SIP scanners

Hortoristic · December 27, 2012, 12:08:19 PM

Using this setting below; in my X_InboundCallRoute - I have not had one single SIP scanner get through in a few months. I'm even still using the default 5060 + ports. I receive calls from UK, Canada and USA just fine.

{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}

lacibaci · December 27, 2012, 06:22:57 PM

I wish I could say the same. I had to modify mine:

{asterisk:},{'asterisk':},{('asterisk'):},{(?|@|@@|@@@|@@@@|@@@@@|ipphone|un@@.|anon@@.):},{ph}

The only true solution is if OBi implements one of the features mentioned here:
http://www.obitalk.com/forum/index.php?topic=4873.0

Felix · January 17, 2013, 11:39:53 PM

I have obihai logs forwarded to my linux server, and I found something interesting there. Here is what I get:

Code Select


CCTL:NewCallOn Term 1[0] ->,00972592573636
[SLIC] Command: 0, 3, 0, 0, 4, 1086051296,
[SLIC] CID to deliver: '201' 201
[SLIC] Command: 0, 4, 5, 0, 0, 0,
[SLIC] Command: 0, 1, 1, 0, 0, 0,
[SLIC] Command: 0, 11, 0, 0, 0, 0,
CCTL:NewCallOn Term 1[1] ->,00972592573636
[SLIC] Command: 1, 3, 0, 0, 4, 1086051296,
[SLIC] CID to deliver: '201' 201
[SLIC] Command: 1, 4, 5, 0, 0, 0,
[SLIC] Command: 1, 1, 1, 0, 0, 0,
[SLIC] Command: 1, 11, 0, 0, 0, 0,
[SLIC] Command: 0, 10, 2, 0, 0, 0,
[SLIC] Command: 1, 10, 2, 0, 0, 0,
PARAM Cache Write Back(256 bytes)
[SLIC] Command: 0, 10, 4, 0, 0, 0,
[SLIC] Command: 1, 10, 4, 0, 0, 0,
[SLIC] Command: 0, 10, 3, 0, 0, 0,
[SLIC] Command: 1, 10, 3, 0, 0, 0,
[SLIC] Command: 0, 10, 3, 0, 0, 0,
[SLIC] Command: 1, 10, 3, 0, 0, 0,
CCTL:NewCallOn Term 1[0] ->,011972592573636
CCTL:NewCallOn Term 1[1] ->,011972592573636
SIP DLG reject: 486

In other words, it's not just a scanner, but it looks like an attempt to make an outgoing call to Palestinian territories in Israel (972-59 number). I don't know what these SLIC commands mean. CID to deliver is the CID I saw on the phone screen. An entry in call history also says From '201' SP1(201).

Obviously, there is no record of such call on my VSP call history - so it is clearly a call directly to my IP address port 5060

johnpane · January 20, 2013, 08:40:26 AM

If I have my OBi behind a firewall and have not opened any ports for it (5060 or otherwise), will this avoid problems with these SIP scanners?

Thanks,
John

Felix · January 20, 2013, 10:07:48 AM

The short answer is "No". Opening ports through firewall has no relevance on the issue.

When OBi registers with the provider it establishes a connection and thereby opens a port. Note, it is not unique to OBi - your Skype or any IM program does the same. Otherwise you wouldn't be able to receive calls / IM messages.

Hope that clarifies.

shap · January 27, 2013, 10:07:32 PM

I think you are not correct. OBi device can not open any port (unless you are using PnP). What it does is connecting to the SIP server and maintaining an "open" connection to it. But even in this case you can miss some of your calls.

In general, you should open 5060 port (or any other you assigned) from your SIP provider to Obi device.

To block scanners or any hacking on this port, you should create a rule in router that accept traffic to port 5060 only from the IP of your SIP provider. This way you will eliminate night "calls" or possibility to hack your device.

Hortoristic · January 28, 2013, 07:37:47 AM

What does that rule looked like for gv?

Felix · January 30, 2013, 10:14:20 PM

I assume that "you are not correct" is addressed to me

Quote from: shap on January 27, 2013, 10:07:32 PM
OBi device can not open any port. What it does is connecting to the SIP server and maintaining an "open" connection to it.

