Author Topic: SIP scanners  (Read 790379 times)
kevin8629
Newbie
*
Posts: 5


« Reply #20 on: September 21, 2012, 10:30:18 am »

kevin8629,

I guess you are making changes using the web page. Your changes are being overwritten by the OBi Portal. Read this:

http://www.obitalk.com/forum/index.php?topic=61.msg109#msg109

I suggest you use the OBi Portal via the expert pages at least until you get familiar with the OBi. Click on your OBi device on the Dashboard and follow prompts to get to the Expert Pages.

I'm going to assume you do changes from the portal via the expert pages. To make a change to a value uncheck both boxes to the right of that value, leave them unchecked, make your changes, then press submit and wait for the OBi to reboot. Each page needs a submit/reboot before you move to another page.



Thanks for your help and the link. I was able to make the changes and I think I learned a little too.
Logged
corporate_gadfly
Jr. Member
**
Posts: 67


« Reply #21 on: September 23, 2012, 03:08:44 pm »

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well.
Thanks in advance for any replies.

I have an obi202. The default X_InboundCallRoute for obi202 is ph,ph2.

So, keeping in mind that it is an obi202 and with the added requirement to reject calls from 1-800 numbers ala {(1800xx.|1888xx.):}, what changes should I make?

Would something like this be appropriate?
Code:
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{(1800xx.|1888xx.):},{ph,ph2}

Cheers,
Logged
ianobi
Hero Member & Beta Tester
*****
Posts: 1828


« Reply #22 on: September 24, 2012, 12:47:51 am »

corporate_gadfly,

Your format works fine, or you could just add to the original rule:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.|1800xx.|1888xx.):},{ph,ph2}

Each X_InboundCallRoute needs its own rule. The "standard" rule I proposed just happened to suit my setup. Looks like it is useful to lots of other OBi users, but be careful not to ban callers you might want to talk to.
Logged
flex25
Jr. Member
**
Posts: 30


« Reply #23 on: October 19, 2012, 03:27:53 pm »

Thanks ianobi, I put your string in X_InboundCallRoute, and added 7, 8, and 9-digit numbers, because I am in a 10-digit calling area.  I also changed X_UserAgentPort to 5070 for SP1 and 5071 for SP2.  I tested at every step, and it all seems to be working. 

Does anyone know if it is possible to use an even more obscure port in the SIP port range of 5060 to 5080, such as 5078 or 5067?  Other users on this forum routinely recommend changing 5060 to 5070, but would any port number between 5060 and 5080 work?  Also, do people using SIP scanners check the port range 5060-5080, or must they check one port at a time?  If they can check a port range, it seems to me that they would check the full SIP range 5060-5080, and changing the port wouldn't stop them from ringing my phone.

Thanks.  I am hopeful these changes will stop the SIP scanners.
Logged
QBZappy
Hero Member & Beta Tester
*****
Posts: 2317



« Reply #24 on: October 19, 2012, 04:35:34 pm »

flex25,

Does anyone know if it is possible to use an even more obscure port in the SIP port range of 5060 to 5080, such as 5078 or 5067?  Other users on this forum routinely recommend changing 5060 to 5070, but would any port number between 5060 and 5080 work?

I believe that X_UserAgentPort can be any port number you like. If you have ever looked at a SIP trace you will be able to see ip:port number in the headers. You may need to test if you need port forwarding.

Sample Wireshark trace (partial):
Eyebeam (Softphone) SUCCESSFUL

SUBSCRIBE sip:105@172.16.240.3:5080 SIP/2.0
Via: SIP/2.0/UDP 172.16.240.101:1614;branch=z9hG4bK-d8754z-3560f947510b5a43-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:105@172.16.240.101:1614>   <----------- Note the softphone user agent port number
To: "100Eyebeam"<sip:105@172.16.240.3:5080>
From: "100Eyebeam"<sip:105@172.16.240.3:5080>;tag=df48580b
Call-ID: ZGQxMGRkOTUwMWNjMjljOGI5Yjk2N2RkZjNkMWUwMGE.
CSeq: 2 SUBSCRIBE
Expires: 300
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 1102q stamp 51814
Authorization: Digest username="105",realm="5024",nonce="0079de5c",uri="sip:105@172.16.240.3:5080",response="87e08ac88637156c4fd2a098157408fa",algorithm=MD5
Event: message-summary
Content-Length: 0
Logged

Owner of the 1st OBi110/100 units in service in Canada & South America. 1st OBi202 on my street. 1st OBi1032 in Montreal.
Kaytor
Newbie
*
Posts: 1


« Reply #25 on: October 24, 2012, 06:09:27 pm »

Does the inboundcallroute change potentially block a call back from a 911 operator? I'm not sure if the 911 callback would be 7 digits.
Logged
adamb2k12
Newbie
*
Posts: 4


« Reply #26 on: November 01, 2012, 06:59:23 am »

That is a really good point Kaytor. We should definitely prepend this rule set with

{911:ph},

That will ensure that a call coming from 911 is allowed through.  I've only received bad calls from 3 digit numbers and 555-0000 so far, so my rule looks like this (now with the 911 rule):

{911:ph},{(xxx|555x.):},{ph}

This basically allows 911 no matter what, and blocks any other 3 digit # and anything starting with 555.
« Last Edit: November 01, 2012, 07:15:16 am by adamb2k12 » Logged
QBZappy
Hero Member & Beta Tester
*****
Posts: 2317



« Reply #27 on: November 01, 2012, 07:51:50 am »

That will ensure that a call coming from 911 is allowed through. 

It's unlikely that the return CID will show up as 911. There is no easy solution for this. I think you might get various different CIDs such as UNKNOWN, PRIVATE, etc.
Logged

CoalMinerRetired
Hero Member
*****
Posts: 594


« Reply #28 on: November 01, 2012, 10:31:13 am »

That will ensure that a call coming from 911 is allowed through. 

It's unlikely that the return CID will show up as 911. There is no easy solution for this. I think you might get various different CIDs such as UNKNOWN, PRIVATE, etc.


I need to point out that the Obi -- at least IME on my Obi202 -- does not display PRIVATE, UNKNOWN or ANONYMOUS.  All I see are two blank lines, where the number and the name usually are. See this and this.

If you are seeing a different behavior, reply in those linked threads.
Logged
ianobi
Hero Member & Beta Tester
*****
Posts: 1828


« Reply #29 on: November 01, 2012, 10:51:44 am »

I agree. I have never seen PRIVATE, UNKNOWN or ANONYMOUS showing up as a Peer Number in an OBi. However, OBi will accept all of those or any other combination of letters and numbers, and use it as a Peer Number for routing etc.

I guess it all depends on what the hundreds of service providers (or scammers using scanners) wish to send as a Caller ID. I have seen "TEST" sent, I'm not sure if that was scanners or a genuine test call arriving at the wrong place!


Logged
rsriram22
Full Member
***
Posts: 97


« Reply #30 on: November 04, 2012, 07:44:05 am »

It may be worth looking at Peer Number in Call History to see what the scanners identity looks like. The scanners calling me at 2am used numbers like 100, 1000, 1001. I put this rule in one of my X_InboundCallRoute:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):} ...

It bans any blank caller id and any caller id less than seven digits. It's been working for me for a long time. Also can be worth changing your X_UserAgentPort from 5060 and 5061 to maybe 5070 and 5071.

I just had calls coming from 1000, 100 (during my daytime and a holiday). I did change the call route as suggested in this thread and changed my SP2 port, so let's see what happens.

What is weird is that syslog has entries coming from my OBi's LAN IP (LAN 192.168.1.x) -- hackers are getting smarter by the day! OBi calling itself!!
« Last Edit: November 04, 2012, 09:25:02 am by rsriram22 » Logged

have two 100s and one 110
Hortoristic
Sr. Member
****
Posts: 304


« Reply #31 on: November 08, 2012, 10:16:27 am »

These SIP scanner calls, how do you know you're getting them?  When you answer, it just hangs up?

I'm getting calls from "From '0' SP1(0)" in my call history, and hangs up right away - does this look like a SIP scanner?

Also, what is the purpose of these folks doing this - are they collecting real phone numbers to give to telemarketers or what?  Wouldn't a robo call machine function the same way and just sit there and call a range of numbers, collecting the ones that were answered?
Logged
ianobi
Hero Member & Beta Tester
*****
Posts: 1828


« Reply #32 on: November 08, 2012, 11:03:34 am »

Who and why is not easy to answer. Is this really what you see in Call History > Peer Number:
From '0' SP1(0)
If so, then that's a new one! If it is an ongoing nuisance you could try something like this in the relevant InboundCallRoute:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|Fro@@.):},{ph}

See earlier in this thread for explanations.
Logged
giqcass
Hero Member & Beta Tester
*****
Posts: 1429


« Reply #33 on: November 09, 2012, 04:04:42 pm »

Even SIP devices can be used to hack your internal network if they aren't set up properly.  When someone is port scanning that's usually what they are trying to do.  They might not be looking for a SIP device at all.  They may be scanning all ports.  They may be looking for a specific SIP device that has a vulnerability.  Then they can hijack it to make outbound calls, steal passwords, etc.  The one thing you can be pretty sure of is whatever they plan to do it isn't going to benefit you.
Logged

Register at e164.org and friends can use Sipbroker to call you from a regular telephone for free from almost any country.
DDNS hack for OBi
Old OBi? Want Ring.to?
QBZappy
Hero Member & Beta Tester
*****
Posts: 2317



« Reply #34 on: November 09, 2012, 06:48:14 pm »

giqcass,

You wonder why these guys just don't get themselves a free GV account. It would save everyone a lot of work.
Logged

Hortoristic
Sr. Member
****
Posts: 304


« Reply #35 on: November 10, 2012, 09:32:02 pm »

Don't they just need to push out a valid caller id  to bypass this string?
Logged
ianobi
Hero Member & Beta Tester
*****
Posts: 1828


« Reply #36 on: November 11, 2012, 03:51:20 am »

Hortoristic,

That's true, but oddly they don't seem to do that very often. Users still report Caller IDs of "1000", "100" etc. Experience seems to show that some version of that string and changing X_UserAgentPort from 5060, 5061 etc  to maybe 5070, 5071 etc seems to work.
Logged
Hortoristic
Sr. Member
****
Posts: 304


« Reply #37 on: November 11, 2012, 07:15:44 am »

Are we limited to what VoIP Ports we can use, can we use some really weird port numbers?
Logged
ianobi
Hero Member & Beta Tester
*****
Posts: 1828


« Reply #38 on: November 11, 2012, 07:54:43 am »

I once asked Stewart exactly that question (he knows more about routers etc than me). He said in theory you can use any port you wish. I assume it has to be one not being used for something else.
Logged
Hortoristic
Sr. Member
****
Posts: 304


« Reply #39 on: November 11, 2012, 08:21:46 pm »

Someone posted this below, I see they mentioned it would ban among other things, numbers less than seven digits - but my SIP account is mainly used for incoming UK numbers - such as 447833384589, will using below string ban this also - I don't want it to:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".
Logged
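
An added example, not part of any post in this thread and not OBi firmware code: a simplified Python model of the X_InboundCallRoute caller patterns quoted above, for checking which Peer Numbers a route would ban before loading it on the device. It assumes `x` is one digit, `@` one alphanumeric character, `.` repeats the previous element zero or more times, `?` matches an empty caller ID, and rules are tried left to right with an empty target meaning the call is banned; the function names and the `BLOCKED`/`NO-MATCH` labels are hypothetical.

```python
import re

def pattern_to_regex(pat):
    """Translate one caller pattern, e.g. 'un@@.', into a compiled regex."""
    if pat == "?":                       # assumed: '?' = empty caller ID
        return re.compile("")
    parts = []
    for ch in pat:
        if ch == "x":
            parts.append("[0-9]")        # any single digit
        elif ch == "@":
            parts.append("[0-9A-Za-z]")  # any single alphanumeric
        elif ch == "." and parts:
            parts[-1] += "*"             # previous element, zero or more times
        else:
            parts.append(re.escape(ch))  # literal character
    return re.compile("".join(parts))

def parse_route(route):
    """Split '{callers:target},{...}' into (patterns or None, target) rules."""
    rules = []
    for body in re.findall(r"\{([^{}]*)\}", route):
        callers, colon, target = body.rpartition(":")
        if not colon:                    # no caller part: matches every caller
            rules.append((None, body))
        else:
            pats = callers.strip("()").split("|")
            rules.append(([pattern_to_regex(p) for p in pats], target))
    return rules

def route_call(route, caller_id):
    """Return the first matching rule's target, or 'BLOCKED' if it is empty."""
    for pats, target in parse_route(route):
        if pats is None or any(p.fullmatch(caller_id) for p in pats):
            return target or "BLOCKED"
    return "NO-MATCH"

# Routes copied from the thread; caller IDs are constructed samples
# (plus the UK number quoted in reply #39).
BASIC = "{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}"
WITH_911 = "{911:ph},{(xxx|555x.):},{ph}"

if __name__ == "__main__":
    for cid in ["", "100", "1000", "unknown", "anonymous", "447833384589"]:
        print(repr(cid), "->", route_call(BASIC, cid))
    for cid in ["911", "100", "5550000", "2125551234"]:
        print(repr(cid), "->", route_call(WITH_911, cid))
```

Under these assumptions the twelve-digit UK number falls through to `{ph}`, and in the second route the order of the rules is what lets 911 through ahead of the three-digit ban.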