LAN access entries in router log

I have started to get daily entries like this in my router's log relating to my Cisco SP122 ATA:

[LAN access from remote] from 51.75.147.31:5168 to 192.168.0.222:5061 Sunday, Dec 13,2020 00:53:14
[LAN access from remote] from 103.145.13.18:5311 to 192.168.0.222:5061 Saturday, Dec 12,2020 17:53:36
[LAN access from remote] from 103.145.13.63:5236 to 192.168.0.221:5061 Thursday, Dec 10,2020 23:34:04

I am a bit puzzled by this as the dect base station plugged in to the ATA is not powered on so the log is not referring to calls initiated here and if I call my voip number there is no log entry so what are these entries? The ip addresses do look suspicious as they don't seem to relate to my sipgate account.
As a diagnostic step I have changed the ip address of the ATA and its password too but this has not made a difference as I still get 2 or 3 entries per day.
How safe from hacking are these ATAs? Can access to my LAN be made through them in any way? I am surprised that my Router firewall is allowing this through.

Does anyone have any insights please.

My router log shows denied entries from 217.10.79.23:5060 which is Sipgate (I have Sipgate VOIP a/cs) and
162.142.125.20 which is a company called Censys. I was not aware of them. There are others.

I think these are just the normal part of the Internet and the way SIP works, someone has discovered your SIP device and is trying to SPIT (SPAM over Internet Telephone) you with calls. SIP is designed to accept any call to it's IP address to allow peer-to-peer calling without needing a server sat in between but we tend not to use it that way now. Most ATAs will automatically block calls from IP addresses different from the SIP registration server and that is what the Cisco is doing. You could add a firewall rule to only accept connections from the range of servers your provider uses and stop them there.

See https://basichelp.sipgate.co.uk/hc/en-gb/articles/20... for more info

Yes you could well be right. Its just that I have had the voip account for a year but have only used it perhaps four times so it is going to be difficult to discover my number as it is not listed anywhere except on Sipgate's system. Perhaps there is a leak there as it has only just started happening.
I am going to keep an eye on it to try and understand what is happening because when I receive an unanswered call the remote access is logged but to a much higher port number. When I call the voip number with no phone connected nothing is logged at all even if I leave a voicemail and this is when I am getting these remote access logs from some dodgy ip addresses when there is no active phone connected.

BTW your link did not work, there is no article 20 as there are only 12 but I assume you were pointing to the Security article which I read but had already covered all their points in my setup.

Those IP addresses are known ones for abusive activity, basically they port scan IP addresses and see what's open that they might be able to exploit. See https://www.abuseipdb.com/ They have just found your IP and those ports at random, not a targeted thing, we all get them scanning our IP addresses, usually they don't get logged so we live in ignorance

I suspect your Firewall/router has a port mapping through to port 5061, this allows the probe to get across your firewall which is then logging that access (perhaps because it is set to log it), but if you don't have the device on it will just see a closed or blocked port anyway and can't do anything. The danger if you have the device connected is the device might have security vulnerabilities that can be exploited, depending on how good the firmware is and how quickly the manufacturer fixes problems. I would say the risk is quite low so I wouldn't panic.

Usually you don't need to add any firewall rules for SIP phones as they go outbound and that opens their own ports and that means random IP addresses don't get any access, if you do open ports or need to then the best thing to do is only allow the mapping for source IP addresses that are Sipgate's IP addresses, although some routers/firewalls don't allow that.

As for access to your LAN then if the device isn't connected there is no path to your LAN, the probe gets nothing in return. If the device is connected then potentially if there is a security vulnerability on the ATA someone could install some software onto it that then runs being able to see your LAN as it is on the device, or maybe they are able to extra the SIP username and password and use that to try and log into other services under the assumption you might have used the same credentials elsewhere. The odds are very low though but better to use the Firewall to stop access.

Edited by E300 (Tue 15-Dec-20 13:30:04)

In reply to a post by jaba:

I have started to get daily entries like this in my router's log relating to my Cisco SP122 ATA:

[LAN access from remote] from 51.75.147.31:5168 to 192.168.0.222:5061 Sunday, Dec 13,2020 00:53:14
[LAN access from remote] from 103.145.13.18:5311 to 192.168.0.222:5061 Saturday, Dec 12,2020 17:53:36
[LAN access from remote] from 103.145.13.63:5236 to 192.168.0.221:5061 Thursday, Dec 10,2020 23:34:04

The first thing you should check is that the router doesn't have UPnP enabled. If it does, disable it. Do you have any port forwarding or any other kind of remote access enabled on your router?

I see frequent scan attempts from the 103.145.13.x IP range, mostly VoIP related; TCP 5038 (Asterisk Manager Interface), TCP 50802 (Avaya System discovery from Manager), TCP 5060 (SIP), TCP 81 (common HTTP alternative), TCP 443 (HTTPS), TCP 8089 (TR-069) and TCP 8443 (common HTTPS alternative).

