You just asked me to troubleshoot a whitelist system built by Striker.
Our whitelist system has been published on this forum several times. It also permanently resides on ViciWiki.com, and is called "Dynamic Good Guys" firewall. However: Ours is designed specifically for OpenSuSE.
We have installed it on several other OSs, of course, but this requires *first* setting up the whitelist using the same method OpenSuSE does for a whitelist ...
# Generated by iptables-save v1.4.21 on Tue Oct 25 01:50:00 2016
*raw
:PREROUTING ACCEPT [44244477:9114438152]
:OUTPUT ACCEPT [35069589:7294842704]
-A PREROUTING -i lo -j CT --notrack
-A OUTPUT -o lo -j CT --notrack
COMMIT
# Completed on Tue Oct 25 01:50:00 2016
# Generated by iptables-save v1.4.21 on Tue Oct 25 01:50:00 2016
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [18388137:4046771183]
:forward_ext - [0:0]
:input_ext - [0:0]
:reject_func - [0:0]
# static whitelist: one /32 ACCEPT per trusted source, checked before anything else
-A INPUT -s 71.115.163.10/32 -j ACCEPT
-A INPUT -s 71.122.99.99/32 -j ACCEPT
-A INPUT -s 71.122.99.155/32 -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A INPUT -p icmp -m conntrack --ctstate RELATED -j ACCEPT
-A INPUT -j input_ext
-A INPUT -m limit --limit 3/min -j LOG --log-prefix "SFW2-IN-ILL-TARGET " --log-tcp-options --log-ip-options
-A INPUT -j DROP
-A FORWARD -m limit --limit 3/min -j LOG --log-prefix "SFW2-FWD-ILL-ROUTING " --log-tcp-options --log-ip-options
-A OUTPUT -o lo -j ACCEPT
-A input_ext -m pkttype --pkt-type broadcast -j DROP
# dynamic whitelist: sources listed in the xt_recent list named GOOD are accepted
-A input_ext -m recent --rcheck --name GOOD --mask 255.255.255.255 --rsource -j ACCEPT
-A input_ext -p tcp -m tcp --dport 81 -j ACCEPT
-A input_ext -m pkttype --pkt-type multicast -j DROP
-A input_ext -m pkttype --pkt-type broadcast -j DROP
-A input_ext -p tcp -m limit --limit 3/min -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p icmp -m limit --limit 3/min -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -p udp -m limit --limit 3/min -m conntrack --ctstate NEW -j LOG --log-prefix "SFW2-INext-DROP-DEFLT " --log-tcp-options --log-ip-options
-A input_ext -j DROP
-A reject_func -p tcp -j REJECT --reject-with tcp-reset
-A reject_func -p udp -j REJECT --reject-with icmp-port-unreachable
-A reject_func -j REJECT --reject-with icmp-proto-unreachable
COMMIT
# Completed on Tue Oct 25 01:50:00 2016
With this as a "base" our DGG firewall system can be used to manage the "GOOD" file. However, without our system all you need to do for whitelisting individual IPs is modify them as shown above (the ones with the /32 in them).
You MUST (in Striker's firewall or ours) enable ALL IPs from the carrier. This includes the "media only" IPs (which the provider should give you). If the provider does not give you all the media IPs, you can test your connections with "iftop", get the IPs from there, and add them.
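The ruleset above accepts a carrier IP in two places: a static "-A INPUT -s IP/32 -j ACCEPT" rule, and the "input_ext" check against the xt_recent list named GOOD. The helper below is an added example (not part of this post, of Striker's firewall, or of the DGG system) that does both from the command line. It assumes the xt_recent proc interface at /proc/net/xt_recent/GOOD (present since kernel 2.6.28; "+ADDR" adds an entry, "-ADDR" removes one) and that iptables supports "-C" (it does in the 1.4.21 shown in the dump). It prints the commands unless you run it as root with DRY_RUN=0.

```shell
#!/bin/sh
# Added example, not from the forum post or the DGG firewall: whitelist
# carrier IPs either as a static /32 INPUT rule or in the xt_recent list GOOD.
# Assumptions (not stated in the post): /proc/net/xt_recent/GOOD exists,
# iptables supports -C, and DRY_RUN=0 is only used as root.

DRY_RUN="${DRY_RUN:-1}"                         # 1 = only print commands
RECENT_LIST="${RECENT_LIST:-/proc/net/xt_recent/GOOD}"

# is_ipv4 ADDR -> returns 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    [ -n "$1" ] || return 1
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;       # junk characters or bad dots
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                                   # split on dots
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# static_rule ADDR -> prints an idempotent command adding "-s ADDR/32 -j ACCEPT"
# at the top of INPUT (same shape as the /32 lines in the dump above)
static_rule() {
    is_ipv4 "$1" || return 1
    printf 'iptables -C INPUT -s %s/32 -j ACCEPT 2>/dev/null || iptables -I INPUT -s %s/32 -j ACCEPT\n' "$1" "$1"
}

# recent_add ADDR -> puts ADDR into the GOOD list without touching the rules;
# input_ext's "-m recent --rcheck --name GOOD" then accepts it immediately
recent_add() {
    is_ipv4 "$1" || { echo "bad address: $1" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then
        printf 'echo +%s > %s\n' "$1" "$RECENT_LIST"
    else
        echo "+$1" > "$RECENT_LIST"
    fi
}

# apply_static ADDR -> run (or print) the static rule command
apply_static() {
    cmd=$(static_rule "$1") || { echo "bad address: $1" >&2; return 1; }
    if [ "$DRY_RUN" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
}

# usage: sh whitelist.sh [-r] ADDR...    (-r: add to the GOOD list instead of a rule)
mode=static
for a in "$@"; do
    case "$a" in
        -r) mode=recent ;;
        *)  if [ "$mode" = recent ]; then recent_add "$a"; else apply_static "$a"; fi ;;
    esac
done
```

The static rule survives a reboot only if you also save it (iptables-save into whatever your distribution restores at boot); the GOOD list entry is gone on reboot and whenever the list is flushed, which is the tradeoff the dynamic path makes for not needing a rule reload. Feed the addresses you see in iftop through is_ipv4 before adding them, since a typo in a /32 quietly whitelists the wrong host.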