
Too many ssh failed login attempts

Posted: Thu Nov 08, 2018 10:09 am
by Leckbush
Hi, upon checking the ssh login attempts on our vicidial, I noticed this:

(Too many failed login attempts)

admin ssh:notty 5.188.10.156 Thu Nov 8 23:06 - 23:06 (00:00)
default ssh:notty 139.199.181.192 Thu Nov 8 22:56 - 22:56 (00:00)
ftpuser ssh:notty 104.236.101.68 Thu Nov 8 22:33 - 22:33 (00:00)
martin ssh:notty 14.116.208.189 Thu Nov 8 22:13 - 22:13 (00:00)
webmaste ssh:notty 179.104.251.207 Thu Nov 8 22:06 - 22:06 (00:00)
admin ssh:notty 5.188.10.156 Thu Nov 8 21:43 - 21:43 (00:00)
pi ssh:notty 114.5.81.67 Thu Nov 8 21:24 - 21:24 (00:00)
pi ssh:notty 114.5.81.67 Thu Nov 8 21:24 - 21:24 (00:00)
openvpn ssh:notty 104.236.183.178 Thu Nov 8 07:28 - 07:28 (00:00)
ftpuser ssh:notty 205.ip-54-37-205 Thu Nov 8 07:23 - 07:23 (00:00)
test ssh:notty 192.144.139.214 Thu Nov 8 07:04 - 07:04 (00:00)
admin ssh:notty 69.57.235.78 Thu Nov 8 07:00 - 07:00 (00:00)
postgres ssh:notty 200.46.254.107 Thu Nov 8 06:35 - 06:35 (00:00)
admin ssh:notty 62.ip-145-239-76 Thu Nov 8 06:34 - 06:34 (00:00)
public ssh:notty 49.248.167.102 Thu Nov 8 05:54 - 05:54 (00:00)
postgres ssh:notty 220.116.47.116 Thu Nov 8 05:47 - 05:47 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:15 - 05:15 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:15 - 05:15 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:15 - 05:15 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:15 - 05:15 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:14 - 05:14 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:14 - 05:14 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:14 - 05:14 (00:00)
oracle ssh:notty 89.34.237.204 Thu Nov 8 05:14 - 05:14 (00:00)

Is someone trying to access the vici through ssh? Can I just turn off the remote ssh login? If I can turn it off without affecting any other component of call operation, how can I do it?

Re: Too many ssh failed login attempts

Posted: Thu Nov 08, 2018 7:47 pm
by thephaseusa
Assuming you are running vicibox opensuse:

systemctl stop sshd
systemctl disable sshd

Verify:

ssh localhost

Re: Too many ssh failed login attempts

Posted: Fri Nov 09, 2018 9:28 am
by Leckbush
Yes, we're running vicibox opensuse. So I can turn off ssh without affecting calls or the system for calls, right? Sorry, I'm a newbie.

Re: Too many ssh failed login attempts

Posted: Fri Nov 09, 2018 1:50 pm
by thephaseusa
Yes, vicidial doesn't need ssh.
John

Re: Too many ssh failed login attempts

Posted: Fri Nov 09, 2018 2:52 pm
by Leckbush
Okay, thanks, I turned off sshd on our server. But before I turned it off, I saw some logs that said:

"Received disconnect from x.x.x.x(china) 11(port11 I guess) PREAUTH" - A bunch of these, I know it's a brute force

and also this one

"input_userauth_request: invalid user backup" and after a
"Received disconnect from x.x.x.x 11: BYE BYE PREAUTH"

Do you think we're safe now from attack by turning off ssh?

Note:
Our dialer is accessible remotely using a static IP provided by our ISP (we set it up like this for when our Vicidial Technician/IT is to fix some config on vici through the web GUI).

The passwords we use are strong combinations of letters, numbers, symbols.

We have fail2ban installed on the server (opensuse).

Re: Too many ssh failed login attempts

Posted: Sat Nov 10, 2018 4:48 pm
by thephaseusa
Yes, like you said, I believe those were brute force ssh attacks.
You turned off sshd. Now close port 22 in the firewall too.
/etc/sysconfig/SuSEfirewall2
Find where 22 is allowed, delete it, then restart the firewall with
systemctl restart SuSEfirewall2
Or remove port 22 in yast firewall.

If you had a strong password like you describe, I doubt they gained entry. But I would be tempted to take a good look at logs and logins.

You installed with vicibox 7.0.3
Are you using a whitelist firewall?
Dynamic Good Guys is highly recommended for locking down vicidial servers before vicibox 8.1.2 which has built in white, dynamic, and black list firewalls, and a portal to add users IP addresses to your white/dynamic firewall.
DGG is easy and fast to install, and completely free of charge. Get it working on your vicidial boxes and that’s one less thing to worry about)))

JM
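
One way to take that look at the failed-login records, as an added example that is not part of the original thread: a Python script that parses lines in the layout shown in the first post (the format printed by lastb) and groups them by source. The sample lines, the threshold of 3 and the function names are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed sample (documentation addresses) in the layout of the first post.
SAMPLE = """\
admin ssh:notty 203.0.113.10 Thu Nov 8 23:06 - 23:06 (00:00)
ftpuser ssh:notty 7.ip-192-0-2 Thu Nov 8 07:23 - 07:23 (00:00)
admin ssh:notty 203.0.113.10 Thu Nov 8 21:43 - 21:43 (00:00)
pi ssh:notty 203.0.113.10 Thu Nov 8 21:24 - 21:24 (00:00)
oracle ssh:notty 198.51.100.99 Thu Nov 8 05:15 - 05:15 (00:00)
oracle ssh:notty 198.51.100.99 Thu Nov 8 05:15 - 05:15 (00:00)
oracle ssh:notty 198.51.100.99 Thu Nov 8 05:14 - 05:14 (00:00)

btmp begins Thu Nov 1 03:12:01 2018
"""

# user, tty, source host, start time; blank lines and the trailer do not match.
RECORD = re.compile(r"^(?P<user>\S+)\s+ssh:notty\s+(?P<host>\S+)\s+"
                    r"(?P<when>\w{3}\s+\w{3}\s+\d+\s+\d\d:\d\d)")

def parse(text):
    """Return (user, host, when) tuples for every failed SSH login line."""
    return [(m["user"], m["host"], m["when"])
            for m in map(RECORD.match, text.splitlines()) if m]

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def summarize(records, threshold=3):
    """Group attempts by source and flag the patterns worth a closer look."""
    per_host = Counter(host for _, host, _ in records)
    users = defaultdict(set)
    for user, host, _ in records:
        users[host].add(user)
    return {
        "attempts": len(records),
        "repeat_sources": {h: n for h, n in per_host.items() if n >= threshold},
        "multi_user_sources": {h: sorted(u) for h, u in users.items() if len(u) > 1},
        # The host column is cut short, so some entries are name fragments, not IPs.
        "truncated_hosts": [h for h in per_host if not is_ip(h)],
    }

if __name__ == "__main__":
    print(summarize(parse(SAMPLE)))
```

Entries listed under truncated_hosts cannot be fed to a firewall or ban list as they stand; the full source address has to be recovered first.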

Re: Too many ssh failed login attempts

Posted: Mon Nov 12, 2018 9:47 am
by Leckbush
Well, I did close sshd last week. But I opened it again now because I need to remote ssh to the server from a different part of the building. However, I did disable the forwarding of port 22 on our gateway. I tried connecting from an external ssh client to our server but it doesn't connect, so I guess it's good.

But I still see a vulnerability, which is the backdoor. Is there any way to set the sshd on opensuse/vicibox to only listen on a specific IP?

Yes, we do use strong passwords, as it's a policy of our IT department.

Yes, we do have a whitelist of IPs from outside the internal network; those that were whitelisted are the IP of our VOIP provider, nothing else.