hacking calls

[gustavoy]

Hi we have deployed a pbx with internal and external extensions.
The external extensions (public ips) are getting random calls from extensions that do not exist on the pbx and dont appear on pbx logs.
My guess is that this are hackers trying to acces the pone on the public internet. Is there a way that the pone only talks to the sip server. This woul stop requests from other ips.
Bellow the only log i have been able to put from the pone.
x.x.x.x is phone ip address.
Can you help? thanks

4 Lun Oct 21 01:43pm x.x.x.x@x.x.x.x 1000 1000@x.x.x.x
5 Lun Oct 21 01:43pm x.x.x.x@x.x.x.x 1000 1000@x.x.x.x
6 Lun Oct 21 01:43pm x.x.x.x@x.x.x.x 1000 1000@x.x.x.x
7 Lun Oct 21 01:43pm x.x.x.x@x.x.x.x 1000 1000@x.x.x.x
8 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
9 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
10 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
11 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
12 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
13 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
14 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
15 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
16 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
17 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
18 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
19 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
20 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
21 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
22 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
23 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
24 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
25 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
26 Lun Oct 21 01:20pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
27 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
28 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
29 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
30 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
31 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
32 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
33 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
34 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
35 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
36 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
37 Lun Oct 21 01:19pm x.x.x.x@x.x.x.x 201 201@x.x.x.x
38 Lun Oct 21 11:31am x.x.x.x@x.x.x.x 100 100@x.x.x.x
39 Lun Oct 21 11:31am x.x.x.x@x.x.x.x 100 100@x.x.x.x
40 Lun Oct 21 11:31am x.x.x.x@x.x.x.x 100 100@x.x.x.x
41 Lun Oct 21 11:30am x.x.x.x@x.x.x.x 100 100@x.x.x.x
42 Lun Oct 21 11:30am x.x.x.x@x.x.x.x 100 100@x.x.x.x
43 Lun Oct 21 11:30am x.x.x.x@x.x.x.x 100 100@x.x.x.x
44 Lun Oct 21 11:30am x.x.x.x@x.x.x.x 100 100@x.x.x.x
45 Lun Oct 21 11:30am x.x.x.x@x.x.x.x 100 100@x.x.x.x
46 Lun Oct 21 11:30am x.x.x.x@x.x.x.x 100 100@x.x.x.x
47 Lun Oct 21 11:30am x.x.x.x@x.x.x.x 100 100@x.x.x.x
48 Lun Oct 21 11:30am x.x.x.x@x.x.x.x 100 100@x.x.x.x
49 Lun Oct 21 11:30am x.x.x.x@x.x.x.x 100 100@x.x.x.x

[Yealink Support]

Hi gustavoy,

Do you tell me the version and model of your phone?
Your issue seems that the hacker find your ip address of phone and call to you.
You can do follow steps to avoid this kind of issue.
1. We have added ip allow list in the v70 version and V71 version, some in V61 version.(I upload a screenshot in the attachment. Enter webpage->Features->Romote Control->Action URI allow IP List)
So please upgrade your phone to the latest version and there must be have this setting.
And fill your ip address of sip server in the allow ip address.


2. Disable the allow ip call.(Enter webpage->Features->General Information->Allow IP Call)

3. If you can find the logs in your voice gateway, you can define the ip in your voice gateway.

Please try again.
Thanks

[gustavoy]

Hi phone are t22 with firmware 7.70.0.140

Thanks

(10-23-2013 04:43 PM)Yealink Support Wrote:  Hi gustavoy,

Do you tell me the version and model of your phone?
Your issue seems that the hacker find your ip address of phone and call to you.
You can do follow steps to avoid this kind of issue.
1. We have added ip allow list in the v70 version and V71 version, some in V61 version.(I upload a screenshot in the attachment. Enter webpage->Features->Romote Control->Action URI allow IP List)
So please upgrade your phone to the latest version and there must be have this setting.
And fill your ip address of sip server in the allow ip address.


2. Disable the allow ip call.(Enter webpage->Features->General Information->Allow IP Call)

3. If you can find the logs in your voice gateway, you can define the ip in your voice gateway.

Please try again.
Thanks

[Yealink Support]

Hi gustavoy,

How is the issue now?

[gustavoy]

Seems to be resolved ill let you know if we recieve any more attempts. Thanks for your prompt response

(10-24-2013 02:39 PM)Yealink Support Wrote:  Hi gustavoy,

How is the issue now?

[rfrantik@rfcinc.com]

We had to put a phone on a public IP and had the same issue... setting the server IP in Action URI and disabling the Allow IP Call fixed our issue. Thanks.

[saulgoodwin]

Great advice, thank you.
Fixed problems for Yealink T22P and T26P.

[ArthurDent]

(10-23-2013 04:43 PM)Yealink Support Wrote:  Hi gustavoy,

Do you tell me the version and model of your phone?
Your issue seems that the hacker find your ip address of phone and call to you.
You can do follow steps to avoid this kind of issue.
1. We have added ip allow list in the v70 version and V71 version, some in V61 version.(I upload a screenshot in the attachment. Enter webpage->Features->Romote Control->Action URI allow IP List)
So please upgrade your phone to the latest version and there must be have this setting.
And fill your ip address of sip server in the allow ip address.


2. Disable the allow ip call.(Enter webpage->Features->General Information->Allow IP Call)

3. If you can find the logs in your voice gateway, you can define the ip in your voice gateway.

Please try again.
Thanks

Hi,

I tried the above and still getting calls from 1000 number. Is there not a way we can lock the phone down to only accept calls from a specific IP address or DNS name?

Also not sure what you mean in part 3.

Many thanks,

[Wilson_Yealink]

Hi ArthurDent,

Please try below steps:
1. Upgrade the firmware to the latest version(V73). You can get the firmware from below links:
V73 Beta2 Version Firmware And Release Notes of Version 73 Release

2.You can try to add below syntaxs to your cfg template(M7 template) and auto-provisioning it.

Code:

#!version:1.0.0.1
#The x of the parameter "account.x.sip_trust_ctrl " ranges from 1 to max accounts.
​#You need to confirm which line you used.
account.x.sip_trust_ctrl=1

When you want to enable this sip trust control for account 1, fill 1 to “account.1.sip_trust_ctrl”.
Then SIP messages from other servers will refuse by the phone.

If you don't know how to do auto provision, please click below link to download the file which including the video, CFG file and software.
siptru-autoprovision

thanks

[gmaio]

Hi everyone,
I have the same problem of SPAM IP calls coming from ghost numbers as 82,83, 1001, etc.. on only one phone in the company. I know that could sound a bit strange but I have 15 Yealink SIP-T32G in our offices and only one is affected by these spamming calls. I've already updated just yesterday its firmware to ver 32.70.1.33 and its hardware version is reported to be 22.3.2.32.0.0.0. I've already changed the server SIP port and the Outbound proxy server port to 5070. The local SIP port is 5060.
I would like to configure the affected phone (and the others as well) in order to accept only calls coming from the PBX SERVER which is external and Asterisk based. How can I properly configure my SIP-T32G phones to eliminate these spam calls? I've already tried to follow some tutorials I've found in this forum and also on other web sites but they are all intended for different phone models.
Moreover, the company voip telephone network use a dedicated modem/router Cisco Linksys X3000 and a dedicated ADSL. Is there a way to filter the ghost calls at router level in order to protect all the company voip network?
Thanks in advance for any advice on the matter.