| 00:00.20 | Samot | Is there a GUI interface? |
| 00:02.27 | Reinhilde | [TK]D-Fender: welcome back!@ |
| 00:03.19 | ircarcs | Samot: "xivo" |
| 00:03.42 | Samot | Then you need to go to their website or help channels. |
| 00:04.26 | Reinhilde | Samot: is this true if all the GUI does is provide a list of buttons for each config file and opens each config file in a plain text editor? |
| 00:04.32 | Reinhilde | (hypothetical, but I figured I'd ask) |
| 00:06.36 | Samot | Xivo is not one of those. |
| 00:06.45 | Samot | It's an appliance that uses Asterisk as it's telephony engine. |
| 00:06.47 | ircarcs | Samot: actually i d like to know what skill are required for a someone who don't know annnything about asterisk or voip to host a server . |
| 00:07.04 | ircarcs | for that purpose |
| 00:07.17 | Samot | ircarcs: Asterisk/VoIP knowledge |
| 00:07.24 | ircarcs | :D |
| 00:07.40 | Samot | You need to look at the Xivo documents. |
| 00:07.48 | Samot | And use their support channels. |
| 00:08.33 | ircarcs | i m working on a new network and i have to make choices Qos . Vlans .. so .. i m askink : ) |
| 00:08.38 | ircarcs | ok thanks |
| 00:10.52 | Samot | Reinhilde: Projects like Xivo, FreePBX, et al are just using Asterisk as their telephone engine. They may break up or change the file structure. They may store additional information and generate configs/dialplan. They in no way compare to some simple HTML form that lets you do basic file editing. |
| 00:11.44 | ircarcs | Samot: thanks. |
| 00:13.08 | Reinhilde | Samot: sounds about right |
| 00:15.36 | Samot | Then why did you ask that question? |
| 00:16.19 | *** join/#asterisk infobot (ibot@c-174-52-60-165.hsd1.ut.comcast.net) |
| 00:16.19 | *** topic/#asterisk is Take the March 2019 Asterisk User Survey! https://goo.gl/forms/xL1VUHRsf95saly13 -- #asterisk The Open Source PBX and Telephony Platform (asterisk.org) -=- LTS: 13.27.0 (2019/5/30) 16.4.0 (2019/5/30), Security Only: 15.7.2 (2019/2/28); DAHDI: 2.11.1 (2016/03/01); libpri 1.6.0 (2017/01/27) -=- Wiki: wiki.asterisk.org -=- Code of Conduct: bit.ly/1hH6P22 |
| 00:16.36 | Reinhilde | Samot: because why not |
| 00:16.56 | Samot | If you already knew the answer, it was pointless to ask it. |
| 00:18.06 | ircarcs | Samot: sometime asking make you understand . |
| 00:19.01 | ircarcs | Samot > as is was pointless to mention it ... |
| 00:20.42 | Reinhilde | i don't know much about xivo |
| 00:29.21 | ircarcs | by tha way thanks all . Samot actually will not be admin of the astreisk xivo server but for the "comuters" hosting it .. |
| 00:29.40 | ircarcs | (computers) |
| 00:31.42 | Reinhilde | that's incoherent |
| 00:34.09 | ircarcs | Reinhilde: have to deal with / bandtith / ressources / for asterisk - xivo application against my need > i host sometime apps i don't know but they needs. |
| 00:36.05 | ircarcs | does some app need many cpu while another not ? |
| 00:38.19 | Reinhilde | an unadjusted network configuration should be adequate for most smaller installations of Asterisk or any other IP PBX solution. |
| 00:52.00 | FuriousGeorge | im a little confused here. i just deployed asterisk on a compute engine slice, and I'm getting flooded with: |
| 00:52.01 | FuriousGeorge | chan_sip.c:26179 handle_request_invite: Failed to authenticate device <sip:2500@104.196.159.95>;tag=836066503 |
| 00:52.14 | FuriousGeorge | that ip is mine |
| 00:52.29 | FuriousGeorge | where's the ip of the person attempting to connect to 2500? |
| 00:52.58 | Reinhilde | the ip is yours because that's the hostname of the asterisk instance, and so would be the RHS as the registrant's SIP address. |
| 00:54.31 | FuriousGeorge | Reinhilde: are you saying the system is trying to register to itself? i looked for those extensions in the /etc/asterisk directory, and did not see them |
| 00:54.52 | FuriousGeorge | actually, fail2ban picks up on this, and tried to ban it's own external ip |
| 00:55.00 | FuriousGeorge | tries* |
| 00:55.01 | FuriousGeorge | actually does |
| 00:56.55 | Reinhilde | FuriousGeorge: no, I am not saying that. |
| 00:57.23 | FuriousGeorge | Reinhilde: what confuses me, in that case, is shouldn't the output tell me where the failed connection attempt came from? |
| 00:57.43 | Reinhilde | in my experience, it doesn't, and likely shouldn't. |
| 00:58.43 | FuriousGeorge | im getting hundreds of these a minute. i can't think of any other way to stop them. the tcpbindaddr = setting in sip.conf does not succeed in changing the port (i know it's not an ideal solution), |
| 00:58.48 | FuriousGeorge | and the comments seem to suggest it should |
