Thanks all - that seems to have fixed the issue - so now no internet access until everything inside our network is happy! And then probably only vpn connections allowed after that!
Laurie From: [email protected] [mailto:[email protected]] On Behalf Of Steve Beaudry Sent: 18 September 2012 01:50 To: Discussion list for users of sipXecs software Cc: Discussion list for users of sipXecs software Subject: Re: [sipx-users] Registrations dropping Ahhh. We (and the script) do not allow SIP calls from anything other than our users' SIP endpoints.. It is a closed SIP system, with all 'public' calling happening via PSTN gateway. The script is a mid-way point between 'allow everything' and 'allow nothing'. ...Steve... On 2012-09-17, at 3:43 PM, "Tony Graziano" <[email protected]> wrote: Then how does your script discern a real sip call from a foreign system? It must not be allowed since there is no phone registered. -- ~~~~~~~~~~~~~~~~~~ Tony Graziano, Manager Telephone: 434.984.8430 sip: [email protected] Fax: 434.465.6833 ~~~~~~~~~~~~~~~~~~ Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4 Ask about our Internet Fax services! ~~~~~~~~~~~~~~~~~~ Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013! On Sep 17, 2012 5:19 PM, "Steve Beaudry" <[email protected]> wrote: Tony, I must now disagree. The script serves to block both registration attempts and blod call attempts. Essentially, there is a 'block all access from outside IPs' rule, and the script adds exceptions for those who have successfully logged in (on port 80/8443, which has a permanent exception). ALL sip traffic is blocked/discarded unless it's from a known IP. You are correct, however, that the typical attempts we see are simply 'blind call attempts', not registation attempts. Respectfully, ...Steve... On 2012-09-17, at 2:13 PM, "Tony Graziano" <[email protected]> wrote: The registrations could be because of bogus registration attempts. BUT if these are call attempts (not registrations) against the proxy, they will effectively use resources if the attempts are consistent enough in volume to effectively eat the resources away until the registrar can't process registrations. 1. look at your CDR's for the day of and day before to see if there are bogus call attempt. 2. Inspect your logs (sipXproxy.log and sipregistrar.log) 3. Consider some measures by means of firewall rules to rate limit your connections per second, etc. 4. Steve's script might help IF the attempts are to register, but if it is simply probing your server to send calls through it without registering, it will not help. On Mon, Sep 17, 2012 at 4:06 PM, Steve Beaudry <[email protected]> wrote: Hi Laurie, I have to agree with Tony here. I've had exactly the same issue you describe at two different installations, and in every case it turned out to be sip packets from the Internet, making connections to the SipXecs server, and running it out of resources. I can't say if the packets were an intentional DOS, or just an unintended side effect of random probing. Nonetheless, the effect was the same. In all cases, blocking port 5060 from the public network was an immediate and effective solution. If blocking port 5060 outright is not an option, because you need to allow outside SIP connections, I have developed a script that might help. The script monitors the log file of successful logins to the web interface, and manages iptables firewall rules on the SipX host itself, to only allow connections from IP addresses that have successfully authenticated. We simply tell users that if they wish to connect remotely, they first need to login to their voice mailbox from whatever IP address they wish to connect from. This works equally well for home users with a laptop and SIP phone behind a NAT gateway, and from mobile clients like Bria on the iPhone. I'm perfectly willing to share the script, with two forewarnings.. 1) I'd consider it a 'proof of concept', which should be modified for your own environment. It works in the two installations that I've set it up in. 2) It has no provisions for a high-availability setup. It wouldn't be too hard to setup, but I haven't done so. I'd considered shooting the script back to the community in the last, but putting other fires out has prevented me from taking the time to document it as much as I think it should be if anyone were planning to use/include it. If you'd like to see a copy of it, lemme know, and I can send it your way. Cheers, ...Steve... Stephen Beaudry, Manager Server, Network and Telecom Infrastructures Royal Roads University T 250.391.2600 ext. 4149 <tel:250.391.2600%20ext.