Solution 1:

It's a brute force, Asterisk servers always get that kinda thing if connected to the public IP.

My solutions are:

  • Install fail2ban; fail2ban will set the iptables rules and reject IPs with continuous failed attempts to Asterisk
  • Disable guest SIP login, put allowguest=no in the sip.conf
  • In case you're using a VPN, set the from sip external in your PBX
  • Set the [default] context to empty.

Solution 2:

This happens due to automated scanners, which are probably trying to brute-force your passwords.

To get rid of such calls, you should disable anonymous users by placing the following options into the [general] section of your sip.conf:

[general]
context=bogus
allowguest=no
alwaysauthreject=yes
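
A way to check an existing configuration against the settings recommended in the answers above, as an added example that is not part of any answer and is not Asterisk's own code. The function names and the sample configuration text are constructed for illustration; the parser handles only plain `[section]` and `key=value` / `key => value` lines.

```python
import re

# Values the answers above recommend for the [general] section of sip.conf.
RECOMMENDED = {"allowguest": "no", "alwaysauthreject": "yes"}

# Constructed sample input (not taken from a real server).
SAMPLE_SIP = "[general]\ncontext=default ; catch-all\nallowguest=yes\n"
SAMPLE_EXT = "[default]\nexten => _X.,1,Dial(SIP/trunk/${EXTEN})\n"

def parse_sections(text):
    """Parse Asterisk-style config text into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = re.match(r"\[([^\]]+)\]", line)
        if m:
            current = m.group(1).strip()
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # 'exten => ...' lines leave a leading '>' on the value
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def audit(sip_conf, extensions_conf=""):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    general = dict(parse_sections(sip_conf).get("general", []))  # keeps last occurrence
    for key, want in RECOMMENDED.items():
        got = general.get(key)
        if got is None:
            findings.append(f"{key} is not set in [general] (recommended: {want})")
        elif got.lower() != want:
            findings.append(f"{key}={got} in [general] (recommended: {want})")
    ctx = general.get("context")
    if ctx is None:
        findings.append("context is not set in [general]")
    else:
        dialplan = parse_sections(extensions_conf).get(ctx, [])
        if dialplan:  # the context for unauthenticated calls should be empty
            findings.append(f"context '{ctx}' has {len(dialplan)} dialplan line(s); "
                            "unauthenticated calls could reach them")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SIP, SAMPLE_EXT):
        print("FINDING:", finding)
```
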

Solution 3:

As you stated this is an issue with home/remote users primarily, it is most likely that you would see two things. 1- The SIP invite they receive has nothing to do with your Asterisk server. I've seen the source IP be an unknown server, as well as the user's own home public IP. 2- If the user picks up, they will report hearing dead air.

I've seen this mostly with users using SIP softphone clients, making it easier to collect SIP messages, and some low-end IP phones. Some IP phones include a check on the incoming SIP invite to confirm the request is from the same IP as the SIP registration. If the invite fails this check, the device does not respond to an invalid invite.

I failed to bookmark a blog post I found where they posted several IPs of SIP scanners they found. However, most home users do not have a network capable of blacklisting the IPs from the list. If you do not have some fail2ban system on your Asterisk server, you should add that. You should also make sure your SIP credentials do not include the ISDN number of the user.

YOUR QUESTIONS:

  1. Do these calls originate from the home LAN of these employers? Most likely they do not, although the SIP message may indicate this. I guess there is a small chance that infected hardware on their network could be trying to generate this, but more likely it's just a bot scanning all public IPs.

  2. Does the Asterisk server play a role here? Your Asterisk server is most likely not generating these phantom calls. You should be able to look through your logs and confirm it is not.

  3. What can cause this? Is this malware on a laptop? Most likely a bot trying public IPs. It is unlikely that malware is the issue, but through experience softphones are more likely to handle phantom SIP invites differently than IP phones.

  4. Is it some harmless process that connects to this phone and causes the phone to think a call is made? Usually this is more annoying than harmful. If you find the same thing happening on your Asterisk server, you need to harden your server. With an invite to an end-user device it would be harder to find a way to bill the user for service, although there has to be some reason why someone is spanning for these services to begin with.