Isn't it the same thing?

Quote
But even in this case you can miss some of your calls.

Only if firewall for some reason closes the port before device is re-registering... or something... I've never seen it happened.

Quote
In general, you should open 5060 port (or any other you assigned) from your SIP provider to Obi device.

Never had a need for it! I opened a few times for troubleshooting; confirmed that opening the port makes no difference, and closed it back. You are not opening ports for Skype, or for any of your IM clients - no need here, either.

Quote
To block scanners or any hacking on this port, you should create a rule in router that accept traffic to port 5060 only from the IP of your SIP provider. This way you will eliminate night "calls" or possibility to hack your device.

I would be a little nervous... Google is not going to inform you if they change IP; moreover, I think there are several IPs that they use. Finally, my router is part of my AT&T U-Verse modem, and what you are describing is just impossible.

As this long thread indicates, there are several ways to accomplish that; with different levels of success. In my case scanning was on port 5060 only; so I switched SP1 to 5064, and scanning stopped.

Phillip · February 03, 2013, 11:50:39 PM

Hi,

Rank newbie here. So am I to presume that xxxxxxxxxx@sip.voice.google.com where Xs represent you GV number, will not work for a Google IP addr?

Felix · February 04, 2013, 11:26:30 AM

Quote from: Phillip on February 03, 2013, 11:50:39 PM
Hi,

Rank newbie here. So am I to presume that xxxxxxxxxx@sip.voice.google.com where Xs represent you GV number, will not work for a Google IP addr?

Phillip,
Do you mind starting a new thread? When you do, please explain what you are trying to do. As stated, your question is very difficult to answer...

Phillip · February 05, 2013, 01:18:23 AM

Sorry Felix, I was just trying to follow along with the conversation between you and Shap and my question was framed withing the context of the discussion about a firewall exception. But upon further reflection, I think I see what you are saying about a port address being open or closed as being irrelevant. The exception is created at the time of installation, is it not?

I am a little perplexed though, because it seems that without running some rather sophisticated software, there is little that we, the lowly user can do to thwart high-end scanner attacks. Is this a correct assumption? Is there a 'best practices' that we should be reading?

Phillip

Quote from: Felix on February 04, 2013, 11:26:30 AM
Quote from: Phillip on February 03, 2013, 11:50:39 PM
Hi,

Rank newbie here. So am I to presume that xxxxxxxxxx@sip.voice.google.com where Xs represent you GV number, will not work for a Google IP addr?
Phillip,
Do you mind starting a new thread? When you do, please explain what you are trying to do. As stated, your question is very difficult to answer...

themessiah · February 14, 2013, 12:34:51 PM

I have 4 GV numbers on a 202 ... if I add this to sp1 will that be good for all 4 numbers?

and

It seems it hangs up on the caller, that correct ?

thanks

Quote from: ianobi on September 09, 2012, 11:37:47 PM
{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|un@@.|anon@@.):},{ph}

This will ban calls with no Peer Number, any Peer Number less than seven digits, Peer Number "unknown" and Peer Number "anonymous".

Sleep well

ianobi · February 15, 2013, 06:16:08 AM

If added to sp1, then that string only protects sp1. You may find that's ok as the default UserAgentPort for sp1 is 5060. 5060 is the standard "SIP Listening Port" throughout the SIP world, so it's likely to get scanned most. Although GV does not use SIP and GV ignores UserAgentPort, scanners still get in as they target ipaddress:port, they do not come in via GV.

Have a read back throught this thread and you will find suggestions for changing UserAgentPort.

The caller should get fast busy and does not get access into your OBi.

Hortoristic · February 15, 2013, 07:51:19 AM

Again, since changing my setting below, I have had zero bad calls in months

{(?|@|@@|@@@|@@@@|@@@@@|@@@@@@):},{ph}

thegoat54 · February 20, 2013, 04:30:24 AM

Hi everyone,

So I haven't been bothered by calls for a while by using this string.

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|xxxxxxx|xxxxxxxx|xxxxxxxxx):},{ph}

Keep in mind I was still using port 5060.

