Thanks all - that seems to have fixed the issue - so now no internet
access until everything inside our network is happy! And then probably
only vpn connections allowed after that!

Laurie



From: sipx-users-***@list.sipfoundry.org
[mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Steve
Beaudry
Sent: 18 September 2012 01:50
To: Discussion list for users of sipXecs software
Cc: Discussion list for users of sipXecs software
Subject: Re: [sipx-users] Registrations dropping



Ahhh. We (and the script) do not allow SIP calls from anything other
than our users' SIP endpoints.. It is a closed SIP system, with all
'public' calling happening via PSTN gateway.



The script is a mid-way point between 'allow everything' and 'allow
nothing'.



...Steve...




On 2012-09-17, at 3:43 PM, "Tony Graziano"
<***@myitdepartment.net> wrote:

Then how does your script discern a real sip call from a foreign
system? It must not be allowed since there is no phone registered.

--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about
sipX-CoLab 2013!

On Sep 17, 2012 5:19 PM, "Steve Beaudry"
<***@royalroads.ca> wrote:

Tony, I must now disagree. The script serves to block both
registration attempts and blod call attempts.



Essentially, there is a 'block all access from outside IPs'
rule, and the script adds exceptions for those who have successfully
logged in (on port 80/8443, which has a permanent exception).



ALL sip traffic is blocked/discarded unless it's from a known
IP.



You are correct, however, that the typical attempts we see
are simply 'blind call attempts', not registation attempts.



Respectfully,



...Steve...




On 2012-09-17, at 2:13 PM, "Tony Graziano"
<***@myitdepartment.net> wrote:

The registrations could be because of bogus registration
attempts. BUT if these are call attempts (not registrations) against the
proxy, they will effectively use resources if the attempts are
consistent enough in volume to effectively eat the resources away until
the registrar can't process registrations.



1. look at your CDR's for the day of and day before to
see if there are bogus call attempt.

2. Inspect your logs (sipXproxy.log and
sipregistrar.log)

3. Consider some measures by means of firewall rules to
rate limit your connections per second, etc.

4. Steve's script might help IF the attempts are to
register, but if it is simply probing your server to send calls through
it without registering, it will not help.

On Mon, Sep 17, 2012 at 4:06 PM, Steve Beaudry
<***@royalroads.ca> wrote:

Hi Laurie,



I have to agree with Tony here. I've had exactly the
same issue you describe at two different installations, and in every
case it turned out to be sip packets from the Internet, making
connections to the SipXecs server, and running it out of resources. I
can't say if the packets were an intentional DOS, or just an unintended
side effect of random probing. Nonetheless, the effect was the same.



In all cases, blocking port 5060 from the public
network was an immediate and effective solution.



If blocking port 5060 outright is not an option,
because you need to allow outside SIP connections, I have developed a
script that might help. The script monitors the log file of successful
logins to the web interface, and manages iptables firewall rules on the
SipX host itself, to only allow connections from IP addresses that have
successfully authenticated. We simply tell users that if they wish to
connect remotely, they first need to login to their voice mailbox from
whatever IP address they wish to connect from. This works equally well
for home users with a laptop and SIP phone behind a NAT gateway, and
from mobile clients like Bria on the iPhone.



I'm perfectly willing to share the script, with two
forewarnings..



1) I'd consider it a 'proof of concept', which should
be modified for your own environment. It works in the two installations
that I've set it up in.



2) It has no provisions for a high-availability
setup. It wouldn't be too hard to setup, but I haven't done so.



I'd considered shooting the script back to the community
in the last, but putting other fires out has prevented me from taking
the time to document it as much as I think it should be if anyone were
planning to use/include it.



If you'd like to see a copy of it, lemme know, and I can
send it your way.



Cheers,



...Steve...



Stephen Beaudry, Manager

Server, Network and Telecom Infrastructures Royal Roads
University

T 250.391.2600 ext. 4149
<tel:250.391.2600%20ext.%204149>

2005 Sooke Road, Victoria, BC Canada V9B 5Y2
royalroads.ca <http://royalroads.ca/>



LIFE.CHANGING




On 2012-09-17, at 6:48 AM, "Tony Graziano"
<***@myitdepartment.net> wrote:

Sounds like you are being bothered from the
outside.

/var/log/sipxpbx

Is where logs are.

--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:

http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry?
Ask me about sipX-CoLab 2013!

