HOWTO: Thwarting SIP Scanners during Set-up

Started by Shale, March 11, 2013, 08:57:16 AM


pbd3mon

Hello everyone, thank you for taking the time to provide all of this information.  Like everyone else that ended up here I too fell victim to the middle of the night calls  >:(

Based on method #3 I tried to apply the X_AccessList IPs through OBiTalk but I was not successful.  The field will not allow me to input anything... The OBiTalk settings box is checked.  What am I doing wrong?

Also I see ITSP Profile A SIP and ITSP Profile B SIP, do both have to be provided with the IPs?

Thank you in advance for your help in this matter.

azrobert

#81
Quote
The OBiTalk settings box is checked.
Uncheck the box under OBiTalk Setting
Then uncheck the box under Device Default
Now change the value
Click Submit at the bottom of the page.
OBiTalk will download the configuration changes to the OBi and reboot it.

Quote
Also I see ITSP Profile A SIP and ITSP Profile B SIP, do both have to be provided with the IPs?
You only have to block scanners when you defined a SIP trunk for SP2. You don't have to do this for trunks defined as GV. GV uses the XMPP protocol. Define means you supplied a ProxyServer and an AuthUserName for a trunk.

pbd3mon

Quote from: azrobert on June 04, 2015, 07:59:03 AM

Uncheck the box under OBiTalk Setting
Then uncheck the box under Device Default
Now change the value
Click Submit at the bottom of the page.
OBiTalk will download the configuration changes to the OBi and reboot it.

Ahh, what got me was that once I unchecked the OBiTalk Setting box it automatically checked the other box which made me think it was one or the other.  Thank you, I feel pretty silly  :-[


Quote from: azrobert on June 04, 2015, 07:59:03 AM
You only have to block scanners when you defined a SIP trunk for SP2. You don't have to do this for trunks defined as GV. GV uses the XMPP protocol. Define means you supplied a ProxyServer and an AuthUserName for a trunk.

Got it, thank you once again for the quick reply.

infin8loop

I would suggest using option 2:
2. Change the (Voice Services)SPn Service->X_UserAgentPort ports for each SPn  to a number not in the 506x range. 

I was hit with a SIP scanner yesterday when the phone started ringing at 2am about every 4 minutes. The incoming number was 7 digits long but was changing.  I had blocks in place for 1 thru 6 digit numbers. I added a block for 7 digit numbers and the phone stopped ringing. However looking at the debug log I have running for the OBi I noticed the log file was unusually large.  Looking closer I noticed the SIP scanner had been beating the OBi to death for quite some time. Bogus INVITEs with incremented phone numbers that didn't ring the phone because they were less than 7 digits. It appears the OBi responded to the bogus INVITEs with one too many "SIP/2.0 503 Service Unavailable" messages. This was filling up the debug log. The incoming phone number wasn't a solid sequential increment but changing upward until it reached 7 digits and the phone rang.  I changed the X_UserAgentPort to outside the 506x range and that stopped the bogus traffic.  In this case port 5061 was the target on SP2 of an OBi110.  The point I'd like to make is, that if they find your open port they might just keep beating on it like they did mine. You won't know it unless the phone rings, but it's a lot of unnecessary traffic.  Just change the port to something that probably won't be scanned/found in the first place.  I updated my IPKall and Callcentric SIP URL forwards to the new port. I also added an email alert on the debug log that will notify me if it sees more than five "SIP/2.0 503 Service Unavailable" messages in an hour.
"This has not only been fun, it's been a major expense." - Gallagher
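The "more than five 503s in an hour" alert described in the post above, written out as a small log monitor. This is an added example, not infin8loop's script and not anything shipped by Obihai: the log line layout (an ISO timestamp followed by the SIP message line) and the sample lines are constructed for illustration, so `LINE_RE` must be adjusted to whatever your own syslog or debug capture actually writes. The detection itself is a sliding one-hour window over the timestamps of the 503 responses, raising one alert per burst rather than one per line.

```python
"""Flag bursts of 'SIP/2.0 503 Service Unavailable' in an OBi-style debug log.

Added example (not the forum poster's code, not Obihai's). The log format and
the sample lines below are constructed; real OBi debug output will differ.
"""
import re
from collections import deque
from datetime import datetime, timedelta

# Assumed line shape: "<YYYY-MM-DD HH:MM:SS> <message>" (constructed).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
MARKER = "SIP/2.0 503 Service Unavailable"
THRESHOLD = 5                 # the post's rule: alert on more than five per hour
WINDOW = timedelta(hours=1)

# Constructed sample: six 503s inside twenty minutes around 2am (a scanner
# walking through numbers), then a lone 503 hours later that should not alert.
SAMPLE_LOG = """\
2015-06-15 01:58:03 INVITE sip:1234567@203.0.113.10 SIP/2.0
2015-06-15 01:58:03 SIP/2.0 503 Service Unavailable
2015-06-15 02:02:11 INVITE sip:1234568@203.0.113.10 SIP/2.0
2015-06-15 02:02:11 SIP/2.0 503 Service Unavailable
2015-06-15 02:06:20 SIP/2.0 503 Service Unavailable
2015-06-15 02:10:29 SIP/2.0 503 Service Unavailable
2015-06-15 02:14:38 SIP/2.0 503 Service Unavailable
2015-06-15 02:18:47 SIP/2.0 503 Service Unavailable
2015-06-15 02:22:56 SIP/2.0 200 OK
2015-06-15 05:00:00 SIP/2.0 503 Service Unavailable
"""


def find_503_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return [(timestamp, count), ...]: one entry per burst, recorded at the
    moment the number of 503s inside the trailing window first exceeds
    `threshold`. The timestamp is an ISO string so callers need no datetime."""
    recent = deque()          # timestamps of 503s still inside the window
    alerts = []
    alerting = False          # suppress repeat alerts until the burst subsides
    for line in lines:
        m = LINE_RE.match(line)
        if not m or MARKER not in m.group("msg"):
            continue
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        recent.append(ts)
        while recent and ts - recent[0] > window:   # expire old entries
            recent.popleft()
        if len(recent) > threshold:
            if not alerting:
                alerts.append((ts.isoformat(sep=" "), len(recent)))
                alerting = True
        else:
            alerting = False
    return alerts


if __name__ == "__main__":
    for when, count in find_503_bursts(SAMPLE_LOG.splitlines()):
        print(f"ALERT {when}: {count} x 503 within the last hour")
```

Feeding the script from a file or a syslog pipe is a one-line change (`find_503_bursts(open(path))`), and the alert tuple is what you would hand to whatever mail or notification hook you already use.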

Mango

#84
Better yet, place your device behind a firewall.

There have been reports - very few, but not nonexistent - of scanners finding and attempting to exploit VoIP equipment with port numbers above 6000.  If your VoIP equipment is behind a restricted cone NAT firewall, the firewall will only allow traffic from your service provider to reach your equipment.  For everyone else, there will not be any indication that VoIP hardware even exists.

My favourite firewall is a Tomato router.

infin8loop

Quote from: Mango on June 16, 2015, 07:21:13 PM
Better yet, place your device behind a firewall.

There have been reports - very few, but not nonexistent - of scanners finding and attempting to exploit VoIP equipment with port numbers above 6000.  If your VoIP equipment is behind a restricted cone NAT firewall, the firewall will only allow traffic from your service provider to reach your equipment.  For everyone else, there will not be any indication that VoIP hardware even exists.

No doubt excellent advice, but a lot of folks (including me ;)) probably have no idea what that means and are too lazy (including me) to Google it.  I think my port is exposed by a STUN server (yeah, go ahead, beat me down for that) since the OBi is behind a router (not expensive) that serves as a firewall of sorts and there are no port forwards set up in the router. The OBi is not registered to either IPKall (not allowed) nor Callcentric (don't want to). I guess I could go figure out the IP addresses for IPKall and Callcentric and put them in the X_AccessList but I'm too lazy.  I'm so lazy I'm surprised I'm even typing this message.  Someone in another post suggested using ports in the 20000 to 65535? range.  I didn't go that extreme because it would have involved typing extra digits (you know that lazy thing).

Is someone going to commandeer my OBi and launch rockets or something? Or will my phone just ring again at 2am if someone finds my port? I have no virtual PBX and am too lazy to go figure that tech out as well.

<serious>But seriously, what are the risks of a hacker taking over the OBi if they find an open SIP port?</serious>

I always enjoy your informative posts and hope you see the hopefully humorous spirit I have while writing this.

I'm no network guru and if you can't tell already, this stuff ceased to be fun for me months ago.  ;D
"This has not only been fun, it's been a major expense." - Gallagher

Mango

A STUN server does not introduce a security risk.  (But it does add an additional point of failure.)  Your router is a "full cone NAT" type.  This means that even though you didn't set up any port forwards, your router did automatically.  This is why the scanner traffic can reach your ATA.

You mentioned that you're not registered to some of your service providers, and that does make security more tricky - particularly since Callcentric has a great deal of IP addresses.

I think the worst case scenario is that someone figures out how to route calls via your Callcentric account.  As long as you don't keep a very high balance, I wouldn't expect a significant problem.

Ostracus

Quote from: infin8loop on June 16, 2015, 07:17:50 PM
I would suggest using option 2:
2. Change the (Voice Services)SPn Service->X_UserAgentPort ports for each SPn  to a number not in the 506x range. 

I was hit with a SIP scanner yesterday when the phone started ringing at 2am about every 4 minutes. The incoming number was 7 digits long but was changing.  I had blocks in place for 1 thru 6 digit numbers. I added a block for 7 digit numbers and the phone stopped ringing. However looking at the debug log I have running for the OBi I noticed the log file was unusually large.  Looking closer I noticed the SIP scanner had been beating the OBi to death for quite some time. Bogus INVITEs with incremented phone numbers that didn't ring the phone because they were less than 7 digits. It appears the OBi responded to the bogus INVITEs with one too many "SIP/2.0 503 Service Unavailable" messages. This was filling up the debug log. The incoming phone number wasn't a solid sequential increment but changing upward until it reached 7 digits and the phone rang.  I changed the X_UserAgentPort to outside the 506x range and that stopped the bogus traffic.  In this case port 5061 was the target on SP2 of an OBi110.  The point I'd like to make is, that if they find your open port they might just keep beating on it like they did mine. You won't know it unless the phone rings, but it's a lot of unnecessary traffic.  Just change the port to something that probably won't be scanned/found in the first place.  I updated my IPKall and Callcentric SIP URL forwards to the new port. I also added an email alert on the debug log that will notify me if it sees more than five "SIP/2.0 503 Service Unavailable" messages in an hour.

IPv6 can't get here soon enough. Yes, that's security through obscurity. Next up, port knocking.

Mango

Why not use security through firewall, which is available today?

curt00

Quote from: Shale on March 11, 2013, 08:57:16 AM

OBi202  with one trusted caller with service 2 being routed to phone line 2; (Voice Services)SP2 Service->X_InboundCallRoute:
{(x.6065556789):aa},{ph2}  [before]

These are both tested to work:
{(x.6065556789):aa},{>17771234567:ph2}  [ Tested and works]
{(x.6065556789):aa},{>('17771234567'):ph2}  [Permits alphanumerics]
[The single quotes are not needed if the ID is all numbers, but will not hurt]


I have OBi202, but I do not have:

{(x.6065556789):aa},{ph2}

I have:

{('curt00'):aa},{ph1}

I changed it to:

{('curt00'):aa},{>12221234567:ph1}

where 12221234567 is my AuthUserName.  Did I do it right?


ianobi

Quote
I changed it to:

{('curt00'):aa},{>12221234567:ph1}

where 12221234567 is my AuthUserName.  Did I do it right?

Looks good to me.
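To make the X_InboundCallRoute change in the exchange above concrete, here is a small model of how such a route string is evaluated, added here as an example; it is not Obihai firmware code and not taken from the thread. It covers only the syntax that appears in this thread and rests on these assumptions (check them against the OBi admin guide for your firmware): rules are comma-separated `{...}` blocks tried in order, first match wins, and a call that matches no rule is rejected; the part before `:` is an optional caller pattern list, optionally followed by `>` and a called-number pattern list, and the part after `:` is the terminal; inside a pattern `x` matches one digit, `.` repeats the preceding element zero or more times, `'...'` is a literal, and other characters match themselves. The evaluator is general enough to run any route built from those pieces, so it goes beyond the three specific strings quoted above.

```python
"""Simplified model of OBi X_InboundCallRoute matching (added example, not Obihai's
code). Assumptions about the rule syntax are listed in the lead-in; the calls
used below are constructed."""
import re

# The routes discussed in the thread, quoted from the posts above.
ROUTE_BEFORE = "{(x.6065556789):aa},{ph2}"
ROUTE_AFTER = "{(x.6065556789):aa},{>17771234567:ph2}"
ROUTE_CURT00 = "{('curt00'):aa},{>12221234567:ph1}"


def _pattern_to_regex(pattern):
    """Translate one digit-map style pattern into an anchored regex (assumed subset)."""
    out = []
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "'":                                   # quoted literal, e.g. 'curt00'
            end = pattern.index("'", i + 1)
            out.append(re.escape(pattern[i + 1:end]))
            i = end + 1
            continue
        if ch == "x":                                   # any single digit
            out.append(r"\d")
        elif ch == ".":                                 # repeat previous element
            out[-1] = "(?:" + out[-1] + ")*"
        else:                                           # literal character
            out.append(re.escape(ch))
        i += 1
    return re.compile("^" + "".join(out) + "$")


def _split_patterns(spec):
    """'(a|b)' -> ['a', 'b']; an empty spec means 'match anything'."""
    spec = spec.strip()
    if spec.startswith("(") and spec.endswith(")"):
        spec = spec[1:-1]
    return [p.strip() for p in spec.split("|") if p.strip()]


def parse_route(route):
    """Return [(caller_regexes, called_regexes, terminal), ...] in rule order."""
    rules = []
    for chunk in re.findall(r"\{([^}]*)\}", route):
        if ":" in chunk:
            lhs, terminal = chunk.rsplit(":", 1)
        else:
            lhs, terminal = "", chunk                   # e.g. {ph2}: anything goes
        callers, called = (lhs.split(">", 1) + [""])[:2] if ">" in lhs else (lhs, "")
        rules.append((
            [_pattern_to_regex(p) for p in _split_patterns(callers)],
            [_pattern_to_regex(p) for p in _split_patterns(called)],
            terminal.strip(),
        ))
    return rules


def route_call(route, caller, called):
    """Terminal for an inbound call from `caller` to `called`, or None if rejected."""
    for caller_res, called_res, terminal in parse_route(route):
        if caller_res and not any(r.match(caller) for r in caller_res):
            continue
        if called_res and not any(r.match(called) for r in called_res):
            continue
        return terminal
    return None


if __name__ == "__main__":
    # A scanner dialling random short numbers: rings ph2 before, rejected after.
    print(route_call(ROUTE_BEFORE, "5551234", "1234567"))       # ph2
    print(route_call(ROUTE_AFTER, "5551234", "1234567"))        # None
    # A real call addressed to the account's own number still gets through.
    print(route_call(ROUTE_AFTER, "5551234", "17771234567"))    # ph2
```

The point the model makes visible is that the `>` rule filters on the number the caller asked for, not on who is calling: a scanner walking through guessed extensions never addresses your AuthUserName, so it matches nothing and is dropped, while your provider's calls, which always carry that number, still reach the phone.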

unmesh

Quote from: Mango on June 16, 2015, 07:21:13 PM
Better yet, place your device behind a firewall.

There have been reports - very few, but not nonexistent - of scanners finding and attempting to exploit VoIP equipment with port numbers above 6000.  If your VoIP equipment is behind a restricted cone NAT firewall, the firewall will only allow traffic from your service provider to reach your equipment.  For everyone else, there will not be any indication that VoIP hardware even exists.

My favourite firewall is a Tomato router.
I switched to a Tomato router because the other fixes were not working. The phone still rings at midnight  >:(

I have GV configured on SP1 and nothing on SP2 on a Obi110 with the latest firmware. Any suggestions?

Mango

#92
Google Voice is not vulnerable to this type of attack.

Please check Voice Services >> SP2 Service >> Enable and verify it is unchecked.

If it is already that way, or if that does not solve your problem, then your ringing is caused by something that is not a SIP scanner.

Does your ATA have a static IP address?  If not you might want to set one up.  I seem to recall a similar situation that caused the phone to ring when the ATA renewed its IP.

I assume you've checked your call history and found nothing?  If there is something around the time of the calls, please post details.

unmesh

#93
Quote from: Mango on May 11, 2016, 07:09:41 PM
Google Voice is not vulnerable to this type of attack.

Please check Voice Services >> SP2 Service >> Enable and verify it is unchecked.

If it is already that way, or if that does not solve your problem, then your ringing is caused by something that is not a SIP scanner.

Does your ATA have a static IP address?  If not you might want to set one up.  I seem to recall a similar situation that caused the phone to ring when the ATA renewed its IP.

I assume you've checked your call history and found nothing?  If there is something around the time of the calls, please post details.
Enable is unchecked and there is nothing in the call history. DHCP is set to issue 1440 minute leases and the Obi is renewing at about 7pm.

Let me try a static IP address tonight.

unmesh

Unfortunately, setting up a static IP address did not fix the problem.

Mango

In that case I suggest you make a new thread.  You may get more exposure that way, since this problem is not related to SIP scanners.

I suggest you state what appears on your Caller ID and what happens if you answer the phone.

PennyPincher

Hi All,

I am a newbie to this SIP scanner issue. I set up Obihai 202 with 1 phone line using freephoneline.ca. This setup worked perfectly fine for almost 6 months. 2 weeks ago I changed my router from Motorola to a "Hitron" due to an upgraded internet service. Since then I have started receiving calls from 1001 and 3001.

So I went into the forum and started researching and came across this thread.

1. Based on the information I have Unchecked SP2, SP3 & SP4. Does this need to be done for ObiTalk too?
2. My X_UserAgentPort is 5080
3. My X_InboundCallRoute shows as {ph1}. Here I see suggestions to modify this to something "XXXX"|aa,some phone number...I am getting thoroughly confused here. Can someone guide me?

Best Regards

PP

Mango

#97
1) OBiTALK can stay active.
2) Change your X_UserAgentPort to a random number between 20000 and 65535, such as 31688.
3) Follow step 3 from the first post in this thread: http://forum.fongo.com/viewtopic.php?f=15&t=16090

As an alternative to 3) you can use X_AcceptSipFromRegistrarOnly if you have a newer firmware version.

When you are done, test to be sure legitimate incoming calls still arrive.  This should block the scanning calls.

PennyPincher

Quote from: Mango on August 29, 2016, 10:24:02 AM
1) OBiTALK can stay active.
2) Change your X_UserAgentPort to a random number between 20000 and 65535, such as 31688.
3) Follow step 3 from the first post in this thread: http://forum.fongo.com/viewtopic.php?f=15&t=16090

As an alternative to 3) you can use X_AcceptSipFromRegistrarOnly if you have a newer firmware version.

When you are done, test to be sure legitimate incoming calls still arrive.  This should block the scanning calls.

Hi Mango,

Effected the changes, and phone is still working. Now to wait and see if the scanning still happens. Thank you so much for your help.

+1 to you.

Regards

PP