Is someone hacking my server?

Postby solutinfo » Sun Jun 27, 2010 11:53 am

We're using VicidialNow 1.3 for outbound dialing with Asterisk 1.2, with 2 servers (1 Core 2 Quad, 4 GB RAM, for the Vicidial, and 1 Core 2 Quad, 4 GB RAM, 500 GB HDD, for the database), with eyeBeam as a softphone with 10 seats.
The connection to the VoIP provider is a SIP trunk using the G729 codec.
Below is our SIP trunk conf:
host=ourvoipprovider.
type=friend
context=from-trunk
username=our username
fromuser= our username
secret=our sercret
dtmfmode=rfc2833
qualify=600
disallow=all
allow=g729
insecure=very.

The problem is that 2 days ago we could not make calls, and when connected to our VoIP provider server via an SSH client, after typing the "asterisk -r" command, we got the error message below, and it keeps scrolling down, so we are unable to type further commands.

2010-06-26 13:14:20 ERROR[8210]: chan_sip.c:7632 register_verify: Peer '1' is trying to register, but not configured as host=dynamic
2010-06-26 13:14:20 NOTICE[8210]: chan_sip.c:12640 handle_request_register: Registration from '"1" <sip:1@m>' failed for '203.186.109.156' - Peer is not supposed to register
2010-06-26 13:14:20 ERROR[8210]: chan_sip.c:7632 register_verify: Peer '1' is trying to register, but not configured as host=dynamic
2010-06-26 13:14:20 NOTICE[8210]: chan_sip.c:12640 handle_request_register: Registration from '"1" <sip:1@myserverip>' failed for '203.186.109.156' - Peer is not supposed to register


I did some tracing and found that the IP address '203.186.109.156' is from Australia.

Is someone hacking my server?

I was advised to install Fail2ban for further security.

I hope you can guide me; help is highly appreciated.


Last edited by solutinfo on Sat Sep 11, 2010 2:54 pm, edited 1 time in total.
solutinfo
 
Posts: 43
Joined: Sun Jun 13, 2010 3:48 pm
Location: morocco
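
An added example, not part of the original post: the per-source counting that a tool such as Fail2ban automates, done by hand over chan_sip "Registration ... failed for" lines like the ones quoted above. The function names and the threshold are assumptions, the sample log is constructed from the thread's lines, and 192.0.2.10 is a documentation placeholder address.

```shell
#!/bin/sh
# Sample input: constructed, modelled on the chan_sip lines quoted in the thread.
sample_log() {
    cat <<'EOF'
2010-06-26 13:14:20 ERROR[8210]: chan_sip.c:7632 register_verify: Peer '1' is trying to register, but not configured as host=dynamic
2010-06-26 13:14:20 NOTICE[8210]: chan_sip.c:12640 handle_request_register: Registration from '"1" <sip:1@myserverip>' failed for '203.186.109.156' - Peer is not supposed to register
2010-06-26 13:14:21 NOTICE[8210]: chan_sip.c:12640 handle_request_register: Registration from '"2" <sip:2@myserverip>' failed for '203.186.109.156' - No matching peer found
2010-06-26 13:14:22 NOTICE[8210]: chan_sip.c:12640 handle_request_register: Registration from '"3" <sip:3@myserverip>' failed for '203.186.109.156' - No matching peer found
2010-06-26 13:20:05 NOTICE[8210]: chan_sip.c:12640 handle_request_register: Registration from '"101" <sip:101@myserverip>' failed for '192.0.2.10' - Wrong password
2010-06-26 13:21:40 NOTICE[8210]: chan_sip.c:12640 handle_request_register: Registration from '"116728"<sip:116728@PUBLIC.IP>' failed for 'FIREWALL INTERNAL ADDRESS' - No matching peer found
EOF
}

# Read an Asterisk log on stdin and print "count ip" for every source with at
# least $1 failed REGISTER attempts (default 3), busiest source first.
failed_reg_sources() {
    threshold="${1:-3}"
    awk -v min="$threshold" -v q="'" '
        /handle_request_register: Registration from/ &&
        match($0, "failed for " q "[^" q "]*" q) {
            ip = substr($0, RSTART + 12, RLENGTH - 13)   # text between the quotes
            sub(/:[0-9]+$/, "", ip)                      # newer logs append :port
            # Count only real IPv4 sources; redacted or garbled fields are skipped.
            if (ip ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) hits[ip]++
        }
        END { for (ip in hits) if (hits[ip] >= min) print hits[ip], ip }
    ' | sort -rn
}

# Turn that report into iptables DROP commands for review.
# The commands are only printed; nothing is applied to the firewall.
drop_rules() {
    while read -r count ip; do
        if [ -n "$ip" ]; then
            printf 'iptables -I INPUT -s %s -j DROP\n' "$ip"
        fi
    done
    return 0
}

sample_log | failed_reg_sources 3 | drop_rules
```

On a live system the input would be the Asterisk log file rather than `sample_log`; review the printed rules before running any of them.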

Postby gardo » Tue Jun 29, 2010 12:42 pm

If you don't know anyone in Australia or have given SIP access to someone in Australia then most probably they're doing unauthorized access to your VicidialNOW server. I would recommend changing all the default passwords for starters. You can also block their IP address via Iptables.
http://goautodial.com
Empowering the next generation contact centers
gardo
 
Posts: 1926
Joined: Fri Sep 15, 2006 10:24 am
Location: Manila, 1004

Postby solutinfo » Tue Jun 29, 2010 5:27 pm

Thank you, gardo; I've already changed all the necessary passwords as you recommended, and I'm about to learn how to block IPs using iptables. Thank you again for your collaboration.
solutinfo
 
Posts: 43
Joined: Sun Jun 13, 2010 3:48 pm
Location: morocco

Postby williamconley » Tue Jun 29, 2010 8:25 pm

better yet, change your iptables solution to only ALLOW the local subnet and your VOIP providers and your manager/owners home ips. then next week when a few chinese annoyances occur ... you'll never know.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Postby solutinfo » Wed Jun 30, 2010 3:14 am

Thank you.
But what about when I don't have a static IP address for our call center and the manager's home IP?
Thank you again.
solutinfo
 
Posts: 43
Joined: Sun Jun 13, 2010 3:48 pm
Location: morocco

Postby williamconley » Wed Jun 30, 2010 4:24 pm

dynamic ips can be managed by the routers at those locations (most routers have dynamic ip capacity these days). so you'd experience a down time during the switchover, but that usually only lasts a few minutes.

if you have a router that cannot handle it, of course, there is software that can be loaded into a pc at that location to handle the dynamic ip addressing.
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Postby gerdaniels » Tue Aug 24, 2010 1:53 pm

Hello,

I'm experiencing similar SIP hacking, but with a peculiar difference: the IPs.

[Aug 24 13:06:48] NOTICE[31971]: chan_sip.c:16390 handle_request_register: Registration from '"116728"<sip:116728@PUBLIC.IP>' failed for 'FIREWALL INTERNAL ADDRESS' - No matching peer found

I'm thinking of an internal virus/spam. But what about the public IP....

Can anyone help me detect the source and stop it? I'll appreciate any guidance. Thank you.
gerdaniels
 
Posts: 10
Joined: Mon Apr 30, 2007 10:58 am
Location: Guatemala

Postby williamconley » Tue Aug 24, 2010 3:05 pm

use www.domaintools.com/PUBLIC.IP to find the origin of the attack.

the owner of that one IP has leased it to someone ...

you can lock out the entire range of IPs that are owned by that one organization by disallowing them via IPTables or in your router

another method of course is to change the SIP port that you use if your carrier supports it (this will generally stop bots)
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Postby gerdaniels » Tue Aug 24, 2010 3:13 pm

Thank you. Sorry I didn't mention it: the public IP is mine also.
And the firewall does NATing.
gerdaniels
 
Posts: 10
Joined: Mon Apr 30, 2007 10:58 am
Location: Guatemala

Postby williamconley » Tue Aug 24, 2010 3:18 pm

you think you are being attacked from your own IP? not likely.

try iftop to see if you can identify a non-ntp and non-dns server that may be trying to attack you on port 5060 (iftop will show ports so you can limit your search to those contacting you on SIP)

of course you can also check the computer at the internal address and turn off its soft phone (or give it valid credentials)
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Postby gerdaniels » Tue Aug 24, 2010 3:55 pm

Thanks a lot, it guided me, even though it was a firewall issue. Making it more explicit solved it, and for now I have disabled the public IP.
gerdaniels
 
Posts: 10
Joined: Mon Apr 30, 2007 10:58 am
Location: Guatemala

Please continue this old Post with more information

Postby Pynk Global » Tue Jan 03, 2012 11:51 am

I have had this same issue (multiple times) over the last few months.
It doesn't matter what I change, they seem to get back in.
For now I can't even kick them unless I turn off the server for a few hrs.

Can someone please give an exact step-by-step explanation of how to block their IP with iptables?

Really giving me the shits.

Help appreciated.
Pynk Global
 
Posts: 37
Joined: Thu Mar 18, 2010 5:41 am

Postby williamconley » Tue Jan 03, 2012 9:56 pm

once a user succeeds in registering, you must remove them from the asterisk berkeley database or your server will reach out to them and allow them to register again.

i posted iptables specifics a few days ago. look through the forum, you'll likely find the post.

alternately: use a generic "deny all!" iptables setup, then add "allowed" ips for your sales floor (the entire subnet) plus your carrier, gateway, and dns services and ntp provider if you have one (and do NOT use a "pool" ntp service, use a specific governmental one or university one ... pools will get you attacked).

also remember to turn off "ping response" from your server in case your implementation of iptables overlooks that.
williamconley
 
Posts: 20258
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)
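
An added example, not part of the original post and not the iptables specifics it refers to: one way to write the "deny all, then add allowed IPs" setup described above as an iptables-restore ruleset, with ping replies turned off explicitly. The function name `gen_allowlist_ruleset` is hypothetical and the addresses are documentation placeholders standing in for the sales-floor subnet, the carrier and a DNS server.

```shell
#!/bin/sh
# Emit an iptables-restore ruleset whose INPUT policy is DROP and which accepts
# traffic only from the IPv4 addresses or CIDR blocks given as arguments.
# Any argument that does not look like an address aborts with status 1 and
# prints no ruleset, so a typo cannot end up inside a rule.
gen_allowlist_ruleset() {
    for src in "$@"; do
        # Shape check only: a.b.c.d with an optional /0-32 prefix.
        # Octet range is left to iptables-restore itself.
        printf '%s\n' "$src" |
            grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$' || {
            echo "refusing invalid source: $src" >&2
            return 1
        }
    done
    # Default deny. Loopback and replies to connections the server opened
    # itself stay allowed; echo-request is dropped before any allow rule, so
    # the server answers ping for nobody, listed or not.
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j DROP
EOF
    for src in "$@"; do
        printf '%s\n' "-A INPUT -s $src -j ACCEPT"
    done
    echo COMMIT
}

# Placeholder sources (assumptions): sales-floor subnet, carrier, DNS server.
gen_allowlist_ruleset 192.0.2.0/24 198.51.100.7 203.0.113.53
```

Pipe the output to `iptables-restore --test` before loading it, and make sure the address you administer the server from is in the list, or you will not be able to open a new SSH session once the ruleset is active.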