On Sep 17, 2012 9:23 AM, "IT Manager"
<***@maf-uganda.org> wrote:

Where would I find the proxy and
registrar logs - I can't find them in the web interface?

And now you mention it - I do
occasionally get lots of emails about there not being enough ports or
something for media. Hopefully, disabling the internet connection will
stop any trouble.

So now - should I run the yum update to
update everything?

Laurie



From:
sipx-users-***@list.sipfoundry.org
[mailto:sipx-users-***@list.sipfoundry.org] On Behalf Of Tony
Graziano
Sent: 17 September 2012 12:10
To: Discussion list for users of sipXecs
software
Subject: Re: [sipx-users] Registrations
dropping



Check the proxy and registrar logs. Also
check CPU and ram/swap. The logs may show a lot of call or registration
attempts. If the phone are not registering via the internet close off
port 5060.

--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:

http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from
SIPFoundry? Ask me about sipX-CoLab 2013!

On Sep 17, 2012 2:41 AM, "IT Manager"
<***@maf-uganda.org> wrote:

Dear all,

I think I have emailed on this before,
but I am still struggling with it:

Regularly (read - most mornings) - I
will come into the office and all my phones have lost their
registrations with the server - going to the server's page and
restarting all the services (which incidentally all claim to be running)
fixes the problem and the registrations are ok (until the next time).

Here is my configuration setup:

* SipXecs 4.4.0 (no yum updates
as this seemed to make it lose registrations much more frequently)

* Running as VM (still
testing...L) on ESXi free - the host is not particularly busy
(especially overnight which is when it has it's issues)

* Grandstream phones GXP2000
(yes- I know they are crap phones...so don't berate me on them - but
they do work fine when they are allowed to register)

* Firewall 5060 opened to the
internet along with the other higher ports - could it be falling over
due to hacking?



Can anyone help? I cannot install this
company wide if it is going to be doing this and I know that it works
reliably elsewhere in the world...



Thanks,

Laurie



<image001.png>

Laurie Nason

IT Manager

Mission Aviation Fellowship - Uganda


T +256 41 4267462 F +256 41 4267433

PO Box 1, Kampala, Uganda



Mission Aviation Fellowship
International. A company Limited by guarantee, registered in England &
Wales

Registered Charity Number: 1058226.
Registered Company Number: 3144199.

Registered Office: Operations Centre,
Henwood, Ashford, Kent TN24 8DH

<image002.png>www.maf-uganda.org





_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive:
http://list.sipfoundry.org/archive/sipx-users/



LAN/Telephony/Security and Control
Systems Helpdesk:

Telephone: 434.984.8426

sip: ***@voice.myitdepartment.net



Helpdesk Customers:
http://myhelp.myitdepartment.net

Blog: http://blog.myitdepartment.net


--
This message has been scanned for
viruses and
dangerous content by MailScanner
<http://www.mailscanner.info/> , and is
believed to be clean.



_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive:
http://list.sipfoundry.org/archive/sipx-users/



LAN/Telephony/Security and Control Systems
Helpdesk:

Telephone: 434.984.8426

sip: ***@voice.myitdepartment.net



Helpdesk Customers:
http://myhelp.myitdepartment.net

Blog: http://blog.myitdepartment.net

_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive:
http://list.sipfoundry.org/archive/sipx-users/


_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive:
http://list.sipfoundry.org/archive/sipx-users/







--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~



Using or developing for sipXecs from SIPFoundry? Ask me
about sipX-CoLab 2013!

<http://sipxcolab2013.eventbrite.com/?discount=tony2013>





LAN/Telephony/Security and Control Systems Helpdesk:

Telephone: 434.984.8426

sip: ***@voice.myitdepartment.net



Helpdesk Customers: http://myhelp.myitdepartment.net

Blog: http://blog.myitdepartment.net

_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive:
http://list.sipfoundry.org/archive/sipx-users/


_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/



LAN/Telephony/Security and Control Systems Helpdesk:

Telephone: 434.984.8426

sip: ***@voice.myitdepartment.net



Helpdesk Customers: http://myhelp.myitdepartment.net

Blog: http://blog.myitdepartment.net

_______________________________________________
sipx-users mailing list
sipx-***@list.sipfoundry.org
List Archive: http://list.sipfoundry.org/archive/sipx-users/


--
This message has been scanned for viruses and
dangerous content by MailScanner <http://www.mailscanner.info/> , and is

believed to be clean.