
Thread: HELP: hacker attempts despite firewall set to high

  1. #11

    1./ check the management of the filtering for starters - make sure that you have locked it down to local IPs only

    2./ check that accept sip stray requests isn't turned on under the hidden page epygiip/generalconfig.cgi

    It is quite possible that most of the problem is in the filtering pages...

  2. #12

    Thanks, Kevin for your suggestions.

    Regarding 1: It is locked down to local ips and ip addresses of VOIP service providers

    Regarding 2: Accept stray SIP requests was turned on! I turned it off. Let's see if that does the trick.

  3. #13

    I just went through all posts on this forum regarding hacking attempts and found the following from David in 2010:

    Quote from old thread:
    There is a problem in the firewall of 5.1.19 (and actually all versions prior to 5.1.38), which is the following: if in the "SIP Access" list you allow access from a range of IP addresses, which includes the Quadro's own IP address, the SIP requests from all addresses get accepted...

    This could be the case with your configuration. Please check it and make sure that you don't open a SIP access to any IP range, which includes Quadro's own IP address...
    The fix for this will be published soon (version 5.1.39).
    --------------------------end of quote---------------------

    As I was tired of updating the list of local ip addresses, I recently updated the allowed pool list to all ip addresses in the local lan: 192.168.1.0/24

    So this includes the Epygi....
    And I am running 5.1.19

    I am pretty sure this is the issue here. I will go back to manually adding IP addresses although this is a real hassle.
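An added example, not part of the original post and not Epygi code: it audits a "SIP Access" allow list for ranges that contain the PBX's own address and, instead of listing hosts by hand, splits such a range into the smallest set of CIDR blocks that covers everything except the PBX. The device address 192.168.1.10, the provider address 203.0.113.5 and all function names are constructed assumptions.

```python
import ipaddress

FIXED_IN = (5, 1, 39)  # release the thread names as carrying the fix


def is_affected(firmware):
    """True when a dotted firmware string is older than the fixed release."""
    return tuple(int(p) for p in firmware.split(".")) < FIXED_IN


def risky_entries(allowed, device_ip):
    """Allow-list entries whose range contains the PBX's own address."""
    dev = ipaddress.ip_address(device_ip)
    return [e for e in allowed
            if dev in ipaddress.ip_network(e, strict=False)]


def carve_out(entry, device_ip):
    """Smallest CIDR set covering `entry` minus the PBX's own address."""
    net = ipaddress.ip_network(entry, strict=False)
    dev = ipaddress.ip_network(device_ip)  # single-host network
    if net.version != dev.version or not dev.subnet_of(net):
        return [net]          # entry does not touch the PBX, keep as is
    if net == dev:
        return []             # entry was only the PBX itself, drop it
    return sorted(net.address_exclude(dev))


def safe_allow_list(allowed, device_ip):
    """Rewrite the whole allow list so no entry includes the PBX."""
    out = []
    for entry in allowed:
        out.extend(str(n) for n in carve_out(entry, device_ip))
    return out


if __name__ == "__main__":
    allowed = ["192.168.1.0/24", "203.0.113.5"]   # constructed sample list
    pbx = "192.168.1.10"                          # constructed PBX address
    if is_affected("5.1.19"):
        print("entries to replace:", risky_entries(allowed, pbx))
        for cidr in safe_allow_list(allowed, pbx):
            print("allow", cidr)
```

For a /24 this yields eight entries in place of one, covering the other 255 addresses in the subnet.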

  4. #14

    Hello,

    In any case please upgrade your firmware to the latest one.

    Thanks,
    Aram.

  5. #15

    Usually my strategy is not to upgrade unless it is really necessary. Don't fix it if it ain't broke.
    In this case I may make an exception.

    Since I removed the IP address of the Epygi itself in the "allowed IP addresses Pool" 2 days ago, the attacks have stopped, so it was clearly a flaw in the software.

    In all fairness, it is software from 2009 and this problem was patched, if I understand it correctly.

    I will try to find a manual about upgrading and report back.

  6. #16

    See under fixed issues of the release notes FW 5.1.39 for 2x (Support Center » Downloads » IP PBX Products » Quadro2x, 2xi » Software » Release Note for Quadro2x 5.1.39).
    Yes, you are right, it was a security flaw, which has been fixed since the 5.1.39 release.

    Thanks,
    Aram.

  7. #17

    I just upgraded to 5.3.11.

    The Epygi would not register to the SIP servers.

    I then reduced the Firewall to low security. The SIP servers registered right away.

    After that, I put the Firewall to high security again. The SIP servers registered again after expiration without problems.

    Hypothesis:
    Even DNS servers are blocked when the Firewall is set to high. Once the addresses are translated, the IP addresses are saved in the Epygi memory.

    Correct or is there another reason?

  8. #18

    Unfortunately, this is not correct.

    With the new version of the Firmware, the SIP accounts do not register if the Firewall is set to high.

    When the Firewall is set to low, they register right away. Oddly enough, they reregister for a few hours, but then they don't anymore.
    I added the DNS server ip addresses to the allowed pool list, but this does not help.

    I will open a new thread to address this issue to keep the board readable! The original problem was solved.

  9. #19

    I have a similar problem which puzzles me. So far I have had two attacks trying to log in as a remote phone, and the M32 failed to put them in the banned IP list, so they kept trying for hours. At all other times the IP was put into the banned list and stopped after 2-3 attempts. What is the reason that it sometimes fails? Both times I had to add those IP numbers manually to the filtering rules. Another strange thing was an IDS attack lasting for 10 hours that was not stopped by manually adding the IP to the filtering rules.

  10. #20

    Please check how frequent those registration attempts were. If there were 3 or more attempts in a second, then the malicious IP should have been blocked automatically. Otherwise, it will not be.
    If you manually added the IP to the blocked list and it didn't work, then you probably forgot to enable the rule. Please double check that.
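An added example, not part of the original reply and not Epygi code: it applies the rate described above (3 or more attempts in a second) to failed-registration log lines and separates sources the automatic block should catch from slower ones that stay under the rate and need a manual filtering rule. The log format, the sample lines and the `min_attempts` cutoff are constructed assumptions, not the Quadro's own format.

```python
from collections import defaultdict
from datetime import datetime

AUTO_BLOCK_RATE = 3  # attempts inside one second, per the reply above

# Constructed sample lines (assumed format: date time REGISTER failed src=IP).
SAMPLE_LOG = """\
2011-03-01 02:10:00.100 REGISTER failed src=198.51.100.7
2011-03-01 02:10:00.400 REGISTER failed src=198.51.100.7
2011-03-01 02:10:00.700 REGISTER failed src=198.51.100.7
2011-03-01 02:10:00.000 REGISTER failed src=203.0.113.9
2011-03-01 02:10:02.000 REGISTER failed src=203.0.113.9
2011-03-01 02:10:04.000 REGISTER failed src=203.0.113.9
2011-03-01 02:10:06.000 REGISTER failed src=203.0.113.9
2011-03-01 02:11:30.000 REGISTER failed src=192.0.2.33
"""


def parse(log):
    """Group failed REGISTER timestamps by source address."""
    hits = defaultdict(list)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[2:4] != ["REGISTER", "failed"]:
            continue
        stamp = datetime.strptime(" ".join(parts[:2]), "%Y-%m-%d %H:%M:%S.%f")
        hits[parts[4].partition("=")[2]].append(stamp)
    return hits


def peak_per_second(times):
    """Largest number of attempts inside any sliding one-second window."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while (t - times[lo]).total_seconds() >= 1.0:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def classify(log, min_attempts=3):
    """Map each source to 'auto', 'manual' (slow but persistent) or 'ignore'."""
    report = {}
    for src, times in parse(log).items():
        if peak_per_second(times) >= AUTO_BLOCK_RATE:
            report[src] = "auto"
        else:
            report[src] = "manual" if len(times) >= min_attempts else "ignore"
    return report
```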
