Then how does your script discern a real sip call from a foreign system? It must not be allowed since there is no phone registered.
--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: tgrazi...@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile: http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~
Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab 2013!

On Sep 17, 2012 5:19 PM, "Steve Beaudry" <steve.beau...@royalroads.ca> wrote:

> Tony, I must now disagree. The script serves to block both
> registration attempts and blind call attempts.
>
> Essentially, there is a 'block all access from outside IPs' rule, and
> the script adds exceptions for those who have successfully logged in (on
> port 80/8443, which has a permanent exception).
>
> ALL sip traffic is blocked/discarded unless it's from a known IP.
>
> You are correct, however, that the typical attempts we see are simply
> 'blind call attempts', not registration attempts.
>
> Respectfully,
>
> ...Steve...
>
> On 2012-09-17, at 2:13 PM, "Tony Graziano" <tgrazi...@myitdepartment.net>
> wrote:
>
> The registrations could be because of bogus registration attempts. BUT
> if these are call attempts (not registrations) against the proxy, they will
> effectively use resources if the attempts are consistent enough in volume
> to effectively eat the resources away until the registrar can't process
> registrations.
>
> 1. Look at your CDRs for the day of and day before to see if there are
>    bogus call attempts.
> 2. Inspect your logs (sipXproxy.log and sipregistrar.log).
> 3. Consider some measures by means of firewall rules to rate limit your
>    connections per second, etc.
> 4. Steve's script might help IF the attempts are to register, but if it is
>    simply probing your server to send calls through it without registering,
>    it will not help.
>
> On Mon, Sep 17, 2012 at 4:06 PM, Steve Beaudry
> <steve.beau...@royalroads.ca> wrote:
>
>> Hi Laurie,
>>
>> I have to agree with Tony here. I've had exactly the same issue you
>> describe at two different installations, and in every case it turned out to
>> be sip packets from the Internet, making connections to the SipXecs server,
>> and running it out of resources. I can't say if the packets were an
>> intentional DOS, or just an unintended side effect of random probing.
>> Nonetheless, the effect was the same.
>>
>> In all cases, blocking port 5060 from the public network was an
>> immediate and effective solution.
>>
>> If blocking port 5060 outright is not an option, because you need to
>> allow outside SIP connections, I have developed a script that might help.
>> The script monitors the log file of successful logins to the web
>> interface, and manages iptables firewall rules on the SipX host itself, to
>> only allow connections from IP addresses that have successfully
>> authenticated. We simply tell users that if they wish to connect remotely,
>> they first need to login to their voice mailbox from whatever IP address
>> they wish to connect from. This works equally well for home users with a
>> laptop and SIP phone behind a NAT gateway, and from mobile clients like
>> Bria on the iPhone.
>>
>> I'm perfectly willing to share the script, with two forewarnings:
>>
>> 1) I'd consider it a 'proof of concept', which should be modified
>> for your own environment. It works in the two installations that I've set
>> it up in.
>>
>> 2) It has no provisions for a high-availability setup. It wouldn't
>> be too hard to set up, but I haven't done so.
>>
>> I'd considered shooting the script back to the community in the last,
>> but putting other fires out has prevented me from taking the time to
>> document it as much as I think it should be if anyone were planning to
>> use/include it.
>>
>> If you'd like to see a copy of it, lemme know, and I can send it your
>> way.
>>
>> Cheers,
>>
>> ...Steve...
>>
>> Stephen Beaudry, Manager
>> Server, Network and Telecom Infrastructures
>> Royal Roads University
>> T 250.391.2600 ext. 4149
>> 2005 Sooke Road, Victoria, BC Canada V9B 5Y2
>> royalroads.ca
>>
>> On 2012-09-17, at 6:48 AM, "Tony Graziano" <tgrazi...@myitdepartment.net>
>> wrote:
>>
>> Sounds like you are being bothered from the outside.
>>
>> /var/log/sipxpbx
>>
>> Is where logs are.
>>
>> On Sep 17, 2012 9:23 AM, "IT Manager" <it.mana...@maf-uganda.org>
>> wrote:
>>
>>> Where would I find the proxy and registrar logs – I can’t find them
>>> in the web interface?
>>>
>>> And now you mention it – I do occasionally get lots of emails about
>>> there not being enough ports or something for media. Hopefully, disabling
>>> the internet connection will stop any trouble.
>>>
>>> So now – should I run the yum update to update everything?
>>>
>>> Laurie
>>>
>>> From: sipx-users-boun...@list.sipfoundry.org
>>> [mailto:sipx-users-boun...@list.sipfoundry.org] On Behalf Of Tony Graziano
>>> Sent: 17 September 2012 12:10
>>> To: Discussion list for users of sipXecs software
>>> Subject: Re: [sipx-users] Registrations dropping
>>>
>>> Check the proxy and registrar logs. Also check CPU and ram/swap. The
>>> logs may show a lot of call or registration attempts. If the phones are not
>>> registering via the internet close off port 5060.
>>>
>>> On Sep 17, 2012 2:41 AM, "IT Manager" <it.mana...@maf-uganda.org> wrote:
>>>
>>> Dear all,
>>>
>>> I think I have emailed on this before, but I am still struggling with it:
>>>
>>> Regularly (read – most mornings) – I will come into the office and all
>>> my phones have lost their registrations with the server – going to the
>>> server’s page and restarting all the services (which incidentally all claim
>>> to be running) fixes the problem and the registrations are ok (until the
>>> next time).
>>>
>>> Here is my configuration setup:
>>>
>>> - SipXecs 4.4.0 (no yum updates as this seemed to make it lose
>>>   registrations much more frequently)
>>> - Running as VM (still testing… :( ) on ESXi free – the host is
>>>   not particularly busy (especially overnight which is when it has its
>>>   issues)
>>> - Grandstream phones GXP2000 (yes – I know they are crap
>>>   phones… so don’t berate me on them – but they do work fine when they are
>>>   allowed to register)
>>> - Firewall 5060 opened to the internet along with the other
>>>   higher ports – could it be falling over due to hacking?
>>>
>>> Can anyone help? I cannot install this company wide if it is going to be
>>> doing this and I know that it works reliably elsewhere in the world…
>>>
>>> Thanks,
>>>
>>> Laurie
>>>
>>> Laurie Nason
>>> IT Manager
>>> Mission Aviation Fellowship - Uganda
>>> T +256 41 4267462 F +256 41 4267433
>>> PO Box 1, Kampala, Uganda
>>> www.maf-uganda.org

--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: helpd...@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
_______________________________________________
sipx-users mailing list
sipx-users@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/
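
The approach described in the thread, as an added example (this is not Steve's script, which the thread does not include): successful web logins are read from a log and turned into an iptables allow-list for SIP on port 5060, ending in a DROP rule. The log format, the chain name `SIP_ALLOW` and the sample addresses are constructed assumptions; the chain is assumed to exist already and to receive port 5060 traffic from INPUT.

```python
import ipaddress
import re

# Constructed log format (assumption, not sipXecs' real format):
#   <timestamp> LOGIN_OK|LOGIN_FAIL user=<ext> ip=<source address>
LOGIN_OK = re.compile(r"^\S+ LOGIN_OK user=\S+ ip=(\S+)$")

# Constructed sample input using documentation address ranges.
SAMPLE_LOG = """\
2012-09-17T06:01:12 LOGIN_FAIL user=200 ip=203.0.113.50
2012-09-17T06:02:40 LOGIN_OK user=201 ip=198.51.100.7
2012-09-17T06:03:05 LOGIN_OK user=202 ip=192.0.2.44
2012-09-17T06:04:00 LOGIN_OK user=201 ip=198.51.100.7
2012-09-17T06:05:30 LOGIN_OK user=203 ip=1.2.3.4;reboot
"""


def authenticated_ips(log_text):
    """Return unique, validated source IPs of successful logins, in log order."""
    ips = []
    for line in log_text.splitlines():
        match = LOGIN_OK.match(line.strip())
        if not match:
            continue  # failed logins and unrelated lines earn no exception
        try:
            ip = str(ipaddress.ip_address(match.group(1)))
        except ValueError:
            continue  # log text is untrusted: never pass it unvalidated to iptables
        if ip not in ips:
            ips.append(ip)
    return ips


def build_rules(ips, chain="SIP_ALLOW"):
    """Build iptables argument lists: flush, one ACCEPT per IP, final DROP.

    Assumes the hypothetical chain already exists and that INPUT sends
    port 5060 traffic to it; nothing is executed here.
    """
    rules = [["iptables", "-F", chain]]
    rules += [["iptables", "-A", chain, "-s", ip, "-j", "ACCEPT"] for ip in ips]
    rules.append(["iptables", "-A", chain, "-j", "DROP"])
    return rules


if __name__ == "__main__":
    for rule in build_rules(authenticated_ips(SAMPLE_LOG)):
        print(" ".join(rule))
```

With rules built this way, any packet to port 5060 from an address outside the list reaches the final DROP regardless of the SIP method it carries.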