1 Reply Latest reply on Feb 20, 2019 4:57 PM by avayaguy

    scanning and attempted sip hacking

    avayaguy New Member

      I know this has been posted before, but I think this is a rather unique situation. One of my providers is a provider of providers, if you will, in that they route through many carriers. So when I try to create an access list for them to block this from happening:

      Tx: UDP src=192.192.192.192:5060 dst=192.227.153.226:56221
      07:00:15.533 SIP.STACK MSG         SIP/2.0 404 Not Found
      07:00:15.534 SIP.STACK MSG         From: <sip:102@192.192.192.192,>;tag=1160685063
      07:00:15.534 SIP.STACK MSG         To: <sip:927498772915350@192.192.192.192>;tag=4d0f5a28-7f000001-13c4-38199-903c494b-38199
      07:00:15.534 SIP.STACK MSG         Call-ID: 1763559016-137564200-1924688624
      07:00:15.534 SIP.STACK MSG         CSeq: 1 INVITE
      07:00:15.534 SIP.STACK MSG         Via: SIP/2.0/UDP 0.0.0.0:56221;received=192.227.153.226;branch=z9hG4bK1374599745
      07:00:15.534 SIP.STACK MSG         Supported: 100rel,replaces
      07:00:15.535 SIP.STACK MSG         Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER
      07:00:15.535 SIP.STACK MSG         User-Agent: ADTRAN_Total_Access_908e_3rd_Gen/R11.4.4.E
      07:00:15.535 SIP.STACK MSG         Content-Length: 0

      I block all of the carriers behind my carrier. I have roughly 6 or 7 IP addresses with which to block them, and it takes the system down.

      Any other ideas? Carrier is anveodirect.

      These guys are constantly trying to route calls through my system. My carrier uses DNIS for authentication.
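As an added illustration (not part of the original post and not ADTRAN's code), the following Python parses SIP.STACK trace lines like the ones above and flags peers that sent an INVITE which drew a 404, used a 0.0.0.0 or mismatched Via, or dialed a long numeric string, while skipping peers inside an allow-list of trusted carrier networks. The trusted network 203.0.113.0/24 and the second 200 OK message are constructed sample data, not from the post.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample: the 404 response from the post plus one made-up
# 200 OK from a trusted carrier address (203.0.113.10 is a documentation address).
SAMPLE_LOG = """\
Tx: UDP src=192.192.192.192:5060 dst=192.227.153.226:56221
07:00:15.533 SIP.STACK MSG         SIP/2.0 404 Not Found
07:00:15.534 SIP.STACK MSG         From: <sip:102@192.192.192.192,>;tag=1160685063
07:00:15.534 SIP.STACK MSG         To: <sip:927498772915350@192.192.192.192>;tag=4d0f5a28-7f000001-13c4-38199-903c494b-38199
07:00:15.534 SIP.STACK MSG         Call-ID: 1763559016-137564200-1924688624
07:00:15.534 SIP.STACK MSG         CSeq: 1 INVITE
07:00:15.534 SIP.STACK MSG         Via: SIP/2.0/UDP 0.0.0.0:56221;received=192.227.153.226;branch=z9hG4bK1374599745
07:00:15.534 SIP.STACK MSG         Supported: 100rel,replaces
07:00:15.535 SIP.STACK MSG         User-Agent: ADTRAN_Total_Access_908e_3rd_Gen/R11.4.4.E
07:00:15.535 SIP.STACK MSG         Content-Length: 0
Tx: UDP src=192.192.192.192:5060 dst=203.0.113.10:5060
07:00:20.001 SIP.STACK MSG         SIP/2.0 200 OK
07:00:20.001 SIP.STACK MSG         To: <sip:5551234@192.192.192.192>;tag=abc
07:00:20.001 SIP.STACK MSG         Call-ID: constructed-ok-1
07:00:20.001 SIP.STACK MSG         CSeq: 1 INVITE
07:00:20.001 SIP.STACK MSG         Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bKok
07:00:20.001 SIP.STACK MSG         Content-Length: 0
"""

TRACE_RE = re.compile(r"^(?:Tx|Rx): UDP src=(\S+?):\d+ dst=(\S+?):\d+")
STACK_RE = re.compile(r"^\d\d:\d\d:\d\d\.\d+ SIP\.STACK MSG\s+(.*)$")
USER_RE = re.compile(r"sip:([^@>;]+)@")


def parse_messages(text):
    """Split the trace into messages; each has the far-end peer, start line and headers."""
    messages, current = [], None
    for raw in text.splitlines():
        m = TRACE_RE.match(raw)
        if m:
            src, dst = m.groups()
            peer = dst if raw.startswith("Tx") else src  # far end of this packet
            current = {"peer": peer, "start": None, "headers": {}}
            messages.append(current)
            continue
        m = STACK_RE.match(raw)
        if not m or current is None:
            continue
        line = m.group(1).strip()
        if current["start"] is None:
            current["start"] = line          # status line or request line
        elif ":" in line:
            name, value = line.split(":", 1)
            current["headers"][name.strip().lower()] = value.strip()
    return messages


def classify(msg):
    """Return the list of scan indicators present in one message."""
    if not msg["start"]:
        return []
    h, indicators = msg["headers"], []
    parts = msg["start"].split()
    code = int(parts[1]) if parts[0].startswith("SIP/2.0") else None
    method = h.get("cseq", "").split()[-1] if h.get("cseq") else ""
    if code == 404 and method == "INVITE":
        indicators.append("invite-to-unknown-user")
    via = h.get("via", "")
    if via:
        fields = via.split(";")
        host = fields[0].split()[-1].rsplit(":", 1)[0]
        params = dict(p.split("=", 1) for p in fields[1:] if "=" in p)
        received = params.get("received")
        # A sent-by of 0.0.0.0, or a received= that differs from it, means the
        # peer did not announce the address it really came from.
        if host == "0.0.0.0" or (received and received != host):
            indicators.append("via-host-mismatch")
    m = USER_RE.search(h.get("to", ""))
    if m and m.group(1).isdigit() and len(m.group(1)) >= 11:
        indicators.append("long-numeric-dial-string")
    return indicators


def suspicious_peers(text, trusted_networks):
    """Aggregate indicators per peer address, ignoring peers in trusted networks."""
    trusted = [ip_network(n) for n in trusted_networks]
    report = defaultdict(lambda: {"failed_invites": 0, "indicators": set()})
    for msg in parse_messages(text):
        inds = classify(msg)
        if not inds or any(ip_address(msg["peer"]) in n for n in trusted):
            continue
        entry = report[msg["peer"]]
        entry["indicators"].update(inds)
        if "invite-to-unknown-user" in inds:
            entry["failed_invites"] += 1
    return dict(report)


if __name__ == "__main__":
    for peer, info in suspicious_peers(SAMPLE_LOG, ["203.0.113.0/24"]).items():
        print(peer, info["failed_invites"], sorted(info["indicators"]))
```

The report is keyed on the address the gateway actually exchanged packets with (the dst of a Tx line), not on anything the peer wrote into its own headers, so it is the address a block list or an access-class would have to name.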

        • Re: scanning and attempted sip hacking
          avayaguy New Member

          Can someone have a glance at this config I wrote up and see if it looks like a better solution for locking this down? It looks like 5060-5069 was needed for sessions to go through properly. I left the show run voice portion out so it would be easier to read. 5.4.3.2 is outside, 1.2.3.4 is inside. Thanks in advance!

          hostname "MYADTRANADTRAN"
          enable password encrypted
          !
          license key esbc-trial
          !
          clock timezone -6-Central-Time
          !
          ip subnet-zero
          ip classless
          ip routing
          ipv6 unicast-routing
          !
          domain-proxy
          name-server 8.8.8.8 4.2.2.2
          !
          no auto-config
          auto-config authname adtran encrypted password
          !
          event-history on
          no logging forwarding
          no logging email
          !
          service password-encryption
          !
          username "admin" password encrypted "000c"
          username "enable" password encrypted "000"
          !
          ip firewall
          ip firewall stealth
          no ip firewall alg msn
          no ip firewall alg mszone
          no ip firewall alg h323
          !
          no dot11ap access-point-control
          !
          qos map Voice 10
            match dscp 46
            priority 800
          !
          qos map eth0/1QosWizard 20
            match dscp 46
            shape average 4194304
          qos map eth0/1QosWizard 21
            match ip list acleth0/1QosWizSignal21
            set dscp 26
          !
          interface eth 0/1
            description outside
            ip address  5.4.3.2 255.255.255.248
            ip access-policy Public
            media-gateway ip primary
            traffic-shape rate 1000000
            max-reserved-bandwidth 100
            qos-policy out eth0/1QosWizard
            no shutdown
          !
          interface eth 0/2
            description inside
            ip address  1.2.3.4 255.255.255.0
            ip access-policy Private
            media-gateway ip primary
            no shutdown
          !
          interface t1 0/1
            shutdown
          !
          interface t1 0/2
            shutdown
          !
          interface t1 0/3
            shutdown
          !
          interface t1 0/4
            shutdown
          !
          interface fxs 0/1
            no shutdown
          !
          interface fxs 0/2
            no shutdown
          !
          interface fxs 0/3
            no shutdown
          !
          interface fxs 0/4
            no shutdown
          !
          interface fxs 0/5
            no shutdown
          !
          interface fxs 0/6
            no shutdown
          !
          interface fxs 0/7
            no shutdown
          !
          interface fxs 0/8
            no shutdown
          !
          interface fxo 0/0
            shutdown
          !
          ip access-list standard admin-list
            permit 1.2.3.4.0 0.0.0.255
            permit 1.2.3.4 0.0.0.255
          !
          ip access-list standard sip-access-list
            permit host 5.4.3.2
            permit 1.2.3.4 0.0.0.255
          !
          ip access-list extended acleth0/1QosWizSignal21
            permit udp any  any eq 5060-5069
          !
          ip access-list extended Admin
            permit tcp any  any eq ssh
            permit tcp any  any eq https
          !
          ip access-list extended BLOCK
            deny   ip 5.62.0.0 0.0.255.255  any    log
          !
          ip access-list extended MatchAll
            permit ip any  any
          !
          ip access-list extended SIP
            permit udp any  any eq 5060-5069
          !
          ip policy-class Private
            allow list MatchAll self
            nat source list MatchAll interface eth 0/1 overload
            allow list MatchAll self
            nat source list MatchAll interface eth 0/1 overload
          !
          ip policy-class Public
            allow list SIP self
            allow list Admin self
          !
          ip route 0.0.0.0 0.0.0.0 1.2.3.4
          !
          no tftp server
          no tftp server overwrite
          no http server
          http session-limit 1
          http secure-server
          no snmp agent
          no ip ftp server
          no ip scp server
          no ip sntp server
          !
          http ip access-class admin-list in
          http ip secure-access-class admin-list in
          !
          sip
          sip udp 5060
          no sip tcp
          !
          voice feature-mode network
          voice transfer-mode local
          voice forward-mode network
          !
          voice codec-list CodecList
            codec g711ulaw
            codec g729
          !
          voice codec-list CodeList
          !
          voice codec-list G711u
            codec g711ulaw
          !
          voice trunk T01 type sip (voice trunk config starts here; it is fine, removed)
          voice trunking end
          !
          sip privacy
          !
          sip access-class ip "sip-access-list" in
          !
          no sip prefer double-reinvite
          !
          ip rtp symmetric-filter
          ip rtp media-anchoring
          !
          ip rtp quality-monitoring
          ip rtp quality-monitoring udp
          ip rtp quality-monitoring sip
          !
          line con 0
            no login
          !
          line telnet 0 4
            login
            password encrypted 444
            shutdown
          line ssh 0 4
            login local-userlist
            no shutdown
            ip access-class admin-list in
          !
          ntp source ethernet 0/2
          ntp peer 216.239.35.4 source ethernet 0/1 prefer
          !
          end
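A small evaluator for the standard and extended access lists in the config above, added here as an illustration and not ADTRAN's or the poster's code. It parses the ACL stanzas copied from the post (the 5.4.3.2 and 1.2.3.4 placeholders are the poster's), applies wildcard-mask matching in entry order with the implicit deny at the end of every list, and reports entries it cannot parse. It models only the ACL match itself, not how the policy-class or `sip access-class` applies the list, so it answers "does this list admit this source?" before a change is loaded onto the gateway; the scanner's address 192.227.153.226 is taken from the trace in the first post.

```python
import re
from ipaddress import IPv4Address

# ACL stanzas copied from the posted config (addresses are the poster's placeholders).
SAMPLE_CONFIG = """\
ip access-list standard admin-list
  permit 1.2.3.4.0 0.0.0.255
  permit 1.2.3.4 0.0.0.255
!
ip access-list standard sip-access-list
  permit host 5.4.3.2
  permit 1.2.3.4 0.0.0.255
!
ip access-list extended BLOCK
  deny   ip 5.62.0.0 0.0.255.255  any    log
!
ip access-list extended SIP
  permit udp any  any eq 5060-5069
!
"""

ACL_HDR = re.compile(r"^ip access-list (standard|extended) (\S+)$")
ANY = ("0.0.0.0", "255.255.255.255")


def wildcard_match(addr, base, wildcard):
    """Cisco/ADTRAN wildcard semantics: a 1 bit in the mask means 'don't care'."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A W); return ((base, wildcard), rest)."""
    if tokens[0] == "any":
        return ANY, tokens[1:]
    if tokens[0] == "host":
        return (tokens[1], "0.0.0.0"), tokens[2:]
    return (tokens[0], tokens[1]), tokens[2:]


def _parse_entry(kind, tokens):
    action, rest = tokens[0], tokens[1:]
    entry = {"action": action, "proto": "ip", "ports": None}
    if kind == "extended":
        entry["proto"], rest = rest[0], rest[1:]
    entry["src"], rest = _parse_addr(rest)
    if kind == "extended":
        entry["dst"], rest = _parse_addr(rest)
        if rest and rest[0] == "eq":            # "eq 5060" or "eq 5060-5069"
            lo, _, hi = rest[1].partition("-")
            entry["ports"] = (int(lo), int(hi or lo))
    else:
        entry["dst"] = ANY                      # standard lists match source only
    for base, wild in (entry["src"], entry["dst"]):
        IPv4Address(base), IPv4Address(wild)    # raises ValueError on malformed input
    return entry


def parse_acls(text):
    """Return ({name: {"kind", "entries"}}, [(name, line) that failed to parse])."""
    acls, errors, name = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = ACL_HDR.match(line)
        if m:
            name = m.group(2)
            acls[name] = {"kind": m.group(1), "entries": []}
            continue
        if line == "!":
            name = None
            continue
        if name is None or not line:
            continue
        tokens = line.split()
        if tokens[0] not in ("permit", "deny"):
            continue
        try:
            acls[name]["entries"].append(_parse_entry(acls[name]["kind"], tokens))
        except (ValueError, IndexError):
            errors.append((name, line))
    return acls, errors


def evaluate(acl, src, dst="0.0.0.0", proto="ip", dport=None):
    """First matching entry wins; no match means the implicit deny."""
    for e in acl["entries"]:
        if e["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *e["src"]) and wildcard_match(dst, *e["dst"])):
            continue
        if e["ports"] and (dport is None or not e["ports"][0] <= dport <= e["ports"][1]):
            continue
        return e["action"]
    return "deny"


if __name__ == "__main__":
    acls, errors = parse_acls(SAMPLE_CONFIG)
    for bad in errors:
        print("unparseable entry:", bad)
    for src in ("192.227.153.226", "5.4.3.2", "1.2.3.200"):
        print(src, "sip-access-list ->", evaluate(acls["sip-access-list"], src))
```

Because the evaluator reports the entries it had to skip, a malformed address in a list shows up as an explicit error instead of silently shortening the list, which is the failure mode a practitioner most wants to catch before an access-class is applied.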