This morning I had the mother of all attacks. In the past, I would receive 1 SIP call and then it would stop. Today someone kept on trying!! I got calls with the following ID's

user1, administrator, admin, admin1, admin12, admin123, admin1234, admin12345, office, office1, office12, office123, office1234, office12345, guest, guest1,guest12

And then I logged in and change my SP1 port to 5076, and SP2 port to 5077 and then the calls stopped.

Wow, talk about abusive. I wonder how long it would have gone for?

Anyhow, all this names came up with no number attached to them. Just a caller ID name. Can we block names without numbers?

ianobi · February 20, 2013, 05:54:07 AM

thegoat54,

Scan back to reply #50 in this thread.

"@" will match one number or one letter, "@." will match none or more numbers or none or more letters. For example admin@. will block all of the cases you saw beginning with the letters "admin".

Hortoristic · March 20, 2013, 02:39:35 PM

I'm using: {(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|xxxxxxx|xxxxxxxx|xxxxxxxxx):},{ph}

However I do want to accept calls from "Unknown" (work work office) - what can I change?

Quote from: thegoat54 on February 20, 2013, 04:30:24 AM
Hi everyone,

So I haven't been bothered by calls for a while by using this string.

{(?|x|xx|xxx|xxxx|xxxxx|xxxxxx|xxxxxxx|xxxxxxxx|xxxxxxxxx):},{ph}

Keep in mind I was still using port 5060.

This morning I had the mother of all attacks. In the past, I would receive 1 SIP call and then it would stop. Today someone kept on trying!! I got calls with the following ID's

user1, administrator, admin, admin1, admin12, admin123, admin1234, admin12345, office, office1, office12, office123, office1234, office12345, guest, guest1,guest12

And then I logged in and change my SP1 port to 5076, and SP2 port to 5077 and then the calls stopped.

Wow, talk about abusive. I wonder how long it would have gone for?

Anyhow, all this names came up with no number attached to them. Just a caller ID name. Can we block names without numbers?

oleg · March 20, 2013, 03:21:43 PM

I've also received scanner calls on OBI202 and trying to filter them out.
First of all - I am running OBi202 on custom port (let's say 5078), but scanners finally got there :-(
I do not like the idea to guess about caller id (the way discussed above), this way I would potentially filter out legitimate calls. I would rather match callee id.
This should be possible to do, as explained in "Inbound Call Route Configuration" of "OBi Device Administration Guide"...

"SIP URI" is the address which your peer sends in "invite" request to call you: like this "INVITE sip:123456789@12.34.56.78:5078 SIP/2.0..."

If my SIP URI was "123456789@sip.myhost.com:5078" - I could set X_InboundCallRoute as ">123456789:ph1,ph2" - than only a call with correct URI would pass through. I tried this and it worked.
However, my SIP URI includes letters, for example "myname@sip.myhost.com:5078" or "123456_name@sip.myhost.com:5078". Simply putting alphanumeric id (>myname:ph1,ph2) did not work. I've tried some wildcards like ">12345_@.:ph1,ph2" or ">[mynae].:ph1,ph2" – nothing worked. I did not succeed to make the filter working with non-numeric id.

Has anybody tried / used it? Any ideas?

Thank you

Shale · March 20, 2013, 03:32:20 PM

Quote from: oleg on March 20, 2013, 03:21:43 PM">12345_@.:ph1,ph2"

I would try ">'12345_'@.:ph1,ph2" or ">'mynae'@.:ph1,ph2"

or some such... Actually I don't know what it is you are trying to match, but in any case, try single quotes. The admin guide says "'literals' - Everything inside a pair of single quotes is treated as a literal except for the single quote (') character. "

oleg · March 20, 2013, 04:10:55 PM

I've tried single quotes (sorry, forgot to mention) - it did not work.
In other words Inbound Call Route ">'myname':ph1,ph2'" blocks call to "myname@12.34.56.78:5078".
Now I've tried to use double quotes - the result was quite surprising - filter allowed everything to come through (either matching or not).
Does not work anyway...

News:

SIP scanners