Hi Tony, I am using PFSense, but I have a weird setup, with 2 offsite links and 2 external IP addresses for my sipx server that are each 1:1 NATed to the server's internal address, with firewall rules limiting the ports that are accessible.
One PFSense connects to a dedicated fiber to my ITSP, and that PFSense is set to only accept traffic for my sipx if it comes from the ITSP's SIP switches. This is for trunk traffic only. I have a second connection to the open internet, also using PFSense, where I allow all of the usual ports you recommend in your PFSense blog entry to reach my sipx server. My plan is to allow remote users to connect to sipx over this link, and my external DNS entries point to the sipx server using this external IP address. I'm not sure this is a good plan, though, as I don't yet have a need for external users and I am worried about the security issues.

So it seems to me that my proxy is exposed to anyone on the internet, since I allow access to port 5060. Looking in the logs, I see an invite from an address in China to "<sip:90441920486688@" (the external address on my open internet link). The proxy responded with a 404 not found.

Can you suggest a better approach to allow remote users without this exposure? Or is this a risk people just live with?

Thanks,
Jeff

On Feb 19, 2010, at 11:57 AM, Tony Graziano wrote:

> Please identify what kind of firewall and what type of itsp solution you have. It's more likely a pc was hacked, because the cdr data shows the call coming from the proxy, which is not directly exposed except through the firewall. The call "authenticated" because it got "to" the proxy. It is more likely the pc was hijacked.
>
> You would be wise to also look at sipxbridge logs in the same timeframe.
> ============================
> Tony Graziano, Manager
> Telephone: 434.984.8430
> Fax: 434.984.8431
>
> Email: [email protected]
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> Fax: 434.984.8427
>
> Helpdesk Contract Customers:
> http://www.myitdepartment.net/gethelp/
>
> ----- Original Message -----
> From: [email protected] <[email protected]>
> To: [email protected] users <[email protected]>
> Sent: Fri Feb 19 11:45:55 2010
> Subject: [sipx-users] Was I being hacked?
>
> I saw in my call detail records a block of about 50 call attempts made within 2 minutes of each other to international numbers, and using a variety of prefixes. All calls showed the status "failed", so I presume they did not connect. The from field was "sip". Here is an example:
>
> sip 9011441383417547 2/13/10 5:02 AM 0 seconds Failed
>
> My guess is that my server was being probed to see if it could be hijacked for free calls. Does that seem right?
>
> What exactly does it mean to have "sip" as the From?
>
> Is there a checklist for security measures to ensure that an installation is reasonably protected from such attempts?
>
> Thanks,
>
> Jeff
>
> _______________________________________________
> sipx-users mailing list [email protected]
> List Archive: http://list.sipfoundry.org/archive/sipx-users
> Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-users
> sipXecs IP PBX -- http://www.sipfoundry.org/
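The burst of failed international attempts described in the original message (about 50 calls within two minutes, all from "sip") is exactly the pattern a CDR watcher can flag before toll fraud succeeds. This is an added example, not code from the thread or from sipXecs: it parses CDR lines in the layout quoted above and raises an alert when one source accumulates a threshold of failed international attempts inside a sliding window. It assumes the quoted column layout and a dial plan where 9 grabs an outside line and 011 is the international prefix; the sample records are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample CDR lines in the layout quoted in the thread:
# <from> <dialed number> <date> <time> <duration> <status>
SAMPLE_CDR = """\
sip 9011441383417547 2/13/10 5:02 AM 0 seconds Failed
sip 9011441383417548 2/13/10 5:02 AM 0 seconds Failed
sip 9011442071234567 2/13/10 5:03 AM 0 seconds Failed
sip 9011339876543210 2/13/10 5:03 AM 0 seconds Failed
201 5551234567 2/13/10 9:15 AM 42 seconds Completed
sip 9011441383417549 2/13/10 11:40 AM 0 seconds Failed
"""

CDR_RE = re.compile(
    r"^(?P<src>\S+)\s+(?P<number>\d+)\s+(?P<date>\d{1,2}/\d{1,2}/\d{2})\s+"
    r"(?P<time>\d{1,2}:\d{2} [AP]M)\s+(?P<secs>\d+) seconds\s+(?P<status>\w+)$"
)
# Assumed dial plan: 9 for an outside line, 011 for international dialing.
INTL_PREFIXES = ("9011", "011")

def parse_cdr(text):
    """Parse CDR lines into dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %I:%M %p")
        records.append({"src": m["src"], "number": m["number"],
                        "when": when, "status": m["status"]})
    return records

def find_bursts(records, window=timedelta(minutes=2), threshold=3):
    """Return (src, window_start, count) each time a source's failed
    international attempts within `window` first reach `threshold`."""
    alerts = []
    recent = defaultdict(deque)           # per-source timestamps inside the window
    for r in sorted(records, key=lambda r: r["when"]):
        if r["status"] != "Failed" or not r["number"].startswith(INTL_PREFIXES):
            continue
        q = recent[r["src"]]
        q.append(r["when"])
        while q and r["when"] - q[0] > window:   # drop attempts older than the window
            q.popleft()
        if len(q) == threshold:
            alerts.append((r["src"], q[0], threshold))
    return alerts
```

On the sample data the four 5:02-5:03 attempts trigger one alert for "sip", while the completed call from extension 201 and the isolated 11:40 attempt do not.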
