Hi Eric,

Y'know I thought about our conversation just as this was happening. The 
bit I don't get is the getting into my system in the first instance and 
why do I show no calls in the log?

I've tried making calls locally across the bench and they don't show up. 
Indeed, even inbound calls don't show up right away. Tonight I've 
witnessed calls somehow purged from the logs themselves. I made 2 calls 
to Broadvoice this evening which showed up in the log almost 
immediately; now they are gone.

Clearly I need some schooling in security around here :)

I think the MySIP UA thing is a "poisson rouge". I'm thinking that the UA 
field remained populated just because the current user didn't override 
it with a new setting - an undocumented "feature" perhaps?

I'm going back to dig through the logs some more.

In the meantime, I had a thought about your hacker of last week and why 
the FW rule wasn't keeping him out. We forgot that the firewall is 
stateful. The rule would only affect new connections. Until the current 
connection had terminated it could continue to do its thing.

Note to self, change FW rules - reboot firewall!

Mark

On 09/18/2010 09:07 PM, e...@kowalewski.com wrote:
> Mark,
>
>       So then the hacker was able to hack you by:
>
> IP
> SIP account name
> SIP password
>
> ???
>
>       As you know, I was hacked by my IP and SIP account, but they were
> unable to get the password.  Would a static IP from your cell phone provider
> help make a "guilty unless allowed access" strategy work?
>
>    Eric
>
> -----Original Message-----
> From: Mark Phillips [mailto:g7...@g7ltt.com]
> Sent: Saturday, September 18, 2010 8:55 PM
> To: AstLinux Users Mailing List
> Subject: [Astlinux-users] Call Theft again - questions
>
> Hi All,
>
> Well, for the second time in about a month I've been the victim of call
> theft to the tune of almost $1000. It would seem that someone is able to
> acquire an extension on my AstLinux box and use it to call Somalia for a
> few minutes at a time over and over again until I catch it.
>
> Luckily this time my provider was on the lookout and trapped the theft
> after about $250 of calls were made.
>
> To get to the point, Broadvoice's call log shows that I made a good many
> calls to a particular number in Somalia but my log does not. Indeed, my
> log as viewed via the AstLinux Management web interface shows that the
> last call made by one of my users was at around 10:30am today. The last
> call to Somalia was at 5:48 tonight.
>
> I have a number of questions all related to SIP security but my biggest
> question is "why don't the calls show up in my log?" My provider can
> show logs demonstrating that the Somalia calls came from my IP address
> and I did spot the odd one or 2 towards the end originating from an
> extension within my number plan.
>
> So back to my SIP questions, I use a combination of hard and softphones
> around the house and a softphone on my new Android phone. I occasionally
> use a softphone on my laptop remotely via L2TP VPN.
>
> Each entry in my sip.conf file has this in it:
>
> deny=0.0.0.0/0.0.0.0
> permit=192.168.201.0/255.255.255.0
> permit=192.168.202.0/255.255.255.0
>
> but yet still the hacker/thief was able to get in.
>
> When I spotted the theft I noted that the thief was using exten 2201 (my
> android softphone), the UA as reported by "sip show peer 2201" was
> "MySIP" (an app I was never able to get working correctly) but yet my
> Android wasn't running the MySIP softphone at the time.
>
> Could it be that the MySIP app was in fact some sort of Android Trojan?
> How well, if at all, do the deny/permit parameters in sip.conf work?
> How well does the SIP module in AstLinux stand up to brute force attacks
> (I'm assuming the thief tried that as well)?
>
> I'm now so worried about another one of these occurrences that I'm
> having to disable SIP access on my monoWall which in turn will impact my
> ability to work.
>
> Ideas??
>
> Thanks
>
> Mark
>
>
> ------------------------------------------------------------------------------
> Start uncovering the many advantages of virtual appliances
> and start using them to simplify application deployment and
> accelerate your shift to cloud computing.
> http://p.sf.net/sfu/novell-sfdev2dev
> _______________________________________________
> Astlinux-users mailing list
> Astlinux-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/astlinux-users
>
> Donations to support AstLinux are graciously accepted via PayPal to
> pay...@krisk.org.
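Mark's biggest question is why the Somalia calls never appeared in the log shown by the AstLinux management web interface. A check worth running independently of what that interface displays is to read the raw CDR file that Asterisk's CDR backend writes (when one is enabled) for calls it bridged out through the trunk. The script below is an added example, not code from this thread or from the AstLinux project: it parses rows in the layout of the cdr-csv backend's Master.csv (that column order is an assumption here; confirm it against your Asterisk version), flags international calls whose country code is not on an allowlist, and reports destinations that were dialled repeatedly, which is the pattern Mark describes (short calls to one number, over and over). The sample rows are constructed, not a real CDR file.

```python
import csv
from collections import Counter
from io import StringIO

# Column order of Asterisk's cdr-csv backend (Master.csv). This is an assumption
# made for the example; verify it against your own Asterisk version.
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid",
]

# Constructed sample rows (no header line, as in Master.csv): internal, domestic
# and UK traffic mixed with three short calls from extension 2201 to one number
# carrying Somalia's country code (252), dialled via the US 011 prefix.
SAMPLE_CDR = """\
"","2202","2201","internal","Kitchen <2202>","SIP/2202-0001","SIP/2201-0002","Dial","SIP/2201,20","2010-09-18 10:30:01","2010-09-18 10:30:05","2010-09-18 10:33:40","219","215","ANSWERED","3","1284820201.1"
"","2204","12125551212","outbound","Office <2204>","SIP/2204-0003","SIP/broadvoice-0004","Dial","SIP/broadvoice/12125551212","2010-09-18 11:02:10","2010-09-18 11:02:18","2010-09-18 11:10:02","472","464","ANSWERED","3","1284822130.3"
"","2203","011442079460000","outbound","Study <2203>","SIP/2203-0005","SIP/broadvoice-0006","Dial","SIP/broadvoice/011442079460000","2010-09-18 14:15:00","2010-09-18 14:15:09","2010-09-18 14:20:00","300","291","ANSWERED","3","1284833700.5"
"","2201","0112525550101","outbound","2201 <2201>","SIP/2201-0007","SIP/broadvoice-0008","Dial","SIP/broadvoice/0112525550101","2010-09-18 17:31:04","2010-09-18 17:31:10","2010-09-18 17:34:59","235","229","ANSWERED","3","1284845464.7"
"","2201","0112525550101","outbound","2201 <2201>","SIP/2201-0009","SIP/broadvoice-0010","Dial","SIP/broadvoice/0112525550101","2010-09-18 17:36:12","2010-09-18 17:36:19","2010-09-18 17:40:03","231","224","ANSWERED","3","1284845772.9"
"","2201","0112525550101","outbound","2201 <2201>","SIP/2201-0011","SIP/broadvoice-0012","Dial","SIP/broadvoice/0112525550101","2010-09-18 17:44:50","2010-09-18 17:44:57","2010-09-18 17:48:31","221","214","ANSWERED","3","1284846290.11"
"""


def parse_cdr(text):
    """Parse Master.csv-style rows (quoted CSV, no header) into dicts keyed by CDR_FIELDS."""
    rows = []
    for rec in csv.reader(StringIO(text)):
        if not rec:
            continue
        rows.append(dict(zip(CDR_FIELDS, rec)))
    return rows


def international_part(dst):
    """Return the digits after the international dial prefix (US 011 or a leading +),
    or None when the destination is an internal extension or a domestic number."""
    if dst.startswith("+"):
        return dst[1:]
    if dst.startswith("011"):
        return dst[3:]
    return None


def find_suspect_calls(text, allowed_country_codes, min_repeats=2):
    """Flag international calls whose country code is not on the allowlist and
    report which of those destinations were dialled at least min_repeats times."""
    suspects = []
    for row in parse_cdr(text):
        intl = international_part(row["dst"])
        if intl is None:
            continue
        if any(intl.startswith(cc) for cc in allowed_country_codes):
            continue
        suspects.append({
            "src": row["src"],
            "dst": row["dst"],
            "start": row["start"],
            "channel": row["channel"],
            "billsec": int(row["billsec"] or 0),
        })
    counts = Counter(s["dst"] for s in suspects)
    repeated = {dst: n for dst, n in counts.items() if n >= min_repeats}
    return {
        "calls": suspects,
        "repeated": repeated,
        "billsec_total": sum(s["billsec"] for s in suspects),
    }


if __name__ == "__main__":
    # Only UK (44) is expected international traffic for this constructed PBX.
    report = find_suspect_calls(SAMPLE_CDR, allowed_country_codes={"44"})
    for c in report["calls"]:
        print(f'{c["start"]}  {c["src"]} -> {c["dst"]}  {c["billsec"]}s  {c["channel"]}')
    for dst, n in report["repeated"].items():
        print(f"{dst}: dialled {n} times, {report['billsec_total']}s billed in total")
```

Run it against the real file (on AstLinux the cdr-csv backend writes under Asterisk's log directory) by swapping `SAMPLE_CDR` for the file's contents; the `channel` column shows which peer the call was placed from, which is what Mark eventually spotted by hand for extension 2201.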
