Bill H Posted October 29, 2013 Report Share Posted October 29, 2013 I have an older PBXNSIP CS-410 Version 3 system where someone, or more likely something (scanner), is trying to make calls to foreign countries.Since the customer does not make international calls I have blocked the International Calling Code of 011 and the telco service provider has also blocked it.That stopped that portion of the trouble.A SIP Trace shows that the calls were from an Unregistered Extension.What happens now is that these Unregistered Extension calls go to the first extension (Ext 221) in the CS-410 and end up in that persons mailbox as dead air.I did catch the IP Address of the scanner once and placed it in the Access Blocked Table, but it seems they change their IP Address to get around the blocking.I looked for a feature within the CS-410 to block Unregistered Extensions from making calls, but did not see anything that looked like it would do the job.My next and maybe last option is to block Access to everything except certain IP Addresses in the Access area.Does anyone have any additional ideas?Thanks. Quote Link to comment Share on other sites More sharing options...
Vodia PBX Posted October 29, 2013 Report Share Posted October 29, 2013 Well version 3 did not have any protection against this. At those times, scanners were not very common yet. You can use the Linux iptables to block certain IP addresses; however this is tedious labor as those scanner keep on changing their IP addresses. But what you can do on version 3 is make sure that your passwords are reasonably secure and your trunks have the outbound proxy set. Then someone might be able to try out a lot of passwords and extension numbers, but will not succeed getting anything out of the system and eventually move on. Quote Link to comment Share on other sites More sharing options...
Bill H Posted October 29, 2013 Author Report Share Posted October 29, 2013 Thank you for your response. The scanner is not trying to Register at all, they are just sending a fake Invite to the CS-410. Why would this type of call ring the first extension in the CS-410? Also, the scanner is using a 46.4.100.xxx IP Address. Can I use 46.4.0.0 with 255.255.0.0 to block all packets from the entire range? Thanks again Quote Link to comment Share on other sites More sharing options...
Vodia PBX Posted October 29, 2013 Report Share Posted October 29, 2013 This attack may occur if you don't specify an outbound proxy on your trunk. The PBX may think that the call comes from a trunk if you don't tell the PBX where the traffic will go to (and come from). As far as I remember version 3 did not have IP blocking? Anyway, it would not hurt to block the IP as far as I can tell. I would use 46.4.100.0 with a netmask of 255.255.255.0 instead. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.