First of all, what a way to introduce myself.
Secondly, thank you to this forum and the whole vicidial community for a wonderful system that allows so many out there to use a powerful call center enterprise app without the enterprise budget!
So I've been working my way up through IT, and one of my fears had always been VOIP. I started to learn a bit about Asterisk when it first came out, but I was like 17 and didn't care. Now ten years later I'm balls deep in VOIP out of necessity. I somehow landed this job from a recommendation from a friend because this company had lost their tech. So I came out of nowhere, breaking root on their servers because they didn't trust the last guy working on it. And there I am, scared out of my mind with the one thing I knew little about, VOIP.
I've had experience for years with Linux and web design, and all that side of tech, but this was a new challenge.
Anyway, vicidial is what they used and I had to do what I had to do, learn it.
So now months of steadiness and everything under control and finally learning how extensions work, sip, the asterisk server, etc.
And today we go to re-up our minutes and within an hour we burned through 309 dollars.... I was at a loss. And so was the carrier. Until their tech sent us our call log.. and we had thousands of calls to the arctic north... yeah, the middle of nowhere Canada.
From there, thanks to the wealth of information archived in these forums, I figured to check the logs, and finally found the weak link, a test extension on our system set up by the previous guy with the strong password of "test"...
Looking at the log I saw the attackers trying various extensions and pass codes to get through. If we were not set up as prepaid, we wouldn't have found out about this until our next invoice and would have been liable for thousands... it's crazy.
I just wanted to share my experience with the forum, introduce myself and say hi!
Sorry if this post is potato quality as it's from my phone.
Also I was curious if someone could explain this log entry...
[Dec 28 07:49:23] NOTICE[12799] chan_sip.c: Registration from 'X.X.X.X 322 1234<sip:200@X.X.X.X>' failed for 'X.X.X.X' - No matching peer found
I get most of it, it's from our attackers, the last IP address is from the attacker, the second, with the preceding @, is the SIP registration attempt to our server.
But what is that first IP address? Is it a hop through the Internet? The IP address is from some backbone ISP from Pennsylvania. Can someone shed some light?
I am just curious, I saw the originating IP being from overseas, just curious as to that first IP address and what it is from in relation to the SIP registration process.
Thanks for listening... or rather reading, my ramble.
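
Added example, not part of the original post: a small parser for the `chan_sip.c` registration-failure line quoted above, run over constructed sample lines. It splits the first quoted string (header text taken from the REGISTER request, so the display name in front of `<sip:...>` is whatever the client chose to send) from the second quoted string (the address the server saw the packet come from), then groups failures by source. The function names, the `min_users` threshold and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Layout of the chan_sip NOTICE line quoted in the post.
LINE_RE = re.compile(
    r"\[(?P<ts>[^\]]+)\]\s+NOTICE\[\d+\]\s+chan_sip\.c:\s+Registration from "
    r"'(?P<header>.*)' failed for '(?P<src>[^']+)' - (?P<reason>.+)$")
# Header text: optional display name, then the SIP URI. All of it is sent by the client.
HEADER_RE = re.compile(r"(?P<display>.*?)\s*<?sips?:(?P<user>[^@>]+)@")

# Constructed sample lines (documentation address ranges, not taken from the post).
SAMPLE_LOG = """\
[Dec 28 07:49:21] NOTICE[12799] chan_sip.c: Registration from '198.51.100.7 322 1234<sip:100@192.0.2.10>' failed for '203.0.113.50' - No matching peer found
[Dec 28 07:49:22] NOTICE[12799] chan_sip.c: Registration from '198.51.100.7 322 1234<sip:101@192.0.2.10>' failed for '203.0.113.50' - No matching peer found
[Dec 28 07:49:23] NOTICE[12799] chan_sip.c: Registration from '198.51.100.7 322 1234<sip:200@192.0.2.10>' failed for '203.0.113.50' - No matching peer found
[Dec 28 07:49:24] NOTICE[12799] chan_sip.c: Registration from '"test"<sip:test@192.0.2.10>' failed for '203.0.113.50' - Wrong password
[Dec 28 07:49:25] NOTICE[12799] chan_sip.c: Registration from '"test"<sip:test@192.0.2.10>' failed for '203.0.113.50' - Wrong password
[Dec 28 09:02:10] NOTICE[12799] chan_sip.c: Registration from '<sip:301@192.0.2.10>' failed for '192.0.2.77' - Wrong password
"""

def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # not a registration-failure line
    rec = m.groupdict()
    h = HEADER_RE.match(rec["header"])
    rec["display"] = h.group("display").strip('" ') if h else ""
    rec["user"] = h.group("user") if h else ""
    return rec

def summarize(text):
    # Per source address: attempt count, names tried, names grouped by failure reason.
    stats = defaultdict(lambda: {"attempts": 0, "users": set(),
                                 "by_reason": defaultdict(set)})
    for rec in filter(None, map(parse_line, text.splitlines())):
        s = stats[rec["src"]]
        s["attempts"] += 1
        s["users"].add(rec["user"])
        s["by_reason"][rec["reason"]].add(rec["user"])
    return dict(stats)

def scanners(stats, min_users=3):
    # One source trying many different names looks like enumeration, not a typo.
    return sorted(ip for ip, s in stats.items() if len(s["users"]) >= min_users)

def targeted_peers(stats, min_users=3):
    # Names a scanning source got "Wrong password" for: check these against
    # configured peers and replace weak secrets first.
    hits = set()
    for ip in scanners(stats, min_users):
        hits |= stats[ip]["by_reason"].get("Wrong password", set())
    return sorted(hits)
```

Feeding the real `messages` log text to `summarize()` and then `scanners()` gives the source addresses worth blocking, and `targeted_peers()` lists the extension names to audit.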