News:

On Tuesday September 6th the forum will be down for maintenance from 9:30 PM to 11:59 PM PDT

Main Menu

SIP scanners

Started by lacibaci, September 06, 2012, 05:50:04 AM

Previous topic - Next topic

lacibaci

Is there a way of preventing SIP scanners from ringing my phone at night?

I tried looking into X_AccessList to limit incoming calls only from Callcentric but the inability of OBi100 to specify range makes it impossible (CC range is 204.11.192.0/22)

Maybe there is way to restrict calls coming from registered server using X_InboundCallRoute?

[Obihai Support Response]

There are several ways to block SIP scanners. Here are two common ways:

1. A simple way to thwart SIP scanners is to change the SP1 X_UserAgentPort to a non-standard value, such as 35060.   If you have multiple SIP services running on your OBi, remember to make sure each SPn uses a different User Agent port. This trick will stop most SIP scanners if they are only targeting the commonly used port 5060.

2. A more fool-proof method is to enable the parameter: X_EnforceRequestUserID. This parameter is under SPn in the SIP Credentials section.   What this does, is it makes sure the incoming INVITE has a User ID that matches the User ID of your SIP service account. If it does not match, the INVITE will be rejected and the phone will not ring.  Enabling this parameter will maintain normal voice service as well as block SIP scanners. Notes:  Some service providers do not adhere to this rule. This parameter is not available on the OBi100 and OBi110 devices.


[End: Obihai Support Response]


Ostracus

An idea. Some routers basically have a "parental" feature were one can turn on and off access to a particular IP address on a time basis. In this case it could be an Obi unit. Give your unit a static address and see if denying access during your night hours helps?

lacibaci

Yes, I could do this.  I could also create a firewall rule to disable all traffic to OBi except Callcentric IP range.  I was hoping for a cleaner solution though.

It would be awesome if OBi had a setting "AllowCallsFromRegisteredServers"

ianobi

It may be worth looking at Peer Number in Call History to see what the scanners identity looks like. The scanners calling me at 2am used numbers like 100, 1000, 1001. I put this rule in one of my X_InboundCallRoute:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):} ...

It bans any blank caller id and any caller id less that seven digits. It's been working for me for a long time. Also can be worth changing your X_UserAgentPort from 5060 and 5061 to maybe 5070 and 5071.

lacibaci

X_InboundCallRoute seems like a good enough temporary solution.  One more question: Does it get logged when it matches?

ianobi

No. The failed calls do not get logged. In effect they do not get into your Obi, so nothing is recorded. You know it's working because you sleep better  :)

lacibaci

Ok, something weird happened. I disabled SP2 and OBiTALK and I haven't gotten single rogue ring.  Go figure...

ianobi

It would be interesting to look in Call History to see exactly where the rogue calls were coming from. You have to access the OBi directly to see Call History. Dial ***1 to get the ip address. It will show the last 200 calls.

lacibaci

It does show that all of them came through SP1.  Is it possible that when SP2 and OBiTALK are enabled (even if not configured or used) opens OBi100 enough so that it is vulnerable to these scans?

ianobi

Do the calls appear in your Callcentric log? I'm guessing probably not. I think the scanners are dialling random IP addresses and testing port 5060, which is default for most SIP devices and default for X_UserAgentPort on the OBi for sp1. You could change the X_UserAgentPort to 5070.

I cannot see any reason why enabling sp2 and OBiTALK should make any difference, but I'm not an expert with router type config settings.

ProfTech

If disabling Obitalk solved your issue that's great, however even though the Obi doesn't allow the nomenclature 204.11.192.0/22 in the access list, I simply manually entered the addresses 204.11.192.20 thru .39 in my access list and haven't seen a problem. I think the field allows 512 characters and those are the only IP's I've seen pop up as registered. Just list the IP addresses with a comma separating each one and no spaces in the list.

lacibaci

Ok. BTW, Callcentric just sent me their updated list:

204.11.192.0/24 (204.11.192.0 - 204.11.192.255)
66.193.176.0/24 (66.193.176.0 - 66.193.176.255)

tome

Quote from: ianobi on September 06, 2012, 09:38:15 AM
It may be worth looking at Peer Number in Call History to see what the scanners identity looks like. The scanners calling me at 2am used numbers like 100, 1000, 1001. I put this rule in one of my X_InboundCallRoute:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):} ...

It bans any blank caller id and any caller id less that seven digits. It's been working for me for a long time. Also can be worth changing your X_UserAgentPort from 5060 and 5061 to maybe 5070 and 5071.

I have gotten calls from odd numbers like "1" or "100" at stupid times.  I also get ones from "unknown" as well.  I would love to stop these.

First, for the X_InboundCallRoute are you talking about
Voice Services -> SP2 Serivce -> X_InboundCallRoute ?
And if so, I currently have "ph" (minus the quotes) in that place.  Should I leave ph or add it to the end of what you have or delete it....?

For example when I am done should it read as below?
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):ph}

Second, will this also stop the "unknown" calls?

Below are a couple calls from my log:
http://bgp.nu/~tom/pub/badcall1.jpg
http://bgp.nu/~tom/pub/badcall2.jpg

lacibaci

If your current entry is ph or {ph} change it to:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph}

Lac

tome

Quote from: lacibaci on September 09, 2012, 12:28:02 PM
If your current entry is ph or {ph} change it to:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):},{ph}

Lac


Thanks. Should I add this to both SP1 and SP2 or just SP2.  ph, says ring the Phone Port if I am not mistaken, yes?  So if I have it blank, as you do, is ph implied?

Also do you know how to also get rid of calls from "unknown"?

Tom

lacibaci

If you have two providers set it for both, sp1 and sp2. I have only one (Callcentric) so I set it on sp1 only.

ianobi

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well  :)

tome

Quote from: ianobi on September 09, 2012, 11:37:47 PM
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well  :)

Yay, I will!  Thanks!
Tom

kevin8629

Quote from: ianobi on September 09, 2012, 11:37:47 PM
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well  :)
What am I doing wrong.  I keep cutting and pasting this into inbound call route.  I submit changes and then reboot.  Its there, but when I close the window or change screens it goes back to ph and the box is check beside it again.  Please help

ianobi

kevin8629,

I guess you are making changes using the web page. Your changes are being over written by the OBi Portal. Read this:

http://www.obitalk.com/forum/index.php?topic=61.msg109#msg109

I suggest you use the OBi Portal via the expert pages at least until you get familiar with the OBi. Click on your OBi device on the Dashboard and follow prompts to get to the Expert Pages.

I'm going to assume you do changes from the portal via the expert pages. To make a change to a value uncheck both boxes to the right of that value, leave them unchecked, make your changes, then press submit and wait for the OBi to reboot. Each page needs a submit/reboot before you move to another page.