Discussion:
Registrations Expiring
Tommy Laino
2012-12-16 15:54:49 UTC
For the last 2 weekends I have had a SipXecs 4.4 with 30
Polycom 335's that has had all the registrations expire. I have
to resend the server profile and all the phones re-register.
Weird thing is that this only happens over the weekend or
when all the phones are inactive for a long period of time.
Any ideas? I have the logs but am not sure what I should be
looking for to try and troubleshoot this.
--
Tommy Laino
Dome Technologies
Tony Graziano
2012-12-16 16:31:07 UTC
Is port 5060 exposed in the firewall? If so, it is potentially a script
from outside trying to abuse your system; you would need to inspect your
logs to verify.
_______________________________________________
sipx-users mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-users/
--
LAN/Telephony/Security and Control Systems Helpdesk:
Telephone: 434.984.8426
sip: ***@voice.myitdepartment.net

Helpdesk Customers: http://myhelp.myitdepartment.net
Blog: http://blog.myitdepartment.net
Tommy Laino
2012-12-16 16:57:38 UTC
The sipproxy.log file is so large that my text editors will
not open it. I am assuming that it is an attack. I am going
to have the IT department close that port on the firewall
and see if we have any luck.
Tony Graziano
2012-12-16 18:36:22 UTC
If you have it open, it means that you support remote users. If you do not
support remote users, it should not be open.

There are also numerous things you could do both onboard sipx and at your
firewall to limit the attempts at scripts and other malicious activity
aimed at your voip services in general.
--
~~~~~~~~~~~~~~~~~~
Tony Graziano, Manager
Telephone: 434.984.8430
sip: ***@voice.myitdepartment.net
Fax: 434.465.6833
~~~~~~~~~~~~~~~~~~
Linked-In Profile:
http://www.linkedin.com/pub/tony-graziano/14/4a6/7a4
Ask about our Internet Fax services!
~~~~~~~~~~~~~~~~~~

Using or developing for sipXecs from SIPFoundry? Ask me about sipX-CoLab
2013!
<http://sipxcolab2013.eventbrite.com/?discount=tony2013>
Tommy Laino
2012-12-16 19:02:35 UTC
Yes, I know that 5060 is used for remote users. I had it
opened because they are going to be deploying a remote sales
team in a few months. They are using Comcast, which has a
shared pipe. I am wondering if that has anything to do with
it. When I do remote deployments they almost exclusively use
FiOS, which is a dedicated pipe.
Tony Graziano
2012-12-16 19:12:27 UTC
If the port is open then it is vulnerable. It doesn't matter whose
backbone it is on.

There are lots of ways to protect it though.

We are big fans of using mesh VPNs and removing that as an open port
altogether. We have found our chosen method scales pretty well.

In the meantime, your firewall might be able to limit connections per
second from an IP address to that port. With some firewall products, we do
that AND we block countries altogether (depending on the customer and their
geographic footprint). There are lots of things you can do, but you HAVE to
do them or suffer the consequences.
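Two practical questions come up in the thread: what to look for in a sipproxy.log that is too large to open in an editor, and how to put a per-source rate limit in front of port 5060 as Tony suggests. The script below is an added example written for this page; it is not sipXecs code and not anything posted by the participants. It assumes a constructed, simplified log line layout (timestamp, source IP, method, request URI, final status, User-Agent) rather than the real sipproxy.log format, so parse_line() is the only part that would need adapting; the sample lines, IPs, extensions and Polycom User-Agent string are made up for the demonstration, while "friendly-scanner" is the well-known default User-Agent of the sipvicious scanner. The script reads the file in one streaming pass so memory stays flat regardless of file size, flags a source when it announces a scanner User-Agent, exceeds a burst rate in a 60 s sliding window, or hammers many different extensions without ever getting a 2xx (a 401 challenge alone is normal for digest authentication), and then prints iptables rules: a per-source hashlimit on 5060 plus explicit drops for the flagged addresses.

```python
"""Triage a huge SIP proxy log for registration abuse and emit firewall rules.

Added example, not sipXecs code. The log layout below is a constructed
simplification, not the real sipproxy.log format; adapt parse_line() to the
real layout and the rest is unchanged:
    <ISO-8601 timestamp> <source ip> <method> <request URI> <status> "<User-Agent>"
"""
import re
import sys
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(r'^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) (?P<method>[A-Z]+) '
                     r'(?P<uri>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$')
# Default User-Agent strings of well-known SIP scanners; sipvicious announces
# itself as "friendly-scanner" unless the operator changes it.
SCANNER_UA_MARKERS = ("friendly-scanner", "sipvicious", "sundayddr", "sipcli")


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%S")
    rec["status"] = int(rec["status"])
    return rec


def triage(lines, window=timedelta(seconds=60), rate_threshold=30, enum_threshold=10):
    """One streaming pass: per-source counters plus a sliding-window peak rate.
    An open multi-gigabyte file can be passed directly; only per-IP counters and
    the timestamps inside the window are kept. Timestamps must be non-decreasing per IP."""
    stats = {}
    recent = defaultdict(deque)            # ip -> timestamps inside the window
    for raw in lines:
        rec = parse_line(raw)
        if rec is None or rec["method"] not in ("REGISTER", "INVITE"):
            continue
        s = stats.setdefault(rec["ip"], {"requests": 0, "successes": 0, "users": set(),
                                         "max_rate": 0, "scanner_ua": False})
        s["requests"] += 1
        s["successes"] += int(200 <= rec["status"] < 300)
        s["users"].add(rec["uri"])         # many distinct targets => enumeration
        s["scanner_ua"] |= any(mark in rec["ua"].lower() for mark in SCANNER_UA_MARKERS)
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        s["max_rate"] = max(s["max_rate"], len(q))

    report = {}
    for ip, s in stats.items():
        reasons = []
        if s["scanner_ua"]:
            reasons.append("scanner user-agent")
        if s["max_rate"] > rate_threshold:
            reasons.append(f"{s['max_rate']} requests within {int(window.total_seconds())}s")
        # A 401 challenge is normal for digest auth, so the signal is "never a 2xx"
        # combined with many different target users from the same address.
        if len(s["users"]) >= enum_threshold and s["successes"] == 0:
            reasons.append(f"{len(s['users'])} distinct targets, no success")
        report[ip] = {"requests": s["requests"], "successes": s["successes"],
                      "distinct_users": len(s["users"]), "max_rate": s["max_rate"],
                      "suspicious": bool(reasons), "reasons": reasons}
    return report


def firewall_rules(report, port=5060, per_ip_rate="10/sec", burst=20):
    """iptables commands: drop flagged sources, then rate-limit everyone else per source IP."""
    rules = ["iptables -N SIP_GUARD",
             f"iptables -A INPUT -p udp --dport {port} -j SIP_GUARD",
             f"iptables -A INPUT -p tcp --dport {port} -j SIP_GUARD"]
    rules += [f"iptables -A SIP_GUARD -s {ip} -j DROP"
              for ip in sorted(ip for ip, s in report.items() if s["suspicious"])]
    rules += [f"iptables -A SIP_GUARD -m hashlimit --hashlimit-name sip --hashlimit-mode srcip "
              f"--hashlimit-upto {per_ip_rate} --hashlimit-burst {burst} -j ACCEPT",
              "iptables -A SIP_GUARD -j DROP"]
    return rules


def sample_log():
    """Constructed sample (not real data): one Polycom phone and one scanner."""
    base, ua, lines = datetime(2012, 12, 15, 3, 0, 0), "PolycomSoundPointIP-SPIP_335", []
    for i in range(5):                     # phone: 401 challenge then 200 OK, once a minute
        for offset, status in ((0, 401), (1, 200)):
            t = base + timedelta(minutes=i, seconds=offset)
            lines.append(f'{t:%Y-%m-%dT%H:%M:%S} 10.0.0.21 REGISTER sip:201@pbx.example.com {status} "{ua}"')
    for i in range(120):                   # scanner: 120 extensions in 30 s, all rejected
        t = base + timedelta(seconds=i // 4)
        lines.append(f'{t:%Y-%m-%dT%H:%M:%S} 203.0.113.45 REGISTER sip:{1000 + i}@pbx.example.com 403 "friendly-scanner"')
    return lines


if __name__ == "__main__":
    result = triage(open(sys.argv[1]) if len(sys.argv) > 1 else sample_log())
    for ip, s in sorted(result.items(), key=lambda kv: -kv[1]["requests"]):
        print(f"{ip:<16} {s['requests']:>6} req  peak {s['max_rate']:>4}/min  {'; '.join(s['reasons']) or 'ok'}")
    print("\n".join(firewall_rules(result)))
```

Run it with the path to the real log as the only argument (with no argument it runs on the built-in sample). Two caveats before pasting the rules into a firewall: insert an ACCEPT for the LAN and any known remote-office addresses ahead of the SIP_GUARD jump, because the hashlimit counts by source address and a NAT gateway in front of several legitimate phones will otherwise hit the limit together; and tune the rate against what the phones actually generate, which for 30 handsets registering on a timer is far below 10 requests per second per address.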
Todd Hodgen
2012-12-16 19:10:59 UTC
You can run logrotate to remove the log files and monitor a smaller one.
logrotate -f /etc/logrotate.d/sipxchange

Todd Hodgen
2012-12-16 19:28:00 UTC
And you are sure someone's not turning the system off over the weekend by
mistake? Had a customer turning off circuit breakers for the weekend, and
turning off more than they should have. UPS died, and it was rebooted on
Monday - but phones were not registered. Just an example. I'd really
suggest you look at the logs to see what it is doing rather than locking
into an issue without any proof. It could be any one of a dozen things
going on.

Tommy Laino
2012-12-16 20:42:23 UTC
Well, I do not have access to the firewall, only the IT
department does. I will look into the logs, but I already
spoke to the director of IT and he said he has had issues
with hackers in the past and that it appears that this is
the same problem. I know the system is up and running
because I can log into the system remotely and get them back
up, and inbound calls are answered by AA. I have spoken to
them about VPN but so far I have had no luck (they are penny
wise and dollar foolish).