How to avoid anonymous call attempts showing up in CDR

Status
Not open for further replies.

smn

Member
Jul 18, 2017
* I already block certain user agents.

* I try to use domain names instead of an IP address for the domain. That seems to get rid of most of it, but sometimes I want to use the IP address.

* It appears that disabling external profile will prevent it because that disables anonymous access. But external profile is useful so not always a good option.

Obviously there are more heavy-handed ways like firewall rules that only allow certain IPs. That's not always a practical solution.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
IMHO, there is no valid reason to use the IP; with a domain costing no more than a couple of $, everyone should be using them. It's the one thing that aids security and has probably been advised for the last 5 years. Even if you are trying to avoid using them because of having to set up DNS, you can still use the domain names and simply put the IP in the outbound proxy field on the device.

You can then use the fail2ban rule which is already there to block any attempts to the IP address.
 

smn

Member
Jul 18, 2017
Thanks for the suggestion of using the outbound proxy. I will try that. Bots nowadays are smarter and some have seemingly unlimited IP addresses, so I don't find fail2ban all that useful for this kind of thing.

Does freeswitch/fusion have a qualify packet type feature like Asterisk where it keeps the firewall open? And if so, will that work with carriers? If so I can do that on the external profile/port 5080 instead of opening it up to the world on the firewall. IP authentication can be done on the internal profile + ACL.
 

smn

Member
Jul 18, 2017
For anyone else looking for a simple solution: under Accounts > Gateways select the gateway. Under "Advanced" settings there is a "ping" option. Set that to something low enough to keep your firewall open. On iptables I think the RELATED, ESTABLISHED rule lasts for about 180 seconds for UDP, so I used 90 seconds, which seems to work. Just make sure you have the RELATED, ESTABLISHED rule in iptables.

So now I don't have to open port 5080 external profile on the firewall. The registered gateway still works on external profile and anonymous SIP scanners don't get through and pollute my CDRs.
 

DigitalDaz

Administrator
Staff member
Sep 29, 2016
There is no such thing as established or related in UDP; that is session-based stuff for TCP.

Moreover, the length of time a NAT tunnel stays open, if that's what we are talking about, is entirely dependent on the router device and will vary by manufacturer and model.

As easy as the above is for keeping tunnels open, it's also just as easy to reduce the registration timer on the gateway; that will do the same job.

I haven't checked how Freeswitch uses the ping to keep alive gateways but unless it generates two way traffic then a whole bunch of routers out there may still close the tunnel, a registration will guarantee it stays open.

Just because a method works in your particular environment doesn't necessarily mean it will work for everyone.

The tried and tested methods will.
 

smn

Member
Jul 18, 2017
It is sending a UDP SIP options packet (if using UDP) to port 5060. So similar to what Asterisk does with the qualify= option. The gateway responds with SIP/2.0 200 Ok. If you watch conntrack table you can see RELATED, ESTABLISHED tracking UDP.

It will look something like this.

Code:
udp   17 20 src=192.168.1.2 dst=192.168.1.10 sport=35237 dport=53 \
[UNREPLIED] src=192.168.1.10 dst=192.168.1.2 sport=53 \
dport=35237 use=1

There is no NAT and no router involved since my FusionPBX server is hosted. I am using Extensions behind NAT routers but that is not what I am talking about here. Only gateways on external profile.
 
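An added example, not code from the thread or from FusionPBX, that checks the two things the posts above depend on: it parses `conntrack -L` output of the form shown in the post to see whether the UDP flow to the gateway has seen the 200 OK reply (so that only the gateway's answers, not unsolicited scans, match a RELATED, ESTABLISHED rule), and it checks that the gateway ping interval stays below the kernel's UDP stream timeout. The addresses, the external profile on port 5080 and the 180 s default timeout are assumptions.

```python
import re

# Kernel default for net.netfilter.nf_conntrack_udp_timeout_stream (180 s, the
# timeout once replies have been seen); assumed here, confirm with sysctl.
UDP_TIMEOUT_STREAM = 180

# `conntrack -L` line: proto, proto number, seconds left, then key=value
# tuples for the original direction, [FLAGS], and the reply direction.
_HEAD = re.compile(r"^(?P<proto>\w+)\s+\d+\s+(?P<ttl>\d+)\s+(?P<rest>.*)$")

def parse_conntrack_line(line):
    """Parse one conntrack -L line into a dict; None if it does not match."""
    m = _HEAD.match(line.strip())
    if not m:
        return None
    flow = {"proto": m["proto"], "ttl": int(m["ttl"]),
            "orig": {}, "reply": {}, "flags": set()}
    side = flow["orig"]
    for tok in m["rest"].split():
        if tok.startswith("[") and tok.endswith("]"):
            flow["flags"].add(tok[1:-1])
        elif "=" in tok:
            key, val = tok.split("=", 1)
            if key == "src" and side is flow["orig"] and "src" in side:
                side = flow["reply"]       # second src= opens the reply tuple
            side[key] = val
    return flow

def gateway_keepalive_state(lines, gateway_ip, sip_port="5060"):
    """'assured' (the gateway's 200 OK was seen, stream timeout applies),
    'unreplied' (OPTIONS went out, nothing came back, 30 s default timeout)
    or 'missing' (no entry; unsolicited UDP to 5080 is not ESTABLISHED)."""
    for flow in map(parse_conntrack_line, lines):
        if (flow and flow["proto"] == "udp" and flow["orig"].get("dst") == gateway_ip
                and flow["orig"].get("dport") == sip_port):
            return "unreplied" if "UNREPLIED" in flow["flags"] else "assured"
    return "missing"

def ping_interval_keeps_entry(ping_seconds, timeout=UDP_TIMEOUT_STREAM):
    """True when the gateway ping fires before the tracked entry can expire."""
    return 0 < ping_seconds < timeout

# Constructed sample: PBX 203.0.113.10 (external profile, port 5080) pinging
# carrier gateway 198.51.100.5, plus an unanswered DNS lookup like the post's.
SAMPLE = [
    "udp      17 173 src=203.0.113.10 dst=198.51.100.5 sport=5080 dport=5060 "
    "src=198.51.100.5 dst=203.0.113.10 sport=5060 dport=5080 [ASSURED] use=1",
    "udp      17 20 src=192.168.1.2 dst=192.168.1.10 sport=35237 dport=53 "
    "[UNREPLIED] src=192.168.1.10 dst=192.168.1.2 sport=53 dport=35237 use=1",
]
```

Feed it the real `conntrack -L -p udp` output and your gateway's IP; a 90 s ping as in the post passes the timeout check, but an "unreplied" result means the gateway never answered the OPTIONS ping and the entry will drop after the short unreplied timeout.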