OBiTALK Community

General Support => Day-to-Day Use => Topic started by: lacibaci on September 06, 2012, 05:50:04 AM

Title: SIP scanners
Post by: lacibaci on September 06, 2012, 05:50:04 AM
Is there a way of preventing SIP scanners from ringing my phone at night?

I tried looking into X_AccessList to limit incoming calls only from Callcentric but the inability of OBi100 to specify a range makes it impossible (CC range is 204.11.192.0/22).

Maybe there is a way to restrict calls coming from registered server using X_InboundCallRoute?

[Obihai Support Response]

There are several ways to block SIP scanners. Here are two common ways:

1. A simple way to thwart SIP scanners is to change the SP1 X_UserAgentPort to a non-standard value, such as 35060.   If you have multiple SIP services running on your OBi, remember to make sure each SPn uses a different User Agent port. This trick will stop most SIP scanners if they are only targeting the commonly used port 5060.

2. A more fool-proof method is to enable the parameter: X_EnforceRequestUserID. This parameter is under SPn in the SIP Credentials section.   What this does, is it makes sure the incoming INVITE has a User ID that matches the User ID of your SIP service account. If it does not match, the INVITE will be rejected and the phone will not ring.  Enabling this parameter will maintain normal voice service as well as block SIP scanners. Notes:  Some service providers do not adhere to this rule. This parameter is not available on the OBi100 and OBi110 devices.

[End: Obihai Support Response]

Title: Re: SIP scanners
Post by: Ostracus on September 06, 2012, 07:42:41 AM
An idea. Some routers basically have a "parental" feature where one can turn on and off access to a particular IP address on a time basis. In this case it could be an Obi unit. Give your unit a static address and see if denying access during your night hours helps?
Title: Re: SIP scanners
Post by: lacibaci on September 06, 2012, 07:58:28 AM
Yes, I could do this.  I could also create a firewall rule to disable all traffic to OBi except Callcentric IP range.  I was hoping for a cleaner solution though.

It would be awesome if OBi had a setting "AllowCallsFromRegisteredServers"
Title: Re: SIP scanners
Post by: ianobi on September 06, 2012, 09:38:15 AM
It may be worth looking at Peer Number in Call History to see what the scanner's identity looks like. The scanners calling me at 2am used numbers like 100, 1000, 1001. I put this rule in one of my X_InboundCallRoute:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):} ...

It bans any blank caller id and any caller id less than seven digits. It's been working for me for a long time. Also can be worth changing your X_UserAgentPort from 5060 and 5061 to maybe 5070 and 5071.
Title: Re: SIP scanners
Post by: lacibaci on September 06, 2012, 04:54:47 PM
X_InboundCallRoute seems like a good enough temporary solution.  One more question: Does it get logged when it matches?
Title: Re: SIP scanners
Post by: ianobi on September 06, 2012, 11:14:21 PM
No. The failed calls do not get logged. In effect they do not get into your Obi, so nothing is recorded. You know it's working because you sleep better  :)
Title: Re: SIP scanners
Post by: lacibaci on September 07, 2012, 06:57:18 PM
Ok, something weird happened. I disabled SP2 and OBiTALK and I haven't gotten a single rogue ring.  Go figure...
Title: Re: SIP scanners
Post by: ianobi on September 08, 2012, 01:10:58 AM
It would be interesting to look in Call History to see exactly where the rogue calls were coming from. You have to access the OBi directly to see Call History. Dial ***1 to get the ip address. It will show the last 200 calls.
Title: Re: SIP scanners
Post by: lacibaci on September 08, 2012, 07:34:03 AM
It does show that all of them came through SP1.  Is it possible that having SP2 and OBiTALK enabled (even if not configured or used) opens the OBi100 enough that it is vulnerable to these scans?
Title: Re: SIP scanners
Post by: ianobi on September 08, 2012, 08:14:39 AM
Do the calls appear in your Callcentric log? I'm guessing probably not. I think the scanners are dialling random IP addresses and testing port 5060, which is default for most SIP devices and default for X_UserAgentPort on the OBi for sp1. You could change the X_UserAgentPort to 5070.

I cannot see any reason why enabling sp2 and OBiTALK should make any difference, but I'm not an expert with router type config settings.
Title: Re: SIP scanners
Post by: ProfTech on September 08, 2012, 10:51:56 AM
If disabling Obitalk solved your issue that's great, however even though the Obi doesn't allow the nomenclature 204.11.192.0/22 in the access list, I simply manually entered the addresses 204.11.192.20 thru .39 in my access list and haven't seen a problem. I think the field allows 512 characters and those are the only IP's I've seen pop up as registered. Just list the IP addresses with a comma separating each one and no spaces in the list.
Title: Re: SIP scanners
Post by: lacibaci on September 08, 2012, 04:39:59 PM
Ok. BTW, Callcentric just sent me their updated list:

204.11.192.0/24 (204.11.192.0 - 204.11.192.255)
66.193.176.0/24 (66.193.176.0 - 66.193.176.255)
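
Added example, not part of any post in this thread and not Obihai code: a Python check of whether an enumerated X_AccessList (comma-separated, no spaces, as described above) fits the field and stays inside the Callcentric ranges just listed. The 512-character limit is the figure one poster recalled, so it is treated as an assumption, and the function names are hypothetical.

```python
import ipaddress

# Assumption: field limit as recalled by a poster in this thread, not a documented value.
ACCESS_LIST_MAX_CHARS = 512

# Ranges Callcentric sent to the original poster (quoted from the thread).
PROVIDER_RANGES = [
    ipaddress.ip_network("204.11.192.0/24"),
    ipaddress.ip_network("66.193.176.0/24"),
]


def build_access_list(first, last):
    """Every address from first to last inclusive, comma-separated, no spaces."""
    start = int(ipaddress.ip_address(first))
    end = int(ipaddress.ip_address(last))
    if end < start:
        raise ValueError("last address is below first address")
    return ",".join(str(ipaddress.ip_address(n)) for n in range(start, end + 1))


def fits_field(access_list):
    """True if the list is short enough for the assumed field limit."""
    return len(access_list) <= ACCESS_LIST_MAX_CHARS


def max_consecutive(first):
    """How many consecutive addresses starting at `first` fit in the field."""
    start = int(ipaddress.ip_address(first))
    length, count = 0, 0
    while True:
        entry = str(ipaddress.ip_address(start + count))
        extra = len(entry) + (1 if count else 0)  # +1 for the separating comma
        if length + extra > ACCESS_LIST_MAX_CHARS:
            return count
        length += extra
        count += 1


def is_provider_address(addr):
    """True if addr falls inside one of the provider's published ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PROVIDER_RANGES)


def entries_outside_provider(access_list):
    """Entries that would admit traffic from outside the provider ranges."""
    return [a for a in access_list.split(",") if a and not is_provider_address(a)]


if __name__ == "__main__":
    manual = build_access_list("204.11.192.20", "204.11.192.39")
    print(len(manual), "chars, fits:", fits_field(manual))
    whole = build_access_list("204.11.192.0", "204.11.192.255")
    print(len(whole), "chars for one /24, fits:", fits_field(whole))
    print("consecutive addresses that fit from .20:", max_consecutive("204.11.192.20"))
    # 203.0.113.7 is a constructed documentation address, not from the thread.
    print("outside provider:", entries_outside_provider(manual + ",203.0.113.7"))
```

A single /24 does not fit in the assumed field size, which is why a router rule for the provider ranges is the usual place to express this restriction.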
Title: Re: SIP scanners
Post by: tome on September 09, 2012, 12:22:20 PM
Quote from: ianobi on September 06, 2012, 09:38:15 AM
It may be worth looking at Peer Number in Call History to see what the scanner's identity looks like. The scanners calling me at 2am used numbers like 100, 1000, 1001. I put this rule in one of my X_InboundCallRoute:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):} ...

It bans any blank caller id and any caller id less than seven digits. It's been working for me for a long time. Also can be worth changing your X_UserAgentPort from 5060 and 5061 to maybe 5070 and 5071.

I have gotten calls from odd numbers like "1" or "100" at stupid times.  I also get ones from "unknown" as well.  I would love to stop these.

First, for the X_InboundCallRoute are you talking about
Voice Services -> SP2 Service -> X_InboundCallRoute ?
And if so, I currently have "ph" (minus the quotes) in that place.  Should I leave ph or add it to the end of what you have or delete it....?

For example when I am done should it read as below?
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):ph}

Second, will this also stop the "unknown" calls?

Below are a couple calls from my log:
http://bgp.nu/~tom/pub/badcall1.jpg
http://bgp.nu/~tom/pub/badcall2.jpg
Title: Re: SIP scanners
Post by: lacibaci on September 09, 2012, 12:28:02 PM
If your current entry is ph or {ph} change it to:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph}

Lac
Title: Re: SIP scanners
Post by: tome on September 09, 2012, 12:31:45 PM
Quote from: lacibaci on September 09, 2012, 12:28:02 PM
If your current entry is ph or {ph} change it to:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph}

Lac


Thanks. Should I add this to both SP1 and SP2 or just SP2.  ph, says ring the Phone Port if I am not mistaken, yes?  So if I have it blank, as you do, is ph implied?

Also do you know how to also get rid of calls from "unknown"?

Tom
Title: Re: SIP scanners
Post by: lacibaci on September 09, 2012, 12:34:35 PM
If you have two providers set it for both, sp1 and sp2. I have only one (Callcentric) so I set it on sp1 only.
Title: Re: SIP scanners
Post by: ianobi on September 09, 2012, 11:37:47 PM
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well  :)
Title: Re: SIP scanners
Post by: tome on September 10, 2012, 04:24:15 AM
Quote from: ianobi on September 09, 2012, 11:37:47 PM
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well  :)

Yay, I will!  Thanks!
Tom
Title: Re: SIP scanners
Post by: kevin8629 on September 20, 2012, 10:44:55 AM
Quote from: ianobi on September 09, 2012, 11:37:47 PM
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well  :)
What am I doing wrong?  I keep cutting and pasting this into inbound call route.  I submit changes and then reboot.  It's there, but when I close the window or change screens it goes back to ph and the box is checked beside it again.  Please help
Title: Re: SIP scanners
Post by: ianobi on September 21, 2012, 12:52:13 AM
kevin8629,

I guess you are making changes using the web page. Your changes are being overwritten by the OBi Portal. Read this:

http://www.obitalk.com/forum/index.php?topic=61.msg109#msg109

I suggest you use the OBi Portal via the expert pages at least until you get familiar with the OBi. Click on your OBi device on the Dashboard and follow prompts to get to the Expert Pages.

I'm going to assume you do changes from the portal via the expert pages. To make a change to a value uncheck both boxes to the right of that value, leave them unchecked, make your changes, then press submit and wait for the OBi to reboot. Each page needs a submit/reboot before you move to another page.

Title: Re: SIP scanners
Post by: kevin8629 on September 21, 2012, 10:30:18 AM
Quote from: ianobi on September 21, 2012, 12:52:13 AM
kevin8629,

I guess you are making changes using the web page. Your changes are being overwritten by the OBi Portal. Read this:

http://www.obitalk.com/forum/index.php?topic=61.msg109#msg109

I suggest you use the OBi Portal via the expert pages at least until you get familiar with the OBi. Click on your OBi device on the Dashboard and follow prompts to get to the Expert Pages.

I'm going to assume you do changes from the portal via the expert pages. To make a change to a value uncheck both boxes to the right of that value, leave them unchecked, make your changes, then press submit and wait for the OBi to reboot. Each page needs a submit/reboot before you move to another page.



Thank you for your help and the link.  I was able to make the changes and I think I learned a little too ;D
Title: Re: SIP scanners
Post by: corporate_gadfly on September 23, 2012, 03:08:44 PM
Quote from: ianobi on September 09, 2012, 11:37:47 PM
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well  :)
Thanks in advance for any replies.

I have an obi202. The default X_InboundCallRoute for obi202 is ph,ph2.

So, keeping in mind that it is an obi202 and with the added requirement to reject calls from 1-800 numbers ala {(1800xx.|1888xx.):}, what changes should I make?

Would something like this be appropriate?
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{(1800xx.|1888xx.):},{ph,ph2}

Cheers,
Title: Re: SIP scanners
Post by: ianobi on September 24, 2012, 12:47:51 AM
corporate_gadfly,

Your format works fine, or you could just add to the original rule:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.|1800xx.|1888xx.):},{ph,ph2}

Each X_InboundCallRoute needs its own rule. The "standard" rule I proposed just happened to suit my set up. Looks like it is useful  to lots of other OBi users, but be careful not to ban callers you might want to talk to.
Title: Re: SIP scanners
Post by: flex25 on October 19, 2012, 03:27:53 PM
Thanks ianobi, I put your string in X_InboundCallRoute, and added 7, 8, and 9-digit numbers, because I am in a 10-digit calling area.  I also changed X_UserAgentPort to 5070 for SP1 and 5071 for SP2.  I tested at every step, and it all seems to be working. 

Does anyone know if it is possible to use an even more obscure port in the SIP port range of 5060 to 5080, such as 5078 or 5067?  Other users on this forum routinely recommend changing 5060 to 5070, but would any port number between 5060 and 5080 work?  Also, do people using SIP scanners check the port range 5060-5080, or must they check one port at a time?  If they can check a port range, it seems to me that they would check the full SIP range 5060-5080, and changing the port wouldn't stop them from ringing my phone.

Thanks.  I am hopeful these changes will stop the SIP scanners.
Title: Re: SIP scanners
Post by: QBZappy on October 19, 2012, 04:35:34 PM
flex25,

Quote from: flex25 on October 19, 2012, 03:27:53 PM
Does anyone know if it is possible to use an even more obscure port in the SIP port range of 5060 to 5080, such as 5078 or 5067?  Other users on this forum routinely recommend changing 5060 to 5070, but would any port number between 5060 and 5080 work?

I believe that X_UserAgentPort can be any port number you like. If you have ever looked at a sip trace you will be able to see ip:port number in the headers. You may need to test if you need port forwarding.

Sample wireshark trace (partial):
Eyebeam (Softphone) SUCCESSFUL

SUBSCRIBE sip:105@172.16.240.3:5080 SIP/2.0
Via: SIP/2.0/UDP 172.16.240.101:1614;branch=z9hG4bK-d8754z-3560f947510b5a43-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:105@172.16.240.101:1614>   <----------- Note the softphone user agent port number
To: "100Eyebeam"<sip:105@172.16.240.3:5080>
From: "100Eyebeam"<sip:105@172.16.240.3:5080>;tag=df48580b
Call-ID: ZGQxMGRkOTUwMWNjMjljOGI5Yjk2N2RkZjNkMWUwMGE.
CSeq: 2 SUBSCRIBE
Expires: 300
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 1102q stamp 51814
Authorization: Digest username="105",realm="5024",nonce="0079de5c",uri="sip:105@172.16.240.3:5080",response="87e08ac88637156c4fd2a098157408fa",algorithm=MD5
Event: message-summary
Content-Length: 0
Title: Re: SIP scanners
Post by: Kaytor on October 24, 2012, 06:09:27 PM
Does the inboundcallroute change potentially block a call back from a 911 operator? I'm not sure if the 911 callback would be 7 digits.
Title: Re: SIP scanners
Post by: adamb2k12 on November 01, 2012, 06:59:23 AM
That is a really good point Kaytor. We should definitely prepend this rule set with

{911:ph},

That will ensure that a call coming from 911 is allowed through.  I've only received bad calls from 3 digit numbers and 555-0000 so far, so my rule looks like this (now with the 911 rule):

{911:ph},{(xxx|555x.):},{ph}

This basically allows 911 no matter what, and blocks any other 3 digit # and anything starting with 555.
Title: Re: SIP scanners
Post by: QBZappy on November 01, 2012, 07:51:50 AM
Quote from: adamb2k12 on November 01, 2012, 06:59:23 AM
That will ensure that a call coming from 911 is allowed through. 

It's unlikely that the return CID will show up as 911. There is no easy solution for this. I think you might get various different CIDs such as UNKNOWN, PRIVATE, etc..
Title: Re: SIP scanners
Post by: CoalMinerRetired on November 01, 2012, 10:31:13 AM
Quote from: QBZappy on November 01, 2012, 07:51:50 AM
Quote from: adamb2k12 on November 01, 2012, 06:59:23 AM
That will ensure that a call coming from 911 is allowed through. 

It's unlikely that the return CID will show up as 911. There is no easy solution for this. I think you might get various different CIDs such as UNKNOWN, PRIVATE, etc..


I need to point out that the Obi -- at least IME on my Obi202 -- does not display PRIVATE, UNKNOWN or ANONYMOUS.  All I see are two blank lines, where the number and the name usually are. See this (http://www.obitalk.com/forum/index.php?topic=4275.0) and this (http://www.obitalk.com/forum/index.php?topic=4340.0).

If you are seeing a different behavior, reply in those linked threads.
Title: Re: SIP scanners
Post by: ianobi on November 01, 2012, 10:51:44 AM
I agree. I have never seen PRIVATE, UNKNOWN or ANONYMOUS showing up as a Peer Number in an OBi. However, OBi will accept all of those or any other combination of letters and numbers, and use it as a Peer Number for routing etc.

I guess it all depends on what the hundreds of service providers (or scammers using scanners) wish to send as a Caller ID. I have seen "TEST" sent, I'm not sure if that was scanners or a genuine test call arriving at the wrong place!


Title: Re: SIP scanners
Post by: rsriram22 on November 04, 2012, 07:44:05 AM
Quote from: ianobi on September 06, 2012, 09:38:15 AM
It may be worth looking at Peer Number in Call History to see what the scanner's identity looks like. The scanners calling me at 2am used numbers like 100, 1000, 1001. I put this rule in one of my X_InboundCallRoute:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):} ...

It bans any blank caller id and any caller id less than seven digits. It's been working for me for a long time. Also can be worth changing your X_UserAgentPort from 5060 and 5061 to maybe 5070 and 5071.

I just had calls coming from 1000, 100 (during my daytime and a holiday). I did change the call route as suggested in this thread and changed my SP2 port, so let's see what happens.

what is weird is that syslog has entries coming from my obi's LAN IP (Lan 192.168.1.x) -- hackers are getting smarter by the day! obi calling itself !!
Title: Re: SIP scanners
Post by: Hortoristic on November 08, 2012, 10:16:27 AM
These SIP scanner calls, how do you know you're getting them?  When you answer, it just hangs up?

I'm getting calls from "From '0' SP1(0)" in my call history, and hangs up right away - does this look like a SIP scanner?

Also; what is the purpose of these folks doing this - are they collecting real phone numbers to give to telemarketers or what?  Wouldn't a robo call machine function the same way and just sit there and call a range of numbers, collecting the ones that were answered?
Title: Re: SIP scanners
Post by: ianobi on November 08, 2012, 11:03:34 AM
Who and why is not easy to answer  ???  Is this really what you see in Call History > Peer Number:
From '0' SP1(0)
If so, then that's a new one! If it is an ongoing nuisance you could try something like this in the relevant InboundCallRoute:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|Fro@@.):},{ph}

See earlier in this thread for explanations.
Title: Re: SIP scanners
Post by: giqcass on November 09, 2012, 04:04:42 PM
Even SIP devices can be used to hack your internal network if they aren't set up properly.  When someone is port scanning that's usually what they are trying to do.  They might not be looking for a SIP device at all.  They may be scanning all ports.  They may be looking for a specific SIP device that has a vulnerability.  Then they can hijack it to make outbound calls, steal passwords, etc.  The one thing you can be pretty sure of is whatever they plan to do it isn't going to benefit you.
Title: Re: SIP scanners
Post by: QBZappy on November 09, 2012, 06:48:14 PM
giqcass,

You wonder why these guys just don't get themselves a free GV account. It would save everyone a lot of work.  :D
Title: Re: SIP scanners
Post by: Hortoristic on November 10, 2012, 09:32:02 PM
Don't they just need to push out a valid caller id  to bypass this string?
Title: Re: SIP scanners
Post by: ianobi on November 11, 2012, 03:51:20 AM
Hortoristic,

That's true, but oddly they don't seem to do that very often. Users still report Caller IDs of "1000", "100" etc. Experience seems to show that some version of that string and changing X_UserAgentPort from 5060, 5061 etc  to maybe 5070, 5071 etc seems to work.
Title: Re: SIP scanners
Post by: Hortoristic on November 11, 2012, 07:15:44 AM
Are we limited to what VoIP Ports we can use, can we use some really weird port numbers?
Title: Re: SIP scanners
Post by: ianobi on November 11, 2012, 07:54:43 AM
I once asked Stewart exactly that question (he knows more about routers etc than me). He said in theory you can use any port you wish. I assume it has to be one not being used for something else.
Title: Re: SIP scanners
Post by: Hortoristic on November 11, 2012, 08:21:46 PM
Someone posted this below, I see they mentioned it would ban among other things, numbers less than seven digits - but my SIP account is mainly used for incoming UK numbers - such as 447833384589, will using below string ban this also - I don't want it to:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".
Title: Re: SIP scanners
Post by: giqcass on November 11, 2012, 10:48:49 PM
@QBZappy  I must say I am very happy with Google Voice on the OBI but I do like to keep an incoming SIP backup in case there is an issue with Google Voice.  I like redundancy.  Google likes to change things and it may break functionality.  I would think requiring registration would stop that issue but even when I allowed my PAP2 to take unregistered connections I never had the problems being described here. 

I'm sure we will see an increase in this type of activity due to the increased popularity of VOIP.  If the scanner is looking for SIP specific devices putting it in on another port should work.  VOIP should work on any port that isn't being used.  Here are a few ports that should not cause conflicts.
5076-5078
5364-5396
5457-5460
5466-5499
5507-5552
5586-5596
47809-47999

Here is a list of commonly used and unused ports. http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xml
Title: Re: SIP scanners
Post by: ianobi on November 12, 2012, 05:48:27 AM
Hortoristic,

So long as the incoming Caller ID, shown as Peer Number in OBi Call History, has more than six digits, then it will be fine.

I'm still using the original string:
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph}
I designed it that way as I need to accept some seven-digit Caller IDs. Other users have added and changed to suit their own situations.

You may simply want to try changing the UserAgentPort to one suggested by giqcass. That worked for me for a while, but not in the long run. Maybe I should have picked a more obscure port number.
Title: Re: SIP scanners
Post by: Hortoristic on November 12, 2012, 06:43:12 PM
I'm not the smartest tool in the shed, so can someone explain how the SIP scanner is coming in on SP1 - when I have SP1 set up for GV? - the SIP account I have set up is actually on SP2, but my call history when the scanner calls is as:

Call History:
From '1' SP1(1)

So the {(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph} string should be put into both X_InboundCallRoute for both SP1 and SP2 I'm assuming?

All my testing seems to show that a (on purpose SIP call from one of my UK DID's) SIP call is ringing one port above whatever SP1 is - I think my SP2 is port 5062, I never could get the first port to ring and thought this was because it was configured with GV.
Title: Re: SIP scanners
Post by: Hortoristic on November 13, 2012, 10:30:17 AM
Will blocked calls show up in my call history still, proving my X_InboundCallRoute is working?
Title: Re: SIP scanners
Post by: ianobi on November 14, 2012, 03:36:33 AM
Hortoristic,

Here is my limited understanding of what is going on. The SIP scanners are testing millions of IP addresses and at each address they test port 5060. The nuisance calls are not coming in via your service providers, but direct to your ip address/port, so it does not matter what service provider is say on sp1. In the Obi UserAgentPort for sp1 is 5060 by default. This is the one to change to some random port as posted above. I think some scanners may also look at 5061 and 5070, as I got caught using them. Using non-default ports and the above string has worked for me.

I don't have an Obi202, so I'm curious about the Call History. You say yours shows: "From '1' SP1(1)" – does this indicate a Caller ID of "1"? If so, then the |x| rule in the string will stop it and any other single-digit Caller ID.

Blocked calls will not show up in Call History, as effectively the calls are not getting into the Obi.
Title: Re: SIP scanners
Post by: Hortoristic on November 18, 2012, 12:07:24 AM
So I've been using {(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph} string, and now I'm getting calls from FROM 'user1' SP1(user1)
Title: Re: SIP scanners
Post by: ianobi on November 18, 2012, 05:04:23 AM
Hortoristic - I'm beginning to think that you may be the scanners' number 1 target  ;) The war against scanners goes on! I've been thinking about changing the original blocking string for a while. I have decided on the following:

{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}

It blocks anonymous calls and any Caller ID with one to six alphanumeric characters. I've tested, it does block "user1". If you wish you can add more combinations of seven or more @, I stopped at six because I needed to accept seven-digit Caller IDs.
Title: Re: SIP scanners
Post by: lacibaci on November 18, 2012, 07:35:13 AM
Quote from: Hortoristic on November 18, 2012, 12:07:24 AM
So I've been using {(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph} string, and now I'm getting calls from FROM 'user1' SP1(user1)

Same here. I just added user1 to the list:
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|user1):},{ph}
Title: Re: SIP scanners
Post by: Hortoristic on November 18, 2012, 09:13:03 AM
Thanks guys - what I haven't made time for is to change to obscure port yet too.  Just so busy with life - this is our business number too - so I'm also scared of losing legitimate sales by blocking too much...

One more question; is this happening to everyone, even folks that just use GV - is this because I am using a SIP dialed number as well as other SP's?
Title: Re: SIP scanners
Post by: thegoat54 on December 13, 2012, 05:17:06 AM
Can anyone tell me if the string that we're putting in

{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}

blocks phone numbers less than the number of @'s? Or is it blocking people's Caller ID NAMES less than that?


Also so I can just change the port X_UserAgentPort to let's say 5076? And make sure I forward that port on my router to my Obi? I don't have to change the port anywhere else do I? Like the KeepAliverServerPort?

Thank you
Title: Re: SIP scanners
Post by: ianobi on December 13, 2012, 05:55:33 AM
{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}

It blocks anonymous calls and any Caller ID with one to six alphanumeric characters. For example @@@@@ blocks callerIDs with five alphanumeric characters: user1, 12345, abc23, Peter.

Each @ is one alphanumeric character - one letter or one number. If you only want to block numbers, then use x in place of @

Yes, simply change X_UserAgentPort and forward in your router. No other change is needed.
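
Added example, not part of any post in this thread and not Obihai code: a small Python evaluator for the subset of X_InboundCallRoute syntax used in this thread, for checking a rule against Peer Numbers from Call History before applying it, so that wanted callers are not banned by accident. It follows the semantics the posters describe (`?` blank caller ID, `x` one digit, `@` one alphanumeric character, empty destination means the phone does not ring) and adds three assumptions not stated in the thread: rules are tried left to right with the first match winning, a trailing `.` means zero or more repeats of the preceding element, and matching is case-sensitive.

```python
import re

# Semantics assumed for the subset of X_InboundCallRoute syntax seen in the thread:
#   {callers:dest}  rules are tried left to right, first match wins (assumption)
#   empty dest      the call is rejected (phone does not ring)
#   {dest}          no caller pattern: matches every caller
#   ?  blank caller ID    x  one digit    @  one alphanumeric character
#   .  zero or more repeats of the preceding element (assumption)
REJECTED = ""


def pattern_to_regex(pattern):
    """Translate one caller pattern (e.g. 'un@@.') into a compiled regex."""
    if pattern == "?":
        return re.compile("")  # only the empty caller ID full-matches
    parts = []
    for ch in pattern:
        if ch == "x":
            parts.append("[0-9]")
        elif ch == "@":
            parts.append("[A-Za-z0-9]")
        elif ch == ".":
            if not parts or parts[-1] == "*":
                raise ValueError(f"'.' has nothing to repeat in {pattern!r}")
            parts.append("*")
        else:
            parts.append(re.escape(ch))  # literal, case-sensitive (assumption)
    return re.compile("".join(parts))


def parse_route(route):
    """Return [(patterns or None, destination)] for each {...} rule, in order."""
    bodies = re.findall(r"\{([^{}]*)\}", route) or [route]  # bare 'ph' has no braces
    rules = []
    for body in bodies:
        callers, colon, dest = body.partition(":")
        if not colon:  # '{ph}' or '{ph,ph2}': catch-all rule
            rules.append((None, body.strip()))
            continue
        callers = callers.strip()
        if callers.startswith("(") and callers.endswith(")"):
            callers = callers[1:-1]
        patterns = [pattern_to_regex(p.strip()) for p in callers.split("|")]
        rules.append((patterns, dest.strip()))
    return rules


def route_call(route, caller_id):
    """Destination for caller_id, REJECTED if blocked, None if no rule matched."""
    for patterns, dest in parse_route(route):
        if patterns is None or any(p.fullmatch(caller_id) for p in patterns):
            return dest
    return None


def audit(route, caller_ids):
    """Map each caller ID to 'blocked' or to the destination it would ring."""
    result = {}
    for cid in caller_ids:
        dest = route_call(route, cid)
        result[cid] = "blocked" if dest == REJECTED else dest
    return result


# Routes quoted from posts in this thread.
DIGITS_ONLY = "{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph}"
ALNUM = "{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}"
WITH_NAMES = "{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}"
OBI202 = "{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.|1800xx.|1888xx.):},{ph,ph2}"
ALLOW_911 = "{911:ph},{(xxx|555x.):},{ph}"

# Peer Numbers reported in the thread, plus one constructed toll-free number.
SAMPLE_IDS = ["", "1", "100", "1000", "user1", "unknown", "anonymous",
              "447833384589", "18005550100"]

if __name__ == "__main__":
    for name, route in [("DIGITS_ONLY", DIGITS_ONLY), ("ALNUM", ALNUM),
                        ("WITH_NAMES", WITH_NAMES), ("OBI202", OBI202)]:
        print(name, route)
        for cid, verdict in audit(route, SAMPLE_IDS).items():
            print(f"  {cid!r:>16} -> {verdict}")
```

Under these assumptions the six-`@` rule blocks "user1" but not the seven-letter "unknown", which only the `un@@.` alternative catches.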
Title: Re: SIP scanners
Post by: thegoat54 on December 13, 2012, 06:02:56 AM
Thank you for your reply. I get it now.

I'm just finding the string to be possibly problematic. Let's say I have a Chinese friend named Hong Woo.

His Caller ID might say " H Woo". So he would be blocked by this.
Title: Re: SIP scanners
Post by: ianobi on December 13, 2012, 07:07:54 AM
Yes, it may need some fine tuning for your setup. I've looked at your Call History post. This would have stopped all of those unwanted calls:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|555xx.|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, any Peer Number starting 555, Peer Number "unknown" and Peer Number "anonymous".

In your OBi110 Call History it is what appears in Peer Number that matters. Peer Name has no effect.

With a blocking string to suit your setup and changing all X_UserAgentPorts (sp1 and sp2 in your case), you should not be bothered by nuisance calls.
Title: Re: SIP scanners
Post by: thegoat54 on December 13, 2012, 07:18:52 AM
wow. Thanks for the help.

I just disabled SP2 this morning. I only have 1 phone number. So that should take care of that end.

Thank you again! Big Help
Title: Re: SIP scanners
Post by: Hortoristic on December 13, 2012, 08:54:37 AM
Using similar string I was able to stop all scanners. I'm still using default Ports too - just hadn't got around to changing them
Title: Re: SIP scanners
Post by: carl on December 13, 2012, 12:01:04 PM
A thing which concerns me is that caller ID sometimes does not come over properly on calls from overseas, especially if people use certain cheap voip services there; you just get a few nonsensical numbers. Wonder whether to take the chance.
Messing with ports is not an option for me, the U-verse gateway will not cooperate with VOIP unless put into DMZ.
On the other hand, I have to get rid of the scanners. I am already turning off everything overnight or when on the road. :(
Title: Re: SIP scanners
Post by: Hortoristic on December 13, 2012, 12:58:21 PM
You just need to modify the string for the correct number of digits. Our UK incoming always begins with 44xxxxxxxx, or similar, so you build a rule that had your appropriate country code and exact number of digits. All my scanner numbers seem to have been less than 5 digits. I've posted my string earlier that has completely blocked them and we receive overseas calls ok.
Title: Re: SIP scanners
Post by: carl on December 13, 2012, 01:43:17 PM
@hortoristic. the problem can occur when the people use a calling card or some voip services- I guess the name was Freecall where I got the short and nonsensical ID's. But you are right about the 5 digits or less with SIP scanners and I will probably take the chance. I let people know that if their calls get blocked they should e-mail me or use a regular carrier.
Title: Re: SIP scanners
Post by: ianobi on December 15, 2012, 01:08:32 AM
@ carl. I don't know anything about the U-verse gateway, but I often run my OBi110 in DMZ and changing UserAgentPorts is still a very good idea. If port 5060 is not allocated to your Obi the scanner calls to 5060 will not call your OBi phone. To try it you only have to change the UserAgentPorts in your OBi; if the OBi is in DMZ then there is no need to change any router settings.

Title: Re: SIP scanners
Post by: flex25 on December 25, 2012, 08:29:13 PM
Update:  It's been over two months since I made changes to X_InboundCallRoute, and X_UserAgentPort, and in that time, I have had no SIP scanner calls.  So, I do believe it's working.

The changes I made I posted on this thread on Oct. 19; incoming calls with no peer number or a peer number of less than 10 digits are blocked, and I'm no longer using the common 5060 user agent port.
Title: Re: SIP scanners
Post by: Hortoristic on December 27, 2012, 12:08:19 PM
Using this setting below; in my X_InboundCallRoute - I have not had one single SIP scanner get through in a few months.  I'm even still using the default 5060 + ports.  I receive calls from UK, Canada and USA just fine.

{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}
Title: Re: SIP scanners
Post by: lacibaci on December 27, 2012, 06:22:57 PM
I wish I could say the same. I had to modify mine:

{asterisk:},{'asterisk':},{('asterisk'):},{(?|@|@@|@@@|@@@@|@@@@@|ipphone|un@@.|anon@@.):},{ph}

The only true solution is if OBi implements one of the features mentioned here:
http://www.obitalk.com/forum/index.php?topic=4873.0

Title: Re: SIP scanners
Post by: Felix on January 17, 2013, 11:39:53 PM
I have obihai logs forwarded to my linux server, and I found something interesting there. Here is what I get:

CCTL:NewCallOn Term 1[0] ->,00972592573636
[SLIC] Command: 0, 3, 0, 0, 4, 1086051296,
[SLIC] CID to deliver: '201' 201
[SLIC] Command: 0, 4, 5, 0, 0, 0,
[SLIC] Command: 0, 1, 1, 0, 0, 0,
[SLIC] Command: 0, 11, 0, 0, 0, 0,
CCTL:NewCallOn Term 1[1] ->,00972592573636
[SLIC] Command: 1, 3, 0, 0, 4, 1086051296,
[SLIC] CID to deliver: '201' 201
[SLIC] Command: 1, 4, 5, 0, 0, 0,
[SLIC] Command: 1, 1, 1, 0, 0, 0,
[SLIC] Command: 1, 11, 0, 0, 0, 0,
[SLIC] Command: 0, 10, 2, 0, 0, 0,
[SLIC] Command: 1, 10, 2, 0, 0, 0,
PARAM Cache Write Back(256 bytes)
[SLIC] Command: 0, 10, 4, 0, 0, 0,
[SLIC] Command: 1, 10, 4, 0, 0, 0,
[SLIC] Command: 0, 10, 3, 0, 0, 0,
[SLIC] Command: 1, 10, 3, 0, 0, 0,
[SLIC] Command: 0, 10, 3, 0, 0, 0,
[SLIC] Command: 1, 10, 3, 0, 0, 0,
CCTL:NewCallOn Term 1[0] ->,011972592573636
CCTL:NewCallOn Term 1[1] ->,011972592573636
SIP DLG reject: 486

In other words, it's not just a scanner, but it looks like an attempt to make an outgoing call to Palestinian territories in Israel (972-59 number). I don't know what these SLIC commands mean. CID to deliver is the CID I saw on the phone screen. An entry in call history also says From '201' SP1(201).

Obviously, there is no record of such call on my VSP call history - so it is clearly a call directly to my IP address port 5060
Title: Re: SIP scanners
Post by: johnpane on January 20, 2013, 08:40:26 AM
If I have my OBi behind a firewall and have not opened any ports for it (5060 or otherwise), will this avoid problems with these SIP scanners?

Thanks,
John
Title: Re: SIP scanners
Post by: Felix on January 20, 2013, 10:07:48 AM
The short answer is "No". Opening ports through firewall has no relevance on the issue.

When OBi registers with the provider it establishes a connection and thereby opens a port. Note, it is not unique to OBi - your Skype or any IM program does the same. Otherwise you wouldn't be able to receive calls / IM messages.

Hope that clarifies.
Title: Re: SIP scanners
Post by: shap on January 27, 2013, 10:07:32 PM
I think you are not correct. OBi device can not open any port (unless you are using PnP). What it does is connecting to the SIP server and maintaining an "open"  connection to it. But even in this case you can miss some of your calls.

In general, you should open 5060 port (or any other you assigned) from your SIP provider to Obi device.

To block scanners or any hacking on this port, you should create a rule in router that accept traffic to port 5060 only from the IP of your SIP provider. This way you will eliminate night "calls" or possibility to hack your device.
Title: Re: SIP scanners
Post by: Hortoristic on January 28, 2013, 07:37:47 AM
What does that rule look like for gv?
Title: Re: SIP scanners
Post by: Felix on January 30, 2013, 10:14:20 PM
I assume that "you are not correct" is addressed to me ;)
Quote from: shap on January 27, 2013, 10:07:32 PM
OBi device can not open any port. What it does is connecting to the SIP server and maintaining an "open"  connection to it.
Isn't it the same thing?

Quote
But even in this case you can miss some of your calls.
Only if firewall for some reason closes the port before device is re-registering... or something... I've never seen it happen.

Quote
In general, you should open 5060 port (or any other you assigned) from your SIP provider to Obi device.
Never had a need for it! I opened a few times for troubleshooting; confirmed that opening the port makes no difference, and closed it back. You are not opening ports for Skype, or for any of your IM clients - no need here, either.

Quote
To block scanners or any hacking on this port, you should create a rule in router that accept traffic to port 5060 only from the IP of your SIP provider. This way you will eliminate night "calls" or possibility to hack your device.
I would be a little nervous... Google is not going to inform you if they change IP; moreover, I think there are several IPs that they use. Finally, my router is part of my AT&T U-Verse modem, and what you are describing is just impossible.

As this long thread indicates, there are several ways to accomplish that; with different levels of success. In my case scanning was on port 5060 only; so I switched SP1 to 5064, and scanning stopped.
Title: Re: SIP scanners
Post by: Phillip on February 03, 2013, 11:50:39 PM
Hi,

Rank newbie here. So am I to presume that xxxxxxxxxx@sip.voice.google.com where Xs represent your GV number, will not work for a Google IP addr?
Title: Re: SIP scanners
Post by: Felix on February 04, 2013, 11:26:30 AM
Quote from: Phillip on February 03, 2013, 11:50:39 PM
Hi,

Rank newbie here. So am I to presume that xxxxxxxxxx@sip.voice.google.com where Xs represent your GV number, will not work for a Google IP addr?
Phillip,
Do you mind starting a new thread? When you do, please explain what you are trying to do. As stated, your question is very difficult to answer...
Title: Re: SIP scanners
Post by: Phillip on February 05, 2013, 01:18:23 AM
Sorry Felix, I was just trying to follow along with the conversation between you and Shap and my question was framed within the context of the discussion about a firewall exception. But upon further reflection, I think I see what you are saying about a port address being open or closed as being irrelevant. The exception is created at the time of installation, is it not?

I am a little perplexed though, because it seems that without running some rather sophisticated software, there is little that we, the lowly user can do to thwart high-end scanner attacks. Is this a correct assumption? Is there a 'best practices' that we should be reading?

Phillip

Quote from: Felix on February 04, 2013, 11:26:30 AM
Quote from: Phillip on February 03, 2013, 11:50:39 PM
Hi,

Rank newbie here. So am I to presume that xxxxxxxxxx@sip.voice.google.com where Xs represent your GV number, will not work for a Google IP addr?
Phillip,
Do you mind starting a new thread? When you do, please explain what you are trying to do. As stated, your question is very difficult to answer...
Title: Re: SIP scanners
Post by: themessiah on February 14, 2013, 12:34:51 PM
I have 4 GV numbers on a 202 ... if I add this to sp1 will that be good for all 4 numbers?

and

It seems it hangs up on the caller, that correct ?

thanks

Quote from: ianobi on September 09, 2012, 11:37:47 PM
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well  :)
Title: Re: SIP scanners
Post by: ianobi on February 15, 2013, 06:16:08 AM
If added to sp1, then that string only protects sp1. You may find that's ok as the default UserAgentPort for sp1 is 5060. 5060 is the standard "SIP Listening Port" throughout the SIP world, so it's likely to get scanned most. Although GV does not use SIP and GV ignores UserAgentPort, scanners still get in as they target ipaddress:port, they do not come in via GV.

Have a read back through this thread and you will find suggestions for changing UserAgentPort.

The caller should get fast busy and does not get access into your OBi.


Title: Re: SIP scanners
Post by: Hortoristic on February 15, 2013, 07:51:19 AM
Again, since changing my setting below, I have had zero bad calls in months

{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}
Title: Re: SIP scanners
Post by: thegoat54 on February 20, 2013, 04:30:24 AM
Hi everyone,

So I haven't been bothered by calls for a while by using this string.

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|xxxxxxx|xxxxxxxx|xxxxxxxxx):},{ph}

Keep in mind I was still using port 5060.

This morning I had the mother of all attacks. In the past, I would receive 1 SIP call and then it would stop. Today someone kept on trying!! I got calls with the following ID's

user1, administrator, admin, admin1, admin12, admin123, admin1234, admin12345, office, office1, office12, office123, office1234, office12345, guest, guest1,guest12

And then I logged in and changed my SP1 port to 5076, and SP2 port to 5077 and then the calls stopped.

Wow, talk about abusive. I wonder how long it would have gone for?

Anyhow, all these names came up with no number attached to them. Just a caller ID name. Can we block names without numbers?
Title: Re: SIP scanners
Post by: ianobi on February 20, 2013, 05:54:07 AM
thegoat54,

Scan back to reply #50 in this thread.

"@" will match one number or one letter, "@." will match none or more numbers or none or more letters. For example admin@. will block all of the cases you saw beginning with the letters "admin".
Title: Re: SIP scanners
Post by: Hortoristic on March 20, 2013, 02:39:35 PM
I'm using: {(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|xxxxxxx|xxxxxxxx|xxxxxxxxx):},{ph}

However I do want to accept calls from "Unknown" (work work office) - what can I change?


Quote from: thegoat54 on February 20, 2013, 04:30:24 AM
Hi everyone,

So I haven't been bothered by calls for a while by using this string.

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|xxxxxxx|xxxxxxxx|xxxxxxxxx):},{ph}

Keep in mind I was still using port 5060.

This morning I had the mother of all attacks. In the past, I would receive 1 SIP call and then it would stop. Today someone kept on trying!! I got calls with the following ID's

user1, administrator, admin, admin1, admin12, admin123, admin1234, admin12345, office, office1, office12, office123, office1234, office12345, guest, guest1,guest12

And then I logged in and changed my SP1 port to 5076, and SP2 port to 5077 and then the calls stopped.

Wow, talk about abusive. I wonder how long it would have gone for?

Anyhow, all these names came up with no number attached to them. Just a caller ID name. Can we block names without numbers?
Title: Re: SIP scanners
Post by: oleg on March 20, 2013, 03:21:43 PM
I've also received scanner calls on OBI202 and am trying to filter them out.
First of all - I am running OBi202 on custom port (let's say 5078), but scanners finally got there :-(
I do not like the idea to guess about caller id (the way discussed above), this way I would potentially filter out legitimate calls. I would rather match callee id.
This should be possible to do, as explained in "Inbound Call Route Configuration" of "OBi Device Administration Guide"...

"SIP URI" is the address which your peer sends in "invite" request to call you: like this "INVITE sip:123456789@12.34.56.78:5078 SIP/2.0..."

If my SIP URI was "123456789@sip.myhost.com:5078" - I could set X_InboundCallRoute as ">123456789:ph1,ph2" - then only a call with correct URI would pass through. I tried this and it worked.
However, my SIP URI includes letters, for example "myname@sip.myhost.com:5078" or "123456_name@sip.myhost.com:5078". Simply putting alphanumeric id (>myname:ph1,ph2) did not work. I've tried some wildcards like ">12345_@.:ph1,ph2" or ">[mynae].:ph1,ph2" – nothing worked. I did not succeed to make the filter working with non-numeric id.

Has anybody tried / used it? Any ideas?

Thank you
Title: Re: SIP scanners
Post by: Shale on March 20, 2013, 03:32:20 PM
Quote from: oleg on March 20, 2013, 03:21:43 PM
">12345_@.:ph1,ph2"
I would try ">'12345_'@.:ph1,ph2" or ">'mynae'@.:ph1,ph2"

or some such... Actually I don't know what it is you are trying to match, but in any case, try single quotes. The admin guide says "'literals' - Everything inside a pair of single quotes is treated as a literal except for the single quote (') character. "
Title: Re: SIP scanners
Post by: oleg on March 20, 2013, 04:10:55 PM
I've tried single quotes (sorry, forgot to mention) - it did not work.
In other words Inbound Call Route ">'myname':ph1,ph2'" blocks call to "myname@12.34.56.78:5078".
Now I've tried to use double quotes - the result was quite surprising - filter allowed everything to come through (either matching or not).
Does not work anyway...
Title: Re: SIP scanners
Post by: QBZappy on March 20, 2013, 04:36:55 PM
oleg,

Nice to see you back on the forum. The IQ of the forum just spiked off the charts.

Our good friend in the UK ianobi came up with something I used in another use case which may be of interest in your setup.
   
([^*+]@@[^+].<+:@>@@.|[^*]@@.'@'@@.)

How to set up Music on hold (MOH) (the easy way)
http://www.obitalk.com/forum/index.php?topic=5180.msg33593#msg33593
Title: Re: SIP scanners
Post by: oleg on March 20, 2013, 07:05:00 PM
Hi QBZappy,
I am glad to see you again :-)

I am afraid you overrate me, I was staring at ianobi's "bizarre digitmap" like a fool :-)
Well, I guessed what that map could do, but I couldn't think how it may help in my case...

Anyway, I found the solution. The parentheses did the trick.
>'myname':ph1,ph2           <- does NOT work
>('myname'):ph1,ph2         <- works!

My final inbound call route is ">('myname'|123456@.):ph1" and it allows both "myname@sip.myhost.com:5078" and "123456_name@sip.myhost.com:5078", while rejecting scanner calls like the following (these are real calls ringing my phone last night):

3/20/2013 2:19:10 AM    INVITE sip:+972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:14 AM    INVITE sip:0972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:14 AM    INVITE sip:00972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:17 AM    INVITE sip:000972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:17 AM    INVITE sip:0000972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:20 AM    INVITE sip:00000972592280470@12.34.56.78:5078 SIP/2.0
.......

---oleg
Title: Re: SIP scanners
Post by: Mango on March 21, 2013, 07:24:36 AM
Excellent!  This is a great solution that I hope will one day become the default setting.

Is there any way we could do this with a variable, so that changing AuthUserName resulted in the DigitMap changing?

I got such an example to work with a User Defined Macro and $VoiceService.1.VoiceProfile.1.Line.1.SIP.AuthUserName, but I think my solution is actually less convenient.  Can it be done without the Macro?
Title: Re: SIP scanners
Post by: Hortoristic on March 21, 2013, 08:32:23 AM
Getting a bit lost on your examples - and I'm even a software engineer by trade!

You said: My final inbound call route is ">('myname'|123456@.):ph1" and it allows both "myname@sip.myhost.com:5078" and "123456_name@sip.myhost.com:50

What exactly am I doing with your snippet: ">('myname'|123456@.):ph1" ?

I have a couple SIP accounts, one is Callcentric and one is from 3C Softswitch in UK - by just putting your above snippet ">('myname'|123456@.):ph1" in InboundCallRoute, it will auto replace myname with the correct SIP info (either Callcentric or 3C Softswitch)?
Title: Re: SIP scanners
Post by: Mango on March 21, 2013, 08:34:06 AM
I believe the InboundCallRoute for Callcentric would be: (obviously, replace 1777xxxxxxx with your actual 1777 number.)

>('1777xxxxxxx'):ph1

Does that work?
Title: Re: SIP scanners
Post by: Hortoristic on March 21, 2013, 08:42:15 AM
I will try - what does the other code the poster added do the |123456@. part within his example of ">('1777xxxxxxx'|123456@.):ph1"?

And just to clarify; my GV account will never get SIP scanners because it's not a SIP account?  I only need to adjust only my SIP accounts with this type of string?  Since I'm forwarding my GV to Callcentric to get free caller name, I believe Callcentric and my UK DID is where all my scanner calls are originating.
Title: Re: SIP scanners
Post by: Mango on March 21, 2013, 08:46:32 AM
My interpretation is he receives call via SIP URI and via VoIP.ms.  Depending on how your UK DID is routed to your OBi, you could use the same format.

I haven't yet heard of spam calls via a service provider configured for Google Voice.  But you can check Call History to be sure.
Title: Re: SIP scanners
Post by: Hortoristic on March 21, 2013, 08:53:00 AM
But the inboundcallroute is per SP - so it seems each SP would have a different inboundcallroute setting, unique to the SP - or did I misunderstand you? 

Or is it the SIP URI is using same port at Voip.MS - thus why he mixes the settings together on the same SP?
Title: Re: SIP scanners
Post by: Mango on March 21, 2013, 08:54:34 AM
Either way would certainly be appropriate.
Title: Re: SIP scanners
Post by: Hortoristic on March 21, 2013, 08:56:26 AM
A bit off topic - but do we know the value of these SIP scanners?  Are they trying to harvest working phone numbers to sell to telemarketers or what gives?
Title: Re: SIP scanners
Post by: Mango on March 21, 2013, 08:58:56 AM
They're trying to break into IP PBX systems so that they can route their customers' high-cost calls, make illegal/scam calls, or make calls to numbers they get compensation for.  I suspect they're not actually looking for us; we're just collateral damage.

Edited to add: an improperly-configured InboundCallRoute could allow a hacker to route calls via your OBi device.  Use extreme caution when setting up an InboundCallRoute to route calls to spx or li and be sure you're doing it safely.  (If you're routing calls to ph like Oleg demonstrated, that is fine.)

Title: Re: SIP scanners
Post by: ianobi on March 21, 2013, 09:04:30 AM
Hoping not to confuse things here   :)

Quote
My final inbound call route is ">('myname'|123456@.):ph1"

Anything within the parentheses is simply a digit map, you can put anything you want in there. Anything matching that digit map will ring the phone. As oleg points out, whatever is sent in the SIP INVITE before the "@" is what has to match the digit map.

This is how we send digits in more complex InboundCallRoutes using rules such as {>(Msp2):sp2}, where any digits sent before the "@" in the SIP INVITE that also match Msp2 are sent out to sp2.
Title: Re: SIP scanners
Post by: ianobi on March 21, 2013, 09:08:21 AM
oleg,

Well you certainly got us all talking  :)

This: ([^*+]@@[^+].<+:@>@@.|[^*]@@.'@'@@.) is my entry for the most bizarre OBi digit map competition   :D  It does have a use for sending SIP URI format calls over the OBiTALK network as described in another post. It does not have a function here as far as I can see!

Title: Re: SIP scanners
Post by: Mango on March 21, 2013, 09:11:36 AM
Wouldn't an InboundCallRoute of {>(Msp2):sp2} have the potential to be rather insecure?  I would rather see it restricted to something like {('ianobi')>(Msp2):sp2}, thus preventing anyone who's not you from using it.  That is, assuming whatever you've configured for sp2 is not intended to be publicly accessible.
Title: Re: SIP scanners
Post by: Ostracus on March 21, 2013, 09:17:57 AM
Quote from: ianobi on March 21, 2013, 09:08:21 AM
oleg,

Well you certainly got us all talking  :)

This: ([^*+]@@[^+].<+:@>@@.|[^*]@@.'@'@@.) is my entry for the most bizarre OBi digit map competition   :D  It does have a use for sending SIP URI format calls over the OBiTALK network as described in another post. It does not have a function here as far as I can see!

Indeed. Aside from the nerdiness what advantage does one gain using SIP URIs vs the traditional way of calling, remembering that the ATAs and VoIP providers handle most of the complexity anyway?
Title: Re: SIP scanners
Post by: ianobi on March 21, 2013, 09:25:23 AM
Mango,

Yes, very true. I tried to pick a simple illustration from my actual sp2 InboundCallRoute, which is:

{(Mcot)>(<**7:>(Mtg1))|(Mtg1):tg1},{(Mcot)>(<**7:>(Mextns))|(Mextns)|(<**7:>(Msp2))|(<**2:>(Msp2)):sp2},{(Mcot)>(<**7:>(Mvg4))|(<**4:>(Mvg4)):vg4},{(Mcot)>(<**7:>(Msoft)),(Mcot)>(Msoft):pp},{(Mcot)>(<**7:>(Msoft))|(Msoft)|(<**7:>(Mpp))|(<**9:>(Mpp)):pp},{(Mcot)>(<**7:>(**0))|**0:aa},{(Mcot)>(<**7:>(0|61))|(0|61):ph},{(Mcot):aa}

cot contains the allowed CallerIDs.

This rule from above may be of interest to this thread:
{(Mcot)>(<**7:>(0|61))|(0|61):ph}
Where you can see that the callee digit map (0|61) is used to call the phone.

Title: Re: SIP scanners
Post by: Mango on March 21, 2013, 09:27:14 AM
I see that you certainly know what you are talking about.   :)   Thanks for sharing your InboundCallRoute.
Title: Re: SIP scanners
Post by: ianobi on March 21, 2013, 09:30:34 AM
Ostracus,

It was my solution to calling a SIP URI directly over the OBiTALK network using OBiON from a cell phone or OBiAPP from a softphone. The OBiTALK network does not accept "@", so I replaced "@" with "+" and then translated "+" back to "@" using the bizarre digit map.

Title: Re: SIP scanners
Post by: ianobi on March 21, 2013, 09:34:04 AM
Mango,

It all makes sense if you read posts concerning using CSipSimple with OBi and using any OBI as a home PBX. Each idea just adds a little to the complexity!
Title: Re: SIP scanners
Post by: Shale on March 21, 2013, 12:00:34 PM
Mango has suggested that I add Oleg's method as a good alternative way to thwart SIP scanners.  I would like to understand and then be able to describe the method in a way that a person doing setup could use.

As I understand this, the modification of the InboundCallRoute looking for the AuthUserName is an alternative method of thwarting SIP scanners.  The InboundCallRoute is what identifies whether to send a given call to ph, ph1 or ph2 on OBi202, or AA, or to kick it to the byte bucket.

Question 1: The strings on the left side of colons are compared against the incoming caller ID equivalent -- what do we call that string?

Oleg's situation seems to be that he gets connections directly from his company rather than a sip provider...  maybe I am wrong on this.

Question 2.  Is this method suitable as the method for avoiding SIP scanners if they receive their calls through Anveo, Callcentric, voip.ms, etc?  This method seems particularly useful for providers that have too many server IPs to list.  It also seems useful for those that want to permit some direct connections without opening the path to everybody.

Oleg posted
3/20/2013 2:19:10 AM    INVITE sip:+972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:14 AM    INVITE sip:0972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:14 AM    INVITE sip:00972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:17 AM    INVITE sip:000972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:17 AM    INVITE sip:0000972592280470@12.34.56.78:5078 SIP/2.0
3/20/2013 2:19:20 AM    INVITE sip:00000972592280470@12.34.56.78:5078 SIP/2.0

Question 3: Where did Oleg get these logs and how would I get them?  The Call History from my OBi202 does not resemble that.

Title: Re: SIP scanners
Post by: Mango on March 21, 2013, 12:12:00 PM
1) When considering the InboundCallRoute, the string to the left of the colon is known as the "peering-list".  This takes the format: caller-list > callee-list

In this case, the AuthUserName would be considered the "callee".  Does this answer your question?

2) I believe you're correct.
Title: Re: SIP scanners
Post by: oleg on March 21, 2013, 08:03:16 PM
I think many questions were already answered, will try to clarify some...

Early suggestions (in this thread) to block scanners were based on matching caller. Caller is a string sent by calling party, that's how it represents itself. Provided that normally you receive calls with valid 10 digits caller id and that scanners use something like "10001", "admin", etc. you can filter them out. But what if scanner uses a right pattern? Your OBi will ring the phone...

My idea was to use callee id instead. The way is documented in Inbound Call Route part of OBi manual  (may be lacking more examples). Most of us use one or several providers, may-be receiving direct SIP calls - pretty much determined set of valid strings. All other calls may be dropped. That's what I made.
BTW, old good Sipura / Linksys adapters allow the only user_id, any call not matching it does not ring.

>('myname'|123456@.):ph1
This is to allow incoming calls to myname@myhost (direct SIP calls) and 123456_me@myhost (voip.ms pattern, all sub-accounts have the same prefix), forward both to ph1 (I do not use ph2 now) and disregard all other calls. Note that you may receive SIP calls from several providers on the same SPn, that's why you may want to combine several patterns. You need separate SPn only if you want to register with several providers.

>('1777xxxxxxx'):ph1
This should work for Callcentric, but I believe you may remove quotes and even parentheses.

>>> Aside from the nerdiness what advantage does one gain using SIP URIs vs the traditional way...
It may be independent from any provider (sometimes more reliable), completely free, always the best quality (direct traffic)... Not something necessary though...

>>> 3/20/2013 2:19:10 AM    INVITE sip:+972592280470@12.34.56.78:5078 SIP/2.0
This is from syslog. I have it enabled on OBi, most verbose and sent to the server.
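The difference between the caller-based rules posted earlier in this thread and the callee-based rule described in this post, as an added example that is not from any poster and is not OBi firmware code. It models only the digit-map subset quoted in the thread (`x`, `@`, a trailing `.`, `?`, quoted literals, `|`); the caller IDs in the sample data are constructed, and the request lines follow the syslog format posted above.

```python
import re

# '@' is one letter or digit per the thread; "_" is included as an assumption,
# because the thread reports 123456@. accepting 123456_name.
ANY_CHAR = "[0-9A-Za-z_]"

def digitmap_to_regex(dmap):
    """Compile the digit-map subset used in this thread into a regex."""
    body = dmap.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    out, i = [], 0
    while i < len(body):
        ch = body[i]
        if ch == "|":                          # alternation between patterns
            out.append("|")
            i += 1
            continue
        if ch == "'":                          # 'literal' up to the closing quote
            end = body.index("'", i + 1)
            atom, i = re.escape(body[i + 1:end]), end + 1
        elif ch == "x":                        # one digit
            atom, i = r"\d", i + 1
        elif ch == "@":
            atom, i = ANY_CHAR, i + 1
        elif ch == "?":                        # used in the thread for "no peer number"
            atom, i = "", i + 1
        else:                                  # assumption: anything else is literal
            atom, i = re.escape(ch), i + 1
        if i < len(body) and body[i] == ".":   # "." repeats the previous element 0+ times
            atom, i = "(?:%s)*" % atom, i + 1
        out.append(atom)
    return re.compile("(?:%s)" % "".join(out))

def parse_route(route):
    """Split '{caller>callee:terminal},{...}' into (caller_re, callee_re, terminal)."""
    rules = re.findall(r"\{([^{}]*)\}", route) or [route]
    parsed = []
    for rule in rules:
        peering, _, terminal = rule.rpartition(":")   # no ':' means terminal only
        caller, _, callee = peering.partition(">")
        parsed.append((digitmap_to_regex(caller) if caller else None,
                       digitmap_to_regex(callee) if callee else None,
                       terminal))
    return parsed

def route_call(route, caller, callee):
    """Return the terminal that rings, or None when the call is rejected."""
    for caller_re, callee_re, terminal in parse_route(route):
        if caller_re and not caller_re.fullmatch(caller):
            continue
        if callee_re and not callee_re.fullmatch(callee):
            continue
        return terminal or None                # empty terminal, as in '{(...):}', blocks
    return None                                # nothing matched: call is dropped

REQUEST_LINE = re.compile(r"INVITE sip:([^@\s]+)@\S+ SIP/2\.0")

def callee_of(syslog_line):
    """User part of the request URI, i.e. what the callee digit map is compared to."""
    m = REQUEST_LINE.search(syslog_line)
    return m.group(1) if m else None

CALLER_RULE = "{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}"
CALLEE_RULE = ">('myname'|123456@.):ph1"

# Constructed sample: (caller ID, syslog request line).
SAMPLE_CALLS = [
    ("2065550123", "3/21/2013 9:00:01 AM    INVITE sip:123456_name@12.34.56.78:5078 SIP/2.0"),
    ("anonymous",  "3/21/2013 9:05:10 AM    INVITE sip:myname@12.34.56.78:5078 SIP/2.0"),
    ("1001",       "3/20/2013 2:19:14 AM    INVITE sip:00972592280470@12.34.56.78:5078 SIP/2.0"),
    ("admin12",    "3/20/2013 2:19:17 AM    INVITE sip:000972592280470@12.34.56.78:5078 SIP/2.0"),
    ("2125550199", "3/20/2013 2:19:20 AM    INVITE sip:+972592280470@12.34.56.78:5078 SIP/2.0"),
]

def compare(calls):
    """Evaluate every call under both rules: (caller, callee, by_caller, by_callee)."""
    rows = []
    for caller, line in calls:
        callee = callee_of(line)
        rows.append((caller, callee,
                     route_call(CALLER_RULE, caller, callee),
                     route_call(CALLEE_RULE, caller, callee)))
    return rows

if __name__ == "__main__":
    for caller, callee, by_caller, by_callee in compare(SAMPLE_CALLS):
        print("%-12s -> %-18s caller rule: %-8s callee rule: %s"
              % (caller, callee, by_caller or "REJECT", by_callee or "REJECT"))
```

In this model the caller rule still rings for the constructed `admin12` and ten-digit scanner callers and drops the legitimate anonymous call, while the callee rule accepts only the two expected user parts.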



Title: Re: SIP scanners
Post by: QBZappy on March 21, 2013, 09:21:35 PM
Brilliant. This should put an end to sip scanners as long as they don't use the same service provider that you use. Then what would be the odds of that.

Don't you just hate it when you read something and say, why didn't I think of that!

Worthy of a sticky indeed.
Title: Re: SIP scanners
Post by: lacibaci on March 22, 2013, 06:14:11 AM
I tested {>(1777xxxxxxx):ph} (without quotes) and it works. I also reverted back to port 5060 and enabled syslog. I'm hoping to see a lot of messages like this:
SIP DLG reject: 486
Then I'll know it's working  :)

Lac
Title: Re: SIP scanners
Post by: oleg on March 22, 2013, 07:23:33 AM
Quote from: QBZappy on March 21, 2013, 09:21:35 PM
This should put an end to sip scanners as long as they don't use the same service provider that you use.

Scanners do not use service providers, they are trying to establish direct SIP call and trick your device to allow them pass through. Like place international call in the example above. In simple case with VOIP adapter it may ring your phone (in the middle of night  >:(). If you allow pass through (like calling from soft OBi to your home OBi and then into another trunk) - you have to be very cautious.

Quote from: lacibaci on March 22, 2013, 06:14:11 AM
SIP DLG reject: 486

This also happens when your line is busy :-)

Title: Re: SIP scanners
Post by: ianobi on March 22, 2013, 08:16:32 AM
Quote
If you allow pass through (like calling from soft OBi to your home OBi and then into another trunk) - you have to be very cautious.

Yes, I agree with this. Some of us have complex InboundCallRoutes allowing incoming calls to use outgoing trunks on our OBi. Many users will have "Trusted Callers" giving access to their auto attendant and maybe more. This means that there are still reasons for using CallerID and changing UserAgentPort to increase security.

I see the "oleg approach" as most useful anywhere you have an InboundCallRoute containing the rules like "ph" or "ph,ph2". I will be changing my "ph" to something like {>('myname'|123456@.):ph}.




Title: Re: SIP scanners
Post by: lacibaci on March 22, 2013, 09:44:33 AM
Quote from: oleg on March 21, 2013, 08:03:16 PM
...
>('1777xxxxxxx'):ph1
This should work for Callcentric, but I believe you may remove quotes and even parentheses.
...

I can confirm that for Callcentric the following inbound route works:

>1777XXXXXXX:ph

(replace X with your number)

Lac
Title: Re: SIP scanners
Post by: RegularJoe on March 29, 2013, 04:31:13 PM
Ok I seem to be a dummy - How do I implement OLEG  method - I have OBI100 and Voip.MS - is there a step by step procedure with Voip.ms service.

Thank you for your help ahead of time.

Regards
Joe
Title: Re: SIP scanners
Post by: Shale on March 29, 2013, 06:26:18 PM
Quote from: RegularJoe on March 29, 2013, 04:31:13 PM
Ok I seem to be a dummy - How do I implement OLEG  method - I have OBI100 and Voip.MS - is there a step by step procedure with Voip.ms service.

See http://www.obitalk.com/forum/index.php?topic=5467.0

Method 4 is the Oleg method. Method 3 has a string that you could copy and paste for voip.MS.
Title: Re: SIP scanners
Post by: giqcass on April 17, 2013, 04:41:14 PM
Quote
Don't you just hate it when you read something and say, why didn't I think of that!

"why didn't I think of that!"  Was going through my head the whole time.  

I'm going to try adding a "User Defined Digit Map" and put all the user names in so I can easily edit them.  Thanks for a beautiful solution oleg.  I just added this topic to my personal OBi library.
Title: Re: SIP scanners
Post by: Hyrules on April 29, 2013, 01:30:35 PM
I would be interested in setting up this method on Freephoneline. Anyone willing to help me? We could add it to oleg howto after. I have already set up a Syslog server to get info from the obi202. What should I be looking for in my logs to get the information needed?
Title: Re: SIP scanners
Post by: donly on May 10, 2013, 11:45:24 AM
Quote from: Hyrules on April 29, 2013, 01:30:35 PM
I would be interested in setting up this method on Freephoneline. Anyone willing to help me? We could add it to oleg howto after. I have already set up a Syslog server to get info from the obi202. What should I be looking for in my logs to get the information needed?

I am using FPL and made the change a few weeks ago and so far no issues.
I just put this in my SP1 X_InboundCallRoute.

{>1xxxxxxxxxx:ph}
Title: Re: SIP scanners
Post by: Hyrules on May 16, 2013, 07:59:08 AM
This line is not working here. The SIP requests are all rejected.
Title: Re: SIP scanners
Post by: donly on May 29, 2013, 07:38:05 PM
Quote from: Hyrules on May 16, 2013, 07:59:08 AM
This line is not working here. The SIP requests are all rejected.

Did you replace the xxxxxxxxxx with your fpl number?
Title: Re: SIP scanners
Post by: Hyrules on May 30, 2013, 06:31:30 AM
if you mean my phone number yes.
Title: Re: SIP scanners
Post by: Shale on May 30, 2013, 07:36:48 AM
Quote from: Hyrules on May 30, 2013, 06:31:30 AM
if you mean my phone number yes.

Donly means your authorized user name or account number.  The AuthUserName can be read from your OBi or ObiTalk expert at
(Voice Services)SPx Service->AuthUserName.

This method is discussed as method 4 in https://www.obitalk.com/forum/index.php?topic=5467.0
Title: Re: SIP scanners
Post by: Hyrules on May 30, 2013, 08:33:40 AM
Basically yes, that's my phone number. My AuthUserName is my phone number with FPL. I tried it earlier and it doesn't work. I'll try again.
Title: Re: SIP scanners
Post by: carl on May 30, 2013, 06:24:59 PM
I noticed that over the last several months the scanner attacks diminished without me doing anything. Anyone else with the same experience?
Title: Re: SIP scanners
Post by: lacibaci on June 05, 2013, 04:09:40 PM
Quote from: carl on May 30, 2013, 06:24:59 PM
I noticed that over the last several months the scanner attacks diminished without me doing anything. Anyone else with the same experience?

I still see many attempts in my log. Just last week, in about 2 minutes, some idiot from Vietnam tried 700 times to call an off shore number... I didn't even notice until I checked logs a couple of days later.

Lac
Title: Re: SIP scanners
Post by: dial.tone on June 06, 2013, 06:26:09 AM
I did the Oleg Method on my Obi202/GoogleVoice/SimonTelephonics SP1 line and it seems to have eliminated the 100/1000/1001 calls in the middle of the night.  Oleg, wherever you are, my wife says thanks!  However, I am still being deluged with calls in the middle of the afternoon that the caller id identifies as "Private Caller."  They seem to come 12-15 at a time over a period of about 30 min.  I went into GoogleVoice and checked the box to "block anonymous calls," but that doesn't seem to have changed anything.  These calls don't show up in my GoogleVoice call history and the fact that each call can ring my phone 20+ times without going to voice mail makes me think they are bypassing GoogleVoice altogether.  I checked the SimonTelephonics website and the problem isn't addressed there and the ST forum is closed.  Thoughts on how to stop these troublesome Private-Caller calls?
Title: Re: SIP scanners
Post by: Shale on June 06, 2013, 08:28:33 AM
Quote from: dial.tone on June 06, 2013, 06:26:09 AM
I did the Oleg Method on my Obi202/GoogleVoice/SimonTelephonics SP1 line and it seems to have eliminated the 100/1000/1001 calls in the middle of the night.  Oleg, wherever you are, my wife says thanks!  However, I am still being deluged with calls in the middle of the afternoon that the caller id identifies as "Private Caller."  They seem to come 12-15 at a time over a period of about 30 min.  I went into GoogleVoice and checked the box to "block anonymous calls," but that doesn't seem to have changed anything.  These calls don't show up in my GoogleVoice call history and the fact that each call can ring my phone 20+ times without going to voice mail makes me think they are bypassing GoogleVoice altogether.  I checked the SimonTelephonics website and the problem isn't addressed there and the ST forum is closed.  Thoughts on how to stop these troublesome Private-Caller calls?
Do they show up in the Status-> Call History in the web access of your OBi? If they are coming in on a different SP, disable (method 0) the unused SPis. If they are coming in on the SP used for GV, that will be interesting.
Title: Re: SIP scanners
Post by: dial.tone on June 06, 2013, 12:48:40 PM
Quote from: Shale on June 06, 2013, 08:28:33 AM
Do they show up in the Status-> Call History in the web access of your OBi? If they are coming in on a different SP, disable (method 0) the unused SPis. If they are coming in on the SP used for GV, that will be interesting.

I have never been able to find Call History.  I just checked the Dashboard and went into Expert Configuration, and I didn't find it in either place.  Where am I not looking?
Title: Re: SIP scanners
Post by: Shale on June 06, 2013, 06:40:04 PM
To check the call history log:

1.  If you do not know the IP address of your OBi, find IP address:
from your phone dial ***1 and listen for the IP address.  Write it
down.

2. Enable web access from the WAN for your OBi:
Let a comma represent a pause.
dial ***0,30#, 1, 1
Your OBi should read your current IP number to you. It is often
192.168.__.__ or 10.0.__.__ where __ represents some numbers. Write
that down.

3. Enter the IP address that you wrote down into the address box on your
browser. If you don't know what a browser is, that means Internet Explorer,
Chrome or Safari. It could  also mean Firefox,  etc.

Be prepared to enter the password for your OBi. The username is admin.

4. On the left, click Status -> Call History.
Title: Re: SIP scanners
Post by: dial.tone on June 07, 2013, 05:27:08 AM
Quote from: Shale on June 06, 2013, 06:40:04 PM
To check the call history log:
. . .
4. On the left, click Status -> Call History.

Sweet -- there is a bunch of cool stuff in there!  Thanks for the tutorial.

Quote from: Shale on June 06, 2013, 08:28:33 AM
Do they show up in the Status-> Call History in the web access of your OBi? If they are coming in on a different SP, disable (method 0) the unused SPis. If they are coming in on the SP used for GV, that will be interesting.

So, the "Private Caller" calls are showing up on the call history for SP1 -- which uses the SimonTelephonics/GoogleVoice setup (with ST providing caller ID name).  So I don't know if these "Private Caller" calls are getting in through GV or ST.  I think I read on here that SIP scanners can't get in through GV because of how GV works, which, if that's the case, would only leave the ST path.  When I did the Oleg setup, the AuthUserName I put in the InboundCallRoute string was "GVxxxxxxxxxx" where the x's are my GV number.  When I look in Expert Configuration, I don't see any AuthUserName associated with the ST part of the setup.  Does this help or just muddy the water?
Title: Re: SIP scanners
Post by: Shale on June 07, 2013, 07:25:55 AM
I don't know how this Simon Telephonics + Obi  should be cured. I found http://tech.iprock.com/?p=6592 which explains the hookup somewhat. I don't know if the sip scanner hits the OBi or the Simon Telephonics (ST) unit. If it's the ST unit, then the cure would have to be applied to that ST unit.

Maybe one of the other methods such as method 2 or 3 (port number or IP number) would work for you. If not, I would give up on CNAME until there was a solution.

I hope somebody else knows the cure for you.
Title: Re: SIP scanners
Post by: dial.tone on June 07, 2013, 09:07:07 AM
Quote from: dial.tone on June 07, 2013, 05:27:08 AM
When I did the Oleg setup, the AuthUserName I put in the InboundCallRoute string was "GVxxxxxxxxxx" where the x's are my GV number.  When I look in Expert Configuration, I don't see any AuthUserName associated with the ST part of the setup.  Does this help or just muddy the water?

I just realized that the InboundCallRoute string (GVxxxxxxxxxx) I found in Expert Configuration for SP1 is the SimonTelephonics username for that GV/ST setup.  I have a different, standalone GV number coming in on SP2, so I compared its InboundCallRoute string with the one on SP1 and they are totally different.  The InboundCallRoute string on SP2 is the GV email address associated with that number.  So ST used my SP1 GV number to construct its username and Obi202 used ST's username for its InboundCallRoute.  Doesn't solve the mystery but helps clear up that point.  Actually, now that I think about it, it only deepens the mystery.  Now I know that I have properly implemented the Oleg method on the ST-configured SP1 and yet Private Caller calls are still getting through.  At least the middle-of-the-night 100/1000/1001 calls have stopped. 

Quote from: Shale on June 07, 2013, 07:25:55 AM
Maybe one of the other methods such as method 2 or 3 (port number or IP number) would work for you. If not, I would give up on CNAME until there was a solution.

At this point, that's about all I have left.  I hate to pull the plug on SimonTelephonics caller ID name service -- the 80% of the time it works it is pretty cool!  Any additional ideas would be more than welcome!
Title: Re: SIP scanners
Post by: ianobi on June 08, 2013, 07:44:13 AM
The question here is do these calls come in via the ST servers? If so, then methods 2,3 & 4 will not work because as far as the OBi knows the calls are genuine with the correct UserAgentPort, correct ip address and correct AuthUserName.

While researching further you might try a version of method 1, combined with the oleg method such as:

Voice Services > SP1 Service > X_InboundCallRoute:

{(Priv@@.):},{>(GVxxxxxxxxxxx):ph}

This will block all calls with a CallerID / Peer Number of "Priv" followed by anything. Make sure you get the upper/lower cases correct for "Priv" exactly as shown in Call History > Peer Number.

If you get genuine calls with the CallerID / Peer Number "Private Caller" that you wish to receive, then this will block those, so may not be a good method for you. In that case we are out of ideas for now   ???

Title: Re: SIP scanners
Post by: dial.tone on June 09, 2013, 03:12:58 PM
Quote from: ianobi on June 08, 2013, 07:44:13 AM
The question here is do these calls come in via the ST servers? If so, then methods 2,3 & 4 will not work because as far as the OBi knows the calls are genuine with the correct UserAgentPort, correct ip address and correct AuthUserName.

While researching further you might try a version of method 1, combined with the oleg method such as:

Voice Services > SP1 Service > X_InboundCallRoute:

{(Priv@@.):},{>(GVxxxxxxxxxxx):ph}

This will block all calls with a CallerID / Peer Number of "Priv" followed by anything. Make sure you get the upper/lower cases correct for "Priv" exactly as shown in Call History > Peer Number.

If you get genuine calls with the CallerID / Peer Number "Private Caller" that you wish to receive, then this will block those, so may not be a good method for you. In that case we are out of ideas for now   ???




I haven't gotten any of these Private Caller calls for a couple of days now, but it looks like some are still coming into the Obi202.  Here's why I say that.  I compared the caller ID log on my phone with the Obi Call History log on the Obi web portal.  The Obi Call History shows a bunch of calls labeled "PH1" that don't correspond to any calls we have received, nor do they correspond to any calls that show up on the phone's caller ID log.  The phone's time stamp on the Private Caller calls we were getting a few days ago DO, however, correspond with the time stamp on the Obi Call History for some of the older calls that are labeled "PH1."  So I assume (yes, I know) that the PH1-labeled calls are the calls that used to get through as Private Caller calls but are now being stopped by the Oleg settings.  At least most of them are -- I know some of them got through the first/second day after I made the Oleg change.  The biggest thing that concerns me now is that the duration of these PH1 calls, according to the Obi Call History,  is anywhere from 20 seconds to over nine minutes.  These calls never make it to our desktop phone, so what the heck are they doing on my system for nine minutes.  Do I need to be concerned?
Title: Re: SIP scanners
Post by: Shale on June 09, 2013, 03:23:56 PM
Do the calls you are concerned with say "From PH1" or "To PH1" in the call history?
Title: Re: SIP scanners
Post by: dial.tone on June 10, 2013, 06:08:45 AM
Quote from: Shale on June 09, 2013, 03:23:56 PM
Do the calls you are concerned with say "From PH1" or "To PH1" in the call history?

Argh, NO, imanidiot!  I had to go back and look at the "To" data on all those calls and they all had numbers associated with them. . .they looked like phone numbers. . .familiar numbers. . .I wondered why the Frisbee was getting larger, then it hit me. . .those were our OUTGOING calls.  Sorry about that!
Title: Re: SIP scanners
Post by: dial.tone on June 11, 2013, 04:57:57 AM
Well, here we go again.  About 9 o'clock last night, the Private Caller calls started coming in again.  After about the 6th one, I went in and removed the SimonTelephonics configuration from SP1.  I'll miss the caller ID name, but I won't miss the nuisance calls.  Hopefully, GV will come up with its own caller ID name sometime soon.  My thanks to the forum for its help in trying to resolve this. 
Title: Re: SIP scanners
Post by: Hortoristic on June 11, 2013, 04:51:13 PM
Been using this string below and haven't had scanner call in over a year - I also am able to get blank names (my work uses PBX so only the number shows when I call home).  The number is used immensely as my wife uses our home phone as a business line too.

I also forward all calls to CallCentric free NY number, so I have been getting great CNAM lookup too.

{(x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph}
Title: Re: SIP scanners
Post by: Hyrules on September 04, 2013, 02:10:22 PM
Well after a couple of tries, I didn't have any success with method 4. I don't know why but my X_InboundCallRoute kept sending me to my voicemail. I tried those :

{>(1XXXXXXXXXX):ph}
{>('1XXXXXXXXXX'):ph}
{>1XXXXXXXXXX:ph}

I did try : {>('sip.fongo.com'):ph} this was working but i'm not sure it will do as asked.

1XXXXXXXXXX being my AuthUserName and my phone number at FPL.

Here is an example of my SIP Syslog server when I received a call :

Message Detail Information
DateTime:04/09/2013 16:39:26
From Host:192.168.5.X
Facility:Kernel
Severity:Informational
Message: CCTL:NewCallOn Term 1[0] ->sip.fongo.com,sip.fongo.com

Incoming call from a potential spammer

2013-09-03 22:37:45
kernel.debug
192.168.5.X 
CCTL:NewCallOn Term 1[0] ->,sip.fongo.com\n
Title: Re: SIP scanners
Post by: Shale on September 04, 2013, 06:01:32 PM
Quote from: Hyrules on September 04, 2013, 02:10:22 PM
Well after a couple of tries, I didn't have any success with method 4. I don't know why but my X_InboundCallRoute kept sending me to my voicemail.

You could try method 3 with System Management -> Service Providers-> ISTP Profile n SIP -> X_AccessList. Here is the string I came up with for fongo.com:
208.65.240.160,208.65.240.165,208.65.240.142

I presume you are not using a PBX or Asterisk server.
Title: Re: SIP scanners
Post by: Hyrules on September 05, 2013, 03:40:10 AM
No PBX or Asterisk. I did Wednesday night after I received weird calls from most likely spammers. I know they were spammers because their call was not showing in the FPL logs on the website. Oddly they had a real name CALLERID and a real phone number. Before adding my X_AccessList I was changing my X_UserAgentPort to a number other than 5060 but it did happen anyway. I'm using the following ip addresses for FPL :

208.65.240.165,
208.65.240.142,
208.65.240.170,
208.72.121.72,
208.65.240.44
Title: Re: SIP scanners
Post by: dial.tone on September 19, 2013, 03:26:08 PM
Quote from: Hortoristic on June 11, 2013, 04:51:13 PM
Been using this string below and haven't had scanner call in over a year - I also am able to get blank names (my work uses PBX so only the number shows when I call home).  The number is used immensely as my wife uses our home phone as a business line too.

I also forward all calls to CallCentric free NY number, so I have been getting great CNAM lookup too.

{(x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph}

I copied/pasted that exact string into my "Voice Services > SP1 Service > X_InboundCallRoute:" back in June and haven't had a single "Private Caller" call since.  I don't know why it works, but it does.  Big thanks to Hortoristic for posting the solution that worked for me.
Title: Re: SIP scanners
Post by: drgeoff on September 20, 2013, 04:23:28 AM
Quote from: dial.tone on September 19, 2013, 03:26:08 PM
I don't know why it works, but it does.
Calls with a CID of 1 to 6 digits get sent to nowhere.  All others ring the phone.
Title: Re: SIP scanners
Post by: carl on September 20, 2013, 03:47:19 PM
Interestingly, I have not had a single sip scanner call for at least 6 months without having done anything. Used to be really bad.
Title: Re: SIP scanners
Post by: Mango on September 20, 2013, 03:48:38 PM
Did you change your router or your router's firmware, or do you use OBiTALK to configure your device?  These could account for the SIP scans being blocked.
Title: Re: SIP scanners
Post by: carl on September 20, 2013, 08:09:07 PM
I use indeed the portal to configure the device. I do not think that it has anything to do with my router. I did not check the Obi 100, which is traveling now, but i know that my Obi 202 is not getting anything any more. Wonder whether Obihai changed something.
Title: Re: SIP scanners
Post by: Mango on September 20, 2013, 08:10:17 PM
Yes, there were some reports some time ago that Obihai was implementing some of the methods suggested by users in this thread.  :)
Title: Re: SIP scanners
Post by: carl on September 20, 2013, 09:11:48 PM
Since there are a few people who still do report the same problems I wonder whether Obi 202 is now less susceptible than obi100 or 110 and or whether those having problems did all the firmware upgrades.
Title: Re: SIP scanners
Post by: Mango on September 20, 2013, 09:14:12 PM
It's entirely possible.  Anyone with an OBi202 connected directly to a modem (no double-NAT) want to test the type of NAT that its router employs?

http://www.dslreports.com/forum/remark,22292023
Title: Re: SIP scanners
Post by: ddgiant on February 01, 2014, 02:50:34 AM
I know it has been a while since any one posted in here but I have just received what I think is more SIP scanners.

From my call history they are showing "from 'abc' sp1(abc)" and "from 'us' sp1(us)"

My question is if I tweak my string as shown below, should that block these?

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|us@@|abc@@):},{ph,ph2}

Thanks for all of your time and advice.
Title: Re: SIP scanners
Post by: ianobi on February 01, 2014, 05:42:55 AM
ddgiant – welcome to the forum.

You are on the right lines, but the format is a bit more tricky. For example "abc" followed by something or nothing would be "abc@."  The dot is important!

The following string should work:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|u's'@.|abc@.):},{ph,ph2}

A further complication is that the "s" is a reserved character, so it needs to be enclosed by single apostrophes.

There are other ways to defeat scanners as detailed here:

http://www.obitalk.com/forum/index.php?topic=5467.msg35387#msg35387

The "Oleg Method" is highly recommended.

Title: Re: SIP scanners
Post by: giqcass on February 01, 2014, 06:09:12 AM
I'm a big supporter of the "Oleg Method" myself.  It ended all sip scanner activity from ringing my phone.  Using  the "Oleg Method" the sip scanner would need your Ip address, port number, and user name to ring your phone.
Title: Re: SIP scanners
Post by: ddgiant on February 01, 2014, 07:12:51 AM
Thanks for both of your quick replies.  The last time I had to deal with this was before the Oleg method.

I just want to make sure I am re-setting this correctly due to a lot of talk in these forums that I do not deal with regularly so it is a little confusing to me.

I have 2 SP services (Callcentric for E911 and GV for everything else)

SP1 I will change my X_InboundCallRoute from {(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|u's'@.|abc@.):},{ph,ph2} to {>17771234567:ph1,ph2} (I just changing back to default will not set this)
SP2 I will change my X_InboundCallRoute from {(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|u's'@.|abc@.):},{ph,ph2} to {>gmailaddres@gmail.com} is this correct?

If the Google voice one is not correct then is there an easy fix, or being I know Google is dropping the protocol I am using, maybe it is time to do my change over to 100% callcentric.
Title: Re: SIP scanners
Post by: azrobert on February 01, 2014, 09:47:00 AM
GoogleVoice doesn't use the SIP protocol, so you don't need to block SIP scanners on the GV trunk.
Title: Re: SIP scanners
Post by: ianobi on February 01, 2014, 09:55:43 AM
For Callcentric on sp1 this {>17771234567:ph1,ph2} should work fine.

As azrobert says, you should not need to worry about GV on sp2. You can see from your Call History that the scanner calls are coming in on sp1.

Personally, I like to use the Oleg Method and change the UserAgentPorts away from 5060, 5061 etc as these are the ones most often targeted by scanners. Some may say it's overkill, but I like a "belt and braces" approach to this problem   :)
Title: Re: SIP scanners
Post by: gderf on February 01, 2014, 10:09:59 AM
On my Obi200 the "Oleg Method" is applied automatically when configured via OBiTALK. There is no need to do this manually.
Title: Re: SIP scanners
Post by: jazzy on February 03, 2014, 01:04:10 PM
I use Obi100 and receive incoming calls from an IPKALL number, registered
with Getonsip.  Receiving calls just fine, but now I want to add method #4
to thwart sip scanners.

I thought I understood what string to place in my inbound call routing.

So I did this:

X_InboundCallRoute:   {>('my_auth_user_name'):ph}

the authusername I'm using comes right from my SIP credentials
from the SIP Credentials page on the Obi
and yes, authusername are alpha/numeric

Can this method work with my Getonsip account with the IPKall # ?

currently calls do not ring my Obi with this string in the Inboundcallroute.
Suggestions?
Title: Re: SIP scanners
Post by: gderf on February 03, 2014, 02:13:39 PM
I have

{>123456789:ph}

Where 123456789 is my_auth_user_name
Title: Re: SIP scanners
Post by: jazzy on February 03, 2014, 03:24:56 PM
My authusername is alphanumeric.

when I place this in the X inbound call route
{>('myauthusername28'):ph}   the attached phone does not ring.

I'm getting myauthusername28 right from SP2 SIP credentials
authusername. Sp2 is using Getonsip (from an IPKALL # )

Does method #4 not work with authusernames from Getonsip?



Title: Re: SIP scanners
Post by: gderf on February 03, 2014, 04:00:18 PM
Why don't you try it without the parentheses and single quotes?
Title: Re: SIP scanners
Post by: drgeoff on February 03, 2014, 04:11:06 PM
Quote from: jazzy on February 03, 2014, 03:24:56 PM
My authusername is alphanumeric.

when I place this in the X inbound call route
{>('myauthusername28'):ph}   the attached phone does not ring.

I'm getting myauthusername28 right from SP2 SIP credentials
authusername. Sp2 is using Getonsip (from an IPKALL # )

Does method #4 not work with authusernames from Getonsip?




Your format is correct so the next suspect is that the username you expect is not coming in.  Have a look at your call history to see what is shown against an incoming call.  Or perhaps call status during an incoming call can throw some light.  Revert your InboundCallRoute to ph for those test calls.
Title: Re: SIP scanners
Post by: jazzy on February 03, 2014, 04:49:06 PM
Quote from: gderf on February 03, 2014, 04:00:18 PM
Why don't you try it without the parentheses and single quotes?


no difference, attached phone still does not ring.
Title: Re: SIP scanners
Post by: jazzy on February 03, 2014, 04:58:59 PM
Quote from: drgeoff on February 03, 2014, 04:11:06 PM
Quote from: jazzy on February 03, 2014, 03:24:56 PM
My authusername is alphanumeric.

when I place this in the X inbound call route
{>('myauthusername28'):ph}   the attached phone does not ring.

I'm getting myauthusername28 right from SP2 SIP credentials
authusername. Sp2 is using Getonsip (from an IPKALL # )

Does method #4 not work with authusernames from Getonsip?




Your format is correct so the next suspect is that the username you expect is not coming in.  Have a look at your call history to see what is shown against an incoming call.  Or perhaps call status during an incoming call can throw some light.  Revert your InboundCallRoute to ph for those test calls.

Call history in the Obi?  When calling in via my cell, the Obi call history shows my CID of the cell phone. No user name.  what username might I be looking for?

Maybe this will help. I do not have my GV# ring the Obi.
My GV# forwards to an IPKALL #
The Obi picks up that IPKall number on SP2 using Getonsip credentials.
I currently call out on SP1 ( GV ) at least until May 2014

Testing  incoming options for when GV no longer supports XMPP, but want to be sure to
thwart the sip scanners. 
Title: Re: SIP scanners
Post by: drgeoff on February 03, 2014, 05:36:29 PM
Yes, on reflection I think the Call History only shows "high level" stuff and not far enough down into the nitty-gritty.  I'm not even sure if Call Status will have what we are looking for.

Syslog will show the low-level detail but that is a bit more work to set up the server on a PC and then configure the Obi to use it.  Also, the log will have many other messages as well as those for an incoming SIP invite.

It is way past my bed-time!  I'll be off-line now until morning, UK time.
Title: Re: SIP scanners
Post by: azrobert on February 03, 2014, 05:58:28 PM
Here is a trick you can do to determine the username.
Temporarily add {sp1($2)} to the beginning of your SP2 X_InboundCallRoute, then call your SP2 phone number.
$2 is a variable that contains the username of SP2.
The above rule will attempt to bridge the inbound call out SP1 using the username as the outbound phone number.
This call will obviously fail, but the call history will show the username as the outbound number.
Title: Re: SIP scanners
Post by: jazzy on February 03, 2014, 08:58:38 PM
@azrobert  you da man! 

Make the trick described above happen and of course the call failed, but
I did see  a 'peer number' show up.  It was my alpha numeric user ID, not exactly as the one
in the SIP credentials of SP2 ( it was missing the 'getonsip_' )

Replaced {ph} with {>'my_user_id':ph} and the attached phone now rings!  :D

BTW I originally replaced {ph} with {>('my_user_id'):ph} but phone did not ring.

So if any one else uses Getonsip, just delete the 'getonsip_' and put in the rest of your user id.


Title: Re: SIP scanners
Post by: ianobi on February 04, 2014, 04:41:49 AM
Quote
Here is a trick you can do to determine the username.
Temporarily add {sp1($2)} to the beginning of your SP2 X_InboundCallRoute, then call your SP2 phone number.

That is a neat trick. I'm filing that one away for future use ...   :)
Title: Re: SIP scanners
Post by: giqcass on February 04, 2014, 06:01:14 AM
Quote from: ianobi on February 04, 2014, 04:41:49 AM
Quote
Here is a trick you can do to determine the username.
Temporarily add {sp1($2)} to the beginning of your SP2 X_InboundCallRoute, then call your SP2 phone number.

That is a neat trick. I'm filing that one away for future use ...   :)
I saved it to my file already. lol
Title: Re: SIP scanners
Post by: Rick on May 14, 2014, 12:56:20 PM
I've now setup Callcentric on both SP1 and SP2 on my 110.  I got 2 free DIDs, and setup GV to forward my two numbers, one to each of them.  Works great.

Then, I setup SP2 with the {>1777xxxxxxx:ph} and it worked fine.

I now want to setup SP1 also.  Since it uses an extension, it's 1777xxxxxxx101.  I tried that, and nothing comes through (this is the peer number displayed in history).  I tried using it without the extension, and nothing comes through, which doesn't surprise me. 

Ideas welcome.
Title: Re: SIP scanners
Post by: azrobert on May 14, 2014, 01:23:13 PM
Check my post here:
http://www.obitalk.com/forum/index.php?topic=4067.msg46145#msg46145
Title: Re: SIP scanners
Post by: Rick on May 14, 2014, 02:06:06 PM
I read that (earlier in the thread), tried it, but got nothing new.  Perhaps I was doing it wrong.  If SP2 works today and is setup just fine, and SP1 is just plain PH, I change that to:

{sp2($2)}:ph    ?

I want to discover what to put in the SP1 X_Inbound Call Route.

Thanks!
Title: Re: SIP scanners
Post by: Shale on May 14, 2014, 03:31:04 PM
Quote from: Rick on May 14, 2014, 02:06:06 PM
If SP2 works today and is setup just fine, and SP1 is just plain PH, I change that to:

{sp2($2)}:ph    ?

I want to discover what to put in the SP1 X_Inbound Call Route.

Thanks!
I am thinking that would be
{sp2($2)},{ph}
Title: Re: SIP scanners
Post by: Rick on May 15, 2014, 12:43:02 PM
What that shows me is the Callcentric number with the extension after it, and when I used that it didn't ring at all. 

I guess I'll worry about it when I start getting callers in the middle of the night on that line.
Title: Re: SIP scanners
Post by: azrobert on May 15, 2014, 01:01:42 PM
Try:
{>(1777xx.):ph}
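Added example (not part of any post, and not Obihai's parser): a simplified Python model of X_InboundCallRoute matching, built only from what the posts in this thread describe and run against constructed calls. It assumes rules are tried left to right with the first match winning, that `?` means no caller ID, that `@` is any one character, and that a trailing `.` means zero or more repeats; all phone numbers and user names below are made up.

```python
import re

def _split_outside_quotes(text, sep):
    """Split text on sep, ignoring separators inside 'single quotes'."""
    parts, cur, quoted = [], [], False
    for ch in text:
        if ch == "'":
            quoted = not quoted
        if ch == sep and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return parts

def _pattern_to_regex(pattern):
    """Translate one alternative, e.g. "u's'@." or "1777xx.", into a regex."""
    out, i = [], 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "'":                       # quoted literal such as 's'
            end = pattern.index("'", i + 1)
            atom = re.escape(pattern[i + 1:end])
            i = end + 1
        elif ch == "x":                     # one digit
            atom, i = r"\d", i + 1
        elif ch == "@":                     # assumption: any one character
            atom, i = ".", i + 1
        elif ch == "s":                     # reserved per the thread; must be quoted
            raise ValueError("unquoted reserved character 's' in %r" % pattern)
        else:                               # everything else is taken literally
            atom, i = re.escape(ch), i + 1
        if i < len(pattern) and pattern[i] == ".":
            atom, i = "(?:%s)*" % atom, i + 1   # "x." / "@." = zero or more
        out.append(atom)
    return re.compile("".join(out))

def _matches(spec, value):
    """True if value matches any '|' alternative; an empty spec matches all."""
    spec = spec.strip()
    if spec.startswith("(") and spec.endswith(")"):
        spec = spec[1:-1]
    if not spec:
        return True
    alts = _split_outside_quotes(spec, "|")
    compiled = [None if a == "?" else _pattern_to_regex(a) for a in alts]
    for rx in compiled:
        if rx is None:                      # "?" = call without caller ID
            if not value:
                return True
        elif value and rx.fullmatch(value):
            return True
    return False

def route_call(inbound_route, caller, callee):
    """Return the terminals that ring; an empty list means the call is dropped.

    caller is the Peer Number (None if absent); callee is the user ID the
    incoming INVITE was addressed to.
    """
    for body in re.findall(r"\{([^{}]*)\}", inbound_route):
        parts = _split_outside_quotes(body, ":")
        if len(parts) == 1:                 # bare rule such as {ph}
            peering, terminals = "", parts[0]
        else:
            peering, terminals = parts[0], ":".join(parts[1:])
        sides = _split_outside_quotes(peering, ">")
        caller_spec = sides[0]
        callee_spec = sides[1] if len(sides) > 1 else ""
        if _matches(caller_spec, caller) and _matches(callee_spec, callee):
            return [t for t in terminals.split(",") if t]
    return []                               # no rule matched

# Route strings as posted in the thread; account names are constructed.
SHORT_CID_BLOCK = "{(x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph}"
PRIV_PLUS_OLEG = "{(Priv@@.):},{>(GV18005550100):ph}"
NAMED_SCANNERS = "{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|u's'@.|abc@.):},{ph,ph2}"
OLEG_WITH_EXTENSION = "{>(1777xx.):ph}"

if __name__ == "__main__":
    # Constructed calls: (route, caller, callee)
    for route, caller, callee in [
        (SHORT_CID_BLOCK, "1001", "17775550100"),
        (SHORT_CID_BLOCK, "18005550123", "17775550100"),
        (PRIV_PLUS_OLEG, "18005550123", "1000"),
        (OLEG_WITH_EXTENSION, "18005550123", "17775550100101"),
    ]:
        print(route, caller, callee, "->", route_call(route, caller, callee))
```

In this model a scan addressed to a guessed user such as `1000` never rings under a `>` rule regardless of its caller ID, which is why the callee check needs no list of scanner names to maintain.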
Title: Re: SIP scanners
Post by: Rick on May 15, 2014, 01:08:38 PM
Thanks, that worked (i.e. call came through).

So that restricts it to receiving Callcentric calls only, correct?  Appreciate it.

Now I have to figure out how to setup a Voice Gateway for all my outbound calls to automatically use the gateway, not SP1 or SP2  :)
Title: Re: SIP scanners
Post by: Shale on May 19, 2014, 07:51:11 AM
Quote from: Rick on May 15, 2014, 01:08:38 PM
Thanks, that worked (i.e. call came through).

So that restricts it to receiving Callcentric calls only, correct?  Appreciate it.

Now I have to figure out how to setup a Voice Gateway for all my outbound calls to automatically use the gateway, not SP1 or SP2  :)
Depends on what you mean by a Callcentric call. Non-Callcentric users will be able to dial your phone number that is served by Callcentric.

Regarding gateway, set it up to test first.

On phone OutboundCallRoute, I think that is processed left to right. So if you add {(Mvg1):vg1}, after your 911 processing and after your **1, **2 etc processing, and before other things that you want to have less precedence, then if the number matches the DigitMap for VG1, then the number will be sent out on the VG1 service. If it does not, then the next thing in the routing will be processed. The last thing in the OutboundCallRoute would normally be ,{(Mpli):pli} -- so that things that don't match the special cases go out on the Primary Line.

If VG1 were a choice for your Primary Line, you could just select that. It looks like you could maybe put VG1 into a trunk group and make that the Primary. I have not tried trunk groups.


Title: Re: SIP scanners
Post by: Rick on May 19, 2014, 10:45:04 AM
I guess I have to set aside a few hours to get this done.  Basically I want 911 and 933 to go out on SP2, and ANY OTHER CALL to go out on a Voice Gateway that I'll set up with a cheap outbound service.  So the Outbound Call Route should be fairly short and simple.
Title: Re: SIP scanners
Post by: pvpham on July 01, 2014, 08:04:21 AM
Hi,

Due to my ignorance, I am totally lost reading these posts. I would like to implement Oleg's method to block Sip scanner.

I currently have PhonePower on Sp1, CallCentric on Sp2.

My X_InboundCallRoute is now like this: {my_CC_ID>(Msp1):sp1},{101>1777xxxxxxx:aa},{ph}

I recalled the above setting is to ring my cell phone .

How do I implement the Oleg's string to my X_InboundCallRoute .

Thanks
Title: Re: SIP scanners
Post by: DPMc on December 18, 2015, 07:15:09 AM
Dear ObiHai,

I can not find the way to make the change as outlined in part 2 of the instructions on the first post in this page. Would you please tell me where to find it on the ObiTalk 100?

2. A more fool-proof method is to enable the parameter: X_EnforceRequestUserID. This parameter is under SPn in the SIP Credentials section.   What this does, is it makes sure the incoming INVITE has a User ID that matches the User ID of your SIP service account. If it does not match, the INVITE will be rejected and the phone will not ring.  Enabling this parameter will maintain normal voice service as well as block SIP scanners. Notes:  Some service providers do not adhere to this rule. This parameter is not available on the OBi100 and OBi110 devices.
http://www.obitalk.com/obinet/pg/obhdev/config/2251269/advcfg_VS_1_VP_1_L_1_?inst=1


Title: Re: SIP scanners
Post by: Mango on December 18, 2015, 07:57:54 AM
X_EnforceRequestUserID is a feature not available on the OBi1 series.  For the same behaviour, set your SPx Service X_InboundCallRoute to: {>Insert your AuthUserName here:ph}

However, I disagree that this is a "more fool-proof method".  With this method, the OBi will still accept, then reject the scanning traffic, indicating to a hacker that a device is present.  If one day someone finds an exploit in OBi devices, all devices using this method will be hacked fairly quickly and most likely used to make expensive long distance calls.

The best way to prevent SIP scanners is with a firewall.  In this case, the hacker will have no indication that VoIP equipment exists.  Never use port forwarding or DMZ with any VoIP equipment as this disables your firewall.  If you don't use port forwarding or DMZ and still receive scanning calls, you should consider replacing your router with a more secure one, such as any router with Tomato firmware: http://tomato.groov.pl/?page_id=69
Title: Re: SIP scanners
Post by: ScottS on February 10, 2018, 03:11:41 PM
Hi, where is this setting in the Obi302> "EnforceRequestUserID" ?

Quote from: lacibaci on September 06, 2012, 05:50:04 AM
A more fool-proof method is to enable the parameter: X_. This parameter is under SPn in the SIP Credentials section.   What this does, is it makes sure the incoming INVITE has a User ID that matches the User ID of your SIP service account. If it does not match, the INVITE will be rejected and the phone will not ring.  Enabling this parameter will maintain normal voice service as well as block SIP scanners. Notes:  Some service providers do not adhere to this rule. This parameter is not available on the OBi100 and OBi110 devices.

[End: Obihai Support Response]


Title: Re: SIP scanners
Post by: Taoman on February 10, 2018, 03:45:58 PM
Quote from: ScottS on February 10, 2018, 03:11:41 PM
Hi, where is this setting in the Obi302> "EnforceRequestUserID" ?


I only have the 1xx and 2xx series but I assume it would be in the same location:

Voice Services-->SPx Service-->SIP Credentials
Title: Re: SIP scanners
Post by: ScottS on February 12, 2018, 03:08:28 PM
yes TY! obiTalk parameter was unchecked by me.

found Inbound routing unchecked both and edited to block
& Have been using back up feature.
IF both Inbound routing boxes unchecked, it appears that line is not saved. I searched in wordpad but not found.
so started a text file to save that line.
What else should I do? I have several backups now JIC.  
TY!
Title: Re: SIP scanners
Post by: Taoman on February 12, 2018, 05:39:00 PM
Quote from: ScottS on February 12, 2018, 03:08:28 PM

What else should I do? 


Voice Services-->SPn Service-->X_AcceptSipFromRegistrarOnly

Check the box for that parameter.
Title: Re: SIP scanners
Post by: ScottS on April 02, 2018, 11:35:48 AM
Phonepower list setup 
Click the Enter OBi Expert button.
• On the left hand side of the new page, expand the menu for Service Providers by clicking on it.
• Click on ITSP Profile A SIP.
• Scroll down until you see the section for X_AccessList.
• Click the box on the checked box on the far right to uncheck the box.
• In the text entry box to the right of "X_AccessList" please enter

   208.64.8.6,206.15.130.6,206.15.150.6

Works on my OBi302s w/ latest firmware

Quote from: lacibaci on September 06, 2012, 05:50:04 AM
Is there a way of preventing SIP scanners from ringing my phone at night?....
...
Title: Re: SIP scanners
Post by: flamaest@gmail.com on May 27, 2018, 12:44:48 PM
Quote from: ScottS on April 02, 2018, 11:35:48 AM
Phonepower list setup
• Click the Enter OBi Expert button.
• On the left-hand side of the new page, expand the menu for Service Providers by clicking on it.
• Click on ITSP Profile A SIP.
• Scroll down until you see the section for X_AccessList.
• Click the box on the checked box on the far right to uncheck the box.
• In the text entry box to the right of "X_AccessList" please enter

   208.64.8.6,206.15.130.6,206.15.150.6

Works on my OBi302s w/ latest firmware

Quote from: lacibaci on September 06, 2012, 05:50:04 AM
Is there a way of preventing SIP scanners from ringing my phone at night?....
...

Can we please get these steps detailed for an OBIHAI 202 which is just using GVoice?  I turned off DMZ on my router and I still see {much less} phantom calls come in, but the ones that make it through into the obihai are sometimes at 2 or 3 am!  I am about to toss this thing in the garbage. 
Title: Re: SIP scanners
Post by: SteveInWA on May 27, 2018, 01:46:53 PM
All you need to do is to go to your OBiTALK dashboard page, click on your OBi 202, then get into Expert configuration mode.  In Expert mode, click on Voice Services, then click on the SPx that is using Google Voice.  Find the parameter on the right side of the page, "X_AcceptSIPFromRegistrarOnly", and enable it by adding a check mark.  You must remove both check marks to the right of the parameter to be able to edit it.  After check-marking it, scroll down and click the "Submit" button.  See the attached screenshot.

Note that this setting has been updated in the OBiTALK XML template for Google Voice, so that all new Google Voice configurations should already have this setting enabled.  Only users who configured Google Voice before the template was changed may need to manually fix it.
Title: Re: SIP scanners
Post by: flamaest@gmail.com on May 27, 2018, 02:03:22 PM
PERFECT THANKS!   This exact info should be on the top of this post IMHO.
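
Added example, not part of any post in this thread and not Obihai firmware code: a Python model of two checks discussed above, the X_AccessList source-address match and the X_EnforceRequestUserID match on the INVITE's user ID, run over constructed INVITE request lines. The account user ID, the device address and the "empty list accepts any source" behaviour are assumptions.

```python
import ipaddress
import re

# Constructed sample values (not from any real account).
ACCOUNT_USER_ID = "17775550123"
ACCESS_LIST = "208.64.8.6,206.15.130.6,206.15.150.6"  # list quoted in the thread

# Request line of an INVITE: optional user part, then host[:port].
REQUEST_LINE = re.compile(r"^INVITE\s+sips?:(?:([^@\s;>]+)@)?([^\s;>]+)", re.I)


def request_user(raw_invite):
    """Return the user part of the INVITE Request-URI, or None if absent or malformed."""
    first_line = raw_invite.lstrip().splitlines()[0] if raw_invite.strip() else ""
    match = REQUEST_LINE.match(first_line)
    return match.group(1) if match else None


def parse_access_list(value):
    """Parse a comma-separated list of single IP addresses (no ranges)."""
    return {ipaddress.ip_address(item.strip()) for item in value.split(",") if item.strip()}


def screen_invite(raw_invite, source_ip, user_id=ACCOUNT_USER_ID, access_list=ACCESS_LIST):
    """Return (accepted, reason) for one inbound INVITE under both checks."""
    allowed = parse_access_list(access_list)
    # Assumption: an empty access list means any source address is accepted.
    if allowed and ipaddress.ip_address(source_ip) not in allowed:
        return False, "source not in access list"
    if request_user(raw_invite) != user_id:
        return False, "request user ID mismatch"
    return True, "accepted"


# Constructed INVITEs: one addressed to the account, two with guessed extensions.
SAMPLES = [
    ("INVITE sip:17775550123@192.0.2.10:35060 SIP/2.0\r\n", "208.64.8.6"),
    ("INVITE sip:100@192.0.2.10:5060 SIP/2.0\r\n", "203.0.113.77"),
    ("INVITE sip:1001@192.0.2.10 SIP/2.0\r\n", "208.64.8.6"),
]

if __name__ == "__main__":
    for invite, src in SAMPLES:
        print(src, invite.split()[1], screen_invite(invite, src))
```

The second sample is rejected on source address alone; with an empty access list it is still rejected, because its guessed extension does not match the account's user ID.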