| 00:59.42 | Reinhilde | you need udpbindaddr. |
| 00:59.54 | FuriousGeorge | ahhhh |
| 01:02.18 | FuriousGeorge | i just changed it on externaddr, and nothing stops these failed attempts. now ill try it as you suggested |
| 01:03.09 | FuriousGeorge | Reinhilde: but it did succeed in taking out my trunk registration. something is really odd here |
| 01:04.58 | FuriousGeorge | Reinhilde: that worked... merciful silence |
| 01:05.35 | FuriousGeorge | of course, why not just port scan me... then what? there has to be a better way. i can't keep changing my port |
| 01:05.47 | FuriousGeorge | if there's no host, i can't use fail2ban |
| 01:06.06 | Reinhilde | aye |
| 01:06.32 | FuriousGeorge | could this be some misconfiguration of the asterisk 13 in the debian repo? the only thing i've done different is to not compile from source |
| 01:06.52 | FuriousGeorge | also notice sip reload disconnects all my peers, unbeknownst to them, so they do |
| 01:07.00 | FuriousGeorge | n't try to reconnect. never seen that before either |
| 01:07.11 | Reinhilde | i've had sip reload take 7 minutes |
| 01:08.10 | FuriousGeorge | Reinhilde: there are examples more complicated than this server right now. there are four peers, one registered user, and 2 lines of dialplan making it all work |
| 01:08.20 | FuriousGeorge | and by "all" i mean "almost nothing" |
| 01:08.35 | FuriousGeorge | sip reloads quick |
| 01:28.11 | Samot | FuriousGeorge: are your nat settings right? |
| 01:28.26 | Samot | FuriousGeorge: also disable allowguests |
| 01:29.51 | *** join/#asterisk bmg505 (~leon@169-0-104-21.ip.afrihost.co.za) |
| 01:39.08 | *** join/#asterisk LiuYan (~NiHola@unaffiliated/liuyan) |
| 01:52.10 | FuriousGeorge | Samot: i did disable that |
| 01:52.23 | FuriousGeorge | i just resintalled from source. it's 15 this time. im still on port 5080 tho |
| 01:53.51 | FuriousGeorge | one good thing now: reloading sip does not drop all peers. that was a big problem |
| 01:54.18 | FuriousGeorge | do i dare put it back on 5060? i may as well just to see if the flood of badness continues |
| 01:57.07 | FuriousGeorge | yup, they are there. |
| 01:57.46 | FuriousGeorge | fail2ban obviously thinks this is dumb. why not show the attacking IP? unfortunately, the regex causes it to block the external ip |
| 01:58.10 | FuriousGeorge | how can this be the out of the box behavior for fail2ban and asterisk combined? |
| 01:58.20 | Samot | FuriousGeorge: Why are you using 15? |
| 01:59.36 | FuriousGeorge | cuz it's more recent than 13 but not as recent as 16? |
| 01:59.55 | FuriousGeorge | Samot: should it matter? 13 was in the repos for debian, so i tried that first. same result |
| 02:00.19 | *** join/#asterisk yokel (~yokel@unaffiliated/contempt) |
| 02:00.30 | FuriousGeorge | this is apparently what causes the connection issues after sip reload. now when i reload sip, peers get dropped, and do not rejoin on their own |
| 02:02.04 | FuriousGeorge | The peer doesn't try to do anything, as it, for whatever reason, believes itself to still be connected: |
| 02:02.05 | FuriousGeorge | SIP Identity Status: |
| 02:02.30 | FuriousGeorge | begging the quesstion: why doesn't keepalive work here? |
| 02:02.34 | FuriousGeorge | what a mess |
| 02:02.35 | [TK]D-Fender | Phone has to have a reason to check |
| 02:03.59 | Samot | FuriousGeorge: 15 is unsupported. So any issues you have with it, you're on your own. |
| 02:05.43 | FuriousGeorge | Samot: no problem. let's see how 16 does |
| 02:08.27 | FuriousGeorge | ill nuke the vm, and start from scratch too |
| 02:34.23 | FuriousGeorge | Samot: 16 doesn't compile in the latest debian, because libjansson is not new enough. i suppose i could compile that |
| 02:36.55 | FuriousGeorge | but no matter. ill go back to 13, since it appears to be supported still, i doubt 16 would work any differently ayway |
| 02:38.47 | [TK]D-Fender | You're just setting yourself up for having to upgrade sooner again rather than plotting a clean and sane path |
| 02:44.33 | Samot | Also, we never verified what your actual configs where. |
| 02:44.53 | Samot | This very well could be a misconfiguration. |
| 02:49.40 | *** join/#asterisk K0HAX (~michael@gateway/tor-sasl/k0hax) |
| 03:03.40 | FuriousGeorge | Samot: check out steps to reproduce: |
| 03:04.45 | FuriousGeorge | https://pastebin.com/NFhzzvuG |
| 03:04.49 | FuriousGeorge | ill post my configs now |
| 03:05.22 | FuriousGeorge | whatever this attacker is doing, he is able to render many installs broken, I'd guess |
| 03:09.20 | Samot | Waiting on the configs. |
| 03:12.20 | FuriousGeorge | Samot: one sec |
