Am I being Hacked?

If you're not sure what you're doing, you are much safer running Incredible PBX. No ports are exposed to the Internet!
Click to expand...

Im not sure how that's helpful to resolving the problem. Apart from that it's also somewhat untrue. Here are examples of explicit instructions to open ports in/for PIAF:
http://nerdvittles.com/?p=216
"To fix NAT problems with Asterisk, you simply tell your router to forward all data received on UDP ports 4569, 5004 to 5037, 5039 to 5082, and 10000 to 20000 to the private IP address of your Asterisk server."

http://nerdvittles.com/?p=684
"...If the remote site has a fixed IP address, the procedure to allow remote access to your server is fairly straight-forward: just map the SIP ports on the hardware-based firewall to your server (UDP 5000:5082 and UDP 10000:20000) and then restrict SIP access using IPtables to the remote IP address as well as the subnet of your private LAN."

http://nerdvittles.com/?p=66
"Then you'll need to make certain that your firewall redirects incoming UDP traffic on ports 5060 through 5082 and 10000 through 20000 to the internal IP address of your Asterisk server."

As my posts above detail, the only ports open to the outside world are for SIP traffic; moreover, these firewall rules are explicitly defined to accept SIP traffic from Vitelity's domain only. Doing these things is supposed to prevent SIP traffic from other domains/IP's but the evidence in the call logs, at least in my case, shows that these measures were overcome.

The folks that are posting in this thread are obviously concerned about the security of their PIAF installations--and are posting here to assess and fix the problem, and perhaps learn along the way or discover a mistake or misconfiguration. Whether we all "know what we're doing" is beside the point. Ensuring bulletproof network security is a complex, evolving, iterative endeavor and even the most knowledgeable, diligent folks occasionally screw up. Im sure most people would claim to know how to drive a car, but how many of us have been involved in accidents?



Back on point:
I've posted details about my hardware firewall, iptables, and SIP settings. Does anyone have any idea about how are these calls getting through?
 
ppmax said:
As my posts above detail, the only ports open to the outside world are for SIP traffic; moreover, these firewall rules are explicitly defined to accept SIP traffic from Vitelity's domain only. Doing these things is supposed to prevent SIP traffic from other domains/IP's but the evidence in the call logs, at least in my case, shows that these measures were overcome.
Click to expand...

I'm no expert but surely somethings gone wrong there then, maybe check your rules.

As far as this problem goes joe gave the solution on page 1, turn on allow anonymous sip, set a catch all to immediate hangup, job done, no more entries in the cdr, no phones ringing.
 
My only point was that SIP is a dangerous business these days. Out of the box, PIAF does not have it locked down. Incredible PBX does. Not suggesting anyone doesn't know what they're doing.
 
wardmundy said:
My only point was that SIP is a dangerous business these days. Out of the box, PIAF does not have it locked down. Incredible PBX does. Not suggesting anyone doesn't know what they're doing.
Click to expand...

How exactly is this locked down in the Incredible PBX. We are seeing these entries in Incredible PBX Silver install. I have entered the ip address that the sip entries were coming from in the iptables firewall as you suggested. By following these directions below. I have also implemented the Catch All as Joe has suggested. My question still is, can and how to make an entry that would block a series of all IP address that start with 93.190.143.XXX like in the example below????

EXAMPLE GIVEN: A INPUT -s 93.190.143.10 -j DROP

[FONT=&quot]DIRECTIONS FOLLOWED:
[/FONT]
[FONT=&quot]Edit /etc/sysconfig/iptables and search for the following line:[/FONT]
[FONT=&quot]Quote:[/FONT]
[FONT=&quot]-A INPUT -m state --state RELATED -j ACCEPT [/FONT]
[FONT=&quot]
Immediately after this line, add lines like this for each IP address you wish to block:[/FONT]
[FONT=&quot]Quote:[/FONT]
[FONT=&quot]-A INPUT -s 192.168.2.68 -j DROP
-A INPUT -s 93.190.143.10 -j DROP [/FONT]
[FONT=&quot]
Save the file: Ctrl-X, Y, then Enter.

Then reload IPtables: [/FONT]
[FONT=&quot]Quote:[/FONT]
[FONT=&quot]service iptables stop
service iptables start [/FONT]

My question still is
 
My question still is, can and how to make an entry that would block a series of all IP address that start with 93.190.143.XXX like in the example below????
Click to expand...

The -s option allows you to specify a single address or a range using the address/mask style notation.

To drop all connections between 93.190.143.0 - 93.190.143.255, use this:
-A INPUT -s 93.190.143.0/24 -j DROP

HTH
 
kmcdaniel said:
How exactly is [SIP] locked down in the Incredible PBX.
Click to expand...

It's locked down in Incredible PBX by virtue of the fact that it is supposed to be sitting behind a hardware-based firewall with NO ports mapped to your Incredible PBX. SIP is not locked down in IPtables; however, IAX is. Sorry for the confusion.
 
You must log in or register to reply here.

Members online

No members online now.
Total: 98 (members: 1, guests: 97)

Latest Posts

Forum statistics

Threads
26,687
Messages
174,411
Members
20,257
Latest member
Dempan
Get 3CX - Absolutely Free!

Link up your team and customers Phone System Live Chat Video Conferencing

Hosted or Self-managed. Up to 10 users free forever. No credit card. Try risk free.

3CX
A 3CX Account with that email already exists. You will be redirected to the Customer Portal to sign in or reset your password if you've forgotten it.
Verify your Email

Check your inbox!

We’ve sent you an email. Click on the button in the email body to verify your email address – (if you can not find it, check your spam folder).

Upon verification you will be directed to the 3CX setup wizard.

Back
Top