Moderators: enjay, williamconley, Staydog, mflorell, MJCoate, mcargile, Kumba
The one downside is the grace time between when an agent initially logs in to the web interface and when they will be able to connect their soft phone.
williamconley wrote:Honestly, I'm not on board with open port 80 to the world. I would be ok with that as an "option" that's easily deactivated either when not needed or in times of turmoil ("are we being attacked?"). Default either way is good, as long as pure whitelist is an option out of the box.
I'd love to hear input on that topic.
williamconley wrote:The one downside is the grace time between when an agent initially logs in to the web interface and when they will be able to connect their soft phone.
This has the potential to be an ongoing support call generator.
What is the cause of the delay?
From what we have found the web interface is not how most ViciDial systems are compromised.
If you attempt to login as the same user more then 10 times it will block that user's ability to log in from any IP address for 15 minutes. This makes it pretty unattractive for brute force.
Any sort of HeartBleed or other such protocol attacks will still be vulnerable at an obscure port that apache is serving as well.
williamconley wrote:Any sort of HeartBleed or other such protocol attacks will still be vulnerable at an obscure port that apache is serving as well.
While heartbleed itself has been patched, you are right to suggest that there will likely be another similar vector some day. However: If someone finds a way to hack into our servers through the 404 page, we'll be the smallest group to be attacked at the back end of the spectrum while we turn off even the 404 page on all our servers until that, too is patched
Heartbleed had nothing to do with the HTML page being served.
vkad wrote:I agree with Kumba and what you can do is enforce stronger passwords through the backend for SIP Registration.
vkad wrote:Also, enforce non-numeric phone extensions.
vkad wrote:Also timeblock any ip that logs-in with incorrect login after certain attempts.
vkad wrote:Keep increasing the time if they keep retrying. It will be forever before they can break in through the web interface, unless they know about the potential username or password.
williamconley wrote:vkad wrote:I agree with Kumba and what you can do is enforce stronger passwords through the backend for SIP Registration.
Strong passwords is often an invitation to longer attacks. This results very often in a Denial of Service condition resulting from Brute Force attacks on the passwords (especially the strong ones).
The denial of service attacks can only be stopped through blacklisting. I don't believe it can be helped if you have a really avid attacker from china or russia. If they want to to take you down, they will do their best, but their is no point in dos if their isn't a chance of attack.
If it is known publicly that passwords are stronger in vicidial, then it doesn't make sense to brute force that server. A lot wouldn't try to brute force something they know is going to be very hard to break. If their aim is to just bring your servers down, they will dos attack you regardless.vkad wrote:Also, enforce non-numeric phone extensions.
Artificial constraints piss off clients. I agree that they should be alphanumeric, but a lot of clients don't agree and require (not want: require) numeric extensions to match the user id. These are paying clients (often with good-sized bankrolls). One does not tell them no "because I know better than you". Especially when whitelisting resolves the issue.
Good point. Well, I only use it for a few friends call centers and I do it for free, so couldn't see that point of view, but it makes perfect sense.vkad wrote:Also timeblock any ip that logs-in with incorrect login after certain attempts.
When agents in a call center share an IP, that becomes problematic. So grey lists. But still doesn't solve the problem when a rotating IP attack occurs. Then ONLY a whitelist solution will solve the problem. This is often a sticking point with many rooms. Until their first rotating IP brute force attack. Then they stop discussing it and just go with whitelist. And we're done with that client.
Rotating IP attacks can be blacklisted with global blacklists which if shared amongst vicidial users can be fairly easy to build. Like truecaller, but for building blacklists.
Whitelist is great for situations when you know that your agents connect through specific static IPs. But for dynamic IPs there needs to be a block.vkad wrote:Keep increasing the time if they keep retrying. It will be forever before they can break in through the web interface, unless they know about the potential username or password.
Like ... 6666? or admin? Let's not forget some of those risky visible text files that still creep up every now and then (and let's not overlook custom code written by someone not expecting an attack during coding ...).
Note that if you leave your web open, you'll get daily hits from random IPs looking for web pages that don't exist. Right now, that's not a big deal since most don't check for any Vicidial risks. But when that moment comes (in general or just because of an ex-employee or someone you pissed off in the phillipines), you'll really wish you were whitelisted.
Only blacklist the IP that the attack or the scan came from. Dynamic IPs have to be dealt with what I said. Static IPs could and potentially should be whitelisted.