| 03:16.19 | FuriousGeorge | Samot: https://pastebin.com/g1DLVKBY |
| 03:16.40 | FuriousGeorge | was trying to strip out the lines that start with spaces and end with comments but i couldn't get the regex right |
| 03:16.52 | FuriousGeorge | took out most in the process of copy pasting |
| 03:17.23 | FuriousGeorge | left out peer settings below, as i don't think they are relevant, please correct me if I'm wrong, Samot |
| 03:17.44 | Samot | So this box is behind NAT |
| 03:18.04 | Samot | Therefore there should be nat=force_rport,comedi in the [general] |
| 03:18.09 | Samot | Therefore there should be nat=force_rport,comedia in the [general] |
| 03:18.28 | Samot | You should have the same nat setting for all your peers that are behind NAT. |
| 03:19.14 | FuriousGeorge | it is not behind nat |
| 03:19.25 | FuriousGeorge | Samot: do i have a setting which suggests it is? |
| 03:19.35 | FuriousGeorge | it is an instance on GCE |
| 03:19.46 | Samot | So there is a public WAN directly on the server? |
| 03:19.51 | FuriousGeorge | yes |
| 03:20.09 | Samot | Then why do you have an external address and a local network set? |
| 03:20.35 | FuriousGeorge | well, kinda.... i forget what this setup is called. there is an internal ip, and there is an external ip, but there is no nat |
| 03:20.44 | Samot | WAit. |
| 03:20.47 | FuriousGeorge | the internal ip only works between nodes |
| 03:20.53 | Samot | Is the internal IP an RFC1918 IP? |
| 03:20.56 | FuriousGeorge | it's just how google does their compute engine stuff |
| 03:21.00 | Samot | Stop. |
| 03:21.01 | Samot | Is the internal IP an RFC1918 IP? |
| 03:21.07 | FuriousGeorge | let me look up what i think this setup is called |
| 03:21.18 | Samot | Can you not answer the question? |
| 03:21.44 | FuriousGeorge | it is |
| 03:21.50 | FuriousGeorge | 10.0.0.0/8 |
| 03:21.58 | Samot | Then you are behind NAT. |
| 03:22.00 | FuriousGeorge | i believe that answers it, unless i have my rfc's confused |
| 03:22.03 | FuriousGeorge | no, it's not |
| 03:22.07 | Samot | Dude. |
| 03:22.20 | Samot | Public WAN is being TRANSLATED to a RFC1918 IP |
| 03:22.29 | Samot | Network Address Translation. |
| 03:22.51 | Reinhilde | Samot: he could be speaking of a 1:1 NAT? |
| 03:22.55 | FuriousGeorge | yes |
| 03:22.56 | FuriousGeorge | 1:1 |
| 03:22.58 | Samot | JFC. |
| 03:23.03 | Samot | 1:1 NAT = NAT |
| 03:23.12 | Samot | Period.\ |
| 03:23.14 | Samot | It's in the name. |
| 03:23.29 | FuriousGeorge | like a pseudo nat i guess. from the outside there is no nat |
| 03:23.36 | Reinhilde | You're getting fixated on this one terminological issue, Samot, and it's really annoying me |
| 03:23.39 | FuriousGeorge | it's more like a server with two interfaces |
| 03:23.43 | *** join/#asterisk pa (~pa@unaffiliated/pa) |
| 03:23.44 | Samot | All that means is a WAN IP is only NAT'd to a SINGLE IP. |
| 03:23.45 | Reinhilde | and it's not helping FuriousGeorge get his life straight |
| 03:23.58 | Samot | OK, this is a NAT issue. |
| 03:24.04 | Reinhilde | do you take any psychoactive medications or any statins? |
| 03:24.11 | Samot | If you will refuse to accept that NAT is involved you cannot fix the problem. |
| 03:24.20 | FuriousGeorge | ok, i can set the nat setting |
| 03:24.55 | Samot | You also need to apply that nat setting to all your peers. |
| 03:25.02 | Samot | That are behind NAT. |
| 03:25.04 | Reinhilde | I'd set it to just comedia, or to auto_force_rport,comedia. It shouldn't be a problem if it's a 1:1 NAT, but it seems htat it is. |
| 03:25.40 | Samot | 1:1 NAT means that the public IP cannot be NAT'd to other private IPs. |
| 03:25.51 | Samot | Therefore all the ports on the WAN will go to the same ports on the LAN. |
| 03:26.10 | Reinhilde | Samot: YOU'RE FIXATING ONE ONE STUPID TERMINOLOGICAL ISSUE, AND IT'S MAKING THE EFFECTIVE PROVISION OF SUPPORT MORE DIFFICULT. |
| 03:26.42 | Reinhilde | FuriousGeorge: it's a nat situation. you may be the only person on that public IP, but it's a nat situation. we clear? |
| 03:26.48 | FuriousGeorge | <PROTECTED> |
| 03:26.55 | Reinhilde | that's what Samot has been saying all along, but he's been unbelievably aggressive about it. |
| 03:26.58 | Samot | Is 9984 one of your peers? |
| 03:27.00 | FuriousGeorge | this m,eans fail2ban would still block my external ip, even with the nat setting in general |
| 03:27.08 | FuriousGeorge | did i misunderstand what you wanted me to do? |
| 03:27.19 | Samot | Is 9984 one of your peers? |
| 03:27.24 | Reinhilde | Samot: Implied no. |
| 03:27.26 | FuriousGeorge | Samot: no, i have no idea where that is comming from |
