
Disappointed in the system

PostPosted: Wed May 11, 2011 10:58 pm
by otel2
Hi

I'm quite disappointed in the VICIdial/GoAutoDial system.
It started off well. I was experiencing some issues, but they were resolvable.

The sad part came when my web host called me saying that my newly installed GoAutoDial server had been experiencing unusually high amounts of traffic since Sunday 8th May. He emailed me the graphs and I noticed that the server was sending and receiving up to 30 GB of SIP packets per day!!

I was billed for the few days of traffic, and I have no clue where it's coming from. The server is on a public IP.

I shut down the server remotely.

Is this the end of my partnership with Go Autodial/vicidial?

I'm not sure... but this is a serious problem which I did not anticipate.

I must say that I am sad...very sad...

PostPosted: Thu May 12, 2011 7:00 pm
by gardo
Looks like your server is being attacked via SIP brute force. Or it may already have been compromised if you haven't changed the default passwords. Changing the default passwords should be the first step when you put any open source system online. I recommend you do some reading first so you know what to do to properly secure your system online.
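
The SIP brute force gardo describes leaves a characteristic trail in Asterisk's messages log: chan_sip writes one "Registration from '...' failed for '<ip>' - <reason>" NOTICE per guessed extension or password (the same line fail2ban's asterisk filter keys on). The script below is an added example, not code from the thread or from the VICIdial/GoAutoDial projects; it counts those failures per source address and reports the sources above a threshold. The log lines it is run against are constructed samples in that format, including the later chan_sip variant that appends the source port, and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): find SIP brute-force sources in an Asterisk log.
# chan_sip logs each failed REGISTER as
#   NOTICE[pid] chan_sip.c: Registration from '<contact>' failed for '<ip>[:port]' - <reason>
# One attacker guessing extensions produces hundreds of these per minute from one address.

# write_sample_log PATH : writes constructed sample lines (not a real capture) to PATH.
# 203.0.113.5 is the "attacker" (6 failures, two of them in the newer ip:port form);
# 192.0.2.30 is a legitimate phone that mistyped its password twice.
write_sample_log() {
    cat > "$1" <<'EOF'
[May 10 03:12:44] NOTICE[2431] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '203.0.113.5' - Wrong password
[May 10 03:12:44] NOTICE[2431] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[May 10 03:12:45] NOTICE[2431] chan_sip.c: Registration from '"102" <sip:102@198.51.100.7>' failed for '203.0.113.5' - No matching peer found
[May 10 03:12:45] NOTICE[2431] chan_sip.c: Registration from '"103" <sip:103@198.51.100.7>' failed for '203.0.113.5' - Wrong password
[May 10 03:12:46] NOTICE[2431] chan_sip.c: Registration from '"104" <sip:104@198.51.100.7>' failed for '203.0.113.5:5060' - Wrong password
[May 10 03:12:46] NOTICE[2431] chan_sip.c: Registration from '"105" <sip:105@198.51.100.7>' failed for '203.0.113.5:5060' - Username/auth name mismatch
[May 10 03:13:01] VERBOSE[2431] chan_sip.c:     -- Registered SIP '201' at 192.0.2.30:5060
[May 10 03:14:10] NOTICE[2431] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '192.0.2.30' - Wrong password
[May 10 03:14:12] NOTICE[2431] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '192.0.2.30' - Wrong password
EOF
}

# sip_bruteforce_sources LOGFILE [THRESHOLD]
# Prints "<failures> <ip>" for every source with at least THRESHOLD (default 5) failed
# registrations, busiest source first. Successful registrations and other lines are ignored.
sip_bruteforce_sources() {
    log=$1; threshold=${2:-5}
    awk -v t="$threshold" -F"failed for '" '
        /chan_sip\.c: Registration from/ && NF > 1 {
            split($2, a, "\047")          # up to the closing quote: "203.0.113.5" or "203.0.113.5:5060"
            ip = a[1]
            sub(/:[0-9]+$/, "", ip)       # newer chan_sip appends the source port; strip it
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= t) print count[ip], ip }
    ' "$log" | sort -rn
}

# Real use: sip_bruteforce_sources /var/log/asterisk/messages 20
# Demonstration against the constructed sample:
tmp=$(mktemp)
write_sample_log "$tmp"
sip_bruteforce_sources "$tmp" 5
rm -f "$tmp"
```

With the sample and a threshold of 5 the only line printed is the attacker, 6 203.0.113.5; at a threshold of 2 the phone with the mistyped password also appears, which is why the threshold should be set well above what a misconfigured handset produces. The output is the list to feed into a DROP rule or to compare against the whitelist in the next post.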

PostPosted: Thu May 12, 2011 9:20 pm
by williamconley
Use iptables to build a pure "whitelist only" system for your server. Then ONLY allowed computers can see your server, and quite specifically no one in China.

Here is a sample file that can be loaded via "iptables-restore" at startup and can easily be modified for newly added "whitelist" entries (see the list of "ACCEPT" entries near the top).

Code:
# Generated by iptables-save v1.4.8 on Thu May 12 22:11:52 2011
*raw
:PREROUTING ACCEPT [9158438:1718213972]
:OUTPUT ACCEPT [8602482:1774225763]
-A PREROUTING -i lo -j NOTRACK
-A OUTPUT -o lo -j NOTRACK
COMMIT
# Completed on Thu May 12 22:11:52 2011
# Generated by iptables-save v1.4.8 on Thu May 12 22:11:52 2011
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [219:8772]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
# whitelist entries: replace the placeholder addresses with your own (see the note below the file)
-A INPUT -s 115.115.155.115/32 -j ACCEPT
-A INPUT -s 115.115.155.115/32 -j ACCEPT
-A INPUT -s 115.115.155.115/32 -j ACCEPT
-A INPUT -s 115.115.155.0/24 -j ACCEPT
-A INPUT -i lo -j ACCEPT
# replies to traffic this server initiated; this is the rule that also admits peers Asterisk talks to (see below)
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m state --state RELATED -j ACCEPT
# everything else goes through the SuSEfirewall2-style input_ext chain, which logs and drops
-A INPUT -i eth0 -j input_ext
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m state --state NEW,RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-OUT-ERROR " --log-tcp-options --log-ip-options
-A input_ext -m pkttype --pkt-type broadcast -j DROP
# checks the 'GOOD' recent-list; no rule in this file adds entries to it, so it never matches here
-A input_ext -m recent --rcheck --name GOOD --rsource -j ACCEPT
-A input_ext -p icmp -m icmp --icmp-type 4 -j ACCEPT
# this only logs SYNs to port 81; there is no matching ACCEPT, so they are still dropped at the end of the chain
-A input_ext -p tcp -m limit --limit 3/min -m tcp --dport 81 --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-ACC-TCP " --log-tcp-options --log-ip-options
-A input_ext -p tcp -m tcp --dport 113 -m state --state NEW -j reject_func
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m state --state NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Thu May 12 22:11:52 2011
Be sure you are IN the office so you can physically touch the console in case you lock yourself out. Replace 115.115.155.115/32 with your own IP address (the /32 designates "one IP") and modify the lines directly below it to allow other offices, houses, etc.

Save the above sample (with revisions) to a file named "whitelist" and execute:
Code:
iptables-restore < whitelist


This method auto-allows any server which your system reaches out to. Unfortunately this includes anyone who has successfully registered a phone (even if they are a bad guy), because Asterisk WILL reach out to them to re-register. So you'll have to kill your Asterisk registry memory as well if that has happened, and probably reboot to be sure:
Code:
asterisk -rx "database deltree SIP/Registry"
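
The lockout warning above is the part people get wrong: a default-DROP INPUT policy loaded over SSH from an address that is not on the list ends the session. The script below is an added example, not code from the thread or from VICIdial/GoAutoDial; it generates the same kind of whitelist-only iptables-restore file as the post's sample, with only the rules that matter (the SuSEfirewall2 input_ext/reject_func chains are left out), and refuses to emit anything unless one of the allowed networks covers the address the administrator is connecting from. The admin address 198.51.100.7 and the two networks are made-up inputs, and the CIDR arithmetic assumes a 64-bit shell.

```shell
#!/bin/sh
# Added example (not from the thread): build a whitelist-only iptables-restore file and
# refuse to write one that would lock out the administrator who is going to load it.

# ip_to_int A.B.C.D : prints the address as a 32-bit integer; exit 1 on malformed input.
ip_to_int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case $o in ''|*[!0-9]*|0?*) return 1 ;; esac   # digits only, no leading zeros
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_cidr A.B.C.D/LEN : exit 0 if well formed (the form iptables -s accepts).
valid_cidr() {
    net=${1%/*}; len=${1#*/}
    [ "$net" != "$1" ] || return 1                       # must contain a slash
    case $len in ''|*[!0-9]*|0?*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    ip_to_int "$net" >/dev/null
}

# cidr_contains A.B.C.D/LEN X.Y.Z.W : exit 0 if the address lies inside the network.
cidr_contains() {
    valid_cidr "$1" || return 1
    n=$(ip_to_int "${1%/*}"); len=${1#*/}
    a=$(ip_to_int "$2") || return 1
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))  # assumes 64-bit shell arithmetic
    [ $(( n & mask )) -eq $(( a & mask )) ]
}

# whitelist_rules ADMIN_IP CIDR... : print an iptables-restore ruleset that accepts input
# only from CIDR... (plus loopback and replies to the server's own traffic).
# Prints nothing and exits 1 if a CIDR is malformed or none of them covers ADMIN_IP.
whitelist_rules() {
    admin=$1; shift
    [ $# -gt 0 ] || { echo "no whitelist entries given" >&2; return 1; }
    covered=0
    for c in "$@"; do
        valid_cidr "$c" || { echo "bad CIDR: $c" >&2; return 1; }
        cidr_contains "$c" "$admin" && covered=1
    done
    [ "$covered" -eq 1 ] || { echo "refusing: admin address $admin is not in the whitelist" >&2; return 1; }

    echo '*filter'
    echo ':INPUT DROP [0:0]'
    echo ':FORWARD DROP [0:0]'
    echo ':OUTPUT ACCEPT [0:0]'
    echo '-A INPUT -i lo -j ACCEPT'
    # Replies to traffic the server originated. As the post says, this also admits any peer
    # Asterisk itself sends to (re-registration, qualify), so it is no substitute for the list.
    echo '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    for c in "$@"; do
        echo "-A INPUT -s $c -j ACCEPT"
    done
    echo '-A INPUT -m limit --limit 3/min -j LOG --log-prefix "WL-DROP "'
    echo '-A INPUT -j DROP'
    echo 'COMMIT'
}

# Demonstration with made-up addresses: the office /24 contains the admin, so this succeeds.
# To load for real (as root, from a console you can still reach if it goes wrong):
#   whitelist_rules "$ADMIN_IP" 198.51.100.0/24 203.0.113.10/32 > whitelist && iptables-restore < whitelist
whitelist_rules 198.51.100.7 198.51.100.0/24 203.0.113.10/32
```

Taking the administrator's address from the SSH session (the first field of $SSH_CLIENT) instead of typing it is the natural next step; the point of the check is that the file is never written unless that address is already allowed, so iptables-restore cannot cut off the session that runs it.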