The only way to stop a dos attack is to survive a dos attack. You keep blocking and blacklisting the IPs. You can't really win against large botnets without having a shared regularly updating (maybe list with a feedback loop) blacklist.
I may be a little over the top. But we published Dynamic Good Guys a decade ago for free for a reason. I've battled DOS attacks to keep servers online (during the attacks) so 200 agents don't have to get sent home without pay that day (DOS attacks can only be resolved by changing your IP, and then only if they attack does not follow you due to your domain name, which all your agent also use). Whitelist was my answer to avoid that. It works.
vkad wrote:The denial of service attacks can only be stopped through blacklisting.
vkad wrote:Rotating IP attacks can be blacklisted with global blacklists which if shared amongst vicidial users can be fairly easy to build.
vkad wrote:Only blacklist the IP that the attack or the scan came from.
The only way to stop a dos attack is to survive a dos attack. You keep blocking and blacklisting the IPs.
thephaseusa wrote:... Here is my experience. ...
Kumba I think what you wrote there is the correct solution.
John M
vicidial has such a strong vulnerability
williamconley wrote:vicidial has such a strong vulnerability
Please don't make up words and attribute them to me.
My point is that an invitation to attack on a server that is the lifeblood of a company, and for which being "down" results in a loss of income for everyone in the building: An invitation to attack is unwarranted and in this case entirely unnecessary. Any server that does not require public access shouldn't have it. But any server with paychecks on the line definitely shouldn't have it. The loss from a single "oh, crap, they actually are attacking us!" moment completely counteracts any possible gains by making the server public.
IMHO.
Now if you want to discuss how "hardened" Vicidial is, that's a completely different conversation. One I prefer to avoid. By keeping everything whitelisted I've avoided that conversation for quite a while, thanks.
big corporate's requirements are vastly different to most of the vicidial users.
the system should be made to be inherently secure, however by hiding it from public sight to make it secure may, in fact, lead to vulnerabilities not being discovered or systems not being tested for the real world security
If a whitelist or other url redirection or port is implemented it is just a headache since most agents have dynamic IPs at homes and just adds to the training and admin
If you give them mydomain.com and let them log in through port 80 of you vicidial web server, there are 2 steps after that to get logged in.
williamconley wrote:Sorry, no time for the rest of the book right now: but i can respond to this:If you give them mydomain.com and let them log in through port 80 of you vicidial web server, there are 2 steps after that to get logged in.
DGG is a single web page with a random name on a port other than 80 because 80 is an attack vector.
You send this page to the agent and they use it as their desktop shortcut to log in. Nothing to remember. Without the link, they have no way into the server (along with everyone from China and all those guys you fired last month: No way to guess a password anywhere, nothing to attack unless they have the link).
They DO need their user/pass, but those can technically be put into the desktop shortcut as well, so *really* nothing to remember if you do that.
Next up: They have their user/pass provided by the link OR they type them (not too much to ask: user/pass). That information either proves correct, or the page refreshes with a "nope" message. Pretty standard and simple so far: one link ...user/pass.
IF they successfully guessed the proper user/password, the DGG magic happens: They are added to the firewall (in the background, invisible) and they are bounced to the full/normal "re-login" page with their user/pass/phone/phonepass pre-filled. They would then choose a campaign from the dropdown and hit login.
So:
1) Click on desktop shortcut
2) User/pass
3) submit
4) Choose campaign from dropdown.
5) Submit
2 is optional if you put the user/pass in the shortcut
4 will also require phone/phone pass if the user's entry (in Vicidial's "User" modify) does not have a phone/phone pass filled in.
The upgraded version will also pre-select the campaign into the dropdown if there's only one. Thus 3) would no longer be necessary.
So if you make sure the user has a phone/phone pass in their user record, and the user has a single authorized campaign based on their user group ... when the new system is published, it'll be 1(submit)(submit). Not gonna get much easier than that (unless we add a bit of javascript to remove the second "submit", lol).
kimberly1 wrote:How do we enable just a single login with the campaign login, and remove the phone login?
Thanks in advance for the help!
thephaseusa wrote:It populates the phone login but not the phone password.
thephaseusa wrote:If you bookmark the RE-Login page with everything filled out, then you wont have to enter any usernames logins or passwords again.
Return to ViciBox Server Install and Demo
Users browsing this forum: No registered users and 11 guests