SIP scanners

Started by lacibaci, September 06, 2012, 05:50:04 AM

kevin8629

Quote from: ianobi on September 21, 2012, 12:52:13 AM
kevin8629,

I guess you are making changes using the web page. Your changes are being overwritten by the OBi Portal. Read this:

http://www.obitalk.com/forum/index.php?topic=61.msg109#msg109

I suggest you use the OBi Portal via the expert pages at least until you get familiar with the OBi. Click on your OBi device on the Dashboard and follow prompts to get to the Expert Pages.

I'm going to assume you do changes from the portal via the expert pages. To make a change to a value uncheck both boxes to the right of that value, leave them unchecked, make your changes, then press submit and wait for the OBi to reboot. Each page needs a submit/reboot before you move to another page.



Thanks for your help and the link.  I was able to make the changes and I think I learned a little too ;D

corporate_gadfly

Quote from: ianobi on September 09, 2012, 11:37:47 PM
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well  :)
Thanks in advance for any replies.

I have an obi202. The default X_InboundCallRoute for obi202 is ph,ph2.

So, keeping in mind that it is an obi202 and with the added requirement to reject calls from 1-800 numbers ala {(1800xx.|1888xx.):}, what changes should I make?

Would something like this be appropriate?
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{(1800xx.|1888xx.):},{ph,ph2}

Cheers,

ianobi

corporate_gadfly,

Your format works fine, or you could just add to the original rule:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.|1800xx.|1888xx.):},{ph,ph2}

Each X_InboundCallRoute needs its own rule. The "standard" rule I proposed just happened to suit my set-up. Looks like it is useful to lots of other OBi users, but be careful not to ban callers you might want to talk to.

flex25

Thanks ianobi, I put your string in X_InboundCallRoute, and added 7, 8, and 9-digit numbers, because I am in a 10-digit calling area.  I also changed X_UserAgentPort to 5070 for SP1 and 5071 for SP2.  I tested at every step, and it all seems to be working. 

Does anyone know if it is possible to use an even more obscure port in the SIP port range of 5060 to 5080, such as 5078 or 5067?  Other users on this forum routinely recommend changing 5060 to 5070, but would any port number between 5060 and 5080 work?  Also, do people using SIP scanners check the port range 5060-5080, or must they check one port at a time?  If they can check a port range, it seems to me that they would check the full SIP range 5060-5080, and changing the port wouldn't stop them from ringing my phone.

Thanks.  I am hopeful these changes will stop the SIP scanners.

QBZappy

flex25,

Quote from: flex25 on October 19, 2012, 03:27:53 PM
Does anyone know if it is possible to use an even more obsure port in the SIP port range of 5060 to 5080, such as 5078 or 5067?  Other users on this forum routinely recommend changing 5060 to 5070, but would any port number between 5060 and 5080 work? 

I believe that X_UserAgentPort can be any port number you like. If you have ever looked at a sip trace you will be able to see ip:port number in the headers. You may need to test if you need port forwarding.

Sample wireshark trace (partial):
Eyebeam (Softphone) SUCCESSFUL

SUBSCRIBE sip:105@172.16.240.3:5080 SIP/2.0
Via: SIP/2.0/UDP 172.16.240.101:1614;branch=z9hG4bK-d8754z-3560f947510b5a43-1---d8754z-;rport
Max-Forwards: 70
Contact: <sip:105@172.16.240.101:1614>   <----------- Note the softphone user agent port number
To: "100Eyebeam"<sip:105@172.16.240.3:5080>
From: "100Eyebeam"<sip:105@172.16.240.3:5080>;tag=df48580b
Call-ID: ZGQxMGRkOTUwMWNjMjljOGI5Yjk2N2RkZjNkMWUwMGE.
CSeq: 2 SUBSCRIBE
Expires: 300
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, NOTIFY, MESSAGE, SUBSCRIBE, INFO
User-Agent: eyeBeam release 1102q stamp 51814
Authorization: Digest username="105",realm="5024",nonce="0079de5c",uri="sip:105@172.16.240.3:5080",response="87e08ac88637156c4fd2a098157408fa",algorithm=MD5
Event: message-summary
Content-Length: 0
Owner of the 1st OBi110/100 units in service in Canada & South America. 1st OBi202 on my street. 1st OBi1032 in Montreal.
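To make the "ip:port in the headers" point concrete, here is an added Python example (not code from the thread, from Obihai or from eyeBeam) that parses a SIP request like the trace above and pulls host:port out of the Request-URI, the Via header and the Contact header, which is where the softphone's user-agent port (1614 here) shows up. The sample message is a constructed copy of the partial trace quoted above with the arrow annotation removed; the parser handles only IPv4 or hostname addresses (no bracketed IPv6), takes the first Via when several are present, and defaults a missing port to 5060 as the SIP standard does.

```python
import re

# Constructed copy of the partial eyeBeam SUBSCRIBE shown in the post above
# (annotation removed).  Not a live capture.
SAMPLE = "\r\n".join([
    "SUBSCRIBE sip:105@172.16.240.3:5080 SIP/2.0",
    "Via: SIP/2.0/UDP 172.16.240.101:1614;branch=z9hG4bK-d8754z-3560f947510b5a43-1---d8754z-;rport",
    "Max-Forwards: 70",
    "Contact: <sip:105@172.16.240.101:1614>",
    'To: "100Eyebeam"<sip:105@172.16.240.3:5080>',
    'From: "100Eyebeam"<sip:105@172.16.240.3:5080>;tag=df48580b',
    "Call-ID: ZGQxMGRkOTUwMWNjMjljOGI5Yjk2N2RkZjNkMWUwMGE.",
    "CSeq: 2 SUBSCRIBE",
    "Expires: 300",
    "User-Agent: eyeBeam release 1102q stamp 51814",
    "Event: message-summary",
    "Content-Length: 0",
    "", "",
])


def parse_sip(text):
    """Split a SIP message into start line, header dict (lowercased names,
    list of values so repeated headers such as Via are kept) and body."""
    text = text.replace("\r\n", "\n")
    head, _, body = text.partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return {"start_line": lines[0], "headers": headers, "body": body}


def host_port(addr, default=5060):
    """'host[:port]' -> (host, port); IPv4/hostname only."""
    host, _, port = addr.partition(":")
    return host, int(port) if port else default


def uri_host_port(uri):
    """'sip:user@host:port;params' or '"Name"<sip:...>;tag=..' -> (host, port)."""
    uri = uri.strip()
    m = re.search(r"<([^>]+)>", uri)
    if m:
        uri = m.group(1)
    uri = uri.split(";", 1)[0]           # drop URI/header parameters
    for scheme in ("sips:", "sip:"):
        if uri.lower().startswith(scheme):
            uri = uri[len(scheme):]
            break
    return host_port(uri.rsplit("@", 1)[-1])


def via_host_port(via):
    """'SIP/2.0/UDP host:port;branch=...' -> (host, port) of the sent-by field."""
    sent_by = via.split(None, 1)[1].split(";", 1)[0]
    return host_port(sent_by)


def endpoint_ports(text):
    """Where the request is going and which host:port the sender advertises."""
    msg = parse_sip(text)
    method, request_uri, _ = msg["start_line"].split(" ", 2)
    h = msg["headers"]
    return {
        "method": method,
        "target": uri_host_port(request_uri),      # server side (5080 here)
        "via": via_host_port(h["via"][0]),         # sender's user-agent port
        "contact": uri_host_port(h["contact"][0]), # where replies/requests go
        "user_agent": h.get("user-agent", [""])[0],
    }


if __name__ == "__main__":
    for key, value in endpoint_ports(SAMPLE).items():
        print("%-10s %s" % (key, value))
```

Whatever value X_UserAgentPort is set to, it appears in the Via and Contact headers of every request the device sends, so any party that receives one learns the port; the port is obscurity, not a secret.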

Kaytor

Does the inboundcallroute change potentially block a call back from a 911 operator? I'm not sure if the 911 callback would be 7 digits.

adamb2k12

That is a really good point Kaytor. We should definitely prepend this rule set with

{911:ph},

That will ensure that a call coming from 911 is allowed through.  I've only received bad calls from 3 digit numbers and 555-0000 so far, so my rule looks like this (now with the 911 rule):

{911:ph},{(xxx|555x.):},{ph}

This basically allows 911 no matter what, and blocks any other 3 digit # and anything starting with 555.

QBZappy

Quote from: adamb2k12 on November 01, 2012, 06:59:23 AM
That will ensure that a call coming from 911 is allowed through. 

It's unlikely that the return CID will show up as 911. There is no easy solution for this. I think you might get various different CIDs such as UNKNOWN, PRIVATE, etc..

CoalMinerRetired

Quote from: QBZappy on November 01, 2012, 07:51:50 AM
Quote from: adamb2k12 on November 01, 2012, 06:59:23 AM
That will ensure that a call coming from 911 is allowed through. 

It's unlikely that the return CID will show up as 911. There is no easy solution for this. I think you might get various different CIDs such as UNKNOWN, PRIVATE, etc..


I need to point out that the Obi -- at least IME on my Obi202 -- does not display PRIVATE, UNKNOWN or ANONYMOUS.  All I see are two blank lines, where the number and the name usually are. See this and this.

If you are seeing a different behavior, reply in those linked threads.

ianobi

I agree. I have never seen PRIVATE, UNKNOWN or ANONYMOUS showing up as a Peer Number in an OBi. However, OBi will accept all of those or any other combination of letters and numbers, and use it as a Peer Number for routing etc.

I guess it all depends on what the hundreds of service providers (or scammers using scanners) wish to send as a Caller ID. I have seen "TEST" sent, I'm not sure if that was scanners or a genuine test call arriving at the wrong place!



rsriram22

Quote from: ianobi on September 06, 2012, 09:38:15 AM
It may be worth looking at Peer Number in Call History to see what the scanners identity looks like. The scanners calling me at 2am used numbers like 100, 1000, 1001. I put this rule in one of my X_InboundCallRoute:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx):} ...

It bans any blank caller id and any caller id less that seven digits. It's been working for me for a long time. Also can be worth changing your X_UserAgentPort from 5060 and 5061 to maybe 5070 and 5071.

I just had calls coming from 1000, 100 (during my daytime and a holiday). I did change the call route as suggested in this thread and changed my SP2 port, so let's see what happens.

What is weird is that syslog has entries coming from my OBi's LAN IP (LAN 192.168.1.x). Hackers are getting smarter by the day! OBi calling itself!!
I have two 100s and one 110.

Hortoristic

These SIP scanner calls, how do you know you're getting them?  When you answer, it just hangs up?

I'm getting calls from "From '0' SP1(0)" in my call history, and hangs up right away - does this look like a SIP scanner?

Also; what is the purpose of these folks doing this - are they collecting real phone numbers to give to telemarketers or what?  Wouldn't a robo call machine function the same way and just sit there and call a range of numbers, collecting the ones that were answered?

ianobi

Who and why is not easy to answer  ???  Is this really what you see in Call History > Peer Number:
From '0' SP1(0)
If so, then that's a new one! If it is an ongoing nuisance you could try something like this in the relevant InboundCallRoute:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|Fro@@.):},{ph}

See earlier in this thread for explanations.

giqcass

Even SIP devices can be used to hack your internal network if they aren't set up properly.  When someone is port scanning that's usually what they are trying to do.  They might not be looking for a SIP device at all.  They may be scanning all ports.  They may be looking for a specific SIP device that has a vulnerability.  Then they can hijack it to make outbound calls, steal passwords, etc.  The one thing you can be pretty sure of is whatever they plan to do it isn't going to benefit you.
Long live our new ObiLords!

QBZappy

giqcass,

You wonder why these guys just don't get themselves a free GV account. It would save everyone a lot of work.  :D

Hortoristic

Don't they just need to push out a valid caller id  to bypass this string?

ianobi

Hortoristic,

That's true, but oddly they don't seem to do that very often. Users still report Caller IDs of "1000", "100" etc. Experience seems to show that some version of that string, together with changing X_UserAgentPort from 5060, 5061 etc. to maybe 5070, 5071 etc., works.

Hortoristic

Are we limited to what VoIP Ports we can use, can we use some really weird port numbers?

ianobi

I once asked Stewart exactly that question (he knows more about routers etc than me). He said in theory you can use any port you wish. I assume it has to be one not being used for something else.

Hortoristic

Someone posted this below. I see they mentioned it would ban, among other things, numbers less than seven digits, but my SIP account is mainly used for incoming UK numbers such as 447833384589. Will using the string below ban this also? I don't want it to:

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".
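As an added illustration (not code from this thread or from Obihai), the following Python matcher implements the small subset of OBi digit-map syntax the rules in this thread use (x, @, ?, . and | alternatives) and walks an X_InboundCallRoute string the way the posts describe it: rules are tried left to right, the first match wins, and an empty target rejects the call. The meanings of x, ?, and . follow ianobi's explanations above; that @ matches exactly one alphanumeric character, that matching is case-sensitive, and that a call matching no rule at all is rejected are assumptions of this example rather than anything the thread states. It serves ianobi's combined rule, adamb2k12's 911 rule and the question just above about a 12-digit UK number: run it with any Peer Number seen in Call History to see where each rule sends it.

```python
import re

# Rules quoted in the thread (copied from the posts above).
THREAD_RULE = "{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.|1800xx.|1888xx.):},{ph,ph2}"
RULE_911 = "{911:ph},{(xxx|555x.):},{ph}"

# Constructed Peer Numbers to try; the scanner-style ones match what posters report.
SAMPLE_PEERS = ["", "100", "1000", "unknown", "anonymous", "TEST",
                "18005551212", "5551234", "5550000", "911", "447833384589"]


def digitmap_to_regex(alt):
    """Translate one digit-map alternative into a Python regex fragment.

    Assumed semantics (see lead-in):
      x  one digit            @  one alphanumeric character
      ?  the empty string     .  zero or more repeats of the element before it
      any other character is a literal (matched case-sensitively)
    """
    parts = []
    for ch in alt:
        if ch == "x":
            parts.append("[0-9]")
        elif ch == "@":
            parts.append("[0-9A-Za-z]")
        elif ch == "?":
            parts.append("")
        elif ch == ".":
            if not parts or parts[-1] == "":
                raise ValueError("'.' must follow a repeatable element in %r" % alt)
            parts[-1] += "*"
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


def parse_route(route):
    """Split an X_InboundCallRoute into [(compiled pattern or None, target)].

    Each rule is {pattern:target} or {target}; a rule without a pattern matches
    every call.  Caller-ID (>) and number-translation syntax is not handled."""
    rules = []
    for body in re.findall(r"\{([^{}]*)\}", route):
        if ":" in body:
            pattern, _, target = body.partition(":")
            pattern = pattern.strip()
            if pattern.startswith("(") and pattern.endswith(")"):
                pattern = pattern[1:-1]
            if ">" in pattern:
                raise ValueError("unsupported rule syntax: %r" % body)
            alts = [digitmap_to_regex(a) for a in pattern.split("|")]
            compiled = re.compile("(?:" + "|".join(alts) + ")")
        else:
            compiled, target = None, body
        rules.append((compiled, target.strip()))
    return rules


def route_call(route, peer_number):
    """Target of the first matching rule, or None if the call is rejected."""
    for compiled, target in parse_route(route):
        if compiled is None or compiled.fullmatch(peer_number):
            return target or None          # empty target = reject
    return None                            # assumption: no match = reject


def evaluate(route, peer_numbers):
    """Map each Peer Number to where the route sends it (None = rejected)."""
    return {n: route_call(route, n) for n in peer_numbers}


if __name__ == "__main__":
    for name, route in (("thread rule", THREAD_RULE), ("911 rule", RULE_911)):
        print(name, route)
        for peer, target in evaluate(route, SAMPLE_PEERS).items():
            print("  %-14r -> %s" % (peer, target or "rejected"))
```

Two things the table makes visible that are easy to miss when reading the rule by eye: a twelve-digit number such as 447833384589 is longer than the six-digit cap and so falls through to the ph target, and a letters-only Peer Number like "TEST" matches none of the digit patterns and also rings through.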