| 03:27.33 | Reinhilde | Samot: It's one of the wardialers. |
| 03:27.34 | FuriousGeorge | i can start tcpdunping |
| 03:27.42 | Reinhilde | I've seen similar issues |
| 03:27.47 | Samot | Then you're being hit. |
| 03:27.56 | FuriousGeorge | that part i got |
| 03:27.57 | Samot | So you need to get some better firewalling in place. |
| 03:28.19 | Reinhilde | The issue that FuriousGeorge is having is that the external IP of his own server is showing instead of the IP of who's hitting him. |
| 03:28.21 | FuriousGeorge | i can enable the firewall, but i always have to have a port open for the remote peers, so i'm screwed either way |
| 03:28.31 | FuriousGeorge | right |
| 03:28.42 | Reinhilde | Usually the issue is benign if your passwords are strong and allowguest= is no, or if your guest context doesn't allow you to run up a huge toll. |
| 03:28.56 | Reinhilde | or any toll.p |
| 03:29.04 | Samot | 104.196.159.95 <-- That's your PBX IP? |
| 03:29.17 | FuriousGeorge | yes, as per the comments in the pastenin, fail2ban bans my external IP |
| 03:29.26 | FuriousGeorge | so it breaks sip for remote clients |
| 03:29.48 | Samot | Time to enable the sip debug |
| 03:29.49 | Reinhilde | FuriousGeorge: why are packets showing coming from /your/ external IP if they're from someone else's? |
| 03:29.52 | FuriousGeorge | they will become unreachable, and not try to reregister |
| 03:29.52 | Samot | sip set debug on |
| 03:30.27 | FuriousGeorge | Reinhilde: i have no idea. i assumed it was showing the extension and server of the destination |
| 03:30.42 | Reinhilde | the extension they're trying to register to '@' your server |
| 03:30.43 | FuriousGeorge | it's on AF samot ;) |
| 03:30.56 | Reinhilde | FuriousGeorge: asterisk -rx 'sip set debug on' |
| 03:31.00 | Samot | Show some output |
| 03:31.09 | FuriousGeorge | right, the destination being my server. i have no idea why there is not a part that says "from <IP>" |
| 03:31.15 | *** join/#asterisk life_of_e (~life_of_e@108-95-189-245.lightspeed.irvnca.sbcglobal.net) |
| 03:31.29 | Samot | Show the output from the debug |
| 03:31.52 | Reinhilde | This is a problem that every public-facing Asterisk admin has - they get hit and it's always their IP in the RHS of the authentication failure, so they end up blocking themselves, or they could block some innocent user |
| 03:32.48 | FuriousGeorge | Samot: i can get more in one shot, just gotta set up keys in putty or something. google |
| 03:32.51 | FuriousGeorge | 's console is bad |
| 03:32.51 | FuriousGeorge | https://pastebin.com/b62WakBd |
| 03:33.00 | FuriousGeorge | i guess not that bad for a web based terminal though |
| 03:33.17 | FuriousGeorge | i see an external IP |
| 03:33.31 | FuriousGeorge | ofc, i was assuming it was coming from external, so that doesn't really help |
| 03:33.32 | Samot | Right |
| 03:33.44 | Samot | <sip:10061000@104.196.159.95>;tag=955610318 <-- That is the From Header. |
| 03:33.47 | FuriousGeorge | i could manually drop packets from there, but is there a better way |
| 03:33.54 | FuriousGeorge | ? |
| 03:34.03 | FuriousGeorge | I'm in the from header |
| 03:34.04 | Samot | The FROM header. |
| 03:34.14 | Samot | Yes, as the FROM DOMAIN. |
| 03:34.36 | FuriousGeorge | i just spun up the GCE instance. you need rsa keys to connect |
| 03:34.36 | Samot | Which means they have your IP and have it in their HOST section of their PBX/device. |
| 03:34.37 | Samot | Via: SIP/2.0/UDP 185.53.88.23:55415;branch=z9hG4bK668742547;received=185.53.88.23;rport=55415 |
| 03:34.45 | Samot | That is where it is coming from. |
| 03:34.46 | FuriousGeorge | o i c |
| 03:34.56 | Samot | FuriousGeorge: Do you think your IP hasn't been used before? |
| 03:35.14 | Samot | Do you think that major VM providers aren't being scanned for people with poor firewalls? |
| 03:35.19 | Reinhilde | I don't know what the problem is. Samot for seemingly being on psychoactive drugs that have fried his brain, or FuriousGeorge for not researching SIP protocol basics. |
| 03:35.20 | FuriousGeorge | Samot: not by me. i generated it for this VM. it's possible someone else had and released it. very possible |
| 03:35.36 | Samot | OK so right now someone is trying to send calls to your PBX. |
| 03:35.46 | Samot | Since there is no peer for them they are being rejected. |
| 03:35.55 | Samot | Since they are being rejected, fail2bain is finding that in the log. |
| 03:36.06 | FuriousGeorge | Reinhilde: this hardly seems basic. |
| 03:36.16 | Reinhilde | My read on it is this: This is benign and you do not need to react to the matter unless your passwords are weak. |
| 03:36.20 | FuriousGeorge | Samot: with you so far |
