
Hacking Attempts ???

PostPosted: Fri Aug 26, 2011 3:49 am
by tarundas
What is this? And what do they want?

 --------------------- SSHD Begin ------------------------

 SSHD Killed: 1 Time(s)

 SSHD Started: 2 Time(s)

 Failed logins from:
    61.136.68.83 (83.68.136.61.ha.cnc): 3115 times # over 3 thousand attempts ! HOLY SHIT!!! China
    110.45.138.170: 75 times # ( Korea)
    114.112.184.150: 344 times # (China)

 Illegal users from:
    61.136.68.83 (83.68.136.61.ha.cnc): 32 times
    110.45.138.170: 27 times
    114.112.184.150: 187 times

 Users logging in through sshd:
    root:
       59.93.xxx.xxx: 12 times # ( That's me! from home)


 Received disconnect:
    11: Terminating connection : 2 Time(s)


 SFTP subsystem requests: 13 Time(s)

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user testuser : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user dave : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user desktop : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user vpn : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user tester : 3 time(s)


 ---------------------- SSHD End -------------------------
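An added example (not from this thread or from Logwatch itself) of turning a report like the one above into alerts: it parses the SSHD sections into per-IP counts, flags sources over a failed-login threshold and, in the spirit of the whitelist advice later in the thread, flags any successful login from an address outside an authorized network. The sample report text, the 100-attempt threshold and the 203.0.113.0/24 "office" network are constructed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed excerpt in the Logwatch SSHD report format quoted above; the
# attacking addresses are the thread's, the "home" addresses are documentation ranges.
SAMPLE_REPORT = """\
 Failed logins from:
    61.136.68.83 (83.68.136.61.ha.cnc): 3115 times
    110.45.138.170: 75 times
    114.112.184.150: 344 times

 Illegal users from:
    61.136.68.83 (83.68.136.61.ha.cnc): 32 times
    114.112.184.150: 187 times

 Users logging in through sshd:
    root:
       203.0.113.7: 12 times
       198.51.100.9: 1 time
"""
SECTION_RE = re.compile(r"^ (Failed logins from|Illegal users from|Users logging in through sshd):$")
COUNT_RE = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3})(?: \([^)]*\))?: (\d+) times?$")
USER_RE = re.compile(r"^ {4}(\S+):$")  # "    root:" inside the logins section

def parse_sshd_report(text):
    """Return ({section: {ip: count}}, {user: {ip: count}} for successful logins)."""
    counts = defaultdict(lambda: defaultdict(int))
    logins = defaultdict(dict)
    section = user = None
    for line in text.splitlines():
        if m := SECTION_RE.match(line):
            section, user = m.group(1), None
        elif section == "Users logging in through sshd" and (m := USER_RE.match(line)):
            user = m.group(1)
        elif section and (m := COUNT_RE.match(line)):
            ip, n = m.group(1), int(m.group(2))
            counts[section][ip] += n
            if user:
                logins[user][ip] = n
    return counts, logins

def findings(text, allowed_sources, fail_threshold=100):
    """Flag brute-force sources at/over the threshold and logins from outside the allowed networks."""
    allowed = [ip_network(a) for a in allowed_sources]
    counts, logins = parse_sshd_report(text)
    out = [("brute_force", ip, n) for ip, n in counts["Failed logins from"].items() if n >= fail_threshold]
    for user, by_ip in logins.items():
        for ip, n in by_ip.items():
            if not any(ip_address(ip) in net for net in allowed):
                out.append(("unauthorized_login", f"{user}@{ip}", n))
    return sorted(out)
```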

PostPosted: Fri Aug 26, 2011 9:09 am
by williamconley
they want to steal your babies.

use yast firewall to lock out EVERYONE from ALL ports unless they are on an authorized IP address. add authorized IP addresses (both tcp and udp for each address) in custom (at the bottom of the yast firewall settings).

remember that it is easy to lock yourself out, so be IN the office when you set it up. this requires turning OFF all allowed services (and Advanced allowed services).

PostPosted: Sat Aug 27, 2011 3:48 am
by boybawang
you can explore using Fail2ban

PostPosted: Sat Aug 27, 2011 12:06 pm
by williamconley
boybawang wrote:you can explore using Fail2ban
true.

yast firewall is built in, but has "lockdown" or "open" as possibilities, whereas fail2ban can "learn" and lock out offenders. but it can also lock out good guys who put the wrong entry into their soft phone for registration (which can result in locking out an entire ROOM of agents, so be careful with ANY dynamic security system!).

A couple others:

Advanced Policy Firewall
Brute Force Detection
Denial of Service Deflate
Rootkit Detection

Some instructions here, but use google for more help:

http://www.topwebhosts.org/tools/apf-bf ... ootkit.php

PostPosted: Sat Aug 27, 2011 2:08 pm
by tarundas
Really? :) I thought they already have more babies than any other place -LOL
(China, birth rate 31.67 births/1,000 population) actual

Thank you William :)

Well, what resources can they steal/hack? Our public IP is mapped with the VoIP provider and we dial 3 shifts, so someone (admins) is always watching the campaigns and 'real time summary', so our VoIP minutes are safe, I hope. Do they want our leads? Or campaign details? I am just curious!

Thank you again for your replies William and boybawang. I will try those firewalls and will post back the results. But it will take some time as I am not familiar with them at all.

PostPosted: Sat Aug 27, 2011 2:47 pm
by williamconley
having someone watch a screen that "outside vicidial" (manual calls) do not show up on will not "protect your minutes". If they get into your box the odds are that they will cap $2k before you "catch on" unless you have some monetary system in place to stop them (for instance: you cannot make international calls ...).

we have several clients who came to us specifically for the "lockdown" after losing roughly $2k, and several more who came to us because the "failed" calls and/or failed login attempts disrupted the vicidial system enough to render it unusable (DenialOfService, DOS, resulting from Brute Force login/registration attempts).

Lock it down NOW.

PostPosted: Sat Aug 27, 2011 3:18 pm
by tarundas
OOOPS!!! I missed that point. Yes, I got it.
Thank you William. You are the lifeline of vicidial community.

PostPosted: Sat Aug 27, 2011 4:06 pm
by williamconley
Nah. I'm just an arrogant noisy guy. Ask my kids.

PostPosted: Mon Aug 29, 2011 3:22 am
by sobek
Of course firewalls are the most important, but after I forgot to turn on the firewall after some testing, one thing that saved my minutes was a dial plan that allowed calls only to my country with 9 digits.

In one hour they tried 4196 combinations to dial out.
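An added example (not sobek's actual dial plan) of how such an allow-only rule works: a small matcher for Asterisk's extension-pattern syntax, assumed here to be how the rule was written, and a nine-digit-only policy applied to a constructed list of dial attempts. The pattern `_XXXXXXXXX` and the sample numbers are assumptions; a real plan would carry the same pattern in extensions.conf.

```python
import re

# Asterisk extension-pattern syntax (the dialplan Vicidial runs on; assumed here
# to be how sobek's "9 digits only" rule was expressed): a leading "_" marks a
# pattern; X = 0-9, Z = 1-9, N = 2-9, [...] = a set/range, "." = one or more of
# anything, "!" = zero or more; any other character matches literally.
def asterisk_pattern_to_regex(pattern):
    if not pattern.startswith("_"):
        return re.compile(re.escape(pattern) + r"\Z")  # plain extension, exact match
    out, body, i = [], pattern[1:], 0
    while i < len(body):
        c = body[i]
        if c in "XZN":
            out.append({"X": "[0-9]", "Z": "[1-9]", "N": "[2-9]"}[c])
        elif c == ".":
            out.append(".+")
        elif c == "!":
            out.append(".*")
        elif c == "[":
            j = body.index("]", i)
            out.append("[" + body[i + 1:j] + "]")
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")

# Constructed allow-list: exactly nine digits, i.e. a national number with no
# international (00/+) prefix. Anything else never reaches a Dial() at all.
ALLOWED_PATTERNS = ["_XXXXXXXXX"]

def is_dial_allowed(number, patterns=ALLOWED_PATTERNS):
    return any(asterisk_pattern_to_regex(p).match(number) for p in patterns)

def count_rejected(dial_attempts, patterns=ALLOWED_PATTERNS):
    """How many of the attempted numbers an allow-only dialplan would drop."""
    return sum(not is_dial_allowed(n, patterns) for n in dial_attempts)

# Constructed sample of what a compromised extension might try to dial.
SAMPLE_ATTEMPTS = ["612345678", "0044207946000", "00123456789012", "+3312345678", "987654321"]
```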

PostPosted: Mon Aug 29, 2011 6:59 pm
by williamconley
Under 10k. An amateurish attempt.

PostPosted: Tue Sep 06, 2011 4:50 pm
by middletn
It's a real problem. We had some guy in China probe all our vicidial servers over the last few days. fail2ban caught them, but it's becoming a real pain in the A***. It's not a vicidial issue though, more Asterisk being a little too helpful.

PostPosted: Tue Sep 06, 2011 6:31 pm
by williamconley
Problem being that fail2ban may catch them, but that often does not stop the DOS result (your firewall dropping packets still fills your "inbound traffic limit"). So having rejected the packets from the beginning would likely have caused them to NOT attack in the first place.

I have actually had situations when I had to turn on traffic shaping and limit the bandwidth on the attack to regain use of the server ... until after the attack, then set the system to stealth (drop all unauth packets) before the next attack which USUALLY stops the next attack before it starts. I've had a couple occasions where this process took a couple days. ouch.

Re: Hacking Attempts ???

PostPosted: Wed Apr 09, 2014 9:39 am
by ctc_olsen
--------------------- SSHD Begin ------------------------

 SSHD Killed: 1 Time(s)

 SSHD Started: 2 Time(s)

 Failed logins from:
    61.136.68.83 (83.68.136.61.ha.cnc): 3115 times # over 3 thousand attempts ! HOLY SHIT!!! China
    110.45.138.170: 75 times # ( Korea)
    114.112.184.150: 344 times # (China)

 Illegal users from:
    61.136.68.83 (83.68.136.61.ha.cnc): 32 times
    110.45.138.170: 27 times
    114.112.184.150: 187 times

 Users logging in through sshd:
    root:
       59.93.xxx.xxx: 12 times # ( That's me! from home)


 Received disconnect:
    11: Terminating connection : 2 Time(s)


 SFTP subsystem requests: 13 Time(s)

 **Unmatched Entries**
 pam_succeed_if(sshd:auth): error retrieving information about user testuser : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user dave : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user desktop : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user vpn : 3 time(s)
 pam_succeed_if(sshd:auth): error retrieving information about user tester : 3 time(s)


 ---------------------- SSHD End -------------------------


Sorry to bump this up but what command is this? Or do we need to install something first?

Re: Hacking Attempts ???

PostPosted: Thu Apr 10, 2014 3:17 am
by geoff3dmg
That looks like the output from a piece of software called 'Logwatch'. It analyses your server logs and sends you an email report of anything it deems interesting.

Re: Hacking Attempts ???

PostPosted: Tue Jun 10, 2014 1:51 am
by williamconley
Whitelist your firewall system. Do not rely on automated systems to "catch" the problem. No one should be on your system unless you have expressly authorized their IP address to be there. This is not a Public Web Server, it's a dialer. In the old days there wouldn't even be any access outside the ROOM much less outside the country.

That being said, we have Dynamic Good Guys for Vicibox, which can be adjusted for GoAutodial ... but I recommend just installing Vicibox and using it there. You CAN back up your DB, install Vicibox, install your DB and then upgrade your DB to match your new Vicidial code. Then install DGG and you have a fresh new system that's secure. :)

http://www.viciwiki.com/index.php/DGG

http://www.viciwiki.com/index.php/Whitelist (if you just want a "lockdown")