Ghost call


#1

Hi

I have a UCM 6304A installed on the network with a SIP trunk on port 5060, and I'm getting lots of ghost calls. How can I stop them? I do not see any setting like "only allow calls from the SIP proxy". How can I stop this kind of call? By ghost call I mean I get calls from random numbers like 1000, 100, 0000, and they do not even show in the CDR of the Grandstream.


#2

What you need to do is simple: place a business-grade SPI router in front of the UCM and only allow known safe IP addresses to be able to see the UCM.

Let the UCM be a telephone system and place a router with SPI in front of it doing the role of border security.


#3

This happens when the doors are opened to any public IP.
First of all, you need to do the NATs in ACLs (e.g. https://www.computersec.it/2021/12/08/access-control-list/).
In this way, calls to the UCM only arrive, for example, from the registered trunk or from authorized remote telephones, which in any case should be set up on Remote Connect.
Furthermore, by exposing RTP and SIP to all public IPs, the UCM is exposed to a serious security problem: practically anyone in the world can reach the UCM.
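
The source-restricted port forward described in posts #2 and #3, sketched as an nftables ruleset for a Linux border router. This is an added example, not part of the original thread and not a Grandstream configuration. The interface names, the UCM address, the trunk addresses and the RTP range are placeholders, and it assumes the provider sends media from the same addresses as its SIP signalling.

```nftables
#!/usr/sbin/nft -f
# Constructed example: every address, interface and port range is a placeholder.
define wan_if    = "eth0"
define lan_if    = "eth1"
define ucm       = 192.168.1.10                    # UCM on the LAN
define sip_trunk = { 203.0.113.10, 203.0.113.11 }  # provider SIP proxies (RFC 5737 range)
define rtp_ports = 10000-20000                     # must match the RTP range set on the UCM

table ip nat {
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # The port forward is itself the ACL: only trunk sources are translated to the UCM.
        iifname $wan_if ip saddr $sip_trunk udp dport 5060 dnat to $ucm
        iifname $wan_if ip saddr $sip_trunk udp dport $rtp_ports dnat to $ucm
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $wan_if masquerade
    }
}

table inet border {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname $lan_if oifname $wan_if accept
        # Translated trunk traffic is the only new inbound flow allowed through.
        iifname $wan_if ip saddr $sip_trunk ip daddr $ucm udp dport 5060 accept
        iifname $wan_if ip saddr $sip_trunk ip daddr $ucm udp dport $rtp_ports accept
    }
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iifname "lo" accept
        iifname $lan_if accept
        # SIP from any other source is never translated and ends here:
        # log a rate-limited sample, then the chain policy drops it.
        iifname $wan_if udp dport 5060 limit rate 6/minute log prefix "sip-probe-drop "
    }
}
```

Running `nft -c -f` on the file checks the syntax without loading it. The `sip-probe-drop` log entries show how much unsolicited SIP traffic was previously reaching port 5060.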


#4

Chances are that if they do not show in the CDR, then they are not using the PBX.

Set up accept from SIP proxy only in the endpoint devices if using GS. Most other makes have something similar.

However, while this stops the ghost calls from ringing phones, they are still able to penetrate the network somehow.


#5

Having the PBX directly attached to the internet is a bad, and can be an expensive, mistake. In 2016 we learned our lesson when approx. 800$ worth of phone calls were made within a few minutes.

You need to add security to your front door.

Meanwhile I think your problem can be solved when you use TLS and enable and enforce SRTP until the new firewall is installed. @Everyone else, please confirm!


#6

That might be a band-aid, but it comes with a penalty. SRTP is CPU intensive and lowers the calling capacity by ~30%. I do not know if that is a problem or not. The simpler (which I always like as I am lazy) band-aid is the one I suggested - only let the phone respond to the SIP Proxy/Server.

The cure is the firewall protection as others have noted.


#7

SRTP and TLS are not the solution. In addition to what Larry has already written, the attacker must NOT get to the UCM at all. So the only solution is the firewall with NATs made exclusively in ACLs.

At home I have to stop the thief outside the door; if the thief enters the door, at 99% I have lost.


#8

I didn’t claim it as a solution, I was suggesting it as a potential bandaid until the firewall arrived and was configured!

A properly configured fw is needed.


#9

How about for the HT801 ATA, will it be the same setting?


#10

Yes it is.