSIP listens on this port?

I guess the community at large would benefit from having this sorted out, enabling everyone to decide on the security implications for themselves.

The PJSIP source code is readily available from their website, as is the unbound source code. I haven’t looked at this in a few years so I do not recall where in the source code it would be. As previously mentioned from the original reporter, in their configuration it was PJSIP that was listening.

Not exactly true. I said