I see no other ports scanned from that address range which leads me to suspect that the servers at those addresses are specifically looking for unprotected VoIP systems.

That raises the question; who do they belong to?

Bear with me on this.

A cursory glance shows;

inetnum:        103.145.13.0 - 103.145.13.255
netname:        CINTY-NL-02
descr:          CINTY EU WEB SOLUTIONS
country:        NL
admin-c:        CEWS1-AP
tech-c:         CEWS1-AP
status:         ASSIGNED NON-PORTABLE
mnt-by:         MAINT-CINTY
mnt-irt:        IRT-CINTY
last-modified:  2020-03-10T07:13:13Z
geoloc:         52.6921234 6.1937187
source:         APNIC

role:           CINTY EU WEB SOLUTIONS
address:        Nieuwkerksedijk 10, Goirle
country:        NL
phone:          +31668630452
e-mail:         [email protected]
admin-c:        JG1401-AP
tech-c:         JG1401-AP
nic-hdl:        CEWS1-AP
mnt-by:         MAINT-CINTY
abuse-mailbox:  [email protected]
remarks:        all abuse complaints must be sent to [email protected]
last-modified:  2020-03-10T07:05:00Z
source:         APNIC

% Information related to '103.145.13.0/24AS213371'

route:          103.145.13.0/24
descr:          CINTY EU WEB SOLUTIONS
origin:         AS213371
mnt-by:         MAINT-CINTY
last-modified:  2020-05-14T11:45:53Z
source:         APNIC

A cursory glance is precisely what the operators of that IP address range want you to do, and nothing else. A search for "Cinty EU web solutions" reveals no trading information and the website doesn't help either.

Geolocation information puts the admin contact very precisely in a residential street in Meppel, Netherlands but that doesn't match the given address of Nieuwkerksedijk 10, Goirle, Netherlands - 180km away. That physical address is for Daub Bakery Machinery and nothing to do with an internet provider so summat's amiss.

The address and geolocation data along with the name "Cinty EU" and the domain name cinty.eu are designed to make you think it's a European company and therefore safe. It's not.

Someone is trying very hard to hide whoever is behind these IP addresses so some deeper digging is required. The next thing we can look at is how traffic for these IP addresses is routed so we do a whois lookup of the AS number (AS213371);

organisation:   ORG-SQTR1-RIPE
org-name:       ABC Consultancy
org-type:       OTHER
address:        Netherlands
geoloc:         52.3702 4.8952
abuse-c:        SN8949-RIPE
mnt-ref:        SQUITTER-MNT
mnt-by:         SQUITTER-MNT
created:        2020-04-13T10:54:36Z
last-modified:  2020-12-09T11:34:20Z
source:         RIPE # Filtered

role:           ABC Consultancy
address:        Netherlands
abuse-mailbox:  [email protected]
nic-hdl:        SN8949-RIPE
mnt-by:         SQUITTER-MNT
created:        2020-04-13T10:51:05Z
last-modified:  2020-12-09T11:35:47Z
source:         RIPE # Filtered

Again we get some nice geolocation information putting this company 100m from one of my clients in the heart of Amsterdam. What can we find out about ABC Consultancy? Not very much because it's a bogus name. We have a little more luck with squitter.eu though as I previously reported the bogus Voniq.eu IP registration related to squitter.eu here.

So, those IP addresses are the responsibility of a Russian operation based in St. Petersburg - again probably a bogus physical address. The Russian details which were previously showing for squitter.eu (nothing EU about it) were updated a week ago so now show ABC Consultancy in the Netherlands.

In reply to a post by jaba:

How safe from hacking are these ATAs?

That depends on the firmware. Have you updated to the latest?

See Cisco VoIP adapters have critical security flaws.

In reply to a post by caffn8me:

In reply to a post by jaba:

How safe from hacking are these ATAs?

That depends on the firmware. Have you updated to the latest?

See Cisco VoIP adapters have critical security flaws.

In reply to a post by caffn8me:

In reply to a post by jaba:

How safe from hacking are these ATAs?

That depends on the firmware. Have you updated to the latest?

See Cisco VoIP adapters have critical security flaws.

Thanks for using your enquiring mind to establish that what I have suspected, is an attempt to hack me or my equipment at any rate. I had only got as far a ABC consulting and Squitter and both looked dubious as you have certainly demonstrated.

Is this the start of a new sunshine industry, hacking voip adapters. At the moment not too many are using voip but it must surely increase rapidly as BT stop selling copper connections.
Can they be a backdoor into routers and LANs?

Back to what is happening. Its a yes to latest firmware and no to PnP. One thing I did do yesterday was to disable SIP ALG and this changed things. The log entries are still frequent but different, 20 today, like this:

[Service blocked: ICMP_echo_req] from source 185.94.111.1, Wednesday, Dec 16,2020 18:33:37
Firewall: packet drop. 185.94.111.1 -->My.ip.address, Protocol ICMP, Message type 8.

other ips are; 62.172.102.76, 172.253.71.191, 23.108.65.85, 3.238.36.66.