%204149> 2005 Sooke Road, Victoria, BC Canada V9B 5Y2 royalroads.ca <http://royalroads.ca/> LIFE.CHANGING On 2012-09-17, at 6:48 AM, "Tony Graziano" <[email protected]> wrote: Sounds like you are being bothered from the outside. /var/log/sipxpbx Is where logs are. -- ~~~~~~~~~~~~~~~~~~ Tony Graziano, Manager Telephone: 434.984.8430 sip: [email protected] Fax: 434.465.6833 ~~~~~~~~~~~~~~~~~~ Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4 Ask about our Internet Fax services! ~~~~~~~~~~~~~~~~~~ Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013! On Sep 17, 2012 9:23 AM, "IT Manager" <[email protected]> wrote: Where would I find the proxy and registrar logs - I can't find them in the web interface? And now you mention it - I do occasionally get lots of emails about there not being enough ports or something for media. Hopefully, disabling the internet connection will stop any trouble. So now - should I run the yum update to update everything? Laurie From: [email protected] [mailto:[email protected]] On Behalf Of Tony Graziano Sent: 17 September 2012 12:10 To: Discussion list for users of sipXecs software Subject: Re: [sipx-users] Registrations dropping Check the proxy and registrar logs. Also check CPU and ram/swap. The logs may show a lot of call or registration attempts. If the phone are not registering via the internet close off port 5060. -- ~~~~~~~~~~~~~~~~~~ Tony Graziano, Manager Telephone: 434.984.8430 sip: [email protected] Fax: 434.465.6833 ~~~~~~~~~~~~~~~~~~ Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4 Ask about our Internet Fax services! ~~~~~~~~~~~~~~~~~~ Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013! On Sep 17, 2012 2:41 AM, "IT Manager" <[email protected]> wrote: Dear all, I think I have emailed on this before, but I am still struggling with it: Regularly (read - most mornings) - I will come into the office and all my phones have lost their registrations with the server - going to the server's page and restarting all the services (which incidentally all claim to be running) fixes the problem and the registrations are ok (until the next time). Here is my configuration setup: * SipXecs 4.4.0 (no yum updates as this seemed to make it lose registrations much more frequently) * Running as VM (still testing...L) on ESXi free - the host is not particularly busy (especially overnight which is when it has it's issues) * Grandstream phones GXP2000 (yes- I know they are crap phones...so don't berate me on them - but they do work fine when they are allowed to register) * Firewall 5060 opened to the internet along with the other higher ports - could it be falling over due to hacking? Can anyone help? I cannot install this company wide if it is going to be doing this and I know that it works reliably elsewhere in the world... Thanks, Laurie <image001.png> Laurie Nason IT Manager Mission Aviation Fellowship - Uganda T +256 41 4267462 F +256 41 4267433 PO Box 1, Kampala, Uganda Mission Aviation Fellowship International. A company Limited by guarantee, registered in England & Wales Registered Charity Number: 1058226. Registered Company Number: 3144199. Registered Office: Operations Centre, Henwood, Ashford, Kent TN24 8DH <image002.png>www.maf-uganda.org _______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/ LAN/Telephony/Security and Control Systems Helpdesk: Telephone: 434.984.8426 sip: [email protected] Helpdesk Customers: http://myhelp.myitdepartment.net Blog: http://blog.myitdepartment.net -- This message has been scanned for viruses and dangerous content by MailScanner <http://www.mailscanner.info/> , and is believed to be clean. _______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/ LAN/Telephony/Security and Control Systems Helpdesk: Telephone: 434.984.8426 sip: [email protected] Helpdesk Customers: http://myhelp.myitdepartment.net Blog: http://blog.myitdepartment.net _______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/ _______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/ -- ~~~~~~~~~~~~~~~~~~ Tony Graziano, Manager Telephone: 434.984.8430 sip: [email protected] Fax: 434.465.6833 ~~~~~~~~~~~~~~~~~~ Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4 Ask about our Internet Fax services! ~~~~~~~~~~~~~~~~~~ Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013! <http://sipxcolab2013.eventbrite.com/?discount=tony2013> LAN/Telephony/Security and Control Systems Helpdesk: Telephone: 434.984.8426 sip: [email protected] Helpdesk Customers: http://myhelp.myitdepartment.net Blog: http://blog.myitdepartment.net _______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/ _______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/ LAN/Telephony/Security and Control Systems Helpdesk: Telephone: 434.984.8426 sip: [email protected] Helpdesk Customers: http://myhelp.myitdepartment.net Blog: http://blog.myitdepartment.net _______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/ -- This message has been scanned for viruses and dangerous content by MailScanner <http://www.mailscanner.info/> , and is believed to be clean.
_______________________________________________ sipx-users mailing list [email protected] List Archive: http://list.sipfoundry.org/archive/sipx-users/
