Some SIP providers route by IP. If that's the case, find out the provider's IP
addresses and only allow inbound signalling on port 5060 from these addresses.
-----Original Message-----
From: Lonnie Abelbeck [li...@lonnie.abelbeck.com]
Received: Sunday, 15 Jun 2014, 7:49PM
To: AstLinux Users Mailing List [astlinux-users@lists.sourceforge.net]
Subject: Re: [Astlinux-users] Is this fairly typical and what, if anything can I do?
Adrian,
There is no doubt that configuring SIP through NAT'ed firewalls can be
confusing. This is one reason that AstLinux is often also used as the edge
router and firewall to eliminate any NAT'ing to/from the public internet for the
SIP traffic. I understand your AstLinux is sitting behind a NAT firewall, so
your sip.conf needs a nat=force_rport or such, or at least not nat=no.
I have never personally used sipgate, but I doubt that opening (forwarding) UDP
5060 is required, usually it is not. Opening UDP 5060 is usually only required
when external (internet) SIP devices register to your asterisk. For the moment
let's say you only want to send and receive calls via sipgate, and local LAN
phones register to your local asterisk via SIP.
In this case you will need to only forward (via edge router) a range of UDP
ports that exactly match the "rtpstart" and "rtpend" values in the
"/etc/asterisk/rtp.conf" file, the defaults of 10000 and 20000 are more than
you need, probably "rtpstart=10000" and "rtpend=10200" will be more than
adequate, make a similar change.
You should also enable the firewall in AstLinux, even when it is behind another
edge firewall, being careful to allow "Pass EXT->Local, TCP, 0/0, 22,80,443" to
allow SSH, HTTP and HTTPS access for administration from your local LAN. Also
specify "Pass EXT->Local, UDP, 0/0, 10000-10200" to allow the rtp.conf port
range. Finally if local phones are reaching asterisk via a single network
interface then "Pass EXT->Local, UDP, 0/0, 5060" is also needed.
Now *only* forward on your edge router the UDP port range 10000-10200 to your
internal AstLinux box. Make sure if your edge router has any SIP "features",
"ALG", etc. to disable them.
Note -> It is important that your SIP peer in asterisk is the *only* device
that registers with your sipgate account, assuming you only have one account.
Any other SIP phones should register with your local asterisk, and use
"directmedia=no" in all your local sip.conf contexts, then use your
extensions.conf to route your local SIP phones to your various other peers. It
can get confusing when two different devices register to the same account, keep
it simple.
Now, when your sipgate peer in asterisk registers to sipgate, the outbound
packet will open a UDP state in both the AstLinux firewall and your edge
firewall to the remote sipgate SIP server. You may want to add "qualify=yes"
in your sip.conf sipgate peer to make sure that the path (and state) is
regularly 'tickled'. Both inbound and outbound sipgate calls will use this UDP
path for signaling, the RTP (voice) will use UDP ports 10000-10200.
IMHO, that is my advice.
For the sake of argument, let's say you actually need to allow UDP 5060 via the
internet, forwarded to your AstLinux box... in this case AstLinux offers a
couple firewall plugins to help secure your system:
Firewall Plugins
http://doc.astlinux.org/userdoc:tt_firewall_plugins
1) If you have a remote SIP peer specified with a DNS name, which can be a
single or several in a round-robin, or even a dynamic DNS address, the "DynDNS
Host Open" firewall plugin can be configured to allow UDP 5060 for only that
DNS name, for example:
--
DYNDNS_HOST_OPEN_UDP="sip.example.com~5060"
--
2) If you allow SIP connections from any internet source it is recommended to
enable the "Adaptive Ban" firewall plugin, at a minimum specify "asterisk" in
ADAPTIVE_BAN_TYPES, for example:
--
ADAPTIVE_BAN_TYPES="asterisk"
--
From your logs below, the Adaptive Ban plugin would have blocked IPv4 address
82.205.1.22 automatically.
Hope this gets you down the correct path. Clearly we can't tell you how to
configure your system, you have to figure that out for yourself, and there will
be some trial and error as we all have done. In the end you have a very useful
PBX and a useful skill.
Lonnie
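As an added illustration of what an adaptive-ban style plugin does with log lines like the ones quoted below (example code written for this thread, not part of AstLinux or its Adaptive Ban plugin): it parses chan_sip REGISTER failures, groups them by source address, and flags any source that fails repeatedly within a short window. The threshold, the window and the sample addresses are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of the chan_sip REGISTER-failure line shown in the thread (one log
# line each; the mail client wrapped them). INVITE failures are not counted
# here because that line names the claimed device but not the source IP.
REGISTER_FAIL = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*handle_request_register: "
    r"Registration from '(?P<user>[^']*)' failed for "
    r"'(?P<ip>[\d.]+):\d+' - (?P<reason>.+)$"
)

def parse_register_failures(lines):
    """Yield (timestamp, source_ip, claimed_user, reason) per failed REGISTER."""
    for line in lines:
        m = REGISTER_FAIL.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("user"), m.group("reason")

def ips_to_ban(lines, threshold=3, window_s=900):
    """Return the set of source IPs with at least `threshold` failed REGISTERs
    inside any `window_s`-second span: the adaptive-ban idea of treating a
    burst of bad credentials from one source as a scan to be blocked."""
    by_ip = defaultdict(list)
    for ts, ip, _user, _reason in parse_register_failures(lines):
        by_ip[ip].append(ts)
    banned = set()
    for ip, times in by_ip.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                banned.add(ip)
                break
    return banned

# Constructed sample lines in the format of the excerpt below; addresses are
# from documentation ranges (RFC 5737), not real hosts.
SAMPLE = [
    "Jun 15 21:45:13 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '\"1020\" <sip:1020@192.0.2.10:5060>' failed for '203.0.113.5:11464' - Wrong password",
    "Jun 15 21:46:07 astpbx local0.notice asterisk[406]: NOTICE[446][C-00000096]: chan_sip.c:25533 in handle_request_invite: Failed to authenticate device 777<sip:777@192.0.2.10>;tag=9e45a2aa",
    "Jun 15 21:46:46 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '\"271\" <sip:271@192.0.2.10:5060>' failed for '203.0.113.5:11453' - Wrong password",
    "Jun 15 21:47:38 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '\"cc1001\" <sip:cc1001@192.0.2.10:5060>' failed for '203.0.113.5:11446' - No matching peer found",
    "Jun 15 22:01:24 astpbx local0.notice asterisk[406]: NOTICE[446]: chan_sip.c:28073 in handle_request_register: Registration from '\"5012\" <sip:5012@192.0.2.10:5060>' failed for '198.51.100.7:11457' - Wrong password",
]

if __name__ == "__main__":
    print(sorted(ips_to_ban(SAMPLE)))
```

Only the REGISTER lines carry the source address, so a single source hammering INVITE needs the firewall's own connection logs to attribute; that is also why the plugin is a complement to, not a substitute for, the port-forwarding advice above.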
On Jun 15, 2014, at 5:33 PM, Adrian Hodgson wrote:
>
> Is this fairly typical and what, if anything can I do?
>
>
> Jun 15 21:44:39 astpbx local0.notice asterisk[406]: NOTICE[446][C-00000095]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 1004<sip:1...@xxx.xxx.xxx.xxx>;tag=7169f612
> Jun 15 21:45:13 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"1020"
> <sip:1...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11464' - Wrong
> password
> Jun 15 21:46:07 astpbx local0.notice asterisk[406]: NOTICE[446][C-00000096]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 777<sip:7...@xxx.xxx.xxx.xxx>;tag=9e45a2aa
> Jun 15 21:46:09 astpbx local0.notice asterisk[406]: NOTICE[446][C-00000097]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 777<sip:7...@xxx.xxx.xxx.xxx>;tag=93513e43
> Jun 15 21:46:11 astpbx local0.notice asterisk[406]: NOTICE[446][C-00000098]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 777<sip:7...@xxx.xxx.xxx.xxx>;tag=7594d687
> Jun 15 21:46:46 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"271"
> <sip:2...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11453' - Wrong
> password
> Jun 15 21:47:38 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"cc1001"
> <sip:cc1...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11446' - Wrong
> password
> Jun 15 21:48:07 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"7012"
> <sip:7...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11428' - Wrong
> password
> Jun 15 21:48:53 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"9012"
> <sip:9...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11455' - Wrong
> password
> Jun 15 21:49:51 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"3012"
> <sip:3...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11428' - Wrong
> password
> Jun 15 21:57:57 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"630"
> <sip:6...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11461' - Wrong
> password
> Jun 15 21:59:13 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"271"
> <sip:2...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11442' - Wrong
> password
> Jun 15 21:59:35 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"301"
> <sip:3...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11461' - Wrong
> password
> Jun 15 22:01:24 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"5012"
> <sip:5...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11457' - Wrong
> password
> Jun 15 22:01:32 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"22"
> <sip:2...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11411' - Wrong
> password
> Jun 15 22:01:46 astpbx local0.notice asterisk[406]: NOTICE[446]:
> chan_sip.c:28073 in handle_request_register: Registration from '"cc1001"
> <sip:cc1...@xxx.xxx.xxx.xxx:5060>' failed for '82.205.1.22:11445' - Wrong
> password
> Jun 15 22:03:08 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009a]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 1004<sip:1...@xxx.xxx.xxx.xxx>;tag=08778401
> Jun 15 22:10:50 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009b]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 5905<sip:5...@xxx.xxx.xxx.xxx>;tag=ebb5bfdf
> Jun 15 22:10:51 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009c]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 5905<sip:5...@xxx.xxx.xxx.xxx>;tag=477e39fb
> Jun 15 22:10:52 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009d]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 5905<sip:5...@xxx.xxx.xxx.xxx>;tag=c0c61d2d
> Jun 15 22:10:53 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009e]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 5905<sip:5...@xxx.xxx.xxx.xxx>;tag=d823cabd
> Jun 15 22:10:54 astpbx local0.notice asterisk[406]: NOTICE[446][C-0000009f]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 5905<sip:5...@xxx.xxx.xxx.xxx>;tag=8037e8da
> Jun 15 22:19:02 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a1]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 0123456<sip:0123...@xxx.xxx.xxx.xxx>;tag=5dc1fe53
> Jun 15 22:21:26 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a2]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 2001<sip:2...@xxx.xxx.xxx.xxx>;tag=22c19a11
> Jun 15 22:23:05 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a3]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 205<sip:2...@xxx.xxx.xxx.xxx>;tag=acc15539
> Jun 15 22:23:07 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a4]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 205<sip:2...@xxx.xxx.xxx.xxx>;tag=db760146
> Jun 15 22:23:09 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a5]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 205<sip:2...@xxx.xxx.xxx.xxx>;tag=c87a5446
> Jun 15 22:23:37 astpbx local0.warn asterisk[406]: WARNING[446]:
> chan_sip.c:4176 in retrans_pkt: Retransmission timeout reached on
> transmission 653f78ffb65531d477b7269677de0da2 for seqno 2 (Critical Response)
> -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retrans
> Jun 15 22:26:13 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a7]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 209<sip:2...@xxx.xxx.xxx.xxx>;tag=dcf7b74e
> Jun 15 22:39:48 astpbx local0.notice asterisk[406]: NOTICE[446][C-000000a8]:
> chan_sip.c:25533 in handle_request_invite: Failed to authenticate device
> 2001<sip:2...@xxx.xxx.xxx.xxx>;tag=b589c4fb
>
>
> I have ports 5060 and 5004 forwarded through my router to my pbx UDP only, to
> keep my sipgate account working, no others.
>
> I guess this is typical of someone scanning for access to various systems.
>
> Cheers
>
> Adrian
------------------------------------------------------------------------------
HPCC Systems Open Source Big Data Platform from LexisNexis Risk Solutions
Find What Matters Most in Your Big Data with HPCC Systems
Open Source. Fast. Scalable. Simple. Ideal for Dirty Data.
Leverages Graph Analysis for Fast Processing & Easy Data Exploration
http://p.sf.net/sfu/hpccsystems
_______________________________________________
Astlinux-users mailing list
Astlinux-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/astlinux-users
Donations to support AstLinux are graciously accepted via PayPal to
pay...@krisk.org.