vicidial.org

[Leckbush]

Hi upon checking the login attempts on ssh on our vicidial, I notice this:

(Too many failed login attempts)

admin ssh:notty 5.188.10.156 Thu Nov 8 23:06 - 23:06 (00:00)
default ssh:notty 139.199.181.192 Thu Nov 8 22:56 - 22:56 (00:00)
ftpuser ssh:notty 104.236.101.68 Thu Nov 8 22:33 - 22:33 (00:00)
martin ssh:notty 14.116.208.189 Thu Nov 8 22:13 - 22:13 (00:00)
webmaste ssh:notty 179.104.251.207 Thu Nov 8 22:06 - 22:06 (00:00)
admin ssh:notty 5.188.10.156 Thu Nov 8 21:43 - 21:43 (00:00)
pi ssh:notty 114.5.81.67 Thu Nov 8 21:24 - 21:24 (00:00)
pi ssh:notty 114.5.81.67 Thu Nov 8 21:24 - 21:24 (00:00)
openvpn ssh:notty 104.236.183.178 Thu Nov 8 07:28 - 07:28 (00:00)
ftpuser ssh:notty 205.ip-54-37-205 Thu Nov 8 07:23 - 07:23 (00:00)
test ssh:notty 192.144.139.214 Thu Nov 8 07:04 - 07:04 (00:00)
admin ssh:notty 69.57.235.78 Thu Nov 8 07:00 - 07:00 (00:00)
postgres ssh:notty 200.46.254.107 Thu Nov 8 06:35 - 06:35 (00:00)
admin ssh:notty 62.ip-145-239-76 Thu Nov 8 06:34 - 06:34 (00:00)
public ssh:notty 49.248.167.102 Thu Nov 8 05:54 - 05:54 (00:00)
postgres ssh:notty 220.116.47.116 Thu Nov 8 05:47 - 05:47 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:15 - 05:15 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:15 - 05:15 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:15 - 05:15 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:15 - 05:15 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:14 - 05:14 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:14 - 05:14 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:14 - 05:14 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:14 - 05:14 (00:00)

Is someone trying to access the vici thru ssh? CAn I just turn off the remote ssh login? if I can turn it off without affecting any other component on call operation, how can I do it?

[thephaseusa]

Assuming you are running vicibox opensuse:

systemctl stop sshd
systemctl disable sshd

Verify:

ssh localhost

[Leckbush]

Yes, we're running vicibox opensuse. So I can turn of ssh without affecting calls or the system for calls right? Sorry Im newbie.

[thephaseusa]

Yes vicidial doesnt need ssh.
John

[Leckbush]

Okay thanks, I turn off sshd on our server. But before I turn it off, i see some logs says that:

"Received disconnect from x.x.x.x(china) 11(port11 i guess) PREAUTH" - A bunch of this, i know its a bruteforce

and also this one

"input_userauth_request: invalid user backup" and after a
"Received disconnect from x.x.x.x 11: BYE BYE PREAUTH"

Do you think we're safe now from attack by turning off ssh?

Note:
Our dialer is accessible via remote using a static IP provided by our ISP (we set it up like this when out Vicidial Technician/IT is to fix some config on vici thru webGUI)

Password we use are strong combination of letters,number,symbols.

We have fail2ban install on the server (opensuse)

[thephaseusa]

Yes like you said I believe those were brute force ssh attacks.
You turned off sshd. Now close port 22 in the firewall too.
/etc/sysconfig/SuSEfirewall2
Find where 22 is allowed delete it then restart the firewall with
systemctl restart SuSEfirewall2
Or remove port 22 in yast firewall

If you had a strong password like you describe I doubt if they gained entry. But i would tempted to take a good look at logs and logins.

You installed with vicibox 7.0.3
Are you using a whitelist firewall?
Dynamic Good Guys is highly recommended for locking down vicidial servers before vicibox 8.1.2 which has built in white, dynamic, and black list firewalls, and a portal to add users IP addresses to your white/dynamic firewall.
DGG is easy and fast to install, and completely free of charge. Get it working on your vicidial boxes and that’s one less thing to worry about)))

JM

[Leckbush]

Well I do close sshd last week. But I open it now but because I need to remote ssh the server from different part of the building, However I do disable the forwarding of port 22 on our gateway. I tried connecting from external ssh client to our server but it doesnt connect, so I guess its good.

But I see still a vulnerability, which is the backdoor. Is there any how to set the sshd on opensuse/vicibox to only listen on specific ip?

Yes we do use strong password as its a policy on our IT department.

Yes we do have whitelist of IP's from outside the Internal network, those that we're whitelisted are the IP of our VOIP Provider nothing else.