| 03:36.36 | Reinhilde | turns into a predictive text enghine |
| 03:36.41 | Samot | This is not benign because it's Chan_SIP. |
| 03:36.42 | FuriousGeorge | Reinhilde: benign aside from rendering my console useless |
| 03:36.51 | Samot | Which can be grounded to a halt with an attack. |
| 03:37.10 | FuriousGeorge | yeaj, no bueno |
| 03:37.42 | Samot | Are the phones at someplace with a static IP(s)? |
| 03:37.47 | FuriousGeorge | i could very easily get a new ip, too. this is mostly academic on my side |
| 03:37.55 | Reinhilde | in my experience, using a nonstandard port significantly reduces the density of failed auth noticesn. |
| 03:37.55 | Samot | That's not going to matter. |
| 03:38.01 | FuriousGeorge | Samot: they are not, but im not sure it matters |
| 03:38.12 | Samot | It does |
| 03:38.17 | Samot | Because if they had static IPs.. |
| 03:38.21 | FuriousGeorge | Reinhilde: if i go to port 5080 everything stops |
| 03:38.26 | Samot | You could close the system off to every but those IPs. |
| 03:38.36 | Reinhilde | FuriousGeorge: then tell your clients to use that port as the SIP registrar port |
| 03:39.01 | Reinhilde | alternatively, if you use DNS and SRV records, you can set your SRV record to use the nonstandard port. |
| 03:39.17 | FuriousGeorge | the main location is already dynamic, then they gonna want mobile clients... i can see that getting annoying |
| 03:39.32 | FuriousGeorge | that's a good idea |
| 03:40.01 | Reinhilde | at the WORST, as samot says, this is likely to be a DoS problem, not a toll fraud problem. |
| 03:40.23 | Reinhilde | (unless you've jacked up your guest configuration, WHILE allowing guests) |
| 03:41.19 | FuriousGeorge | i think i'll change the port and ip and continue to monitor it |
| 03:41.36 | FuriousGeorge | would be nice if asterisk could handle this situation for me in a future release |
| 03:41.46 | Samot | iptables would handle this |
| 03:41.52 | Samot | Like on any other SIP box. |
| 03:41.53 | FuriousGeorge | im using them |
| 03:41.56 | Samot | er linux box |
| 03:42.01 | Samot | No, you're using fail2ban |
| 03:42.10 | Samot | Which writes to iptables after the fact. |
| 03:42.28 | Reinhilde | that's obviously not working for this person |
| 03:42.39 | FuriousGeorge | which runs ip tables. here's where im not understanding you: they are attacking on the same port my clients are using. how does blocking that port solve the issue if now my clients are blocked too? |
| 03:42.51 | Samot | I didn't say block that port. |
| 03:42.56 | Samot | I said you needed better firewalling. |
| 03:43.06 | Samot | fail2ban is not suited for that. |
| 03:43.45 | FuriousGeorge | could you flesh that out a bit. im getting hit on port 5060, and my clients are also using 5060. What would i do in my better firewall to resolve that? |
| 03:44.18 | Samot | Use rate limiting |
| 03:44.26 | Samot | Block unwanted subnets. |
| 03:44.34 | Samot | Do you need your entire machine open to the world? |
| 03:45.37 | FuriousGeorge | there should be a blacklist of bad subnets somewhere, no? i know lists like these are maintained for other purposes |
| 03:46.00 | Samot | Well there are bogon lists of bad IPs. |
| 03:47.32 | Samot | But I'm talking a bit broader. |
| 03:47.38 | FuriousGeorge | rate limiting is gonna be an issue with the client's main location using dynamic ips |
| 03:47.44 | Samot | For example, I only have users in ARIN IP space. |
| 03:47.48 | Samot | No it's not. |
| 03:47.51 | Samot | That's the point. |
| 03:48.11 | Samot | You're rating limiting the incoming request... |
| 03:48.30 | Samot | How many INVITES do they need to send in a 60 seconds? |
| 03:51.28 | FuriousGeorge | Samot: thanks for the help. im going to start employing some of your suggestions in general |
| 03:51.45 | Reinhilde | my view is that using a nonstandard port works to reduce the console clutter and flooding, but it is not more secure |
| 03:51.48 | FuriousGeorge | but especially for asterisk, which seems to be a magnet for miscreants of all sorts |
| 03:51.52 | FuriousGeorge | myself included |
| 03:51.52 | Samot | As I was saying, I only have users in ARIN IP space. |
| 03:51.57 | FuriousGeorge | i noticed that part |
| 03:51.57 | Samot | So I block everything else. |
| 03:52.04 | FuriousGeorge | that was my favorite |
| 03:52.15 | Samot | Now I only have to deal with those IPs. |
| 03:52.20 | Samot | And not the entire world. |
| 03:53.02 | FuriousGeorge | makes sense |
| 03:53.04 | FuriousGeorge | thanks for the help |
| 04:37.52 | FuriousGeorge | Samot: not to beat a dead horse, but rate limiting and a firewall would not stop someone from forcing you to ban yourself |
