Block anonymous sip calls

Status
Not open for further replies.

modcar

Member
Jun 9, 2017
Hello;

Today I saw some weird calls in my CDR, so I did a little digging.....

A site tells me I allow anonymous calls - how can I disable this?

Thanks in advance :)
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
Undo whatever you have done to mess it up. The site is probably giving you some crap though.
 

Frank

Member
Dec 28, 2016
What do you see in the CDR? Please provide an example. Does your PBX have a public IP address?
 

modcar

Here's 5 examples. There's over 4000 calls over the space of 2 days. There were no dialing rules or trunks configured for this tenant.

Code:
domain_uuid,"start_stamp","start_epoch","hangup_cause","duration","billmsec","recording_file","uuid","bridge_uuid","direction","billsec","caller_id_name","caller_id_number","source_number","destination_number","raw_data_exists","accountcode","answer_stamp","sip_hangup_disposition","pdd_ms","rtp_audio_in_mos","tta"
ecf7efdf-e402-4c4c-91bb-8e6186e360de,"2017-06-07 00:00:02","1496793602","NO_ROUTE_DESTINATION","0","0","","2b6fa20a-a151-44eb-8f40-8db281f91bb9","","","0","888","888","","000972595042104","1","","","send_refuse","0","","-1496793602"
ecf7efdf-e402-4c4c-91bb-8e6186e360de,"2017-06-06 23:58:53","1496793533","NO_ROUTE_DESTINATION","0","0","","9c793b78-643d-40f2-b55a-79142a760d64","","","0","888","888","","00972595042104","1","","","send_refuse","0","","-1496793533"
ecf7efdf-e402-4c4c-91bb-8e6186e360de,"2017-06-06 23:57:40","1496793460","NO_ROUTE_DESTINATION","0","0","","40ef7474-d867-4e49-8e81-0433c3c2e6a8","","","0","8888","8888","","002972595042104","1","","","send_refuse","0","","-1496793460"
ecf7efdf-e402-4c4c-91bb-8e6186e360de,"2017-06-06 23:56:29","1496793389","NO_ROUTE_DESTINATION","0","0","","c04c24ea-a61e-4e7c-a8fe-1abf3d5129d2","","","0","8888","8888","","001972595042104","1","","","send_refuse","0","","-1496793389"
ecf7efdf-e402-4c4c-91bb-8e6186e360de,"2017-06-06 23:55:19","1496793319","NO_ROUTE_DESTINATION","0","0","","981225de-69df-454e-bd7d-56939f616113","","","0","8888","8888","","900972595042104","1","","","send_refuse","0","","-1496793319"
 

modcar

And yes, public IP.

I've since moved "internal" off port 5060 to another port - and blocked 5060 using iptables.
 

DigitalDaz

You needn't have done that; it says send_refuse, so the calls were not going anywhere anyway. This is fairly standard behaviour right down to the 9725 area code they are using.

What you should do is use domain names rather than IP; then there is an iptables rule that you can enable that blocks anything that so much as sniffs at the IP.
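
The point above, that refused calls went nowhere, can be checked across a whole CDR export rather than five rows. This is an added example, not part of the original thread: it groups refused NO_ROUTE_DESTINATION rows by trailing digits to expose the prefix guessing and lists any row that was answered or billed. The 9-digit suffix length, the trimmed column set and the last sample row are assumptions made for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: the thread's five rows trimmed to the columns used here,
# plus one invented answered call (last row) so the check has something to flag.
SAMPLE_CDR = '''"start_stamp","hangup_cause","billsec","caller_id_number","destination_number","answer_stamp","sip_hangup_disposition"
"2017-06-07 00:00:02","NO_ROUTE_DESTINATION","0","888","000972595042104","","send_refuse"
"2017-06-06 23:58:53","NO_ROUTE_DESTINATION","0","888","00972595042104","","send_refuse"
"2017-06-06 23:57:40","NO_ROUTE_DESTINATION","0","8888","002972595042104","","send_refuse"
"2017-06-06 23:56:29","NO_ROUTE_DESTINATION","0","8888","001972595042104","","send_refuse"
"2017-06-06 23:55:19","NO_ROUTE_DESTINATION","0","8888","900972595042104","","send_refuse"
"2017-06-06 23:50:00","NORMAL_CLEARING","42","1001","15550100","2017-06-06 23:50:05","recv_bye"
'''

SUFFIX_LEN = 9  # assumption: trailing digits that identify the real target number


def triage(cdr_text):
    """Split CDR rows into refused probes and calls that actually connected."""
    probes = defaultdict(set)   # number suffix -> set of full dialled strings
    connected = []              # rows that were answered or billed
    for row in csv.DictReader(io.StringIO(cdr_text)):
        answered = bool(row["answer_stamp"]) or int(row["billsec"] or 0) > 0
        if answered:
            connected.append(row)
        elif row["hangup_cause"] == "NO_ROUTE_DESTINATION":
            dest = row["destination_number"]
            probes[dest[-SUFFIX_LEN:]].add(dest)
    # Several prefixes in front of one suffix is the prefix-guessing pattern.
    guessing = {s: sorted(d) for s, d in probes.items() if len(d) > 1}
    return guessing, connected


if __name__ == "__main__":
    guessing, connected = triage(SAMPLE_CDR)
    for suffix, dialled in guessing.items():
        print(f"refused probes for ...{suffix}: {len(dialled)} prefix variants")
    for row in connected:
        print("REVIEW connected call:", row["start_stamp"],
              row["caller_id_number"], "->", row["destination_number"])
```

Because it reads columns by header name, the same function accepts the full export shown in the thread; any row it returns in `connected` is the one to pull a call log for.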
 

modcar

When I first set up fusion, I was accessing it from the IP address. Any tenant with trunks and dialing rules is set up with a domain.

My worry is, did the calls result in send_refuse because there are no routes for that tenant? What if someone was to guess a domain that had routes?
 

DigitalDaz

Post a log of a call. What you have shown is normal; the log will tell the tale.
 

smn

Member
Jul 18, 2017
This is normal, just like all the anonymous scanning your webserver gets every day. It's just more annoying because it shows up in call detail records instead of just logs.

If you assign your default domain to a DNS name instead of an IP address, you will not see this SIP scanning of your IP in your default domain CDR anymore. Setting default domain to DNS name is more secure anyways. You just have to browse to DNS name instead of IP to log in.

Other than that, you can try whitelisting IPs if that suits your environment. That's not always the most practical solution. You can also set up iptables rules that block common SIP scanner user agents. That will probably get rid of most but not all of it.

The easiest is to just set default domain to a DNS name.
 