
Ghost calls 1001


Uzair Hassan
Hello all, 

I have set up an opensips 2.3 on a new server and I'm getting ghost calls into my system. How do I stop these ghost calls? The opensips server is brand new. The install is clean and nothing has been touched after the initial simple residential script setup. What can I do to defend myself from these ghost calls?

Thank you so much.



Re: Ghost calls 1001

Nabeel
Hi,

You can set client to use random port instead of standard 5060.

But a better way is to set the client to only allow your required domain, if possible.


Re: Ghost calls 1001

aqsyounas
In reply to this post by Uzair Hassan
iptables, fail2ban and ip authentication if your users have static ips.


Re: Ghost calls 1001

David Villasmil
+1 for iptables, fail2ban and ip authentication. Configure your log properly and have fail2ban ban IPs failing to authenticate.

Regards,

David Villasmil

Re: Ghost calls 1001

robert
In reply to this post by aqsyounas

User authentication at SIP level as well.

 

Robert

 


Re: Ghost calls 1001

Nabeel
My understanding of ghost calls is that they go directly via the client through a loophole in the IP range rather than through the SIP server itself. In this case, server-based solutions don't seem likely to work?


Re: Ghost calls 1001

robert

Do you mean a client is using SIP/RTP to make a call direct to backend servers and bypassing the opensips proxy? Or somehow just using RTP without SIP to bypass the opensips proxy?

 

 

Robert

 


Re: Ghost calls 1001

Nabeel
In a ghost call, there is no RTP -- only the INVITE. If you answer a ghost call, there will be no response. Usually, an IP scanner named 'SipVicious' directly sends the INVITE to your client, so your server may not come into play at all.


Re: Ghost calls 1001

David Villasmil
I've always seen the invite, then my "auth required" and then they usually never answer, but they keep trying invites with other destination numbers. That's why you need to set up your fail2ban.

Re: Ghost calls 1001

Uzair Hassan
Thank you all for your replies. I will learn how to implement fail2ban integration in a VM environment and then commit it to the production server.



Re: Ghost calls 1001

Alexander Jankowsky
In reply to this post by Uzair Hassan

 

You might need to do a Wireshark trace and find out if the calls originate externally into the system.

If you are in an open DMZ with the router, that could be just the start of your problems.

I had Opensips 2.3.0-beta in the open on DMZ with the router for only a few hours and I then had a couple of dozen automated break-in attempts trying to access the system.

You need to pay a lot of attention to the system logs, otherwise you may not even notice.

Go over your router very carefully and restrict everything you do not need exposed.

Port 5060 is a very popular target with automated robots; use another port if you're able to.

 

Alex

 

 


Re: Ghost calls 1001

Uzair Hassan

Is there a way to change the opensips port? Whenever I try, it doesn't even start.


Re: Ghost calls 1001

Schneur Rosenberg
In addition to iptables/fail2ban, you should inspect the user agent that the packets come from. Most of them will come from sip vicious or friendly scanner, etc. You can block them with iptables and/or with drop() in opensips; this will stop the scanner right away because he won't get any replies, so he will just move on.


Re: Ghost calls 1001

Uzair Hassan

Is there any documentation I could read to understand the process you just described?


Re: Ghost calls 1001

Schneur Rosenberg
The user agent variable is stored in $ua; do an if and drop().

Regarding iptables do something like this 
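
Added example, not part of the original posts and not the iptables rules the message above refers to: the two checks suggested in this thread, run over a constructed log. It bans sources that keep failing authentication inside a time window (the rule fail2ban applies with maxretry and findtime) and sources whose User-Agent names a scanner. The log format, the AUTH_FAIL label, the thresholds and all addresses are assumptions; the proxy would have to be configured to write such lines.

```python
"""Added example: fail2ban-style detection of SIP scanners in a proxy log."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log. Assumed format: one line per request that failed
# authentication, with the source IP written first so that the
# attacker-controlled fields (user, User-Agent) cannot shift it.
SAMPLE_LOG = """\
2017-04-20 21:42:01 AUTH_FAIL src=198.51.100.23 method=INVITE user=1001 ua="friendly-scanner"
2017-04-20 21:42:02 AUTH_FAIL src=203.0.113.77 method=INVITE user=1001 ua="Unknown"
2017-04-20 21:42:05 AUTH_FAIL src=192.0.2.50 method=REGISTER user=alice ua="ExamplePhone 1.0"
2017-04-20 21:42:09 AUTH_FAIL src=203.0.113.77 method=INVITE user=0011001 ua="Unknown"
2017-04-20 21:42:15 AUTH_FAIL src=198.51.100.23 method=INVITE user=9001001 ua="friendly-scanner"
2017-04-20 21:42:20 AUTH_FAIL src=203.0.113.77 method=INVITE user=9001001 ua="Unknown"
2017-04-20 21:43:40 AUTH_FAIL src=192.0.2.50 method=REGISTER user=alice ua="ExamplePhone 1.0"
2017-04-20 21:45:30 AUTH_FAIL src=192.0.2.50 method=REGISTER user=alice ua="ExamplePhone 1.0"
2017-04-20 21:45:31 AUTH_FAIL src=192.0.2.99 method=INVITE user=1001 ua="x" src=192.0.2.50"
"""

# User-Agent names mentioned in the thread (sip vicious, friendly scanner).
SCANNER_UA = re.compile(r"sip\s*vicious|friendly[- ]?scanner", re.IGNORECASE)

# Anchored at both ends; the source address is matched strictly as dotted
# digits before any field a remote sender controls.
LINE = re.compile(
    r'^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) AUTH_FAIL '
    r'src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) method=(?P<method>[A-Z]+) '
    r'user=(?P<user>\S*) ua="(?P<ua>.*)"$'
)


def detect(log_text, max_retry=3, find_time=60):
    """Return {src_ip: {"reason": str, "targets": [users]}} for sources to ban.

    max_retry / find_time: ban after that many failures within that many
    seconds (assumed values, tune to the deployment).
    """
    recent = defaultdict(deque)   # src -> failure timestamps inside the window
    targets = defaultdict(set)    # src -> request-URI users it tried
    banned = {}                   # src -> reason

    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue              # not an AUTH_FAIL line, or malformed
        try:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            continue              # impossible date, ignore the line
        src = m["src"]
        targets[src].add(m["user"])
        if src in banned:
            continue

        # Check 1: the scanner announces itself in the User-Agent header.
        if SCANNER_UA.search(m["ua"]):
            banned[src] = "user-agent"
            continue

        # Check 2: repeated failures inside a sliding window.
        window = recent[src]
        window.append(ts)
        while (ts - window[0]).total_seconds() > find_time:
            window.popleft()      # failure is older than the window
        if len(window) >= max_retry:
            banned[src] = "auth-failures"

    return {
        ip: {"reason": reason, "targets": sorted(targets[ip])}
        for ip, reason in banned.items()
    }


if __name__ == "__main__":
    for ip, info in detect(SAMPLE_LOG).items():
        print(f"ban {ip}: {info['reason']}, dialled {', '.join(info['targets'])}")
```

The phone at 192.0.2.50 fails three times but never three times within one window, so it is not banned; the last sample line carries a User-Agent crafted to look like a second src field and is still attributed to 192.0.2.99.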



Re: Ghost calls 1001

Johan De Clercq

Another approach is sending 200 ok and then exit().

 


Re: Ghost calls 1001

Nabeel
In reply to this post by Uzair Hassan
In case the call is attempted via your server, you can add the following to opensips.cfg to block sip scanners:

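    # Silently drop requests whose User-Agent identifies a known SIP scanner.
    if ($ua =~ "friendly-scanner") {
        xlog("L_ERROR", "Auth error for $fU@$fd from $si method $rm user-agent (friendly-scanner)\n");
        drop();
        exit;
    }
    # Same handling for the sipvicious User-Agent; log the name that matched.
    if ($ua =~ "sipvicious") {
        xlog("L_ERROR", "Auth error for $fU@$fd from $si method $rm user-agent (sipvicious)\n");
        drop();
        exit;
    }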


Re: Ghost calls 1001

Schneur Rosenberg
In reply to this post by Johan De Clercq
Sending a 200 ok will notify the hacker that a sip server exists on the IP/port; simply ignoring the request is best.

On Apr 21, 2017 12:20 PM, "johan de clercq" <[hidden email]> wrote:

Another approach is sending 200 ok and then exit().

 


Re: Ghost calls 1001

Uzair Hassan
In reply to this post by Nabeel
Thank you, I added this to my opensips.cfg file and it started successfully. Let's see if it works.



_______________________________________________
Users mailing list
[hidden email]
http://lists.opensips.org/cgi-bin/mailman/listinfo/users
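
Added example, not part of any post in this thread: the replies pair the User-Agent drop() with fail2ban/iptables, and the xlog() call in the posted opensips.cfg snippet gives a log message to key on. This Python script parses that message and flags sources that repeat within a time window, in the spirit of fail2ban's maxretry/findtime; the syslog prefix, sample lines, addresses, function names and thresholds are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Message written by the thread's xlog() call:
#   "Auth error for $fU@$fd from $si method $rm user-agent (<name>)"
# The leading syslog timestamp/host/process prefix is an assumption.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?"
    r"Auth error for [^@\s]*@\S* from (?P<src>\S+) "
    r"method (?P<method>[A-Z]+)\s+user-agent \((?P<ua>[^)]+)\)"
)

def parse(line, year=2017):
    """Return (timestamp, source_ip, method, ua_tag) or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["src"], m["method"], m["ua"]

def offenders(lines, maxretry=3, findtime=timedelta(seconds=60)):
    """Map source IP -> scanner tag for sources with maxretry hits inside findtime."""
    recent = defaultdict(list)          # source IP -> hit times still in the window
    flagged = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                    # unrelated log line
        ts, src, _method, ua = rec
        hits = recent[src]
        hits.append(ts)
        while ts - hits[0] > findtime:  # expire hits older than the window
            hits.pop(0)
        if len(hits) >= maxretry:
            flagged.setdefault(src, ua)
    return flagged

# Constructed sample log (documentation address ranges, not real traffic).
_P = "sip1 /usr/sbin/opensips[2211]: Auth error for 1001@192.0.2.10 from "
SAMPLE_LOG = [
    "Apr 21 09:00:01 " + _P + "203.0.113.7 method INVITE user-agent (friendly-scanner)",
    "Apr 21 09:00:03 " + _P + "203.0.113.7 method INVITE user-agent (friendly-scanner)",
    "Apr 21 09:00:04 " + _P + "198.51.100.23 method REGISTER user-agent (sipvicious)",
    "Apr 21 09:00:09 " + _P + "203.0.113.7 method INVITE user-agent (friendly-scanner)",
    "Apr 21 09:05:30 " + _P + "198.51.100.23 method REGISTER user-agent (sipvicious)",
    "Apr 21 09:05:40 " + _P + "198.51.100.23 method REGISTER user-agent (sipvicious)",
    "Apr 21 09:06:00 sip1 /usr/sbin/opensips[2211]: unrelated message",
]

if __name__ == "__main__":
    for ip, tag in offenders(SAMPLE_LOG).items():
        print(f"{ip} matched {tag}: candidate for an iptables/fail2ban block")
```

The second source never reaches three hits inside one 60-second window, so only the first is flagged at the default settings.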