| 04:38.08 | FuriousGeorge | unless you have really liberal fail2ban settings, or you don't use fail2ban |
| 04:38.17 | Samot | I don't use fail2ban. |
| 04:38.24 | Samot | I like to stop the stuff as it happens. |
| 04:38.32 | Samot | Not later. |
| 04:38.50 | FuriousGeorge | i maen, if you have enough servers you are doing that full time. they are magnets |
| 04:39.04 | Samot | It's what I do full time. |
| 04:39.38 | FuriousGeorge | fair enough |
| 04:40.52 | FuriousGeorge | a lot of people do use fail2ban with aserieks, however, if for no other reason than because (rightly or wrongly) a lot of docs recommend it |
| 04:41.10 | FuriousGeorge | s/asereks/\* |
| 04:41.24 | Samot | The first thing Asterisk does when under load is stop low level things. |
| 04:41.28 | Samot | Logging is low level. |
| 04:41.46 | Samot | How can fail2ban do anything if the attack has rendering logging useless? |
| 04:43.00 | Samot | You should be asking yourself "Why is fail2ban banning the IP in the from domain instead of the actual source IP" |
| 04:43.38 | Samot | The SIP debug clearly showed the correct source IP multiple locations. |
| 04:44.56 | FuriousGeorge | my assessment of the situation was that the logs were omitting some information... as if I were looking at a smtp server log and saw an auth fail for myuser@mydomain.com, but not seeing the source ip |
| 04:45.18 | FuriousGeorge | the explanation of the hosts file was no where near where my head was at. ive seen a lot of things, just not that |
| 04:45.22 | Samot | You should check those settings. |
| 04:45.29 | FuriousGeorge | the host file on the attacking side* |
| 04:46.31 | FuriousGeorge | but, that said, i knew i could change the port or ip, and make it stop. i knew it was originating outside my domain, despite having my ip in there |
| 04:46.48 | Reinhilde | FuriousGeorge: then tell your clients to use an odd port |
| 04:46.51 | Reinhilde | the one that you change to |
| 04:46.56 | Samot | It's not originating from your IP |
| 04:47.27 | FuriousGeorge | Reinhilde: they'd look at me funny. i just put stuff in for them or tell them what to do. they actually don't like explainations |
| 04:47.42 | FuriousGeorge | Samot: meant to say was NOT |
| 04:48.19 | Reinhilde | FuriousGeorge: don't need to explain anything to say "use an odd port" |
| 04:48.30 | FuriousGeorge | hence changing the IP or port would resolve |
| 04:48.46 | Samot | Changing the IP will just mean it's another IP being attacked. |
| 04:48.50 | Samot | Or scanned. |
| 04:48.52 | FuriousGeorge | Reinhilde: i thought you meant literally tell them we are using a non-default port |
| 04:48.58 | Samot | It is just what happens, you need to accept it. |
| 04:49.09 | FuriousGeorge | like death and taxes |
| 04:49.20 | Samot | It's like any other Internet facing system. |
| 04:49.30 | Samot | It will be scanned and attempts will be made on it. |
| 04:50.10 | *** join/#asterisk gerhard7 (~gerhard7@ip5657ee30.direct-adsl.nl) |
| 04:50.14 | Samot | Relying on non-standard ports is a false flag of security. |
| 04:50.27 | Samot | While they may not be scanned as often or as much, they are still scanned. |
| 04:51.14 | Reinhilde | Samot: It's scanned less. It's not security we're going for, but admin convenience. |
| 04:51.24 | Reinhilde | I know full well that my Asterisk is just as exploitable on pt 5022 as on port 5060 |
| 04:51.36 | FuriousGeorge | i mentioned at the time that it wasn't much of a fix, hence why i was here, but in general it can't hurt as part of a comprehensive plan |
| 04:51.45 | Samot | That's a poor sacrifice. |
| 04:54.16 | Samot | FuriousGeorge: No, it can't hurt. It just can't be the only thing. |
| 04:56.59 | Reinhilde | I voluntarily allow guests knowing that it is more exploitable than not. |
| 04:57.15 | Samot | Yeah, those are things I just don't do. |
| 04:57.35 | Samot | Those types of things don't pass security audits. |
| 05:00.19 | *** join/#asterisk yokel (~yokel@unaffiliated/contempt) |
| 05:00.50 | Samot | Admin convenience for me is nothing having my usage costs blown through the sky, or risk having peers shut down with upstream's due to fraud activity. Specially not having to explain to end users why calls aren't working. |
| 05:04.04 | Samot | I even have a layer of security checks for end user devices despite even if it is coming from a trusted IP/domain. |
| 05:04.24 | Samot | Because end user devices can be compromised. |
