Re: [asterisk-users] Someone has hacked into our system
On Tue, Nov 23, 2010 at 06:51:37PM -0500, John Novack wrote:
> You should also have, in general:
> alwaysauthreject=yes
> This seems pretty effective in stopping some hacking
> These are simple fixes.

I found it very effective to make sure the handled SIP domains don't contain the IP address(es) of your internet connection(s), by only explicitly listing internal IP addresses and hostnames, e.g.:

domain=10.2.3.4
domain=sip.example.com

The standard scanners will get a "Not a local domain" error, since they only try the external IP address to connect (for now).

--
Daniel Tryba

--
-- Bandwidth and Colocation Provided by http://www.api-digital.com --
New to Asterisk? Join us for a live introductory webinar every Thurs:
http://www.asterisk.org/hello

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
Re: [asterisk-users] Someone has hacked into our system
Hi Gary,

I went through this process a few times over the past few years. There's a few short guides for securing Asterisk, but much of it depends on your design. If it's a traditional POTS-type PBX then locking down IPs using firewalls is a great thing, however if you make use of inbound SIP calls from end-user PC clients on the Internet then that's not always possible.

So here's my recommendations:

1) Change the default context name to something like publicinbound.
2) Create a context called publicinbound that does basically nothing.
3) Set up a different context for a peer or friend, IAX or SIP, or whatever. That way you can see which connection the hacker's coming in from.
4) If you don't want to firewall off the whole internet, then at least make use of fail2ban - it's a free scripted addon that watches for hacking attempts and firewalls them off.
5) Really really long passwords and usernames - this one's pretty key. My first task was in going through and understanding where all the passwords were and changing them. I now make mine completely random and a min of 30 chars.
6) IP restrictions. If a peer or user does have a fixed IP, then define it in the appropriate config file.
7) The alwaysauthreject is good.. helps fumble the hackers.

Thanks,
Adrian
Re: [asterisk-users] Someone has hacked into our system
One thing we did to secure remote users is to use SNOM370s and OpenVPN..

--
Singer XJ Wang, Senior System and Database Administrator
The Pythian Group - love your data
http://www.pythian.com
Desk: (613) 565-8696 x298
Cell: (613) 266-3763

On Thu, Nov 25, 2010 at 12:33, Adrian Marsh adrian.ma...@ubiquisys.com wrote:

> Hi Gary,
>
> I went through this process a few times over the past few years. There's a few short guides for securing Asterisk, but much of it depends on your design. If it's a traditional POTS-type PBX then locking down IPs using firewalls is a great thing, however if you make use of inbound SIP calls from end-user PC clients on the Internet then that's not always possible.
>
> So here's my recommendations:
>
> 1) Change the default context name to something like publicinbound.
> 2) Create a context called publicinbound that does basically nothing.
> 3) Set up a different context for a peer or friend, IAX or SIP, or whatever. That way you can see which connection the hacker's coming in from.
> 4) If you don't want to firewall off the whole internet, then at least make use of fail2ban - it's a free scripted addon that watches for hacking attempts and firewalls them off.
> 5) Really really long passwords and usernames - this one's pretty key. My first task was in going through and understanding where all the passwords were and changing them. I now make mine completely random and a min of 30 chars.
> 6) IP restrictions. If a peer or user does have a fixed IP, then define it in the appropriate config file.
> 7) The alwaysauthreject is good.. helps fumble the hackers.
>
> Thanks,
> Adrian
Re: [asterisk-users] Someone has hacked into our system
On 23 Nov 2010 at 16:54, Joseph (Joseph syscon...@gmail.com) commented about Re: [asterisk-users] Someone has hacked into our :

> On 11/23/10 14:18, Gary Kuznitz wrote:
> > Thank you for the reply... Comments below...
> >
> > On 22 Nov 2010 at 17:23, Tilghman (Tilghman Lesher asterisk-us...@lists.digium.com) commented about Re: [asterisk-users] Someone has hacked into our :
> >
> > > On Monday 22 November 2010 17:10:31 Gary Kuznitz wrote:
> > > > I have the log now. I'd like to know what to look for in trying to figure out how the calls are getting originated. I'd be happy to share all the information. I just don't want to post information on this public list that might show other people how to get in to our box.
> > >
> > > allowguest=yes in sip.conf, with a context= in the [general] section that is permitted to make outbound calls?
> >
> > I'm trying to understand exactly what this means. I found a sip.conf in /etc/asterisk. I have a [general] section. I don't have allowguest=yes. Is that good or am I supposed to have it?
>
> Look for allowguest
> default is yes
> I change it to allowguest=no
>
> In addition you might want to restrict some countries in your dial-plan, here is my list:

This would be great. Can I put this anyplace in extensions.conf? Or does it need to go after [DLPN_DialPlanl] ?

Thanks,
Gary Kuznitz

> [blocked-numbers]
> ;block bahamas, etc
> exten = _91900.,1,congestion ; N11
> exten = _91XXX976.,1,congestion ; N11
> exten = _91XXX555.,1,congestion ; N11
> exten = _91X11.,1,congestion ; N11
> exten = _91867.,1,congestion ; Yukon (sorry mike)
> ;exten = _1NPA Country
> exten = _91232.,1,congestion ; Sierra Leone
> exten = _91242.,1,congestion ; BAHAMAS
> exten = _91246.,1,congestion ; BARBADOS
> exten = _91264.,1,congestion ; ANGUILLA
> exten = _91268.,1,congestion ; ANTIGUA/BARBUDA
> exten = _91284.,1,congestion ; BRITISH VIRGIN ISLANDS
> exten = _91345.,1,congestion ; CAYMAN ISLANDS
> exten = _91441.,1,congestion ; BERMUDA
> exten = _91473.,1,congestion ; GRENADA
> exten = _91649.,1,congestion ; TURKS CAICOS ISLANDS
> exten = _91664.,1,congestion ; MONTSERRAT
> exten = _91758.,1,congestion ; ST. LUCIA
> exten = _91767.,1,congestion ; DOMINICA
> exten = _91784.,1,congestion ; ST. VINCENT GRENADINES
> exten = _91809.,1,congestion ; DOMINICAN REPUBLIC
> exten = _91829.,1,congestion ; DOMINICAN REPUBLIC
> exten = _91868.,1,congestion ; TRINIDAD AND TOBAGO
> exten = _91869.,1,congestion ; ST. KITTS AND NEVIS
> exten = _91876.,1,congestion ; JAMAICA
>
> --
> Joseph
Re: [asterisk-users] Someone has hacked into our system
Thank you for the reply.

On 23 Nov 2010 at 18:51, John (John Novack jnov...@stromberg-carlson.org) commented about Re: [asterisk-users] Someone has hacked into our :

> Gary Kuznitz wrote:
> > Thank you for the reply... Comments below...
> >
> > On 22 Nov 2010 at 17:23, Tilghman (Tilghman Lesher asterisk-us...@lists.digium.com) commented about Re: [asterisk-users] Someone has hacked into our :
> >
> > > On Monday 22 November 2010 17:10:31 Gary Kuznitz wrote:
> > > > I have the log now. I'd like to know what to look for in trying to figure out how the calls are getting originated. I'd be happy to share all the information. I just don't want to post information on this public list that might show other people how to get in to our box.
> > >
> > > allowguest=yes in sip.conf, with a context= in the [general] section that is permitted to make outbound calls?
> >
> > I'm trying to understand exactly what this means. I found a sip.conf in /etc/asterisk. I have a [general] section. I don't have allowguest=yes. Is that good or am I supposed to have it?
>
> I believe what you SHOULD have is:
> allowguest=no
> Not sure if that is the default behavior or not
>
> > If I'm supposed to have it can it go any place in the [general] section?
> > I have in the [general] section a line with:
> > context = default
> > Is this where I would remove default and enter the IP addresses that are allowed to make calls?
>
> Your default context in extensions.conf should basically lead nowhere. I have mine set up to play an insane laugh then hangup
> Probably safe to say NEVER use context default for any outbound calling

I don't have any context in extensions.conf
I do have context = default in sip.conf
Should I remove that line?
Could you give me an example of what you have in your extensions.conf?

Thank you,
Gary Kuznitz

> You should also have, in general:
> alwaysauthreject=yes
> This seems pretty effective in stopping some hacking
> These are simple fixes. I will let others comment on other more detailed firewalling
>
> John Novack
>
> > What would a line with IP address look like? Could you give me an example? If that isn't where the IP addresses that are allowed are supposed to be, where would I put them?
> >
> > Thank you,
> > Gary Kuznitz
> >
> > > Just a guess, but there have been more than a few such discussions on the list about that configuration, plus a README-SERIOUSLY.bestpractices.txt in the root directory of every Asterisk source tree. You DID read that file, right?
> > >
> > > --
> > > Tilghman Lesher
> > > Digium, Inc. | Senior Software Developer
> > > twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
> > > Check us out at: www.digium.com www.asterisk.org
>
> --
> Dog is my Co-pilot
Re: [asterisk-users] Someone has hacked into our system
On 11/24/10 10:39, Gary Kuznitz wrote:
> > Look for allowguest
> > default is yes
> > I change it to allowguest=no
> >
> > In addition you might want to restrict some countries in your dial-plan, here is my list:
>
> This would be great. Can I put this anyplace in extensions.conf? Or does it need to go after [DLPN_DialPlanl] ?
>
> Thanks,
> Gary Kuznitz

This is in sip.conf

[general]
context=default ; Default context for incoming calls
allowguest=no ; Allow or reject guest calls (default is yes)
...

--
Joseph
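An added example, not code from any poster in this thread: a small Python check of the sip.conf settings recommended in the messages above (allowguest=no, alwaysauthreject=yes, a default context that leads nowhere, long secrets, per-peer IP restrictions). The peer 1001, the trunk name, the secret and all sample files are constructed; treating a missing alwaysauthreject as off and a missing context as "default" are assumptions.

```python
import re

MIN_SECRET = 30  # minimum secret length suggested in this thread

def parse_conf(text):
    """Parse Asterisk .conf text into {section: [(key, value), ...]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # covers both "=" and "=>"
            current.append((key.strip().lower(), value.lstrip(">").strip()))
    return sections

def last(options, key, default=None):
    """Value of the last line that sets key, or default if none does."""
    values = [v for k, v in options if k == key]
    return values[-1] if values else default

def can_dial(dialplan, context, seen=None):
    """True if context, or a context it includes, contains a Dial() step."""
    seen = set() if seen is None else seen
    if context in seen:
        return False
    seen.add(context)
    for key, value in dialplan.get(context, []):
        if key in ("exten", "same") and re.search(r"\bdial\(", value, re.I):
            return True
        if key == "include" and can_dial(dialplan, value, seen):
            return True
    return False

def audit(sip_text, ext_text):
    """Return findings for the sip.conf settings discussed in this thread."""
    sip, dialplan = parse_conf(sip_text), parse_conf(ext_text)
    general, findings = sip.get("general", []), []
    if last(general, "allowguest", "yes").lower() != "no":  # default is yes
        findings.append("general: allowguest is not 'no'")
    if last(general, "alwaysauthreject", "no").lower() != "yes":  # assumption: unset means off
        findings.append("general: alwaysauthreject is not 'yes'")
    ctx = last(general, "context", "default")  # assumption: unset means "default"
    if can_dial(dialplan, ctx):
        findings.append(f"general: context '{ctx}' can reach Dial()")
    for name, opts in sip.items():
        if name == "general" or last(opts, "type") is None:
            continue  # only sections that define a peer, user or friend
        if len(last(opts, "secret", "")) < MIN_SECRET:
            findings.append(f"{name}: secret shorter than {MIN_SECRET} characters")
        if last(opts, "permit") is None:
            findings.append(f"{name}: no deny/permit IP restriction")
    return findings

# Constructed sample files: one dialplan, a weak sip.conf, the same peer hardened.
EXTENSIONS = """
[default]
include => internal
[publicinbound]
exten => _X.,1,Hangup()
[internal]
exten => _9.,1,Dial(SIP/trunk/${EXTEN:1})
"""
WEAK_SIP = """
[general]
context=default
[1001]
type=friend
secret=1001
"""
HARD_SIP = """
[general]
context=publicinbound
allowguest=no
alwaysauthreject=yes
[1001]
type=friend
secret=Zq7vLw2RkT9xHc4NpB8mYd3FgJ6sUa1E
deny=0.0.0.0/0.0.0.0
permit=10.2.3.0/255.255.255.0
"""
if __name__ == "__main__":
    print(audit(WEAK_SIP, EXTENSIONS), audit(HARD_SIP, EXTENSIONS))
```

The parser treats every `;` as the start of a comment, so a secret that contains an escaped semicolon would be read as shorter than it is.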
Re: [asterisk-users] Someone has hacked into our system
Thank you for the reply... Comments below...

On 22 Nov 2010 at 17:23, Tilghman (Tilghman Lesher asterisk-us...@lists.digium.com) commented about Re: [asterisk-users] Someone has hacked into our :

> On Monday 22 November 2010 17:10:31 Gary Kuznitz wrote:
> > I have the log now. I'd like to know what to look for in trying to figure out how the calls are getting originated. I'd be happy to share all the information. I just don't want to post information on this public list that might show other people how to get in to our box.
>
> allowguest=yes in sip.conf, with a context= in the [general] section that is permitted to make outbound calls?

I'm trying to understand exactly what this means. I found a sip.conf in /etc/asterisk. I have a [general] section. I don't have allowguest=yes. Is that good or am I supposed to have it?

If I'm supposed to have it can it go any place in the [general] section?
I have in the [general] section a line with:
context = default
Is this where I would remove default and enter the IP addresses that are allowed to make calls?

What would a line with IP address look like? Could you give me an example? If that isn't where the IP addresses that are allowed are supposed to be, where would I put them?

Thank you,
Gary Kuznitz

> Just a guess, but there have been more than a few such discussions on the list about that configuration, plus a README-SERIOUSLY.bestpractices.txt in the root directory of every Asterisk source tree. You DID read that file, right?
>
> --
> Tilghman Lesher
> Digium, Inc. | Senior Software Developer
> twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
> Check us out at: www.digium.com www.asterisk.org
Re: [asterisk-users] Someone has hacked into our system
Gary Kuznitz wrote:
> Thank you for the reply... Comments below...
>
> On 22 Nov 2010 at 17:23, Tilghman (Tilghman Lesher asterisk-us...@lists.digium.com) commented about Re: [asterisk-users] Someone has hacked into our :
>
> > On Monday 22 November 2010 17:10:31 Gary Kuznitz wrote:
> > > I have the log now. I'd like to know what to look for in trying to figure out how the calls are getting originated. I'd be happy to share all the information. I just don't want to post information on this public list that might show other people how to get in to our box.
> >
> > allowguest=yes in sip.conf, with a context= in the [general] section that is permitted to make outbound calls?
>
> I'm trying to understand exactly what this means. I found a sip.conf in /etc/asterisk. I have a [general] section. I don't have allowguest=yes. Is that good or am I supposed to have it?

I believe what you SHOULD have is:
allowguest=no
Not sure if that is the default behavior or not

> If I'm supposed to have it can it go any place in the [general] section?
> I have in the [general] section a line with:
> context = default
> Is this where I would remove default and enter the IP addresses that are allowed to make calls?

Your default context in extensions.conf should basically lead nowhere. I have mine set up to play an insane laugh then hangup
Probably safe to say NEVER use context default for any outbound calling

You should also have, in general:
alwaysauthreject=yes
This seems pretty effective in stopping some hacking
These are simple fixes. I will let others comment on other more detailed firewalling

John Novack

> What would a line with IP address look like? Could you give me an example? If that isn't where the IP addresses that are allowed are supposed to be, where would I put them?
>
> Thank you,
> Gary Kuznitz
>
> > Just a guess, but there have been more than a few such discussions on the list about that configuration, plus a README-SERIOUSLY.bestpractices.txt in the root directory of every Asterisk source tree. You DID read that file, right?
> >
> > --
> > Tilghman Lesher
> > Digium, Inc. | Senior Software Developer
> > twitter: Corydon76 | IRC: Corydon76-dig (Freenode)
> > Check us out at: www.digium.com www.asterisk.org

--
Dog is my Co-pilot
Re: [asterisk-users] Someone has hacked into our system
On 11/23/10 14:18, Gary Kuznitz wrote:
> Thank you for the reply... Comments below...
>
> On 22 Nov 2010 at 17:23, Tilghman (Tilghman Lesher asterisk-us...@lists.digium.com) commented about Re: [asterisk-users] Someone has hacked into our :
>
> > On Monday 22 November 2010 17:10:31 Gary Kuznitz wrote:
> > > I have the log now. I'd like to know what to look for in trying to figure out how the calls are getting originated. I'd be happy to share all the information. I just don't want to post information on this public list that might show other people how to get in to our box.
> >
> > allowguest=yes in sip.conf, with a context= in the [general] section that is permitted to make outbound calls?
>
> I'm trying to understand exactly what this means. I found a sip.conf in /etc/asterisk. I have a [general] section. I don't have allowguest=yes. Is that good or am I supposed to have it?

Look for allowguest
default is yes
I change it to allowguest=no

In addition you might want to restrict some countries in your dial-plan, here is my list:

[blocked-numbers]
;block bahamas, etc
exten = _91900.,1,congestion ; N11
exten = _91XXX976.,1,congestion ; N11
exten = _91XXX555.,1,congestion ; N11
exten = _91X11.,1,congestion ; N11
exten = _91867.,1,congestion ; Yukon (sorry mike)
;exten = _1NPA Country
exten = _91232.,1,congestion ; Sierra Leone
exten = _91242.,1,congestion ; BAHAMAS
exten = _91246.,1,congestion ; BARBADOS
exten = _91264.,1,congestion ; ANGUILLA
exten = _91268.,1,congestion ; ANTIGUA/BARBUDA
exten = _91284.,1,congestion ; BRITISH VIRGIN ISLANDS
exten = _91345.,1,congestion ; CAYMAN ISLANDS
exten = _91441.,1,congestion ; BERMUDA
exten = _91473.,1,congestion ; GRENADA
exten = _91649.,1,congestion ; TURKS CAICOS ISLANDS
exten = _91664.,1,congestion ; MONTSERRAT
exten = _91758.,1,congestion ; ST. LUCIA
exten = _91767.,1,congestion ; DOMINICA
exten = _91784.,1,congestion ; ST. VINCENT GRENADINES
exten = _91809.,1,congestion ; DOMINICAN REPUBLIC
exten = _91829.,1,congestion ; DOMINICAN REPUBLIC
exten = _91868.,1,congestion ; TRINIDAD AND TOBAGO
exten = _91869.,1,congestion ; ST. KITTS AND NEVIS
exten = _91876.,1,congestion ; JAMAICA

--
Joseph
[asterisk-users] Someone has hacked into our system
Someone has hacked into our system and is making calls overseas.

How can I:
1. Find out where the calls are originating from?
2. Block all calls that are not authorized?

Our system is in the USA. Only calls from inside our LAN are allowed.

Thank you,
Gary Kuznitz
Re: [asterisk-users] Someone has hacked into our system
From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gary Kuznitz
Sent: Monday, November 22, 2010 10:23 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Someone has hacked into our system

> Someone has hacked into our system and is making calls overseas.
>
> How can I:
> 1. Find out where the calls are originating from?
> 2. Block all calls that are not authorized?
>
> Our system is in the USA. Only calls from inside our LAN are allowed.
>
> Thank you,
> Gary Kuznitz

For #1, start with the CDR. You know that X is calling an overseas number. Determine who X is (or is supposed to be).

For #2 (and the rest of #1) restrict your dialing access to a known set of IP's. If you have 5 phones (softphones or actual handsets), block everything that doesn't start with those 5 IP addresses.

The first thing I would do is to change all of your passwords in sip.conf and do a sip reload. That will slow down or temporarily stop the hacker.
Re: [asterisk-users] Someone has hacked into our system
Blocking udp 5060 in the packet filter in unwanted directions should keep asterisk from setting up SIP connections.

The real remedy is to figure out how the hacker got in and close the backdoor. I think a lot of us would be interested in what was the vulnerability. And if it turns out that it was a configuration mistake, don't be shy: for every mistake you did in your config, there are at least a thousand people who did the same mistake. You help them (us) by disclosing the error, and if you have already changed the configuration you should not have the error at that time.

On 2010-11-22 17:37, Danny Nicholas wrote:

> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gary Kuznitz
> Sent: Monday, November 22, 2010 10:23 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: [asterisk-users] Someone has hacked into our system
>
> > Someone has hacked into our system and is making calls overseas.
> >
> > How can I:
> > 1. Find out where the calls are originating from?
> > 2. Block all calls that are not authorized?
> >
> > Our system is in the USA. Only calls from inside our LAN are allowed.
> >
> > Thank you,
> > Gary Kuznitz
>
> For #1, start with the CDR. You know that X is calling an overseas number. Determine who X is (or is supposed to be).
>
> For #2 (and the rest of #1) restrict your dialing access to a known set of IP's. If you have 5 phones (softphones or actual handsets), block everything that doesn't start with those 5 IP addresses.
>
> The first thing I would do is to change all of your passwords in sip.conf and do a sip reload. That will slow down or temporarily stop the hacker.
Re: [asterisk-users] Someone has hacked into our system
Thank you very much for help in finding the log.

I have the log now. I'd like to know what to look for in trying to figure out how the calls are getting originated. I'd be happy to share all the information. I just don't want to post information on this public list that might show other people how to get in to our box.

Thank you,
Gary Kuznitz

On 22 Nov 2010 at 13:11, Danny (Danny Nicholas da...@debsinc.com) commented about RE: [asterisk-users] Someone has hacked into our :

> From: Gary Kuznitz [mailto:docf...@theoffice.la]
> Sent: Monday, November 22, 2010 12:20 PM
> To: Danny Nicholas
> Subject: Re: [asterisk-users] Someone has hacked into our system
>
> > Thank you for the quick response. Comments below...
> >
> > I am not familiar with navigating Asterisk. Would you please help me understand how to see the CDR?
> >
> > Thank you,
> > Gary Kuznitz
>
> By default, Asterisk keeps the CDR as a flat-file in /var/log/asterisk/cdr-csv/Master.csv which you can open in Excel for easy viewing. If you have a custom cdr (see /etc/asterisk/cdr.conf or /etc/asterisk/cdr_custom.conf for more information), your CDR might be stored in a MYSQL table or some other place. I would start under the assumption that you have the flat file available. Once you have it open, use this link as a guide: http://www.voip-info.org/wiki/view/Asterisk+cdr+csv
>
> Fields
>
> * accountcode: What account number to use: Asterisk billing account, (string, 20 characters)
> * src: Caller*ID number (string, 80 characters)
> * dst: Destination extension (string, 80 characters)
> * dcontext: Destination context (string, 80 characters)
> * clid: Caller*ID with text (80 characters)
> * channel: Channel used (80 characters)
> * dstchannel: Destination channel if appropriate (80 characters)
> * lastapp: Last application if appropriate (80 characters)
> * lastdata: Last application data (arguments) (80 characters)
> * start: Start of call (date/time)
> * answer: Answer of call (date/time)
> * end: End of call (date/time)
> * duration: Total time in system, in seconds (integer)
> * billsec: Total time call is up, in seconds (integer)
> * disposition: What happened to the call: ANSWERED, NO ANSWER, BUSY, FAILED
> * amaflags: What flags to use: see amaflags::DOCUMENTATION, BILL, IGNORE etc, specified on a per channel basis like accountcode.
>
> You will want to see if there are any peculiar src fields on your international calls (dst).
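The check suggested at the end of the quoted reply, as an added example that is not code from this thread: it reads Master.csv in the column order listed above and groups overseas calls by originating peer, context and src. The outside-line prefix "9" and the 011 international prefix are assumptions, the area codes come from the blocked-numbers list posted elsewhere in this thread, and the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Column order of cdr-csv/Master.csv, as listed in the message above.
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
          "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
          "duration", "billsec", "disposition", "amaflags"]

# Assumptions: "9" selects an outside line (as in the _91... patterns posted
# in this thread) and "011" is the US international prefix. The area codes
# are the 1+NPA entries of the blocked-numbers list posted in this thread.
OUTSIDE_LINE = "9"
INTL_PREFIX = "011"
WATCHED_NPAS = {"242", "246", "264", "268", "284", "345", "441", "473", "649",
                "664", "758", "767", "784", "809", "829", "868", "869", "876"}

# Constructed sample rows: documentation IP address, fictional numbers.
SAMPLE_CSV = '''\
"","1001","95550123","internal","1001","SIP/1001-00000010","SIP/trunk-00000011","Dial","SIP/trunk/5550123","2010-11-20 09:02:11","2010-11-20 09:02:20","2010-11-20 09:03:20",69,60,"ANSWERED","DOCUMENTATION"
"","100","9011442079460000","default","100","SIP/203.0.113.50-00000021","SIP/trunk-00000022","Dial","SIP/trunk/011442079460000","2010-11-21 02:14:07","2010-11-21 02:14:15","2010-11-21 02:24:15",608,600,"ANSWERED","DOCUMENTATION"
"","100","918095550100","default","100","SIP/203.0.113.50-00000023","SIP/trunk-00000024","Dial","SIP/trunk/18095550100","2010-11-21 02:30:00","2010-11-21 02:30:05","2010-11-21 02:35:05",305,300,"ANSWERED","DOCUMENTATION"
"","1002","9011442079460001","internal","1002","SIP/1002-00000030","SIP/trunk-00000031","Dial","SIP/trunk/011442079460001","2010-11-21 10:00:00","2010-11-21 10:00:05","2010-11-21 10:00:50",50,45,"ANSWERED","DOCUMENTATION"
"","1003","9011"
'''

def is_overseas(dst):
    """True for an international number or a watched 1+NPA destination."""
    digits = "".join(ch for ch in dst if ch.isdigit())
    if digits.startswith(OUTSIDE_LINE):
        digits = digits[1:]
    if digits.startswith(INTL_PREFIX):
        return True
    return len(digits) == 11 and digits[0] == "1" and digits[1:4] in WATCHED_NPAS

def peer_of(channel):
    """'SIP/1001-0000a3f2' -> 'SIP/1001' (drop the per-call suffix)."""
    return channel.rsplit("-", 1)[0]

def overseas_by_origin(csv_text):
    """Group overseas calls by (peer, context, src), most billed seconds first."""
    totals = defaultdict(lambda: {"calls": 0, "billsec": 0, "first": None, "last": None})
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < len(FIELDS):
            continue  # skip short or damaged lines
        rec = dict(zip(FIELDS, row))
        if not is_overseas(rec["dst"]):
            continue
        t = totals[(peer_of(rec["channel"]), rec["dcontext"], rec["src"])]
        t["calls"] += 1
        t["billsec"] += int(rec["billsec"]) if rec["billsec"].isdigit() else 0
        # "YYYY-MM-DD HH:MM:SS" strings sort in time order.
        t["first"] = min(t["first"] or rec["start"], rec["start"])
        t["last"] = max(t["last"] or rec["start"], rec["start"])
    rows = [dict(peer=k[0], context=k[1], src=k[2], **v) for k, v in totals.items()]
    return sorted(rows, key=lambda r: r["billsec"], reverse=True)

if __name__ == "__main__":
    for r in overseas_by_origin(SAMPLE_CSV):
        print(r)
```

On a real system, pass the contents of /var/log/asterisk/cdr-csv/Master.csv to `overseas_by_origin`; the peer and context at the top of the result show which sip.conf entry and which dialplan context the calls came through.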
Re: [asterisk-users] Someone has hacked into our system
Use IPTables to lock down your machine to only accept incoming connections from your local network and from the particular IPs that you are expecting connections from (such as your SIP trunk, maybe). That is of course assuming that these calls are made by SIP.

Don't forget to also change all the passwords.

From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gary Kuznitz
Sent: Monday, November 22, 2010 8:23 AM
To: Asterisk Users Mailing List - Non-Commercial Discussion
Subject: [asterisk-users] Someone has hacked into our system

> Someone has hacked into our system and is making calls overseas.
>
> How can I:
> 1. Find out where the calls are originating from?
> 2. Block all calls that are not authorized?
>
> Our system is in the USA. Only calls from inside our LAN are allowed.
>
> Thank you,
> Gary Kuznitz
Re: [asterisk-users] Someone has hacked into our system
On 11/22/2010 06:44 PM, Kevin Keane wrote:
> Use IPTables to lock down your machine to only accept incoming connections from your local network and from the particular IPs that you are expecting connections from (such as your SIP trunk, maybe). That is of course assuming that these calls are made by SIP.
>
> Don't forget to also change all the passwords.

good point - someone can easily just dial in a pots line locally and dial out another one making a long distance call, assuming the dial plan allows this. it doesn't have to be sip involved in any part of the problem.

> From: asterisk-users-boun...@lists.digium.com [mailto:asterisk-users-boun...@lists.digium.com] On Behalf Of Gary Kuznitz
> Sent: Monday, November 22, 2010 8:23 AM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: [asterisk-users] Someone has hacked into our system
>
> > Someone has hacked into our system and is making calls overseas.
> >
> > How can I:
> > 1. Find out where the calls are originating from?
> > 2. Block all calls that are not authorized?
> >
> > Our system is in the USA. Only calls from inside our LAN are allowed.
> >
> > Thank you,
> > Gary Kuznitz