Re: [AusNOG] High number of inbound automated Chinese language calls on AAPT CTS

2017-10-26 Thread Michael Junek
I haven't seen anything specific come through on our AAPT CTS service today, 
however I'll keep an eye out.


I did just get a random call through on a new SfB hunt group that's being 
configured, however that appeared to be a Sydney CLI, rather than a random one.


Michael





From: AusNOG  on behalf of Matt Perkins 

Sent: Friday, 27 October 2017 15:33
To: jay binks; AusNOG@lists.ausnog.net
Subject: Re: [AusNOG] High number of inbound automated Chinese language calls 
on AAPT CTS

Hi Jay,
The Unwelcome Communications procedure only works when you have the source numbers. 
It's hard to give the CTS provider ~10,000 source numbers ;) They are trying 
however to chase it up.  No it's not coming from a sip gateway. This equipment 
is not on the internet.

Matt.


On 27/10/17 3:22 pm, jay binks wrote:
There are methods for dealing with unwelcome or nuisance calls.
It's not always effective, but it's worth a try.

If your calls fit the definition of an "UNWELCOME COMMUNICATIONS" you may be 
able to utilise http://www.commsalliance.com.au/Documents/all/codes/c525.

The OP may have a claim to this with 3000 calls within 4 hours.
Contact your CSP. "C/CSPs must assist end users in receipt of unwelcome 
messages where it is reasonably possible to do so"

They may only pass the complaint on to the originating carrier, but you might 
get lucky.

The other thing I initially thought of when I saw this (but it seems like it's 
probably not the case after reading other people's accounts).
Make sure your SIP equipment only accepts SIP from your SIP provider. Sometimes 
you find people scanning your network, doing this sort of thing.

Good luck !

Jay

On 27 October 2017 at 14:12, Matt Perkins <m...@spectrum.com.au> wrote:
The volumes we are getting are stunning if it's not targeted at AAPT, as it 
appears it's not from some of the on/off list responses. We have had over 3000 
calls in the last 4 hours. This has been going on for almost 4 days.


Matt.



On 27/10/17 2:51 pm, tom.minc...@csiro.au wrote:
We are getting runs of these to a Sydney and a Melbourne site. We are Telstra 
inbound.



On Fri, Oct 27, 2017 at 1:55 PM +1100, "Andrew Yager" <and...@rwts.com.au> wrote:

Hi Matt,

We have seen multiple instances of this over the last couple of months to 
different number blocks.

It's usually a Mandarin message claiming to be from the ATO.

Have logged a few complaints on a few of them; have not got anywhere useful 
because each number is called "once" and doesn't meet the threshold for a 
nuisance claim.

If any of my upstreams want to care though… I'm happy to provide more details… 
:) (nudge… nudge…)

Andrew


On 27 October 2017 at 13:34, Matt Perkins <m...@spectrum.com.au> wrote:
Here's some Friday fun.

Are there any people with AAPT CTS that are receiving very high volumes (500 an 
hour) of a Chinese language automated message? Numbers dialed in appear to be 
random within routed ranges; they also appear to be using random calling IDs, 
some start with 028009XX. I'm told that the message says it's from the Chinese 
consulate and asks you to push zero. I suspect they are trying to determine 
which numbers have Chinese language speakers answer for some later scam. But it 
only appears to be on AAPT CTS. We have CTS with a few other carriers and are 
seeing nothing on those inbound.

Interested to see if others are receiving same.

Matt.



--
/* Matt Perkins
Direct 1300 137 379
Spectrum Networks Ptd. Ltd.
Office 1300 133 299
m...@spectrum.com.au
Level 6, 350 George Street Sydney 2000
Spectrum Networks is a member of the Communications Alliance & TIO
*/

___
AusNOG mailing list
AusNOG@lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog



--
Andrew Yager, CEO (BCompSc, JNCIS-SP, MACS (Snr) CP)
Real World Technology Solutions - IT People you can trust
Voice | Data | IT Procurement | Managed IT
rwts.com.au | 1300 798 718


Re: [AusNOG] NBN Layer 2 PtP

2017-11-10 Thread Michael Junek
Perhaps using a pair of MikroTik routers and setting up an Ethernet over IP 
tunnel?

Obviously no QoS and the like but at least you've got a L2 connection.


From: Peter Tiggerdine 
Sent: 11 Nov 2017 5:05 pm
To: Lee Allemand
Cc: ausnog@lists.ausnog.net
Subject: Re: [AusNOG] NBN Layer 2 PtP

What's the technical requirement for layer2 outside the datacenter? I suspect 
there is a better way.

Regards,

Peter Tiggerdine



On Nov 10, 2017 11:25, "Lee Allemand" <lallem...@christiecorporate.com.au> wrote:
Thanks Nathan,

Might have a chat to Telstra wholesale, the site is NBN FTTP and is really the 
only option at this point.

Warm Regards,
Lee Allemand
IT Support

Christie Group
Level 1, 320 Adelaide St
Brisbane QLD 4000
Desk: 07 3905 9020
Mobile: 0434 777 892

From: Nathan Brookfield [mailto:nathan.brookfi...@simtronic.com.au]
Sent: Friday, 10 November 2017 11:22 AM
To: Lee Allemand <lallem...@christiecorporate.com.au>; 'ausnog@lists.ausnog.net' <ausnog@lists.ausnog.net>
Subject: RE: NBN Layer 2 PtP

Hi Lee,

This isn’t a product as such, Telstra can provide you a dedicated 50/50 but 
only on FTTP and it’s quite expensive due to the traffic class.  In 99% of 
cases you would be MUCH better off price and delivery wise to use an Ethernet 
service from Telstra/AAPT/Vocus etc instead.

Kindest Regards,
Nathan Brookfield (VK2NAB)

Chief Executive Officer
Simtronic Technologies Pty Ltd

Local: (02) 4749 4949 | Fax: (02) 4749 4950 | Direct: (02) 4749 4951
Web: http://www.simtronic.com.au | E-mail: 
nathan.brookfi...@simtronic.com.au


From: AusNOG [mailto:ausnog-boun...@lists.ausnog.net] On Behalf Of Lee Allemand
Sent: Friday, November 10, 2017 12:14 PM
To: 'ausnog@lists.ausnog.net' <ausnog@lists.ausnog.net>
Subject: [AusNOG] NBN Layer 2 PtP

Morning (Afternoon),

I’m after a point to point layer 2 over NBN, ideally from NextDC B1, would 
anyone be kind enough to point me to someone who can supply this?

Off list is preferred.

Thanks :)

Warm Regards,
Lee Allemand


__
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
__


Re: [AusNOG] IP Phone System

2018-02-09 Thread Michael Junek
Hi Henry,

For open source your best bet is Asterisk. If you use one of the derivatives 
such as FreePBX, you'll even get a nice Web based front end for management 
rather than messing with configuration files.

From the paid solutions:
Skype for Business if you're a Microsoft shop.
Most other manufacturers produce IP based physical platforms: Avaya, MiTel, 
Panasonic, NEC, Samsung, Alcatel. These range from physical hardware similar to 
virtual machine based software controllers.

There are also a range of hosted IP systems where the provider will drop a link 
into your office, throw some phones on your desks and then all the PSTN 
carriage as well as platform management are handled by them.

As to the suitability of any of the platforms, this obviously depends on the 
size of your installation, the in house skills you may have, as well as the 
features you may require.

Michael



From: Henry Dola 
Sent: Saturday, 10 February 2018 2:42 am
To: aus...@ausnog.net
Subject: [AusNOG] IP Phone System

Hallo,

My institution is looking at installing an IP Phone system and we are welcome 
to ideas. Apart from Cisco and Shoretel are there any alternatives, open source 
especially.

Thanks,

Henry


Re: [AusNOG] Vocus doody st power ?

2018-02-12 Thread Michael Junek
Our wholesale voice services seem quite intermittent.

Very few inbound calls; outbounds are randomly getting rejected with 503s 
relating to not enough licenses, and 403 forbidden/call rejected.






From: AusNOG  on behalf of David Bomba 

Sent: Tuesday, 13 February 2018 08:04
Cc: aus...@ausnog.net
Subject: Re: [AusNOG] Vocus doody st power ?

We have vocus fibre that is out.

On 13 February 2018 at 07:43, Jared Hirst | Servers Australia 
<jared.hi...@serversaustralia.com.au> wrote:
Interesting.

Yes. We just had a switch reboot.


Tue, 13 Feb at 7:41 am, <b...@overthewire.com.au> wrote:

Anyone else seeing power loss in Sydney Vocus doody st ?

Regards
Ben Cornish

Jared Hirst
Chief Executive Officer

Direct Phone: 0281158801
Phone: +61 2 8115 
Email: 
jared.hi...@serversaustralia.com.au

11/6 Reliance Drive
Tuggerah NSW 2259
www.serversaustralia.com.au


Re: [AusNOG] Bouncing Cisco Equipment and "Smart Install"

2018-05-08 Thread Michael Junek
Hi Michael,


When I recently deployed a few 9300's in our DC, this feature was disabled 
before bringing in external connectivity because one of our engineers here was 
aware of this vulnerability and removed it.


It's enabled out of the box because the idea is that it's for zero-touch 
initial provisioning of the switch. The above engineer was working on a large 
infrastructure project for a govt department, which involved deploying 
approximately 600x 3850 switches. These were set up in a central system and 
when powered on, the configs were delivered, rather than having to console into 
every switch and deploy the configuration.


Michael





From: AusNOG  on behalf of Michael J. Carmody 

Sent: Wednesday, 9 May 2018 14:21
To: ausnog@lists.ausnog.net
Subject: [AusNOG] Bouncing Cisco Equipment and "Smart Install"

Hey All,

Just a feeler to see if anyone else is seeing this.

We have some Cisco switches we use as Layer 2/3 NTU's to talk to client 
equipment on the far ends of fibre links.

As of yesterday morning, all of these switches started a roughly 1-2 hour 
reboot outage.

All smartnet'ed, running latest recommended stable from cisco, and nothing in 
the logs other than a hard reset just occurred.

We have been additionally hardening the exposure of various interfaces (attacks 
were captured coming from resi ISP looking .mx domains), and it appears the one 
that has stopped the rot is disabling the "Smart Install" feature with a "no 
vstack" command, reload config from our config store and back to work...

TBH I didn't even know this protocol existed... a non-authenticated, on by 
default protocol that allows you to configure and image deploy on network 
equipment.

Like, it's our own fault, but what the hell is this doing on by default?

Anyone else with Cisco or "Smart Install" equipment seeing an uptick in 
scanning/poking activity?

-Michael Carmody

(Ref: 
https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20170214-smi
 )


Re: [AusNOG] Potential Optus outage

2018-06-24 Thread Michael Junek
I've noticed a private Optus WAN link between our Melbourne DC and one of our 
customers dropped to 0% utilisation, with the Sydney peer taking all the 
traffic.

The client has had other connections of theirs on Optus also having issues.


M.






From: AusNOG  on behalf of Philip Loenneker 

Sent: Monday, 25 June 2018 16:24
To: Philip Loenneker; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Potential Optus outage

BGP peers have now re-established, but traffic flows seem a little intermittent 
still. A colleague on Optus mobile had 4G issues as well.

Regards,
Philip Loenneker | Network Engineer | TasmaNet
40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
P: 1300 792 711
philip.loenne...@tasmanet.com.au
www.tasmanet.com.au

From: AusNOG [mailto:ausnog-boun...@lists.ausnog.net] On Behalf Of Philip 
Loenneker
Sent: Monday, 25 June 2018 4:08 PM
To: ausnog@lists.ausnog.net
Subject: [AusNOG] Potential Optus outage

Hi all,

We're having issues with an Optus 1G service terminating in a Melbourne DC.

3:24 was the first reported issue, and we currently have no traffic being 
received on the port. I've tried calling the Optus service desk a few times and 
keep having the call drop.

Optus Status pages show no issue.

We have other services so it's not crippling us or anything.

Anyone else having any issues with Optus this afternoon?

Regards,
Philip Loenneker | Network Engineer | TasmaNet
40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
P: 1300 792 711
philip.loenne...@tasmanet.com.au
www.tasmanet.com.au



Re: [AusNOG] Issues receiving from TPG Mail servers.

2018-07-22 Thread Michael Junek
Given plenty of mail communication is still non-encrypted, having TLS1.0 is an 
improvement, granted 1.2 is the ultimate goal.

But shouldn't your public mail server be out of scope for PCI?

Surely it's not handling cardholder data, nor talking to a system that is, 
therefore should be excluded from the requirement?







From: AusNOG  on behalf of Bradley Silverman 

Sent: Monday, 23 July 2018 15:06
To: Mark Newton
Cc: ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Issues receiving from TPG Mail servers.

Hi Matt,

Really appreciate you sending me that email, I will definitely send an email 
through to there!

@Mark Certainly not! PCI Compliance requires that TLSv1.0 be disabled on the 
server. Postfix/Exim/Dovecot are no exception to the rule, if we disable 
TLSv1.0 on the server and remove the weak cipher, then TPG's MTAs aren't able 
to send mail to us.

Regards,

Bradley Silverman | VentraIP Australia
Technical Operations

mobile. +61 418 641 103
phone. +61 3 9013 8464

On Mon, Jul 23, 2018 at 2:48 PM, Mark Newton <new...@atdot.dotat.org> wrote:
You're trying to exchange payment card information over email?

  - mark

On Jul 23, 2018, at 1:30 PM, Bradley Silverman <bsilver...@staff.ventraip.com> wrote:

Does anyone have a contact at TPG regarding their mail servers?

We are having issues with their mail servers using non-PCI compliant ciphers 
which is stopping our servers accepting mail from them.


Regards,

Bradley Silverman | VentraIP Australia
Technical Operations

mobile. +61 418 641 103
phone. +61 3 9013 8464
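
Before raising the TLS floor on a receiving MTA, as discussed in this thread, it helps to know which sending hosts only ever negotiate TLS 1.0. The script below is an added example, not code from any poster; it assumes Exim mainlog arrival lines (`<=` with `H=`, `P=` and `X=` fields), and the sample log, hostnames and addresses are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in Exim mainlog style; addresses are documentation ranges.
SAMPLE_LOG = """\
2018-07-23 13:30:01 1fhA01-0001aa-AA <= alice@legacy.example H=mta1.legacy.example [192.0.2.10] P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no S=2048
2018-07-23 13:30:02 1fhA01-0001aa-AA => bob <bob@hosted.example> R=localuser T=local_delivery
2018-07-23 13:31:40 1fhA02-0001ab-BB <= carol@modern.example H=mail.modern.example [198.51.100.7] P=esmtps X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no S=5120
2018-07-23 13:35:12 1fhA03-0001ac-CC <= dave@plain.example H=relay.plain.example [203.0.113.5] P=esmtp S=1900
2018-07-23 13:40:09 1fhA04-0001ad-DD <= erin@legacy.example H=mta1.legacy.example [192.0.2.10] P=esmtps X=TLSv1:DHE-RSA-AES256-SHA:256 CV=no S=3300
2018-07-23 13:42:55 1fhA05-0001ae-EE <= frank@mixed.example H=out.mixed.example [198.51.100.20] P=esmtps X=TLSv1:AES128-SHA:128 CV=no S=900
2018-07-23 13:50:31 1fhA06-0001af-FF <= frank@mixed.example H=out.mixed.example [198.51.100.20] P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=950
2018-07-23 13:58:00 1fhA07-0001ag-GG <= carol@modern.example H=mail.modern.example [198.51.100.7] P=esmtps X=TLS1.3:TLS_AES_256_GCM_SHA384:256 CV=no S=4100
"""

# Message arrival: " <= sender ... H=name [ip]" (name may be absent or "(helo)").
ARRIVAL = re.compile(r" <= \S+ .*?H=(?P<host>[^\[]*)\[(?P<ip>[^\]]+)\]")
# X=TLSv1:cipher:bits (older Exim) or X=TLS1.3:cipher:bits (newer Exim).
X_FIELD = re.compile(r"\bX=(?P<proto>TLS|SSL)v?(?P<ver>\d+(?:\.\d+)?):(?P<cipher>[^:\s]+)")


def version_key(proto, ver):
    """Return a sortable (major, minor) tuple; any SSL version sorts below TLS 1.0."""
    major, _, minor = ver.partition(".")
    nums = (int(major), int(minor or 0))
    return nums if proto == "TLS" else (0, nums[0])


def summarise(log_text):
    """Map sending IP -> hostnames seen and a count per negotiated version.

    The key None counts messages that arrived without TLS (no X= field).
    """
    senders = defaultdict(lambda: {"hosts": set(), "seen": Counter()})
    for line in log_text.splitlines():
        arrival = ARRIVAL.search(line)
        if not arrival:
            continue  # deliveries, completions, errors: not an inbound arrival
        entry = senders[arrival["ip"]]
        host = arrival["host"].strip()
        if host:
            entry["hosts"].add(host)
        x = X_FIELD.search(line)
        entry["seen"][version_key(x["proto"], x["ver"]) if x else None] += 1
    return dict(senders)


def legacy_only_senders(log_text, floor=(1, 2)):
    """IPs whose TLS deliveries were all below `floor`.

    These are the hosts whose handshakes start failing once the floor is
    enforced. Hosts that also negotiated `floor` or better are capable of it,
    and plaintext-only hosts never attempt a handshake, so neither is listed.
    """
    flagged = []
    for ip, entry in summarise(log_text).items():
        tls_versions = [v for v in entry["seen"] if v is not None]
        if tls_versions and max(tls_versions) < floor:
            flagged.append(ip)
    return sorted(flagged)


if __name__ == "__main__":
    summary = summarise(SAMPLE_LOG)
    for ip in legacy_only_senders(SAMPLE_LOG):
        hosts = ", ".join(sorted(summary[ip]["hosts"]))
        total = sum(summary[ip]["seen"].values())
        print(f"{ip} ({hosts}): {total} messages, none at TLS 1.2 or better")
```

Whether a flagged sender retries in the clear after a failed handshake depends on the sending MTA, so the list is the set of hosts to contact or test before the change, not a prediction of lost mail.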


Re: [AusNOG] Issues receiving from TPG Mail servers.

2018-07-22 Thread Michael Junek
Actually going through the pain of it all right now.
Fortunately our QSA is a little pragmatic about these things and isn't one of 
those checklisty type people - and would certainly offer suggestions about it, 
especially if there is a documented business reason why something cannot be 
enacted.

The easiest way around it is to disable TLS completely on your mail server. 
Won't fail PCI then. And everyone will send to you unencrypted. Doesn't fix the 
security issue, but it certainly fixes the mailflow.





From: Rob Thomas 
Sent: Monday, 23 July 2018 15:27
To: Michael Junek
Cc: Bradley Silverman; Mark Newton; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Issues receiving from TPG Mail servers.

> But shouldn't your public mail server be out of scope for PCI?

Here, ladies and gentlemen, is a nerd that has never encountered the
insanity and conflicting information that is PCI.  Be quiet, we don't
want to scare it.

In all seriousness, yes, they will fail you if you have anything
listening on a machine that accepts TLS1.0 connections.  Or maybe they
won't. You don't know until you pay the $5k for the audit. And if they
DO fail you, you have to fix it. So I'm guessing that is where Bradley
is now. His PCI auditors have said 'No TLS1.0 on this server', and
that's the end of the discussion.

You don't get to reason with these people. They are accountants that
run scripts and have a checklist.  Common sense does not enter into
the equation.

--Rob


Re: [AusNOG] Issues receiving from TPG Mail servers.

2018-07-22 Thread Michael Junek
Addressing the issue at hand, can you set your MTA not to offer STARTTLS 
command in the EHLO towards the TPG IP addresses, to force them to use the 
unencrypted channel?


Surely others who have played with their TLS1.2 settings on their MTA's are 
having this issue as well with TPG; how would they have gotten around it?


M.





From: AusNOG  on behalf of Bradley Silverman 

Sent: Monday, 23 July 2018 15:40
To: Mark Newton
Cc: ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Issues receiving from TPG Mail servers.

@Michael - I agree that turning it off is the best way of solving it, the issue 
is we don't have the servers forcing TLS, that's TPG.

@Mark - These are shared hosting servers, think cPanel & Plesk. The one server 
is both mail, and website. Which means that the server has websites that accept 
credit card payments, and therefore is subject to PCI. Any system that is on 
that server is required to comply with PCI.

If the server was website only, then I'd agree 100% that it would be out of 
scope for PCI, but since the same server runs both email and websites for 
shared hosting customers, it is in scope.

We have zero issue with any other MTA, it is only these TPG MTA's that are 
forcing both TLSv1.0 and an old cipher. If they either turned off TLS or 
upgraded to TLSv1.2 they would be up to spec.

But we either have to make the decision to block TPG from being able to send to 
the 100,000s of email accounts we have, or make it so that none of our 
customers' servers are PCI compliant. I'd rather speak to TPG and work with them 
to fix the underlying problem.

Regards,

Bradley Silverman | VentraIP Australia
Technical Operations

mobile. +61 418 641 103
phone. +61 3 9013 8464

On Mon, Jul 23, 2018 at 3:34 PM, Mark Newton <new...@atdot.dotat.org> wrote:
But PCI Compliance only applies to the Cardholder Data Environment.

Why on earth would you have a mail server in the Cardholder Data Environment?

And if it isn't in the CDE: You can run whatever version of TLS you want, and 
it's none of PCI's business.

  - mark





Re: [AusNOG] Issues receiving from TPG Mail servers.

2018-07-22 Thread Michael Junek
On the PCI Audit side of things, however, I think the shared hosting such as 
CPanel servers will fail PCI based on requirement 2.2.1 regardless--


"Implement only one primary function per server to prevent functions that 
require different security levels from co-existing on the same server. (For 
example, web servers, database servers, and DNS should be implemented on 
separate servers.)"








Re: [AusNOG] Issues receiving from TPG Mail servers.

2018-07-22 Thread Michael Junek
Just being the 'mean security consultant' - the security level of each system 
could easily be argued - email would be considered low security for 
compatibility (which technically means that TLS1.0/SSL3 etc is acceptable); 
whereas the web servers are considered high security handling CHD, which means 
that they should be covered under the full encrypted spec. It would also mean if 
that was considered, that 2.2.1 would apply, and separation of function would 
be required.




From: Bradley Silverman 
Sent: Monday, 23 July 2018 15:56
To: Michael Junek
Cc: Mark Newton; ausnog@lists.ausnog.net
Subject: Re: [AusNOG] Issues receiving from TPG Mail servers.

@Michael - That's what we are looking at doing, though it will be a pain. Not 
sure how to go about doing it with Exim & cPanel but will start looking into it.

Re 2.2.1, it won't fail if they have the same security level, which is what we 
are trying to accomplish by bringing TPG into spec. DNS is on separate servers, 
and the database connection isn't publicly accessible.

Really appreciate the help with this gents. Hopefully TPG get back in touch 
with me else we will have to investigate ways of blocking TLS handshakes from 
TPG.

Regards,

Bradley Silverman | VentraIP Australia
Technical Operations

mobile. +61 418 641 103
phone. +61 3 9013 8464


Re: [AusNOG] NTP Best Current Practices Internet Draft

2019-02-01 Thread Michael Junek
That's correct. Windows only has a SNTP client implemented, and not an NTP 
client. As such, it can only query a single NTP server, and does not have the 
algorithms to determine the accuracy of the time sources.





From: AusNOG  on behalf of O'Connor, Daniel 

Sent: Saturday, 2 February 2019 12:31
To: Mark Smith
Cc: 
Subject: Re: [AusNOG] NTP Best Current Practices Internet Draft

> On 2 Feb 2019, at 11:48, Mark Smith  wrote:
> The problem that occurred with 0.au.pool.ntp.org proving bad time
> wouldn't have had an effect if the Windows domain controller had at
> least 2 other NTP time sources.

The behaviour of OP's system implies that a PDC does not use more than one clock 
source.

If that is true (I have no idea, but googling suggests it may be so) then you 
are going to end up relying on a single time server. In that case you are 
probably better firing up a tiny Linux VM running only ntpd (or chrony etc etc) 
which is configured for multiple pool servers and then point your DCs at that.

It does seem pretty ridiculous that Windows server can't behave more sensibly 
though..

--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum


___
AusNOG mailing list
AusNOG@lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog


Re: [AusNOG] NTP Best Current Practices Internet Draft

2019-02-01 Thread Michael Junek
Yes and no -- relative time is critical within the Windows network, such as 
synchronisation between Servers, Clients and Domain Controllers, which is why 
everything Syncs back to the DCs.

The absolute time (synchronising to an outside source) has no bearing on its 
operation. (Excluding things such as domain trusts and the like)

So in the case that the OP had, the whole network goes half an hour out of sync, 
but relatively speaking, all the clocks on the network are within a few seconds 
of each other, and Kerberos etc doesn't die.




From: O'Connor, Daniel 
Sent: Saturday, 2 February 2019 12:37
To: Michael Junek
Cc: Mark Smith; 
Subject: Re: [AusNOG] NTP Best Current Practices Internet Draft

> On 2 Feb 2019, at 12:05, Michael Junek  wrote:
> That's correct. Windows only has an SNTP client implemented, and not an NTP 
> client. As such, it can only query a single NTP server, and does not have the 
> algorithms to determine the accuracy of the time sources.

That is pretty insane given how critical time is to the correct functioning of 
an AD network..

Is there an MS solution apart from #yolo?

--
Daniel O'Connor
"The nice thing about standards is that there
are so many of them to choose from."
 -- Andrew Tanenbaum
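
The two NTP messages above turn on why one bad upstream can drag a single-source client half an hour off, while a client with at least two other sources would have ignored it. The following is an added example, not part of the original thread: a simplified interval-intersection (Marzullo-style) selection, not the actual ntpd or chrony code, run over constructed sample offsets with hypothetical source names.

```python
# Constructed samples: (source name, measured offset in seconds, max error in seconds).
GOOD = [("src-a", 0.012, 0.05), ("src-b", -0.008, 0.05), ("src-c", 0.003, 0.05)]
BAD = ("bad-source", 1800.0, 0.05)  # a source that is half an hour out


def select_offset(samples):
    """Pick a clock offset from samples; return (offset or None, trusted names).

    With one sample there is nothing to cross-check, so it is accepted as-is
    (the single-source SNTP case). With more, find the interval covered by the
    largest number of sources and require a strict majority to agree on it.
    """
    if len(samples) == 1:
        name, offset, _ = samples[0]
        return offset, [name]

    # Each source claims the true offset lies in [offset - err, offset + err].
    # Encode interval starts as -1 and ends as +1 so starts sort first on ties.
    edges = []
    for _, offset, err in samples:
        edges.append((offset - err, -1))
        edges.append((offset + err, +1))
    edges.sort()

    best = count = 0
    lo = hi = None
    for i, (value, kind) in enumerate(edges):
        count -= kind  # a start edge raises the overlap count, an end lowers it
        if count > best:
            best, lo, hi = count, value, edges[i + 1][0]

    # No strict majority: the sources disagree and none can be trusted.
    if best * 2 <= len(samples):
        return None, []

    # Sources whose interval contains the agreed region are kept; the rest
    # (falsetickers) are discarded before averaging.
    trusted = [(n, o) for n, o, e in samples if o - e <= lo and o + e >= hi]
    mean = sum(o for _, o in trusted) / len(trusted)
    return mean, [n for n, _ in trusted]


if __name__ == "__main__":
    print(select_offset([BAD]))             # single source: bad time is adopted
    print(select_offset([BAD, GOOD[0]]))    # two sources: cannot tell which is wrong
    print(select_offset([BAD] + GOOD))      # four sources: bad one is outvoted
```
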




Re: [AusNOG] (Probably a bit OT) IPv6 oddity

2019-10-15 Thread Michael Junek
2 from 2 of the Arcadyan modems supplied to other family by Telstra have 
exhibited the same issue. Whirlpool is full of complaints of similar things. 
Something to do with UPNP apparently.

"Intermittent internet access" is the typical reported fault, however when 
debugging the issue I found the working sites were all IPv6 and the non-working 
ones were IPv4 only.


So as not to get more tech support calls from family, the Telstra boxes 
were reassigned to be dumb ATAs only (seeing you can't get the SIP config from 
Telstra) and a MikroTik router was placed in front doing the work and heavy 
lifting from the NBN NCD.


Both premises were FttC.




From: AusNOG  on behalf of Jamie Lovick 

Sent: Tuesday, 15 October 2019 19:57
To: Karl Auer
Cc: AUSNOG
Subject: Re: [AusNOG] (Probably a bit OT) IPv6 oddity

I've seen those Optus branded Netgear cable routers stop handing out DHCP to 
the local network, but will continue to route just fine. Typically, if there is 
bad power (brownouts, etc.), this can happen.

Jamie

On Tue, 15 Oct 2019 at 3:05 pm, Karl Auer <ka...@biplane.com.au> wrote:
Had an interesting (to me) case last week. Client rang on his mobile to
say his phones didn't work and also he couldn't get to his bank or
anything else - except Google. Also, I found I was able to use
TeamViewer to access one of his PCs.

He's on NBN over FTTC (or maybe FTTN) with Telstra.

Turned out his Telstra router was supplying a valid prefix to
autoconfigure IPv6 addresses in, but it was not supplying IPv4
addresses via DHCP. Reset the router and it all came good.

This is the first time I've seen this in the wild where it was not a
misconfiguration (though I'm the first to admit that "the wild" is more
of an inoffensive thicket in my case). Is it more common than I think?

Regards, K.

--
~~~
Karl Auer (ka...@biplane.com.au)
http://www.biplane.com.au/kauer
http://twitter.com/kauer389

GPG fingerprint: 8D08 9CAA 649A AFEF E862 062A 2E97 42D4 A2A0 616D
Old fingerprint: A0CD 28F0 10BE FC21 C57C 67C1 19A6 83A4 9B0B 1D75


--
Jamie Lovick <-> IT Consultant <-> AU <-> +61-4-1479-1681
-> US <-> +1-8018-4-52643 (JAMIE)
-> FR <-> +33-9-7073-0340
Doof.org-> Em <-> 
jalov...@doof.org



Re: [AusNOG] FYI: Telstra carrier interconnects are full

2020-03-22 Thread Michael Junek
AAPT certainly were running SS7 over various SDH technologies when I was last 
working on their call centre platform a few years back.



From: AusNOG  on behalf of Mark Delany 

Sent: Monday, 23 March 2020 15:20
To: ausnog@lists.ausnog.net
Subject: Re: [AusNOG] FYI: Telstra carrier interconnects are full

> Yes. With Telstra, it's an EXTRAORDINARILY big deal. You still have to
> use specific hardware, and SS7 signaling over ISDN

Oh. My bad. I was basing my assumptions on how I've seen voice delivered in the 
US. Even big ol' bad boy and recalcitrant Telco, AT&T provides SIP over a PNI. 
At my $DayJob we have a 10G PNI to them. Easily provisioned and managed as 
just-another-IP-network.

I was also under the impression, tho I could be wrong, that voice interconnects 
in the US are increasingly over private IP networks with SIP. I assumed 
Australia was doing the same. You are clearly saying "not so".

But ISDN? I still have nightmares over Telstra-variant LAPD state-machines from 
the dark ages. I thought all that stuff was archaeological by now. Next thing 
you'll be telling me is that Telstra still carry voice over an ATM transport or 
some archaic plesiochronous network.


Mark.


Re: [AusNOG] Lightning and FTTC - is it really this bad?

2021-01-20 Thread Michael Junek
Hi Troy,

Lightning has always been an issue for the copper network – the old adage 
“don’t use the phone in a storm” comes to mind.
Certainly where my mum is, in Springwood, the copper is above-ground-- you 
often see a 100-pair floating off the power poles, with the house pair coming 
from a jumper box mounted up high. This would contribute towards the issues 
seen.
So it definitely has some merit – my mum has already had to have the FTTC NCD 
replaced once in the (less than) 12 months she’s had an NBN connection.

The article states “Our technical teams continuously look to investigate ways 
to reduce the impact of lightning on our electronic equipment with ongoing 
testing and trials as part of this process.” – this I can attest to, as I have 
two properties which will be participating in these trials.

Cheers
M.







From: AusNOG  On Behalf Of Troy Kelly
Sent: Wednesday, 20 January 2021 20:54
To: 'aus...@ausnog.net' 
Subject: [AusNOG] Lightning and FTTC - is it really this bad?

I'm confused as to how FTTC would suffer more from lightning strike related 
issues than other ground conducting technologies?

Is it something about the Blue Mountains in particular, or is this article 
rubbish?

(Paywall, open in incognito if so inclined)
https://www.smh.com.au/national/nsw/blue-mountains-residents-turn-off-nbn-in-storms-or-risk-no-connection-for-days-20210120-p56vjb.html

Cheers,
Troy



Re: [AusNOG] Banking outages.

2021-06-16 Thread Michael Junek
The commonality I have heard is that it’s to do with AWS Route 53.

From: AusNOG  On Behalf Of DaZZa
Sent: Thursday, 17 June 2021 15:59
To: AusNOG Mailing List 
Subject: [AusNOG] Banking outages.

Apparently, most of the big 4 (and a lot of other!) banks are having major 
issues with online sites.

Anyone got insight? I'm seeing speculation that it's anything from an Akamai 
outage to CloudFlare to a massive DDOS against multiple institutions.

Anyone seeing more detail?

D