Re: [asterisk-users] one for your filters
On Wed, 23 Jun 2010, Steve Edwards wrote:

> On Wed, 23 Jun 2010, Gordon Henderson wrote:
>
>>> Ouch. 82.0.0.0/8 is on my block list, available at:
>>>
>>> http://www.sedwards.com/class-a-block-list
>>>
>>> If you don't need to receive packets from far away places, it's a great start.
>>
>> I'd like to have a look, but can't - I think there may be issues with your registrar for your domain - from where I am, there are no glue records for the nameservers, therefore I can't look it up... Looks like it was last edited just over 4 weeks ago, so maybe some caches are starting to time-out...
>>
>> From whois:
>>
>> Domain servers in listed order:
>> DOMAIN0.SEDWARDS.COM
>> DOMAIN1.SEDWARDS.COM
>>
>> You need to supply the IP address of the nameservers (the glue records) if they're inside your own domain...
>
> I think I have the name servers configured correctly.
>
> I think you were having difficulty because I was blocking everything from 195.0.0.0/8
>
> Please try again.

I have and get the same results.

DNS glue records are held by the registrar on the gTLD name servers, not your own servers - so (even though I can't access them), I should be able to see the IP addresses for your 2 name servers (DOMAIN[01].SEDWARDS.COM). The output of 'whois' should provide me with those IP addresses, but it's not.

See: http://en.wikipedia.org/wiki/Domain_Name_System#Circular_dependencies_and_glue_records

E.g. do a whois on my domain, drogon.net and you'll see

ns1.drogon.net 195.10.225.68

which indicates the glue record is in-place for ns1.drogon.net - the glue is needed because otherwise no-one would be able to find ns1.drogon.net unless they already knew its IP address - which they won't without the glue in the gTLD servers.

Same for your nameservers - no-one can find domain0.sedwards.com unless they know its IP address, and they can't find that IP address because they don't know the IP address of your nameservers - a circular dependency that can only be broken by providing the IP address as glue in the gTLD server.

This is probably working for some people right now because of caching going on - I suspect you made a change just over 4 weeks ago and that's a typical cache time-out for a lot of systems. Your site is going to drop off the Internet fairly soon unless you get the glue records in-place.

And I wasn't accessing from 195/8, but from 81/8. (Although I've tried from both places)

Your filtering is far too wide-spread - you can't invite people to view things when you're blocking off a third of the Internet - including most of Europe. Well, you can, but then people are just going to whinge.

That's as bad as what Earthlink or was it Verizon did a while back when they decided to reject all email from Europe on the flawed basis that more spam comes from Europe than the US. (It doesn't)

Gordon

--
_
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs: http://www.asterisk.org/hello
asterisk-users mailing list
To UNSUBSCRIBE or update options visit: http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] one for your filters
On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:

> Some !...@$#@@# in the Czech Republic used one of our SIP accounts to place four thousand calls to what appears to be a toll number in Zimbabwe last night. Filter 82.150.165.5.
>
> A more overriding problem for me is how do we know what *destinations* to filter so this idea of war dialing a toll number is something we can cutoff before it gets to our upstream provider? Is there some collected list of toll prefixes that I can filter on?

How did they guess the SIP username and password? That's what I'm more concerned about...

Gordon
Re: [asterisk-users] one for your filters
you can start by simply telling us what is the purpose of your server.. and does it have long distance or overseas?? do you use Numeric usernames? simple passwords? passwords the same as your username? this way you can offer more info so we can help you.

a quick answer will be.. opening a few and blocking ALL is easier.. as you can have up to 400 prefix to block .. unless you call world wide.. then you will have to block the countries you don't call ..

another option.. make your usernames more complex.. letters and numbers..

an additional option is to use fail2ban with Asterisk support.. it will block the IP after the number of attempts you set in the configs.

a client of mine wanted simple usernames and passwords to be setup using the keypad on the ipphones.. two months ago they had the same problem you faced.. 400$ to Zimbabwe .. and later on 1200$ to Zimbabwe.. their provider has a limit of 30 minutes per call .. so the caller had to redial.. unless it's automated.

still you can provide us with more info.

Regards

--
Tarek Sawah
Integrated Digital Systems
CCNA, MCSE, RHCE, VoIP
USA: +1 386 492 9993

> Date: Wed, 23 Jun 2010 16:08:51 +
> From: j...@sunfone.com
> To: asterisk-users@lists.digium.com
> Subject: [asterisk-users] one for your filters
>
> Some !...@$#@@# in the Czech Republic used one of our SIP accounts to place four thousand calls to what appears to be a toll number in Zimbabwe last night. Filter 82.150.165.5.
>
> A more overriding problem for me is how do we know what *destinations* to filter so this idea of war dialing a toll number is something we can cutoff before it gets to our upstream provider? Is there some collected list of toll prefixes that I can filter on?
>
> Cheers,
>
> j
Re: [asterisk-users] one for your filters
You can look at it a few different ways. Use one or more methods:

1. If you are allowing SIP phones to register from anywhere (inside and outside your network), make sure all the extensions have VERY strong passwords (12 characters or more of absolute gibberish).
2. Use deny/permit for those extensions that will only be registered inside your network. Those trying from the outside will never succeed.
3. Restrict the type of calls those extensions can make. If no one should ever call international numbers, don't put it as an option. Using _91NXXNXX and _9NXX (Assuming US - sorry) limits the ability of the extension.

There is only one person in our organization that would ever make international calls, so I added a context where he is the only one that can make those calls. And, even then, I made sure that extension can't call places where he shouldn't call (Cuba, etc) AND that extension can't register from outside our network.

Using the default Asterisk settings is great for making sure that things are working the way you want, but only after securing your Asterisk server will it work the way you need.

Hope that helps. Good luck.

--
Dean Hoover

On 6/23/2010 11:08 AM, Jeff LaCoursiere wrote:

> Some !...@$#@@# in the Czech Republic used one of our SIP accounts to place four thousand calls to what appears to be a toll number in Zimbabwe last night. Filter 82.150.165.5.
>
> A more overriding problem for me is how do we know what *destinations* to filter so this idea of war dialing a toll number is something we can cutoff before it gets to our upstream provider? Is there some collected list of toll prefixes that I can filter on?
>
> Cheers,
>
> j
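An added example (not part of Dean Hoover's message and not Asterisk's own matcher): a small auditing helper that applies Asterisk extension-pattern semantics to the two patterns quoted in point 3, with a deny list checked before the allow list and a default deny. The `_9011.`, `_901153.` and `_91900.` patterns, the context names and all dialed numbers are hypothetical, constructed for illustration; Asterisk itself selects the best-matching extension rather than the first, which does not change an allow/deny verdict.

```python
import re

# Asterisk pattern classes: X = 0-9, Z = 1-9, N = 2-9 (case-insensitive).
_CLASSES = {"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}


def pattern_to_regex(pattern):
    """Translate one Asterisk extension pattern into a compiled regex."""
    if not pattern.startswith("_"):
        # No leading underscore: the extension is a literal string.
        return re.compile(re.escape(pattern))
    parts, body, i = [], pattern[1:], 0
    while i < len(body):
        ch = body[i]
        if ch.upper() in _CLASSES:
            parts.append(_CLASSES[ch.upper()])
        elif ch == "[":
            end = body.index("]", i)
            members = body[i + 1:end]
            if not re.fullmatch(r"[0-9*#-]+", members):
                raise ValueError("unsupported set in pattern: " + pattern)
            parts.append("[" + members + "]")
            i = end
        elif ch == ".":
            parts.append(".+")   # one or more of any character
        elif ch == "!":
            parts.append(".*")   # zero or more of any character
        else:
            parts.append(re.escape(ch))
        i += 1
    return re.compile("".join(parts))


def check(dialed, allow, deny=()):
    """Return (verdict, matching_pattern); anything unmatched is denied."""
    for pat in deny:
        if pattern_to_regex(pat).fullmatch(dialed):
            return ("deny", pat)
    for pat in allow:
        if pattern_to_regex(pat).fullmatch(dialed):
            return ("allow", pat)
    return ("deny", None)


# The two patterns exactly as quoted in the message above.
RESTRICTED = ["_91NXXNXX", "_9NXX"]
# Hypothetical context for the single extension allowed to call abroad:
# "9" for an outside line, then the US international prefix 011.
INTL_ALLOW = RESTRICTED + ["_9011."]
# Hypothetical exclusion for country code 53 (Cuba, the message's example).
INTL_DENY = ["_901153."]
# Hypothetical exclusion for the 1-900 toll range raised elsewhere in the thread.
TOLL_DENY = ["_91900."]

if __name__ == "__main__":
    # Constructed dial strings, not real subscriber numbers.
    for number, allow, deny in [
        ("9234", RESTRICTED, ()),
        ("91234567", RESTRICTED, ()),
        ("9011263555010", RESTRICTED, ()),
        ("91900555", RESTRICTED, ()),
        ("91900555", RESTRICTED, TOLL_DENY),
        ("9011263555010", INTL_ALLOW, INTL_DENY),
        ("901153555010", INTL_ALLOW, INTL_DENY),
    ]:
        print(number, check(number, allow, deny))
```

Note that `91900555` is allowed by `_91NXXNXX` on its own, because `N` accepts the leading 9 of a 900 number; only the explicit deny pattern stops it.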
Re: [asterisk-users] one for your filters
On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:

> Some !...@$#@@# in the Czech Republic used one of our SIP accounts to place four thousand calls to what appears to be a toll number in Zimbabwe last night. Filter 82.150.165.5.

Ouch. 82.0.0.0/8 is on my block list, available at:

http://www.sedwards.com/class-a-block-list

If you don't need to receive packets from far away places, it's a great start.

--
Thanks in advance,
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] one for your filters
On Wed, 23 Jun 2010, Gordon Henderson wrote:

> On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:
>
>> Some !...@$#@@# in the Czech Republic used one of our SIP accounts to place four thousand calls to what appears to be a toll number in Zimbabwe last night. Filter 82.150.165.5.
>>
>> A more overriding problem for me is how do we know what *destinations* to filter so this idea of war dialing a toll number is something we can cutoff before it gets to our upstream provider? Is there some collected list of toll prefixes that I can filter on?
>
> How did they guess the SIP username and password? That's what I'm more concerned about...
>
> Gordon

I'm still trying to figure that out. Our SIP usernames are seven digit phone numbers, so not really difficult to guess, but the passwords are 7 char alpha-numeric strings, auto generated. We don't at present restrict people to their addresses, as some are dynamic.

j
Re: [asterisk-users] one for your filters
On Wed, 23 Jun 2010, Tarek Sawah wrote:

> you can start by simply telling us what is the purpose of your server.. and does it have long distance or overseas?? do you use Numeric usernames? simple passwords? passwords the same as your username? this way you can offer more info so we can help you.
>
> a quick answer will be.. opening a few and blocking ALL is easier.. as you can have up to 400 prefix to block .. unless you call world wide.. then you will have to block the countries you don't call ..
>
> another option.. make your usernames more complex.. letters and numbers..
>
> an additional option is to use fail2ban with Asterisk support.. it will block the IP after the number of attempts you set in the configs.
>
> a client of mine wanted simple usernames and passwords to be setup using the keypad on the ipphones.. two months ago they had the same problem you faced.. 400$ to Zimbabwe .. and later on 1200$ to Zimbabwe.. their provider has a limit of 30 minutes per call .. so the caller had to redial.. unless it's automated.
>
> still you can provide us with more info.
>
> Regards
>
> --
> Tarek Sawah

Well we run local dial tone service in the US Virgin Islands. So our customers are connecting with ATAs, various models of Polycom phones, and SIP trunks from a custom PBX we sell to hotels and businesses. They connect from dynamic addresses most of the time, so we cannot apply any IP based filters to their accounts, though we may be able to restrict them to certain IP blocks. I'd rather not, since the upkeep would be quite a hassle, and would remove their ability to take their ATAs traveling.

Our SIP usernames are their seven digit phone numbers, which may have been a bad choice, but most of the brute force attacks we have witnessed are trying combinations of 3 digit extension numbers. I haven't seen anyone try a brute force attack with 7 digits. The passwords are seven char auto-generated alpha-numeric gibberish, and it seems rather unlikely to me that this account was broken by brute force trial and error. I'm still investigating other methods... like perhaps they broke into my server first and found the provisioning files. That would be bad.

All of that aside - I know there are various things I can do to tighten up our SIP security. My question was more geared towards what do people do to keep their customers or employees from dialing toll numbers worldwide? I cannot restrict my customers to calling a set of countries. But I would feel justified in blocking toll numbers that I don't have a way of billing back. I just don't know where to start to build such a filter list. Surely other ITSPs have had to deal with this issue - fraud situations or not.

The US is easy - all toll numbers start with 1-900 (I think :). Other countries are not so straightforward I understand. Has anyone else tackled this problem?

Thanks,

j
Re: [asterisk-users] one for your filters
On Wed, 23 Jun 2010, Steve Edwards wrote:

> On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:
>
>> Some !...@$#@@# in the Czech Republic used one of our SIP accounts to place four thousand calls to what appears to be a toll number in Zimbabwe last night. Filter 82.150.165.5.
>
> Ouch. 82.0.0.0/8 is on my block list, available at:
>
> http://www.sedwards.com/class-a-block-list
>
> If you don't need to receive packets from far away places, it's a great start.

Nice! I am now one of your grateful subscribers ;)

Cheers,

j
Re: [asterisk-users] one for your filters
On 23 Jun 2010, at 18:39, Steve Edwards wrote:

> Ouch. 82.0.0.0/8 is on my block list, available at:
>
> http://www.sedwards.com/class-a-block-list

Would advise people in the UK do not use that list... 82.0.0.0/8 would block a reasonable chunk of my users for starters..

Steve
Re: [asterisk-users] one for your filters
On 23 Jun 2010, at 19:26, Steve Howes wrote:

> On 23 Jun 2010, at 18:39, Steve Edwards wrote:
>
>> Ouch. 82.0.0.0/8 is on my block list, available at:
>>
>> http://www.sedwards.com/class-a-block-list
>
> Would advise people in the UK do not use that list... 82.0.0.0/8 would block a reasonable chunk of my users for starters..

In fact, your list includes 88 subnets that are /8's. I can't find an IP address on any server I manage in the UK that isn't covered by it. That's just over a third of the internet..

Perhaps this list is only advisable for those in the US/wherever you are?

S
Re: [asterisk-users] one for your filters
http://www.spamhaus.org/drop/ is a good resource that I use.

~ Andrew "lathama" Latham lath...@gmail.com

* Learn more about OSS http://en.wikipedia.org/wiki/Open-source_software
* Learn more about Linux http://en.wikipedia.org/wiki/Linux
* Learn more about Tux http://en.wikipedia.org/wiki/Tux

On Wed, Jun 23, 2010 at 1:39 PM, Steve Edwards asterisk@sedwards.com wrote:

> On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:
>
>> Some !...@$#@@# in the Czech Republic used one of our SIP accounts to place four thousand calls to what appears to be a toll number in Zimbabwe last night. Filter 82.150.165.5.
>
> Ouch. 82.0.0.0/8 is on my block list, available at:
>
> http://www.sedwards.com/class-a-block-list
>
> If you don't need to receive packets from far away places, it's a great start.
>
> --
> Thanks in advance,
> Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
> Newline Fax: +1-760-731-3000
Re: [asterisk-users] one for your filters
> On 23 Jun 2010, at 18:39, Steve Edwards wrote:
>
>> Ouch. 82.0.0.0/8 is on my block list, available at:
>>
>> http://www.sedwards.com/class-a-block-list

On Wed, 23 Jun 2010, Steve Howes wrote:

> Would advise people in the UK do not use that list... 82.0.0.0/8 would block a reasonable chunk of my users for starters..

It is a bit of a blunt sword :)

I constructed this list by checking who the class A address block was assigned to by ARIN. In this list, they are identified as belonging to:

afrinic, apnic, jnic, lacnic, and ripe

so you can pick and choose.

Hopping on my soapbox...

Security is best approached in layers and if you can, disallow all and allow by exception.

I don't have any illusions that this is a panacea to online security issues, but I think it is a cheap outer layer with a great payback. On my home Asterisk email server, it blocks about 1.5 million packets a week.

--
Thanks in advance,
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] one for your filters
On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:

> On Wed, 23 Jun 2010, Steve Edwards wrote:
>
>> On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:
>>
>>> Some !...@$#@@# in the Czech Republic used one of our SIP accounts to place four thousand calls to what appears to be a toll number in Zimbabwe last night. Filter 82.150.165.5.
>>
>> Ouch. 82.0.0.0/8 is on my block list, available at:
>>
>> http://www.sedwards.com/class-a-block-list
>>
>> If you don't need to receive packets from far away places, it's a great start.
>
> Nice! I am now one of your grateful subscribers ;)

I'd like to have a look, but can't - I think there may be issues with your registrar for your domain - from where I am, there are no glue records for the nameservers, therefore I can't look it up... Looks like it was last edited just over 4 weeks ago, so maybe some caches are starting to time-out...

From whois:

Domain servers in listed order:
DOMAIN0.SEDWARDS.COM
DOMAIN1.SEDWARDS.COM

You need to supply the IP address of the nameservers (the glue records) if they're inside your own domain...

(sorry to post this to the list, but I can't email you because of this - looks like you're still getting list traffic though!)

Gordon
Re: [asterisk-users] one for your filters
Not sure what kind of provision server you have there. But do not use http as your provision protocol. Use https instead.

Jian

Jeff LaCoursiere wrote:

> On Wed, 23 Jun 2010, Tarek Sawah wrote:
>
>> you can start by simply telling us what is the purpose of your server.. and does it have long distance or overseas?? do you use Numeric usernames? simple passwords? passwords the same as your username? this way you can offer more info so we can help you.
>>
>> a quick answer will be.. opening a few and blocking ALL is easier.. as you can have up to 400 prefix to block .. unless you call world wide.. then you will have to block the countries you don't call ..
>>
>> another option.. make your usernames more complex.. letters and numbers..
>>
>> an additional option is to use fail2ban with Asterisk support.. it will block the IP after the number of attempts you set in the configs.
>>
>> a client of mine wanted simple usernames and passwords to be setup using the keypad on the ipphones.. two months ago they had the same problem you faced.. 400$ to Zimbabwe .. and later on 1200$ to Zimbabwe.. their provider has a limit of 30 minutes per call .. so the caller had to redial.. unless it's automated.
>>
>> still you can provide us with more info.
>>
>> Regards
>>
>> --
>> Tarek Sawah
>
> Well we run local dial tone service in the US Virgin Islands. So our customers are connecting with ATAs, various models of Polycom phones, and SIP trunks from a custom PBX we sell to hotels and businesses. They connect from dynamic addresses most of the time, so we cannot apply any IP based filters to their accounts, though we may be able to restrict them to certain IP blocks. I'd rather not, since the upkeep would be quite a hassle, and would remove their ability to take their ATAs traveling.
>
> Our SIP usernames are their seven digit phone numbers, which may have been a bad choice, but most of the brute force attacks we have witnessed are trying combinations of 3 digit extension numbers. I haven't seen anyone try a brute force attack with 7 digits. The passwords are seven char auto-generated alpha-numeric gibberish, and it seems rather unlikely to me that this account was broken by brute force trial and error. I'm still investigating other methods... like perhaps they broke into my server first and found the provisioning files. That would be bad.
>
> All of that aside - I know there are various things I can do to tighten up our SIP security. My question was more geared towards what do people do to keep their customers or employees from dialing toll numbers worldwide? I cannot restrict my customers to calling a set of countries. But I would feel justified in blocking toll numbers that I don't have a way of billing back. I just don't know where to start to build such a filter list. Surely other ITSPs have had to deal with this issue - fraud situations or not.
>
> The US is easy - all toll numbers start with 1-900 (I think :). Other countries are not so straightforward I understand. Has anyone else tackled this problem?
>
> Thanks,
>
> j

--
Jian Gao
IT Technician
SJ Geophysics Ltd.
http://www.sjgeophysics.com
jian@sjgeophysics.com
Tel: (604)582-1100
Re: [asterisk-users] one for your filters
Reachable from here. ( US -Comcast )

John Novack

Dog is my Co-pilot

Gordon Henderson wrote:

> On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:
>
>> On Wed, 23 Jun 2010, Steve Edwards wrote:
>>
>>> On Wed, 23 Jun 2010, Jeff LaCoursiere wrote:
>>>
>>>> Some !...@$#@@# in the Czech Republic used one of our SIP accounts to place four thousand calls to what appears to be a toll number in Zimbabwe last night. Filter 82.150.165.5.
>>>
>>> Ouch. 82.0.0.0/8 is on my block list, available at:
>>>
>>> http://www.sedwards.com/class-a-block-list
>>>
>>> If you don't need to receive packets from far away places, it's a great start.
>>
>> Nice! I am now one of your grateful subscribers ;)
>
> I'd like to have a look, but can't - I think there may be issues with your registrar for your domain - from where I am, there are no glue records for the nameservers, therefore I can't look it up... Looks like it was last edited just over 4 weeks ago, so maybe some caches are starting to time-out...
>
> From whois:
>
> Domain servers in listed order:
> DOMAIN0.SEDWARDS.COM
> DOMAIN1.SEDWARDS.COM
>
> You need to supply the IP address of the nameservers (the glue records) if they're inside your own domain...
>
> (sorry to post this to the list, but I can't email you because of this - looks like you're still getting list traffic though!)
>
> Gordon
Re: [asterisk-users] one for your filters
On 23/06/2010 21:28, Gordon Henderson wrote:

> [...]
>
> I'd like to have a look, but can't - I think there may be issues with your registrar for your domain - from where I am, there are no glue records for the nameservers, therefore I can't look it up... Looks like it was last edited just over 4 weeks ago, so maybe some caches are starting to time-out...
>
> From whois:
>
> Domain servers in listed order:
> DOMAIN0.SEDWARDS.COM
> DOMAIN1.SEDWARDS.COM
>
> You need to supply the IP address of the nameservers (the glue records) if they're inside your own domain...
>
> (sorry to post this to the list, but I can't email you because of this - looks like you're still getting list traffic though!)

Same here, also from Europe.

--
Daniel
Re: [asterisk-users] one for your filters
On Wed, 23 Jun 2010, Gordon Henderson wrote:

>> Ouch. 82.0.0.0/8 is on my block list, available at:
>>
>> http://www.sedwards.com/class-a-block-list
>>
>> If you don't need to receive packets from far away places, it's a great start.
>
> I'd like to have a look, but can't - I think there may be issues with your registrar for your domain - from where I am, there are no glue records for the nameservers, therefore I can't look it up... Looks like it was last edited just over 4 weeks ago, so maybe some caches are starting to time-out...
>
> From whois:
>
> Domain servers in listed order:
> DOMAIN0.SEDWARDS.COM
> DOMAIN1.SEDWARDS.COM
>
> You need to supply the IP address of the nameservers (the glue records) if they're inside your own domain...

I think I have the name servers configured correctly.

I think you were having difficulty because I was blocking everything from 195.0.0.0/8

Please try again.

--
Thanks in advance,
Steve Edwards sedwa...@sedwards.com Voice: +1-760-468-3867 PST
Newline Fax: +1-760-731-3000
Re: [asterisk-users] one for your filters
> I'm still trying to figure that out. Our SIP usernames are seven digit phone numbers, so not really difficult to guess, but the passwords are 7 char alpha-numeric strings, auto generated. We don't at present restrict people to their addresses, as some are dynamic.

If they're randomly generated (which might not be the same as auto generated) then that *ought* to be a big enough namespace to provide reasonable resistance to cracking... 78 billion combinations at least (assuming upper-case alpha and numeric characters).

Do your logs show a lot of failed registrations? A brute-force password-guessing attack ought to show up in this way (and is thus good fodder for a Fail2Ban auto-jailing).

You should check your Asterisk configuration to make triple-sure that:

(1) Inbound guest calls go only to a restrictive context which will allow calling of only your own specific extensions, and

(2) You don't have DISA enabled on any extension... a short DISA passcode and a guessable DISA extension number could be an expensive vulnerability.
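An added example (not part of the message above, and not Fail2Ban's own code): the log check it describes, counting failed SIP registrations per source address inside a sliding window in the way a Fail2Ban jail's `maxretry`/`findtime` settings do. The log lines are constructed in the `chan_sip` NOTICE format with documentation-range addresses and made-up usernames; the thresholds and the scan-versus-guessing labels are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# chan_sip failure notice; newer versions append ":port" to the address.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] "
    r"chan_sip\.c: Registration from '(?P<sender>[^']*)' failed for "
    r"'(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)
SIP_USER = re.compile(r"sip:([^@>]+)@")


def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: details} for sources with >= maxretry failures in findtime.

    Assumes the log is in chronological order, as a log file is.
    """
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    users = defaultdict(set)      # ip -> usernames it tried to register
    tripped = {}                  # ip -> time the threshold was first reached
    for line in lines:
        m = FAILED_REG.match(line.strip())
        if not m:
            continue              # successful registrations, other modules
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        user = SIP_USER.search(m["sender"])
        if user:
            users[ip].add(user.group(1))
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # forget failures older than findtime
        if len(window) >= maxretry and ip not in tripped:
            tripped[ip] = ts
    return {
        ip: {
            "tripped_at": when,
            "usernames": sorted(users[ip]),
            # Assumed heuristic: many usernames looks like extension
            # scanning, one username looks like password guessing.
            "kind": "extension scan" if len(users[ip]) > 1
                    else "password guessing",
        }
        for ip, when in tripped.items()
    }


SERVER = "198.51.100.10"  # constructed server address


def _fail(ts, user, ip, reason):
    """Build one constructed failure line in chan_sip's format."""
    return (f"[{ts}] NOTICE[2211] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@{SERVER}>' failed for '{ip}' - {reason}")


# Constructed sample log: a 3-digit extension scan, repeated guesses against
# one 7-digit account, and a customer who mistyped a password twice.
SAMPLE_LOG = (
    [_fail(f"2010-06-23 02:14:{s:02d}", 100 + s, "203.0.113.45",
           "No matching peer found") for s in range(6)]
    + [_fail(f"2010-06-23 03:00:{s:02d}", "5550142", "203.0.113.77",
             "Wrong password") for s in range(0, 50, 10)]
    + [_fail("2010-06-23 09:00:00", "5550199", "198.51.100.23", "Wrong password"),
       _fail("2010-06-23 09:30:00", "5550199", "198.51.100.23", "Wrong password"),
       "[2010-06-23 09:31:02] VERBOSE[2211] chan_sip.c: -- Registered SIP "
       "'5550199' at 198.51.100.23 port 5060"]
)

if __name__ == "__main__":
    for ip, info in find_offenders(SAMPLE_LOG).items():
        print(ip, info["kind"], info["tripped_at"], info["usernames"])
```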
Re: [asterisk-users] one for your filters
> I'm still trying to figure that out. Our SIP usernames are seven digit phone numbers, so not really difficult to guess, but the passwords are 7 char alpha-numeric strings, auto generated. We don't at present restrict people to their addresses, as some are dynamic.

If the extension in question is one that is normally accessed via a SIP soft-phone of some sort, you should check the PC(s) on which this softphone is run for any sort of malware infection.

There have been more than a few malware packages (viruses or trojans) which contain payloads that search the compromised system for various forms of authorization credentials. It's possible that this extension's password wasn't cracked by brute force, but was stolen from the soft-phone configuration file on a user's PC.