Home » Asterisk Users » Intruder
Asterisk Users 5 Comments

I am in the Asterisk CLI and can see an unidentified caller trying the make calls out of the asterisk system. How do I stop them? How do I identify them and how can I see how the go in?

This is an example of what I would see:

NOTICE[4098]: chan_sip.c:20063 handle_request_invite: Call from ” to extension ‘90111235551212’ rejected because extension not found.


5 thoughts on - Intruder

  • Hi Felix,

    you have several things to check:

    netstat -a -n –udp –tcp

    will show you connections and connection attempts on network layer level. You have to look for incoming connections to port 5060 and if the call has been established for connections on your rtp ports. (see rtp.conf). If you can see connections not supposed to be there: thats your intruder 😉

    I suggest you disable guest calls and you configure a default context in which dialed extensions can’t be routed to charged destinations.

    allowguests=no defaultcontext

  • Hi Felix,

    ngrep -W byline port 5060|grep -B1 “INVITE sip”


    Am 16.11.2012 17:50, schrieb Ruben R

  • I created my own Whitelist and Blacklist system. When I make an outgoing call, the number is automatically added to my Whitelist database and I can add numbers to the Blacklist manually or by pressing the *. You can use this for incoming/outgoing calls however you want to setup your extensions.

    If a Whitelisted caller is calling, I change the Caller(name) Whitelist so I know it’s ok to answer. If a Blacklisted caller is calling, I play a message and hangup.

    I get a lot of 8** calls from solicitors so here is my dialplan and database:
    I pass the call to these Macros before it reaches anyone and I can block calls by date time too.

    Mysql Blacklist Database blacklistid, callerid_from, callerid_to, description, times, days, months, playback
    35, ‘%8775160592’, ‘%’, ‘Solicitor keeps calling, ‘*’, ‘*’, ‘*’,
    32, ‘%’, ‘%2134271’, ‘Kids Friends cant call after midnight and before
    8am’, ’00:00-08:00′, ‘*’, ‘*’,

    ………. exten => _X!,n,Macro(blacklist,${CALLERID(num)},${EXTEN})
    exten => _X!,n,Macro(whitelist,${CALLERID(num)},${EXTEN})
    exten => _X!,n,Set(DB(global/lastcallerid)=${CALLERID(num)})
    exten => _X!,n,Goto(incoming,start,1)

    exten => s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass}
    exten => s,n,MYSQL(Query resultid ${connid} SELECT blacklistid, callerid_from, callerid_to, times, days, months, playback FROM blacklist WHERE ‘${ARG1}’ LIKE callerid_from AND ‘${ARG2}’ LIKE callerid_to)
    exten => s,n,MYSQL(Fetch fetchid ${resultid} blacklistid callerid1
    callerid2 times days months playback)
    exten => s,n,MYSQL(Clear ${resultid})
    exten => s,n,MYSQL(Disconnect ${connid})
    exten => s,n,GoToIf($[“${blacklistid}” = “”]?call,1:time,1)

    exten => time,1,GotoIfTime(${times},${days},${months}?fail,1:call,1)

    exten => fail,1,NoOp(Blacklisted ${callerid1} to ${callerid2})
    exten => fail,n,GoTo(blacklisted,s,1)

    exten => call,1,NoOp(Not Blacklisted ${ARG1} to ${ARG2})

    exten => s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass}
    exten => s,n,MYSQL(Query resultid ${connid} INSERT IGNORE INTO blacklist
    (callerid_to, callerid_from, description) VALUES
    exten => s,n,MYSQL(Disconnect ${connid})

    exten => s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass}
    exten => s,n,MYSQL(Query resultid ${connid} SELECT whitelistid, callerid_from, callerid_to, description FROM whitelist WHERE ‘${ARG1}’
    LIKE callerid_from AND ‘${ARG2}’ LIKE callerid_to)
    exten => s,n,MYSQL(Fetch fetchid ${resultid} whitelistid callerid1
    callerid2 description)
    exten => s,n,MYSQL(Clear ${resultid})
    exten => s,n,MYSQL(Disconnect ${connid})
    exten => s,n,GoToIf($[“${whitelistid}” = “”]?not,1:is,1)

    exten => is,1,NoOp(Whitelisted ${ARG1} to ${ARG2})
    exten => is,n,Set(CALLERID(name)=${description})

    exten => not,1,NoOp(Not Whitelisted ${ARG1} to ${ARG2})
    exten => not,n,Set(CALLERID(name)=Unknown)

    exten => s,1,MYSQL(Connect connid ${db_host} ${db_user} ${db_pass}
    exten => s,n,MYSQL(Query resultid ${connid} INSERT IGNORE INTO whitelist
    (callerid_to, callerid_from) VALUES (‘%’,’${ARG2}’))
    exten => s,n,MYSQL(Disconnect ${connid})

    exten => s,1,Set(CALLERID(name)=Blacklisted)
    exten => s,n,Wait(3)
    exten => s,n,Playback(${playback})
    exten => s,n,HangUp()

    If you want to add a KEY to your dialplan to add to blacklist or whitelist:

    exten => roy,*,Macro(blacklist-add,%,${DB(global/lastcallerid)})
    exten => roy,#,Macro(whitelist-add,%,${DB(global/lastcallerid)})

    Co-op Vacation Rentals
    15218 Summit Ave Suite #300-354
    Fontana, CA 92336
    Phone/Fax (855) 760-COOP (2667)

  • Am 16.11.2012 um 18:08 schrieb Michael L. Young:

    Hi Michael,

    the security logging in Asterisk 11 was a nice tip. I tried it, but unfortunately it doesn’t work over syslog for me, only console and file logging. Do you know if that is on purpose?

    In AstLinux we have our own kind of Fail2ban solutions which parses the syslog.