We'll be discussing some of the new features in 4.6 at the CoLab in March @ CSU that will help address this...
On Thu, Dec 29, 2011 at 5:46 AM, Tony Graziano <[email protected]> wrote:

> This has been discussed before. This is an attempt to use your system
> illegally.
>
> Simply put, the outsider is sending an invite to port 5060 (because that's
> sip, essentially). They can use "unknown" or whatever CNAM they want, but
> they are not getting the call completed because sipx challenges them for
> credentials. They are likely supplying a list of usernames/passwords that
> are well known on asterisk or other systems (default account from
> different distributions), in an attempt to find an open system and provide
> access to it to make International calls.
>
> This is what is known as "toll fraud".
>
> You have options:
>
> - Rate limit the cps (connections per second) to port 5060 at your firewall.
> - Block access to port 5060 from countries other than your providers/users
>   in your firewall.
> - Go to your firewall logs and determine where those connections are coming
>   from and specifically block that network/ip.
>
> This is a security issue. At this time sipx does protect itself because it
> sets up secure sip passwords by default and requires the caller to provide
> adequate credentials in a method that does not compromise this from the
> outside.
>
> You might find it more helpful to alleviate this in the future by seeing
> what can be done at your firewall to reduce these types of incidents.
> Sometimes they can overwhelm a system and actually bring services down if
> the requests are concentrated enough (ddos).
>
> On Wed, Dec 28, 2011 at 11:02 PM, Chris Wiegand <[email protected]>
> wrote:
>
>> I have a number of failed calls from “unknown” to a number that appears
>> to be in the UK. 442032987203 is the only common part, they keep trying
>> different prefixes/access codes. All failed, thankfully, but I’m not even
>> sure where I can find this in the logs – the only evidence I have that this
>> even occurred is in the call detail records in the web interface.
>>
>> We’re using the random passwords the system generates, so I feel it’s
>> probably unlikely that someone magically brute-forced one of the passwords
>> to one of our extensions. I tried grep’ing the /var/log/sipxecs folder but
>> didn’t find any instances of this number – is there a log file that these
>> calls should be in? If someone did register I want to find that record,
>> re-do that extension’s password and install fail2ban to prevent future
>> (non)incidents, but I can’t seem to find it anywhere outside of the web
>> interface…
>>
>> MobileAccord.com <http://mobileaccord.com>
>> For more information text *MA* to 50555.
>>
>> __________________________________________________________________
>>
>> Chris Wiegand | Network Administrator | Mobile Accord
>> 2150 West 29th Avenue | Second Floor | Denver, Colorado 80211 USA
>> t +1.303.531.5505 | m +1.720.244.1409 | f +1.303.531.5509
>>
>> _______________________________________________
>> sipx-users mailing list
>> [email protected]
>> List Archive: http://list.sipfoundry.org/archive/sipx-users/
>
> --
> ======================
> Tony Graziano, Manager
> Telephone: 434.984.8430
> sip: [email protected]
> Fax: 434.465.6833
>
> Email: [email protected]
>
> LAN/Telephony/Security and Control Systems Helpdesk:
> Telephone: 434.984.8426
> sip: [email protected]
>
> Helpdesk Customers: http://myhelp.myitdepartment.net
> Blog: http://blog.myitdepartment.net
>
> Linked-In Profile:
> http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
> Ask about our Internet Fax services!

--
Michael Picher, Director of Technical Services
eZuce, Inc.
300 Brickstone Square
Suite 201
Andover, MA. 01810
O.978-296-1005 X2015
M.207-956-0262
@mpicher <http://twitter.com/mpicher>
www.ezuce.com
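An added example, not part of the thread and not sipXecs code: Python detection logic that flags the pattern Chris describes, failed calls from one caller that share a destination behind changing prefixes, in exported call detail records. The row layout, the prefixes and other numbers in the sample data, and the thresholds are assumptions constructed for illustration; only 442032987203 and the "unknown" caller come from the thread.

```python
from collections import defaultdict
from functools import reduce

# Constructed sample rows (caller, dialed, status). This layout is an
# assumption for the example, not the sipXecs CDR schema.
SAMPLE_CDRS = [
    ("unknown", "9011442032987203", "failed"),
    ("unknown", "00442032987203", "failed"),
    ("unknown", "011442032987203", "failed"),
    ("unknown", "900442032987203", "failed"),
    ("unknown", "00442032987203", "failed"),   # repeat attempt, counted once
    ("201", "13035550100", "completed"),       # normal completed call
    ("202", "442079460123", "failed"),         # single misdial, not a probe
]


def common_suffix(a, b):
    """Longest string that both a and b end with."""
    n = 0
    while n < min(len(a), len(b)) and a[-1 - n] == b[-1 - n]:
        n += 1
    return a[len(a) - n:]


def find_prefix_probes(cdrs, tail_len=10, min_variants=3):
    """Map (caller, shared destination) -> sorted list of prefixes tried.

    Failed calls are grouped per caller by their last tail_len digits; a group
    is reported once it holds min_variants distinct dialed strings, which is
    the "same number, different access codes" signature of a toll-fraud probe.
    """
    clusters = defaultdict(set)
    for caller, dialed, status in cdrs:
        digits = "".join(ch for ch in dialed if ch.isdigit())
        if status == "failed" and len(digits) >= tail_len:
            clusters[(caller, digits[-tail_len:])].add(digits)

    findings = {}
    for (caller, _tail), numbers in clusters.items():
        if len(numbers) < min_variants:
            continue
        shared = reduce(common_suffix, numbers)
        findings[(caller, shared)] = sorted(n[: len(n) - len(shared)] for n in numbers)
    return findings


if __name__ == "__main__":
    for (caller, dest), prefixes in find_prefix_probes(SAMPLE_CDRS).items():
        print(f"caller={caller} destination={dest} prefixes tried={prefixes}")
```
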
