Tom Waterman (posted November 2, 2010):

Hello all, our PBX has blacklisted about 600 IP addresses in the last 4 days. My current settings are for every 5 attempts in a 2 second span blacklist for 7 days. My question is how can I blacklist them permanently without having to type them in manually? And is anyone else seeing an increase in failed registration attempts?

Thank you,
Tom

mattlandis (posted November 2, 2010):

Yes, this is a known attack. Some of my notes: http://forum.pbxnsip.com/index.php?showtop...amp;#entry17308

We have a site we manage that is experiencing it as well. There are other reports in the wild.

I would be glad to compare notes. One thing I am curious about is whether our blocked IP list matches yours. I would be glad to swap the entire list we have.

We have been living in the "Access" page in the last days and have noticed some things I will post as a suggestion.

Vodia PBX (posted November 2, 2010):

> Hello all, our PBX has blacklisted about 600 IP addresses in the last 4 days. My current settings are for every 5 attempts in a 2 second span blacklist for 7 days. My question is how can I blacklist them permanently without having to type them in manually? And is anyone else seeing an increase in failed registration attempts?

Whow! IMHO you don't have to blacklist too long as the total impact to the system performance is really getting very low if you blacklist for something like 7 days.

Anyway. The dropdown just contains some useful (as we thought) proposals; you can edit the page in the admin/email/texts section and add another option, for example for 365 days or longer.

Tom Waterman (posted November 2, 2010):

> Whow! IMHO you don't have to blacklist too long as the total impact to the system performance is really getting very low if you blacklist for something like 7 days.
>
> Anyway. The dropdown just contains some useful (as we thought) proposals; you can edit the page in the admin/email/texts section and add another option, for example for 365 days or longer.

Are you saying that if I have a long blacklist it will hurt system performance? If so, could I just blacklist the entire outside and allow only the handful of internet addresses I need to register? But how would that affect my VoIP trunk provider? Would I have to add them in as well?

Thank you!!!
Tom

Vodia PBX (posted November 2, 2010):

> Are you saying that if I have a long blacklist it will hurt system performance? If so, could I just blacklist the entire outside and allow only the handful of internet addresses I need to register? But how would that affect my VoIP trunk provider? Would I have to add them in as well?

No, no. The blacklisting uses some nice efficient data structures internally. The performance impact of even long lists should be okay.

You can also blacklist everything by default (0.0.0.0/0) and only whitelist certain IP addresses or subnets. If you know the IP addresses of your users/customers then that is a real option where you don't have to worry about people scanning your PBX. In this case you also need to whitelist your trunk provider. The black/whitelisting does not support DNS, so you need to look up the IP addresses where the service provider might come from.

Tom Waterman (posted November 2, 2010):

> No, no. The blacklisting uses some nice efficient data structures internally. The performance impact of even long lists should be okay.
>
> You can also blacklist everything by default (0.0.0.0/0) and only whitelist certain IP addresses or subnets. If you know the IP addresses of your users/customers then that is a real option where you don't have to worry about people scanning your PBX. In this case you also need to whitelist your trunk provider. The black/whitelisting does not support DNS, so you need to look up the IP addresses where the service provider might come from.

OK, our SP is Callcentric. Do you happen to know those?

Thanks guys!
Tom

Vodia PBX (posted November 2, 2010):

> OK, our SP is Callcentric. Do you happen to know those?
>
> Thanks guys!

```
$ host -t SRV _sip._udp.callcentric.com
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha6.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha7.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha8.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha9.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha1.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha2.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha3.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha4.callcentric.com.
_sip._udp.callcentric.com has SRV record 20 0 5080 alpha5.callcentric.com.
$ for i in 1 2 3 4 5 6 7 8 9; do host alpha$i.callcentric.com; done
alpha1.callcentric.com has address 204.11.192.22
alpha2.callcentric.com has address 204.11.192.23
alpha3.callcentric.com has address 204.11.192.31
alpha4.callcentric.com has address 204.11.192.34
alpha5.callcentric.com has address 204.11.192.35
alpha6.callcentric.com has address 204.11.192.36
alpha7.callcentric.com has address 204.11.192.37
alpha8.callcentric.com has address 204.11.192.38
alpha9.callcentric.com has address 204.11.192.39
```

I would use 204.11.192/24 to play safe.

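Added example, not part of any post in this thread: because the access list takes addresses and subnets rather than DNS names, this sketch turns the `host` output above into candidate whitelist entries and compares how many source IPs each one admits. The function names are illustrative, and the thread's "204.11.192/24" is written as 204.11.192.0/24 so that Python's `ipaddress` module accepts it.

```python
import ipaddress
import re

# `host` output for the trunk provider's SIP servers, as posted in the thread.
HOST_OUTPUT = """\
alpha1.callcentric.com has address 204.11.192.22
alpha2.callcentric.com has address 204.11.192.23
alpha3.callcentric.com has address 204.11.192.31
alpha4.callcentric.com has address 204.11.192.34
alpha5.callcentric.com has address 204.11.192.35
alpha6.callcentric.com has address 204.11.192.36
alpha7.callcentric.com has address 204.11.192.37
alpha8.callcentric.com has address 204.11.192.38
alpha9.callcentric.com has address 204.11.192.39
"""
ADDR_RE = re.compile(r"^(\S+) has address (\S+)$", re.M)

def parse_host_output(text):
    """Return the sorted IPv4 addresses from 'NAME has address A.B.C.D' lines."""
    found = ADDR_RE.findall(text)
    return sorted({ipaddress.IPv4Address(ip) for _, ip in found})

def exact_entries(addrs):
    """Tightest whitelist: merge the known addresses into the fewest CIDR entries."""
    return list(ipaddress.collapse_addresses(
        ipaddress.ip_network(f"{a}/32") for a in addrs))

def smallest_covering_network(addrs):
    """Smallest single CIDR block containing every address (addrs is sorted)."""
    net = ipaddress.ip_network(f"{addrs[0]}/32")
    while addrs[-1] not in net:
        net = net.supernet()
    return net

def compare_options(addrs, suggested="204.11.192.0/24"):
    """Map each whitelist option to (entries, number of source IPs it admits)."""
    options = {
        "exact": exact_entries(addrs),
        "covering": [smallest_covering_network(addrs)],
        "suggested": [ipaddress.ip_network(suggested)],
    }
    return {name: (nets, sum(n.num_addresses for n in nets))
            for name, nets in options.items()}

if __name__ == "__main__":
    for name, (nets, size) in compare_options(parse_host_output(HOST_OUTPUT)).items():
        print(f"{name:9} admits {size:3} IPs: {', '.join(map(str, nets))}")
```

The tighter the entry, the sooner it breaks if the provider adds or renumbers servers; since the list cannot follow DNS, whichever option is chosen needs a periodic re-check against the SRV records.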
Tom Waterman (posted November 2, 2010):

> Whow! IMHO you don't have to blacklist too long as the total impact to the system performance is really getting very low if you blacklist for something like 7 days.
>
> Anyway. The dropdown just contains some useful (as we thought) proposals; you can edit the page in the admin/email/texts section and add another option, for example for 365 days or longer.

Where do you edit the length of time? I looked in the above mentioned section and I don't see where I can edit that. Should it not just be one of the XML pages in the PBX directory that I edit?

Tom

Vodia PBX (posted November 3, 2010):

> Where do you edit the length of time? I looked in the above mentioned section and I don't see where I can edit that. Should it not just be one of the XML pages in the PBX directory that I edit?

No, better don't edit the XML; the PBX may override it any time. It is easier to change the web interface options. Go as admin to the reg_texts.htm page (admin/email/texts) and then edit the reg_access.htm page like this (add the bold line):

```
<select name="blacklist_expires" id="blacklist_expires" class="cCombo">
  <option value="60" selected="{ssi rsel blacklist_expires 60}">1 min</option>
  ...
  <option value="604800" selected="{ssi rsel blacklist_expires 604800}">7 d</option>
  <option value="31536000" selected="{ssi rsel blacklist_expires 31536000}">365 d</option>
</select>
```

mattlandis (posted November 3, 2010):

ahem...wow only works in v4.2 it looks like?...but..powerful!

thanks,
Matt