by tarundas » Fri Aug 26, 2011 3:49 am
What is this? And what do they want?
--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 2 Time(s)
Failed logins from:
61.136.68.83 (83.68.136.61.ha.cnc): 3115 times # over 3 thousand attempts ! HOLY SHIT!!! China
110.45.138.170: 75 times # ( Korea)
114.112.184.150: 344 times # (China)
Illegal users from:
61.136.68.83 (83.68.136.61.ha.cnc): 32 times
110.45.138.170: 27 times
114.112.184.150: 187 times
Users logging in through sshd:
root:
59.93.xxx.xxx: 12 times # ( That's me! from home)
Received disconnect:
11: Terminating connection : 2 Time(s)
SFTP subsystem requests: 13 Time(s)
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user testuser : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dave : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user desktop : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user vpn : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tester : 3 time(s)
---------------------- SSHD End -------------------------
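The block in the post above is a Logwatch SSHD summary (a later reply in this thread identifies it). As an added example, not code from the thread or from Vicidial, here is a small Python parser that pulls the per-address counters out of a section of that shape and turns them into a block/review list an admin can act on. The report text, addresses (RFC 5737 documentation ranges), threshold and allowlist are all constructed for this example; real Logwatch output indents the entries, so the parser ignores indentation.

```python
import re

# Constructed sample in the shape of the Logwatch "SSHD" section quoted in the
# thread; addresses and counts are made up for this example.
SAMPLE_REPORT = """\
--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 2 Time(s)
Failed logins from:
   192.0.2.10 (host.example.net): 3115 times
   198.51.100.7: 75 times
   203.0.113.9: 344 times
Illegal users from:
   192.0.2.10 (host.example.net): 32 times
   198.51.100.7: 27 times
   203.0.113.9: 187 times
Users logging in through sshd:
   root:
      192.0.2.50: 12 times
Received disconnect:
   11: Terminating connection : 2 Time(s)
SFTP subsystem requests: 13 Time(s)
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user testuser : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dave : 3 time(s)
---------------------- SSHD End -------------------------
"""

# Section headers Logwatch prints, mapped to the bucket we store them in.
SECTION_NAMES = {
    "Failed logins from:": "failed",
    "Illegal users from:": "illegal",
    "Users logging in through sshd:": "logins",
    "Received disconnect:": "disconnect",
}
# "1.2.3.4 (optional.reverse.name): 123 times"
ENTRY_RE = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?:\s+\([^)]*\))?:\s+(?P<n>\d+) times?\s*$"
)
# The pam_succeed_if lines reveal which account names were guessed.
UNMATCHED_RE = re.compile(
    r"error retrieving information about user (?P<user>\S+)\s*:\s*(?P<n>\d+) time"
)


def parse_sshd_section(text):
    """Return per-address counters from a Logwatch SSHD section."""
    result = {"failed": {}, "illegal": {}, "logins": {}, "probed_users": {}}
    section, user = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_NAMES:
            section, user = SECTION_NAMES[line], None
            continue
        m = UNMATCHED_RE.search(line)
        if m:
            result["probed_users"][m["user"]] = int(m["n"])
            continue
        m = ENTRY_RE.match(line)
        if m and section in ("failed", "illegal"):
            result[section][m["ip"]] = int(m["n"])
        elif m and section == "logins" and user:
            result["logins"].setdefault(user, {})[m["ip"]] = int(m["n"])
        elif section == "logins" and line.endswith(":") and " " not in line:
            user = line[:-1]  # e.g. "root:" introduces that account's source list
    return result


def triage(report, allowlist, threshold=20):
    """Turn the counters into findings: who to block, which logins to review."""
    findings = []
    for ip, n in sorted(report["failed"].items(), key=lambda kv: -kv[1]):
        if n >= threshold and ip not in allowlist:
            findings.append(("block", ip, f"{n} failed logins"))
    for account, sources in report["logins"].items():
        for ip, n in sources.items():
            if ip not in allowlist:
                findings.append(("review", ip, f"{n} {account} logins from an unlisted address"))
    if report["probed_users"]:
        names = ", ".join(sorted(report["probed_users"]))
        findings.append(("info", "-", f"account names guessed: {names}"))
    return findings


if __name__ == "__main__":
    # Constructed allowlist: the one address an admin legitimately logs in from.
    for kind, ip, why in triage(parse_sshd_section(SAMPLE_REPORT), {"192.0.2.50"}, 100):
        print(f"{kind:6} {ip:15} {why}")
```

The "review" finding is the one worth reading first: a successful root login from an address that is not on your list matters far more than any number of failures. The threshold only decides how noisy the block list is.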
by williamconley » Fri Aug 26, 2011 9:09 am
they want to steal your babies.
use yast firewall to lock out EVERYONE from ALL ports unless they are on an authorized IP address. add authorized IP addresses (both tcp and udp for each address) in custom (at the bottom of the yast firewall settings).
remember that it is easy to lock yourself out, so be IN the office when you set it up. this requires turning OFF all allowed services (and Advanced allowed services).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
by boybawang » Sat Aug 27, 2011 3:48 am
you can explore using Fail2ban
by williamconley » Sat Aug 27, 2011 12:06 pm
boybawang wrote: you can explore using Fail2ban
true.
yast firewall is built in, but has "lockdown" or "open" as possibilities, whereas fail2ban can "learn" and lockout offenders. but it can also lock out good guys who put the wrong entry into their soft phone for registration (which can result in locking out an entire ROOM of agents, so be careful with ANY dynamic security system!).
A couple others:
Advanced Policy Firewall
Brute Force Detection
Denial of Service Deflate
Rootkit Detection
Some instructions here, but use google for more help:
http://www.topwebhosts.org/tools/apf-bf ... ootkit.php
by tarundas » Sat Aug 27, 2011 2:08 pm
Really?
I thought they already have more babies than any other place -LOL
( China, Birth rate 31.67 births/1,000 population) actual
Thank you William
Well, what resources can they steal/hack? Our public IP is mapped with the VoIP provider and we dial 3 shifts, so someone (admins) is always watching the campaigns and 'real time summary', so our VoIP minutes are safe, I hope. They want our leads? Or campaign details? I am just curious!
Thank you again for your replies William and boybawang. I will try those firewalls and will post back the results. But it will take some time as I am not familiar with them at all.
by williamconley » Sat Aug 27, 2011 2:47 pm
having someone watch a screen that "outside vicidial" (manual calls) do not show up on will not "protect your minutes". If they get into your box the odds are that they will cap $2k before you "catch on" unless you have some monetary system in place to stop them (for instance: you cannot make international calls ...).
we have several clients who came to us specifically for the "lockdown" after losing roughly $2k, and several more who came to us because the "failed" calls and/or failed login attempts disrupted the vicidial system enough to render it unusable (DenialOfService, DOS, resulting from Brute Force login/registration attempts).
Lock it down NOW.
by tarundas » Sat Aug 27, 2011 3:18 pm
OOOPS!!! I missed that point. yes I got it.
Thank you William. You are the lifeline of vicidial community.
by williamconley » Sat Aug 27, 2011 4:06 pm
Nah. I'm just an arrogant noisy guy. Ask my kids.
by sobek » Mon Aug 29, 2011 3:22 am
Of course firewalls are the most important, but after I forgot to turn the firewall back on after some testing, the one thing that saved my minutes was a dial plan that allowed calls only to my country with 9 digits.
In one hour they tried 4196 combinations to dial out.
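sobek's backstop is an outbound dialplan that only matches the domestic number shape. As an added example, not code from the thread or from Asterisk, here is a Python model of that filter: a small translator for Asterisk-style extension patterns (the common subset of X, Z, N, bracket classes, "." and "!") and an audit of constructed dial attempts against an allowed list. The pattern `_ZXXXXXXXX`, the attempt list and the source addresses are constructed for this example; only the dialplan in your own extensions.conf enforces anything.

```python
import re


def pattern_to_regex(pattern):
    """Translate an Asterisk-style extension pattern into an anchored regex.

    Assumed subset: X=[0-9], Z=[1-9], N=[2-9], [..] classes, '.' (one or more)
    and '!' (zero or more); a pattern without a leading '_' is an exact match.
    """
    if not pattern.startswith("_"):
        return re.compile("^" + re.escape(pattern) + "$")
    parts, i = [], 1
    while i < len(pattern):
        c = pattern[i]
        if c in "xX":
            parts.append("[0-9]")
        elif c in "zZ":
            parts.append("[1-9]")
        elif c in "nN":
            parts.append("[2-9]")
        elif c == "[":
            close = pattern.index("]", i)      # ranges like [1-3] carry over as-is
            parts.append("[" + pattern[i + 1:close] + "]")
            i = close
        elif c == ".":
            parts.append(".+")
        elif c == "!":
            parts.append(".*")
        else:
            parts.append(re.escape(c))
        i += 1
    return re.compile("^" + "".join(parts) + "$")


# Constructed policy: nine digits, first digit non-zero, i.e. domestic numbers only.
ALLOWED_OUTBOUND = ["_ZXXXXXXXX"]

# Constructed dial attempts as (source address, dialled string).
ATTEMPTS = [
    ("10.0.0.21", "612345678"),        # an agent's ordinary domestic call
    ("10.0.0.21", "912345678"),
    ("203.0.113.9", "0097212345678"),  # international prefixes tried from outside
    ("203.0.113.9", "00972123456789"),
    ("203.0.113.9", "011442012345678"),
    ("203.0.113.9", "90012345678"),
    ("203.0.113.9", "612345678"),      # a guess that happens to fit the domestic shape
]


def allowed_by_dialplan(number, allowed=ALLOWED_OUTBOUND):
    """True if any allowed pattern matches the dialled string."""
    return any(pattern_to_regex(p).match(number) for p in allowed)


def audit_attempts(attempts, allowed=ALLOWED_OUTBOUND):
    """Split attempts into permitted calls and a per-source count of rejections."""
    permitted, rejected = [], {}
    for src, number in attempts:
        if allowed_by_dialplan(number, allowed):
            permitted.append((src, number))
        else:
            rejected[src] = rejected.get(src, 0) + 1
    return permitted, rejected


if __name__ == "__main__":
    ok, dropped = audit_attempts(ATTEMPTS)
    print("permitted:", ok)
    print("rejected per source:", dropped)
```

The last attempt in the list is the caveat: a dialplan shaped like this stops international fraud but passes anything that looks domestic, so it complements the address whitelist rather than replacing it.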
by williamconley » Mon Aug 29, 2011 6:59 pm
Under 10k. An amateurish attempt.
by middletn » Tue Sep 06, 2011 4:50 pm
It's a real problem. We had some guy in China probe all our Vicidial servers over the last few days; fail2ban caught them, but it's becoming a real pain in the A***. It's not a Vicidial issue though, more Asterisk being a little too helpful.
by williamconley » Tue Sep 06, 2011 6:31 pm
Problem being that fail2ban may catch them, but that often does not stop the DOS result (your firewall dropping packets still fills your "inbound traffic limit"). So having rejected the packets from the beginning would likely have caused them to NOT attack in the first place.
I have actually had situations when I had to turn on traffic shaping and limit the bandwidth on the attack to regain use of the server ... until after the attack, then set the system to stealth (drop all unauth packets) before the next attack which USUALLY stops the next attack before it starts. I've had a couple occasions where this process took a couple days. ouch.
by ctc_olsen » Wed Apr 09, 2014 9:39 am
tarundas wrote:
--------------------- SSHD Begin ------------------------
SSHD Killed: 1 Time(s)
SSHD Started: 2 Time(s)
Failed logins from:
61.136.68.83 (83.68.136.61.ha.cnc): 3115 times # over 3 thousand attempts ! HOLY SHIT!!! China
110.45.138.170: 75 times # ( Korea)
114.112.184.150: 344 times # (China)
Illegal users from:
61.136.68.83 (83.68.136.61.ha.cnc): 32 times
110.45.138.170: 27 times
114.112.184.150: 187 times
Users logging in through sshd:
root:
59.93.xxx.xxx: 12 times # ( That's me! from home)
Received disconnect:
11: Terminating connection : 2 Time(s)
SFTP subsystem requests: 13 Time(s)
**Unmatched Entries**
pam_succeed_if(sshd:auth): error retrieving information about user testuser : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user dave : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user desktop : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user vpn : 3 time(s)
pam_succeed_if(sshd:auth): error retrieving information about user tester : 3 time(s)
---------------------- SSHD End -------------------------
Sorry to bump this up but what command is this? Or do we need to install something first?
VERSION: 2.4-309a BUILD: 110430-1642 (Upgrade from CE 2.0,ISO) | Asterisk 1.4.27.1-1 | VmWare vCenter Server Ver 4.1.0| No additional software | No Digium/Sangoma Hardware
by geoff3dmg » Thu Apr 10, 2014 3:17 am
That looks like the output from a piece of software called 'Logwatch'. It analyses your server logs and sends you an email report of anything it deems interesting.
Vicibox 5.03 from .iso | VERSION: 2.10-451a BUILD: 140902-0816 | Asterisk 1.8.28.2-vici | Multi-Server | Amfeltec H/W Timing Cards | No Extra Software After Installation | Dell PowerEdge 1850 | Pentium 4 'Prescott' Xenon Quad @ 3.40GHz
by williamconley » Tue Jun 10, 2014 1:51 am
Whitelist your firewall system. Do not rely on automated systems to "catch" the problem. No one should be on your system unless you have expressly authorized their IP address to be there. This is not a Public Web Server, it's a dialer. In the old days there wouldn't even be any access outside the ROOM much less outside the country.
That being said, we have Dynamic Good Guys for Vicibox, which can be adjusted for GoAutodial ... but I recommend just installing Vicibox and using it there. You CAN back up your DB, install Vicibox, install your DB and then upgrade your DB to match your new Vicidial code. Then install DGG and you have a fresh new system that's secure.
http://www.viciwiki.com/index.php/DGG
http://www.viciwiki.com/index.php/Whitelist (if you just want a "lockdown")
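williamconley's advice, given twice in this thread (lock out everyone on every port unless their address is authorized, tcp and udp per address, and drop rather than reject so the box goes quiet), is a whitelist firewall. As an added example, not from the thread, from Vicibox or from the YaST front end the posts mention, here is a Python generator for the equivalent raw iptables-restore ruleset, plus a model of the resulting INPUT chain so you can confirm your own address still gets in before loading it. The authorized addresses, the carrier's port list and the admin address are constructed for this example.

```python
import ipaddress

# Constructed whitelist: None means every tcp and udp port from that address;
# otherwise a per-protocol list of ports or port ranges ("lo:hi").
AUTHORIZED = {
    "198.51.100.10": None,                                  # office static address
    "203.0.113.0/28": {"udp": ["5060", "10000:20000"]},    # VoIP carrier: SIP + RTP only
}


def build_whitelist(authorized):
    """Emit an iptables-restore ruleset: default DROP on INPUT, accepts only for the list."""
    lines = [
        "*filter",
        ":INPUT DROP [0:0]",          # DROP, not REJECT: unauthorized sources see nothing
        ":FORWARD DROP [0:0]",
        ":OUTPUT ACCEPT [0:0]",
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for cidr, ports in authorized.items():
        net = ipaddress.ip_network(cidr, strict=False)  # a typo fails here, not on the box
        if ports is None:
            for proto in ("tcp", "udp"):
                lines.append(f"-A INPUT -s {net} -p {proto} -j ACCEPT")
        else:
            for proto, plist in ports.items():
                lines.append(
                    f"-A INPUT -s {net} -p {proto} -m multiport --dports {','.join(plist)} -j ACCEPT"
                )
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


def would_accept(authorized, src, proto, dport):
    """Model the INPUT chain above: does a new packet from src reach the service?"""
    addr = ipaddress.ip_address(src)
    for cidr, ports in authorized.items():
        if addr not in ipaddress.ip_network(cidr, strict=False):
            continue
        if ports is None:
            return True
        for spec in ports.get(proto, []):
            lo, _, hi = spec.partition(":")
            if int(lo) <= dport <= int(hi or lo):
                return True
    return False


def check_before_loading(authorized, admin_src, ssh_port=22):
    """Refuse to emit a ruleset that would cut off the address you are applying it from."""
    if not would_accept(authorized, admin_src, "tcp", ssh_port):
        raise ValueError(f"{admin_src} would be locked out of tcp/{ssh_port}; add it first")
    return build_whitelist(authorized)


if __name__ == "__main__":
    # Constructed admin address; the check raises if it is not on the list.
    print(check_before_loading(AUTHORIZED, "198.51.100.10"), end="")
```

Load the output with `iptables-restore` from the console, on site, as the posts advise, and only make it persistent once a fresh SSH session from the authorized address works. The carrier entry shows the other half of the point: the VoIP provider needs SIP and RTP, not SSH or the web interface.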