how the hackers knows

PostPosted: Mon Aug 30, 2010 3:57 am
by striker
Hi

VERSION: 2.2.0-228|BUILD: 91211-1359|vicibox ubuntu|single server|no digium cards

Most of the time someone is hacking my server and trying to register SIP extensions. How do they come to know this is a vicibox with extensions 1xxx, 8xxx?
See below, which was running continuously in my Asterisk CLI:

[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password

That IP 202.172.18.120 points to Thailand; that culprit was in Thailand.
On another day someone hacked another server, and that one was hacked from the UK.

I need to know how they come to know this is an Asterisk server with this extension.

And I think the following configuration sends my personal data:
iax.conf
#include iax-vicidial.conf

;register => 1112223333:PASSWORD@iax.binfone.com
register => ASTloop:test@127.0.0.1:40569
register => ASTblind:test@127.0.0.1:41569

[vicihelp]
host=67.134.219.20 ;voip.vicidial-group.com
type=friend
context=opengateway
disallow=all
allow=gsm
allow=ulaw
permit=67.134.219.20/255.255.255.255
insecure=very


The only question is how they come to know my public IP, and that this public IP points to a vicibox server with these extensions, etc.

PostPosted: Mon Aug 30, 2010 11:42 am
by williamconley
1) if you have any domains pointed to your IP, remember that google and all the other search engines make a living making this information available.

2) if you have "it works!" on your web root OR have been silly and forwarded that document straight to your vicidial login ... you have just given google (and all the other search engines) permission to advertise your cool new server to the world.

We generally change the "base web root" document of the server to the client's Main Web Page. This redirects all traffic (search engines especially) to a site that is not going to be disturbed by web traffic and search engines. It also removes the "I'm a Vicidial Server!" notification from the web.

That doesn't stop bots searching for port 5060 or 4569 (that's what IPTables is for!)

So install IPTables (or configure it if it's already installed) and restrict access to the server to ONLY your offices, the offices of your managers/clients, and your Carriers. Then no one will be able to play any more.

PS: thanks for including almost all of your specs in the first post! But do try to add "no extra software" or list the packages (or just say "Several extra packages installed"), and do remember that those packages could also be broadcasting for invasion!
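One way to act on the advice in this thread, as an added example and not code from the thread or from Vicidial: a small Python script that counts failed REGISTER attempts per source IP in Asterisk chan_sip NOTICE lines like the ones striker posted, and prints the iptables allow-list rules williamconley describes for 5060/udp and 4569/udp. The sample log is constructed (the posted lines plus two made-up entries), and the trusted network 203.0.113.0/24 is a placeholder for your own offices and carriers.

```python
import re
from collections import Counter

# Constructed sample: the chan_sip NOTICE lines from the thread, plus one failed
# REGISTER for another extension and one benign line the parser should ignore.
SAMPLE_LOG = """\
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:23] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"112" <sip:112@xx.xx.xx.xx>' failed for '202.172.18.120' - Wrong password
[Aug 30 11:59:24] NOTICE[5224]: chan_sip.c:11316 handle_request_register: Registration from '"8001" <sip:8001@xx.xx.xx.xx>' failed for '202.172.18.120' - No matching peer found
[Aug 30 11:59:25] VERBOSE[5224]: -- Registered SIP '1001' at 10.0.0.5:5060
"""

# Matches the failed-REGISTER NOTICE; the optional ":port" covers newer Asterisk
# releases that log the source as 'ip:port' instead of just 'ip'.
REG_FAIL = re.compile(
    r"handle_request_register: Registration from '\"(?P<ext>[^\"]*)\"[^']*' "
    r"failed for '(?P<src>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)

def failed_registrations(log_text):
    """Count failed REGISTERs keyed by (source_ip, attempted_extension)."""
    hits = Counter()
    for line in log_text.splitlines():
        m = REG_FAIL.search(line)
        if m:
            hits[(m["src"], m["ext"])] += 1
    return hits

def noisy_sources(log_text, threshold=5):
    """Source IPs whose total failed REGISTERs reach the threshold, with counts."""
    per_ip = Counter()
    for (src, _ext), n in failed_registrations(log_text).items():
        per_ip[src] += n
    return {ip: n for ip, n in per_ip.items() if n >= threshold}

def allowlist_rules(trusted_cidrs, ports=("5060", "4569")):
    """iptables commands restricting SIP (5060/udp) and IAX2 (4569/udp) to
    trusted_cidrs and dropping every other source, as the thread recommends."""
    rules = []
    for port in ports:
        for cidr in trusted_cidrs:
            rules.append(f"iptables -A INPUT -p udp --dport {port} -s {cidr} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p udp --dport {port} -j DROP")
    return rules

if __name__ == "__main__":
    for ip, n in noisy_sources(SAMPLE_LOG, threshold=3).items():
        print(f"{ip}: {n} failed REGISTERs")
    print("\n".join(allowlist_rules(["203.0.113.0/24"])))  # placeholder network
```

On a live box, run the parser over /var/log/asterisk/messages (or the CLI output you already see) and apply the printed rules after adding every office and carrier range you actually use.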