| 05:05.36 | Samot | I had an end user's PBX get hacked a few weeks back, not only didn't calls not go through because they didn't have International calling rights but it shut down all their calling because they raised flags. |
| 05:43.42 | *** join/#asterisk lankanmon (~LKNnet@CPE64777d632383-CM64777d632380.cpe.net.cable.rogers.com) |
| 06:15.41 | *** join/#asterisk pchero_work (~pchero@87.213.247.82) |
| 06:16.22 | *** join/#asterisk twanny796 (~user@antazzo.com) |
| 06:56.50 | *** join/#asterisk hehol (~hehol@gatekeeper.loca.net) |
| 07:06.31 | *** join/#asterisk wdoekes (~walter@wjd.osso.nl) |
| 07:06.31 | *** mode/#asterisk [+o wdoekes] by ChanServ |
| 07:15.06 | *** join/#asterisk derPlexus (~plexus@81.173.204.226) |
| 07:15.40 | *** join/#asterisk alexandre9099 (~alexandre@unaffiliated/alexandre9099) |
| 07:35.38 | *** join/#asterisk lwlvl (~lwlvl@2a01:4f9:c010:328e::1) |
| 07:38.19 | lwlvl | I'm trying to determine the status of a extension with for example ${EXTENSION_STATE(202@internal)}. I also have a hint in "internal" (exten => 202,hint,SIP/jan). The problem is, that since asterisk 13 hints are not updated if nobody subscribed to them - which is the case for that hint. Any suggestions how to solve this? |
| 08:12.55 | *** join/#asterisk MoonTide (~NiHola@unaffiliated/liuyan) |
| 08:13.33 | *** join/#asterisk jkroon (~jkroon@165.16.203.58) |
| 09:49.59 | *** join/#asterisk ircarcs (~quassel@169.9.159.77.rev.sfr.net) |
| 11:02.04 | *** join/#asterisk lankanmon (~LKNnet@CPE64777d632383-CM64777d632380.cpe.net.cable.rogers.com) |
| 11:51.15 | *** join/#asterisk twanny796 (~user@antazzo.com) |
| 13:09.21 | *** join/#asterisk [TK]D-Fender (~joe@216.191.106.165) |
| 13:15.44 | *** join/#asterisk lankanmon (~LKNnet@CPE64777d632383-CM64777d632380.cpe.net.cable.rogers.com) |
| 13:21.55 | *** join/#asterisk scgm11_ (~scgm11@r186-50-148-227.dialup.adsl.anteldata.net.uy) |
| 13:47.29 | *** join/#asterisk scgm11_ (~scgm11@r186-50-148-227.dialup.adsl.anteldata.net.uy) |
| 13:58.21 | cusco | hey |
| 13:58.47 | cusco | what module is required for the ISNULL function? |
| 13:59.02 | cusco | (or where can I find that out?) |
| 14:05.17 | sibiria | you've probably disabled func_logic when configuring before building |
| 14:07.26 | cusco | ow? |
| 14:07.38 | cusco | I still have the output of the ./configure |
| 14:07.49 | cusco | what should I grep for? |
| 14:10.01 | sibiria | after configuring you're doing make menuselect i presume |
| 14:10.07 | sibiria | that's where oyu enabled/disable stuff to be built |
| 14:10.37 | sibiria | if not, just do "make menuselect" after configuring |
| 14:10.48 | sibiria | func_logic should be in the dial plan function section |
| 14:11.32 | cusco | yes I went trough make menu select |
| 14:11.46 | cusco | checking it out again |
| 14:12.27 | sibiria | don't forget to save changes before exiting |
| 14:12.29 | cusco | func_logic is enabled |
| 14:12.34 | cusco | so it means it was enabled before |
| 14:12.40 | cusco | so that is probably the module I need to load |
| 14:12.59 | sibiria | right so you autoload nothing in modules.conf, i guess... |
| 14:13.05 | cusco | ok got it |
| 14:13.06 | sibiria | that's a bit unusual |
| 14:13.12 | cusco | yea, optimizing.. lol |
| 14:13.34 | cusco | thank you sibiria |
| 14:13.34 | sibiria | well this is the result ;) |
| 14:13.46 | sibiria | keep in mind that asterisk is very lean even if you autoload _everything_ |
| 14:13.52 | sibiria | very small memory footprint |
| 14:13.55 | cusco | sure, configure once.. but that once is troubleshoot over and over again |
| 14:14.17 | cusco | ow yes, but for a embeded system, I really want it to be cut short |
| 14:21.03 | *** join/#asterisk ghoti (~paul@glphon2233w-grc-09-184-145-52-216.dsl.bell.ca) |
| 14:46.15 | *** join/#asterisk kessius (bb079dca@187-7-157-202.3g.brasiltelecom.net.br) |
| 15:00.47 | sibiria | mhm |
| 15:01.30 | sibiria | the x86-64 asterisk build on my test system, which builds with everything more or less, and autloads everything, uses less than 100mb of ram |
| 15:13.48 | sibiria | with the whole OS running, that is - asterisk itself takes up only ~30mb of RAM |
| 15:28.48 | *** join/#asterisk sumic (abd48c48@171.212.140.72) |
| 15:29.07 | sumic | hi everyone~ |
| 15:30.34 | sumic | how can i get the "hoard" packeg? |
| 15:31.10 | sumic | "hoard" package |
| 15:31.11 | *** join/#asterisk mahafyi (~quassel@103.195.203.44) |
| 15:33.38 | mahafyi | Hello, for setting externip , does the packets actually have to be routed from that IP addr , or can one have a externip where inbound port fwding is setup, but the actual source IP address is different? configuring some firewall and had this doubt |