These guys are certainly persistent now they have discovered me even though I have changed my IP address twice they are just as frequent.And its only been plugged permanently since Saturday.

If I unplug the Cisco the logs are clean apart from DOS attacks every now and then which shows that the router firewall is working (I hope).
I am wondering about disabling IGMP proxying but I am not sure what that does and if I need it.
Staying positive voip still works and nothing bad has happened.

In reply to a post by Michael_Chare:

My router log shows denied entries from 217.10.79.23:5060 which is Sipgate (I have Sipgate VOIP a/cs) and
162.142.125.20 which is a company called Censys. I was not aware of them. There are others.

How many others do you get? Do you use an ATA too. There is not a lot you can do to lock them down more as they have to always be open to incoming calls.

Thanks for your input. Interesting, I will have to see if I can open port 5061 on my router to only the selected Sipgate ip addresses. I am not sure that is possible on my Netgate Router.

The ATA a Cisco SPA122 claims to be a router. It is setup in bridge mode and I cannot see anywhere to whitelist any addresses.

You'll probably need IGMP proxying enabled if you use a multicast streaming television service with a YouView, BT or SkyQ box setup or something similar. If you don't have a viewing box like these, disable it and see if anything breaks. Services to devices like an Apple TV / Roku / Amazon Firestick don't need it enabled.

It's good that switching off SIP ALG helped. One site I manage had a Netgear D7000 and I disabled SIP ALG without any adverse effects. The four Snom VoIP phones there work fine.

I don't like the Netgear routers because they lack the ability to do basic firewalling such as blocking or allowing specific IP addresses and ranges. Drayteks can do this but I usually use a dedicated firewall between the router and the LAN.

In reply to a post by jaba:

I have started to get daily entries like this in my router's log relating to my Cisco SP122 ATA:

[LAN access from remote] from 51.75.147.31:5168 to 192.168.0.222:5061 Sunday, Dec 13,2020 00:53:14
[LAN access from remote] from 103.145.13.18:5311 to 192.168.0.222:5061 Saturday, Dec 12,2020 17:53:36
[LAN access from remote] from 103.145.13.63:5236 to 192.168.0.221:5061 Thursday, Dec 10,2020 23:34:04

I am a bit puzzled by this as the dect base station plugged in to the ATA is not powered on so the log is not referring to calls initiated here and if I call my voip number there is no log entry so what are these entries? The ip addresses do look suspicious as they don't seem to relate to my sipgate account.
As a diagnostic step I have changed the ip address of the ATA and its password too but this has not made a difference as I still get 2 or 3 entries per day.
How safe from hacking are these ATAs? Can access to my LAN be made through them in any way? I am surprised that my Router firewall is allowing this through.

Does anyone have any insights please.

What ISP/Router combo do you have?

These guys are certainly persistent now they have discovered me even though I have changed my IP address twice they are just as frequent.And its only been plugged permanently since Saturday.

It isn't personal and not just you, these are automated bots and probing ports happens to all of us hundreds or thousands of times a day, there are legitimate probes by security companies and our ISPs checking for open ports and potential exploits happening, and those from people wanting to use the exploits. Usually these probes are dropped by a "Deny All" firewall rule that is never by default set to write a log of that attempt as the router would spend most of its CPU power managing the log.

This isn't a new probing of your IP address, just one that has happened to be drawn to your attention. It could go on indefinitely, or likely will stop after a while to be replaced by a different IP probing the port.

In reply to a post by danielhyde:

What ISP/Router combo do you have?

I am with BT as ISP since May this year, not using the Smart Hub but a Netgear DGND3700.
Since moving to BT from Uno I have noticed an increase, during the course of a week of roughly double the number of DOS attacks logged.
This maybe concidence or an indication of BT's range of IPs being an attractive target as the largest ISP.
I have switched the Cisco ATA off now as I do not need to use it for a while and I hope to have a daily log with a couple of entries instead of over 20.

Thank you for the warning.

In reply to a post by jaba:

In reply to a post by danielhyde:

What ISP/Router combo do you have?

I am with BT as ISP since May this year, not using the Smart Hub but a Netgear DGND3700.
Since moving to BT from Uno I have noticed an increase, during the course of a week of roughly double the number of DOS attacks logged.
This maybe concidence or an indication of BT's range of IPs being an attractive target as the largest ISP.
I have switched the Cisco ATA off now as I do not need to use it for a while and I hope to have a daily log with a couple of entries instead of over 20.

We've noticed before on ISP supplied routers that when a SIP ATA or Phone opens its connection to the SIP server it allows inbound connections from any IP.
We also found that Cisco devices drop these connection attempts automatically, but other brand devices get phantom calls.
When we replaced the routers with DrayTek routers there was no connection attempts made at all.