HOWTO: Thwarting SIP Scanners during Set-up
pbd3mon:
Hello everyone, thank you for taking the time to provide all of this information. Like everyone else that ended up here I too fell victim to the middle of the night calls >:(
Based on method #3 I tried to apply the X_AccessList IPs through OBiTalk but I was not successful. The field will not allow me to input anything... The OBiTalk settings box is checked. What am I doing wrong?
Also I see ITSP Profile A SIP and ITSP Profile B SIP, do both have to be provided with the IPs?
Thank you in advance for your help in this matter.
azrobert:
Quote
The OBiTalk settings box is checked.
Uncheck the box under OBiTalk Setting
Then uncheck the box under Device Default
Now change the value
Click Submit at the bottom of the page.
OBiTalk will download the configuration changes to the OBi and reboot it.
Quote
Also I see ITSP Profile A SIP and ITSP Profile B SIP, do both have to be provided with the IPs?
You only have to block scanners when you defined a SIP trunk for SP2. You don't have to do this for trunks defined as GV. GV uses the XMPP protocol. Define means you supplied a ProxyServer and an AuthUserName for a trunk.
pbd3mon:
Quote from: azrobert on June 04, 2015, 07:59:03 am
Uncheck the box under OBiTalk Setting
Then uncheck the box under Device Default
Now change the value
Click Submit at the bottom of the page.
OBiTalk will download the configuration changes to the OBi and reboot it.
Ahh, what got me was that once I unchecked the OBiTalk Setting box it automatically checked the other box which made me think it was one or the other. Thank you, I feel pretty silly :-[
Quote from: azrobert on June 04, 2015, 07:59:03 am
You only have to block scanners when you defined a SIP trunk for SP2. You don't have to do this for trunks defined as GV. GV uses the XMPP protocol. Define means you supplied a ProxyServer and an AuthUserName for a trunk.
Got it, thank you once again for the quick reply.
infin8loop:
I would suggest using option 2:
2. Change the (Voice Services)SPn Service->X_UserAgentPort ports for each SPn to a number not in the 506x range.
I was hit with a SIP scanner yesterday when the phone started ringing at 2am about every 4 minutes. The incoming number was 7 digits long but was changing. I had blocks in place for 1 thru 6 digit numbers. I added a block for 7 digit numbers and the phone stopped ringing. However looking at the debug log I have running for the OBi I noticed the log file was unusually large. Looking closer I noticed the SIP scanner had been beating the OBi to death for quite some time. Bogus INVITEs with incremented phone numbers that didn't ring the phone because they were less than 7 digits. It appears the OBi responded to the bogus INVITEs with one to many "SIP/2.0 503 Service Unavailable" messages. This was filling up the debug log. The incoming phone number wasn't a solid sequential increment but changing upward until it reached 7 digits and the phone rang. I changed the X_UserAgentPort to outside the 506x range and that stopped the bogus traffic. In this case port 5061 was the target on SP2 of an OBi110. The point I'd like to make is, that if they find your open port they might just keep beating on it like they did mine. You won't know it unless the phone rings, but it's a lot of unnecessary traffic. Just change the port to something that probably won't be scanned/found in the first place. I updated my IPKall and Callcentric SIP URL forwards to the new port. I also added an email alert on the debug log that will notify me if it sees more than five "SIP/2.0 503 Service Unavailable" messages in an hour.
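The alert described at the end of the post above (more than five "SIP/2.0 503 Service Unavailable" messages in an hour) can be reproduced with a sliding-window counter over the debug log. This is an added example, not code from the thread or from Obihai; the log line layout (`YYYY-MM-DD HH:MM:SS message`), the sample lines and all function names are constructed assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

MARKER = "SIP/2.0 503 Service Unavailable"
THRESHOLD = 5                  # alert on MORE than five hits, as in the post
WINDOW = timedelta(hours=1)

def parse_ts(line):
    """Assumed layout 'YYYY-MM-DD HH:MM:SS message'; not the OBi's real syslog format."""
    try:
        return datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return None

def find_alerts(lines, threshold=THRESHOLD, window=WINDOW):
    """Return the timestamps at which the trailing-window 503 count first exceeds threshold."""
    recent, alerts, armed = deque(), [], True
    for line in lines:
        ts = parse_ts(line) if MARKER in line else None
        if ts is None:
            continue                       # not a 503, or no usable timestamp
        recent.append(ts)
        while ts - recent[0] >= window:    # drop hits older than the window
            recent.popleft()
        if len(recent) > threshold:
            if armed:                      # one alert per burst, not one per packet
                alerts.append(ts)
                armed = False
        else:
            armed = True                   # count fell back, re-arm for the next burst
    return alerts

def build_sample():
    """Constructed log: two isolated 503s, one unparsable line, then a burst every 4 minutes."""
    lines = ["2015-06-03 09:15:00 SIP/2.0 200 OK",
             "2015-06-03 10:00:00 " + MARKER,
             "2015-06-03 15:30:00 " + MARKER,
             "garbage line without timestamp " + MARKER]
    start = datetime(2015, 6, 4, 2, 0, 0)
    for i in range(8):
        stamp = (start + timedelta(minutes=4 * i)).strftime("%Y-%m-%d %H:%M:%S")
        lines.append("%s INVITE sip:%d@192.0.2.10:5061 SIP/2.0" % (stamp, 1000 + i))
        lines.append(stamp + " " + MARKER)
    return lines

if __name__ == "__main__":
    for ts in find_alerts(build_sample()):
        print("ALERT: more than %d x '%s' within 1h at %s" % (THRESHOLD, MARKER, ts))
```

Feeding the function the lines of a real debug log and mailing each returned timestamp gives the same kind of notification; the re-arm logic keeps a long scan from producing one mail per rejected INVITE.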
Mango:
Better yet, place your device behind a firewall.
There have been reports - very few, but not nonexistent - of scanners finding and attempting to exploit VoIP equipment with port numbers above 6000. If your VoIP equipment is behind a restricted cone NAT firewall, the firewall will only allow traffic from your service provider to reach your equipment. For everyone else, there will not be any indication that VoIP hardware even exists.
My favourite firewall is a Tomato router.