avayaguy
New Contributor II

scanning and attempted sip hacking

I know this has been posted before, but I think this is a rather unique situation. One of my providers is a provider of providers, if you will, in that they route through many carriers. So when I try to create an access list for them to block this from happening:

Tx: UDP src=192.192.192.192:5060 dst=192.227.153.226:56221
07:00:15.533 SIP.STACK MSG         SIP/2.0 404 Not Found
07:00:15.534 SIP.STACK MSG         From: <sip:102@192.192.192.192,>;tag=1160685063
07:00:15.534 SIP.STACK MSG         To: <sip:927498772915350@192.192.192.192>;tag=4d0f5a28-7f000001-13c4-38199-903c494b-38199
07:00:15.534 SIP.STACK MSG         Call-ID: 1763559016-137564200-1924688624
07:00:15.534 SIP.STACK MSG         CSeq: 1 INVITE
07:00:15.534 SIP.STACK MSG         Via: SIP/2.0/UDP 0.0.0.0:56221;received=192.227.153.226;branch=z9hG4bK1374599745
07:00:15.534 SIP.STACK MSG         Supported: 100rel,replaces
07:00:15.535 SIP.STACK MSG         Allow: ACK, BYE, CANCEL, INFO, INVITE, NOTIFY, OPTIONS, PRACK, REFER, REGISTER
07:00:15.535 SIP.STACK MSG         User-Agent: ADTRAN_Total_Access_908e_3rd_Gen/R11.4.4.E
07:00:15.535 SIP.STACK MSG         Content-Length: 0

I block all of the carriers behind my carrier. I have the roughly 6 or 7 IP addresses with which to block them, and it takes the system down.

Any other ideas? Carrier is anveodirect.

These guys are constantly trying to route calls through my system. My carrier uses DNIS for authentication.

0 Kudos
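One way to see which remote addresses are probing, as an added example that is not part of the original post: this Python sketch groups debug output in the format shown above into messages and lists, per untrusted peer, the numbers whose INVITEs were answered with 404. The sample lines are constructed, and the trusted carrier address `198.51.100.10` and all function names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the post's debug format; 198.51.100.10 is an assumed carrier IP.
SAMPLE = """\
Tx: UDP src=192.192.192.192:5060 dst=192.227.153.226:56221
07:00:15.533 SIP.STACK MSG         SIP/2.0 404 Not Found
07:00:15.534 SIP.STACK MSG         To: <sip:927498772915350@192.192.192.192>;tag=4d0f
07:00:15.534 SIP.STACK MSG         CSeq: 1 INVITE
Tx: UDP src=192.192.192.192:5060 dst=192.227.153.226:56230
07:00:16.101 SIP.STACK MSG         SIP/2.0 404 Not Found
07:00:16.101 SIP.STACK MSG         To: <sip:827498772915350@192.192.192.192>;tag=4d10
07:00:16.101 SIP.STACK MSG         CSeq: 1 INVITE
Tx: UDP src=192.192.192.192:5060 dst=198.51.100.10:5060
07:00:17.000 SIP.STACK MSG         SIP/2.0 200 OK
07:00:17.000 SIP.STACK MSG         CSeq: 1 INVITE
"""

HDR = re.compile(r"^Tx: UDP src=[\d.]+:\d+ dst=([\d.]+):\d+")
MSG = re.compile(r"^\d\d:\d\d:\d\d\.\d+ SIP\.STACK MSG\s+(.*)$")
TO_USER = re.compile(r"^To: <sip:([^@>]+)@")

def parse_tx_messages(text):
    """Group debug lines into (remote_ip, [sip lines]) per transmitted message."""
    messages = []
    for raw in text.splitlines():
        line = raw.strip()  # blank lines between entries simply match nothing
        if (hdr := HDR.match(line)):
            messages.append((hdr.group(1), []))
        elif (msg := MSG.match(line)) and messages:
            messages[-1][1].append(msg.group(1))
    return messages

def probes_by_peer(text, trusted):
    """Map each untrusted peer to the numbers whose INVITEs were answered 404."""
    probes = defaultdict(list)
    for peer, lines in parse_tx_messages(text):
        if peer in trusted or not lines or not lines[0].startswith("SIP/2.0 404"):
            continue
        if not any(l.startswith("CSeq:") and l.endswith("INVITE") for l in lines):
            continue
        # The To user part is the number the remote side tried to dial.
        probes[peer] += [m.group(1) for l in lines if (m := TO_USER.match(l))]
    return dict(probes)
```

A peer that collects many 404s for ever-changing numbers within seconds is a scanner rather than a misrouted carrier call.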
1 Reply
avayaguy
New Contributor II

Re: scanning and attempted sip hacking

Can someone have a glance at this config I wrote up and see if this looks like a better solution for locking this down? It looks like 5060-5069 was needed for sessions to properly go through. I left the show run voice portion of it out so it would be easier to read. 5.4.3.2 is outside, 1.2.3.4 is inside. Thanks in advance!

hostname "MYADTRANADTRAN"
enable password encrypted
!
license key esbc-trial
!
clock timezone -6-Central-Time
!
ip subnet-zero
ip classless
ip routing
ipv6 unicast-routing
!
domain-proxy
name-server 8.8.8.8 4.2.2.2
!
no auto-config
auto-config authname adtran encrypted password
!
event-history on
no logging forwarding
no logging email
!
service password-encryption
!
username "admin" password encrypted "000c"
username "enable" password encrypted "000"
!
ip firewall
ip firewall stealth
no ip firewall alg msn
no ip firewall alg mszone
no ip firewall alg h323
!
no dot11ap access-point-control
!
qos map Voice 10
  match dscp 46
  priority 800
!
qos map eth0/1QosWizard 20
  match dscp 46
  shape average 4194304
qos map eth0/1QosWizard 21
  match ip list acleth0/1QosWizSignal21
  set dscp 26
!
interface eth 0/1
  description outside
  ip address  5.4.3.2 255.255.255.248
  ip access-policy Public
  media-gateway ip primary
  traffic-shape rate 1000000
  max-reserved-bandwidth 100
  qos-policy out eth0/1QosWizard
  no shutdown
!
interface eth 0/2
  description inside
  ip address  1.2.3.4 255.255.255.0
  ip access-policy Private
  media-gateway ip primary
  no shutdown
!
interface t1 0/1
  shutdown
!
interface t1 0/2
  shutdown
!
interface t1 0/3
  shutdown
!
interface t1 0/4
  shutdown
!
interface fxs 0/1
  no shutdown
!
interface fxs 0/2
  no shutdown
!
interface fxs 0/3
  no shutdown
!
interface fxs 0/4
  no shutdown
!
interface fxs 0/5
  no shutdown
!
interface fxs 0/6
  no shutdown
!
interface fxs 0/7
  no shutdown
!
interface fxs 0/8
  no shutdown
!
interface fxo 0/0
  shutdown
!
ip access-list standard admin-list
  permit 1.2.3.4.0 0.0.0.255
  permit 1.2.3.4 0.0.0.255
!
ip access-list standard sip-access-list
  permit host 5.4.3.2
  permit 1.2.3.4 0.0.0.255
!
ip access-list extended acleth0/1QosWizSignal21
  permit udp any  any eq 5060-5069
!
ip access-list extended Admin
  permit tcp any  any eq ssh
  permit tcp any  any eq https
!
ip access-list extended BLOCK
  deny   ip 5.62.0.0 0.0.255.255  any    log
!
ip access-list extended MatchAll
  permit ip any  any
!
ip access-list extended SIP
  permit udp any  any eq 5060-5069
!
ip policy-class Private
  allow list MatchAll self
  nat source list MatchAll interface eth 0/1 overload
  allow list MatchAll self
  nat source list MatchAll interface eth 0/1 overload
!
ip policy-class Public
  allow list SIP self
  allow list Admin self
!
ip route 0.0.0.0 0.0.0.0 1.2.3.4
!
no tftp server
no tftp server overwrite
no http server
http session-limit 1
http secure-server
no snmp agent
no ip ftp server
no ip scp server
no ip sntp server
!
http ip access-class admin-list in
http ip secure-access-class admin-list in
!
sip
sip udp 5060
no sip tcp
!
voice feature-mode network
voice transfer-mode local
voice forward-mode network
!
voice codec-list CodecList
  codec g711ulaw
  codec g729
!
voice codec-list CodeList
!
voice codec-list G711u
  codec g711ulaw
!
voice trunk T01 type sip (voice trunk config starts here it is fine….. removed)
voice trunking end
!
sip privacy
!
sip access-class ip "sip-access-list" in
!
no sip prefer double-reinvite
!
ip rtp symmetric-filter
ip rtp media-anchoring
!
ip rtp quality-monitoring
ip rtp quality-monitoring udp
ip rtp quality-monitoring sip
!
line con 0
  no login
!
line telnet 0 4
  login
  password encrypted 444
  shutdown
line ssh 0 4
  login local-userlist
  no shutdown
  ip access-class admin-list in
!
ntp source ethernet 0/2
ntp peer 216.239.35.4 source ethernet 0/1 prefer
!
end
MYADTRANADTRAN#
MYADTRANADTRAN#
MYADTRANADTRAN#
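A quick way to audit a configuration like the one above, as an added example that is not part of the original post: this Python sketch reads the access-list and policy-class blocks and reports every permit with source `any` that a policy-class allows to the unit itself (`self`). The `CONFIG` excerpt is copied from the posted configuration; the function names are assumptions.

```python
import re

# Firewall-related lines copied from the configuration posted above.
CONFIG = """\
ip access-list standard sip-access-list
  permit host 5.4.3.2
  permit 1.2.3.4 0.0.0.255
ip access-list extended Admin
  permit tcp any  any eq ssh
  permit tcp any  any eq https
ip access-list extended SIP
  permit udp any  any eq 5060-5069
ip policy-class Public
  allow list SIP self
  allow list Admin self
sip access-class ip "sip-access-list" in
"""

HEADER = re.compile(r"ip (access-list (?:standard|extended)|policy-class) (\S+)$")

def parse_sections(text):
    """Return {(kind, name): [tokenised body lines]} for ACL and policy-class blocks."""
    sections, cur = {}, None
    for line in text.splitlines():
        if not line.strip() or line.strip() == "!":
            continue  # blank lines and '!' separators carry no rules
        m = HEADER.match(line.strip())
        if m and not line.startswith(" "):
            cur = sections.setdefault((m.group(1).split()[0], m.group(2)), [])
        elif line.startswith(" ") and cur is not None:
            cur.append(line.split())
        else:
            cur = None  # any other top-level command ends the current block
    return sections

def open_self_rules(text, policy):
    """List (acl, protocol, port) permits with source 'any' that `policy` allows to self."""
    sections = parse_sections(text)
    findings = []
    for words in sections.get(("policy-class", policy), []):
        if words[:2] == ["allow", "list"] and words[-1] == "self":
            for rule in sections.get(("access-list", words[2]), []):
                # extended form: permit <proto> <source> <destination> eq <port>
                if rule[0] == "permit" and len(rule) >= 4 and rule[2] == "any":
                    findings.append((words[2], rule[1], rule[-1]))
    return findings
```

For the excerpt, `open_self_rules(CONFIG, "Public")` reports the SIP, SSH and HTTPS permits, all of which match any source address on the outside interface.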