| 15:34.24 | mahafyi | happy July 4th to all in USA! |
| 15:34.48 | Samot | Well the external IP is how they communicate with you |
| 15:34.57 | Samot | So the the source IP route back to the PBX? |
| 15:35.14 | mahafyi | yes, the externip routes back to the asterisk box |
| 15:38.57 | sumic | Samot: could you help me? i cann't find "hoard" package |
| 15:39.11 | Samot | What hoard pacakage? |
| 15:39.14 | Samot | What hoard package? |
| 15:40.08 | sumic | "/home/asterisk-16.4.0/contrib/scripts/install_prereq test |
| 15:41.33 | sumic | Samot: i'm using CentOS release 6.10 (Final) |
| 15:42.34 | Samot | Shrug. |
| 15:42.37 | Samot | I don't use it. |
| 16:14.54 | *** join/#asterisk derPlexus (~plexus@81.173.204.226) |
| 16:18.52 | *** join/#asterisk scgm11_ (~scgm11@r186-50-148-227.dialup.adsl.anteldata.net.uy) |
| 16:31.22 | *** join/#asterisk gerhard7 (~gerhard7@ip5657ee30.direct-adsl.nl) |
| 16:40.00 | *** join/#asterisk ganbold (~ganbold@202.21.108.200) |
| 16:51.37 | qakhan | hi all, my customer is using rrmemory as strategy in Q1 and Q2. |
| 16:51.37 | qakhan | queue members are Local/3001@agent, Local/3002@agent, Local/3003@agent and Local/3004@agent. |
| 16:51.37 | qakhan | Local/3001@agent and Local/3002@agent penalty 0 in Q1 and Local/3003@agent and Local/3004@agent penalty 5 in Q1 |
| 16:51.37 | qakhan | Local/3001@agent and Local/3002@agent penalty 5 in Q2 and Local/3003@agent and Local/3004@agent penalty 0 in Q2 |
| 16:51.37 | qakhan | now the requirement is if penalty 0 agents are busy (on the call) donât send a new call to them and send a new call to penalty 5 agents. |
| 16:51.37 | qakhan | if penalty 5 agents are also busy (on the call) then send a new call to penalty 0 agents even though penalty 0 agents are already on the call (busy). |
| 16:55.41 | *** join/#asterisk dacod (~dacod@187.103.104.42) |
| 17:09.45 | *** join/#asterisk mducharme (uid303982@gateway/web/irccloud.com/x-rsgqenogwhyvitnw) |
| 17:16.18 | qakhan | I have limited 1 call to an agent at a time. I need to send a new call to agents who are already on the call. |
| 17:24.19 | *** join/#asterisk hfb (~hfb@cpe-108-185-247-93.socal.res.rr.com) |
| 17:43.29 | *** join/#asterisk ganbold (~ganbold@202.21.108.106) |
| 17:49.28 | *** join/#asterisk jkroon (~jkroon@165.16.203.105) |
| 17:54.15 | *** join/#asterisk scgm11_ (~scgm11@r186-50-148-227.dialup.adsl.anteldata.net.uy) |
| 18:09.09 | *** join/#asterisk twanny796 (~user@antazzo.com) |
| 18:20.59 | *** join/#asterisk scgm11_ (~scgm11@r186-50-148-227.dialup.adsl.anteldata.net.uy) |
| 18:51.59 | qakhan | any thought on my question |
| 18:58.53 | Samot | Nope |
| 19:00.06 | qakhan | does queue support this ringing strategy? or can we do something about it |
| 19:00.29 | Samot | Well the ring strategy is rrmemory |
| 19:00.33 | Samot | So yes, it supports that. |
| 19:01.35 | qakhan | i am current using rrmemory, but main objective is to send 1 call to each the agent at a time. but if all agents are busy then send new calls to busy agents |
| 19:07.38 | Samot | Well 3001 and 3002 are going to be called first. |
| 19:07.44 | Samot | Then 3003 and 3004 |
| 19:07.55 | Samot | Then rinse repeat. |
| 19:19.02 | qakhan | yes thats what is happening rightnow. but if all agents are busy then the send calls to 3001 and 3002 and the 3003 and 3004 |
| 19:21.01 | Samot | Doesn't it retry them? |
| 19:29.33 | qakhan | 1 requirment is, if 3001 is on the call dont send second to 3001. send it to 3002 and so on. |
| 19:32.12 | qakhan | now all agents are on the call. according to 1st requirment no agent should receive second call. but since all agents are busy (on the call) now start sending second call to in same rrmemory fashion to 3001 then 3002 and so on |
| 19:33.31 | *** join/#asterisk pchero_work (~pchero@dhcp-077-249-058-090.chello.nl) |
| 19:40.41 | *** join/#asterisk scgm11_ (~scgm11@r186-50-148-227.dialup.adsl.anteldata.net.uy) |
| 19:51.40 | [TK]D-Fender | <qakhan> any thought on my question <- you didn't even ask one |
| 19:52.05 | [TK]D-Fender | wait... |
| 19:52.13 | [TK]D-Fender | think I missed something in there... |
| 19:59.15 | Samot | It's the same thing he's posted for a day or so. |
| 20:53.50 | *** join/#asterisk Typhon (~Typhon@dslb-084-056-167-098.084.056.pools.vodafone-ip.de) |
| 21:01.40 | *** join/#asterisk twanny796 (~user@antazzo.com) |
| 21:22.08 | *** join/#asterisk mducharme (uid303982@gateway/web/irccloud.com/x-ikhwierklfrxxwzp) |
| 21:26.58 | *** join/#asterisk [TK]D-Fender (~joe@64.235.216.2) |
| 22:07.51 | *** join/#asterisk tomaluca95 (~quassel@kde/developer/tomaluca) |
| 22:24.34 | *** join/#asterisk pa (~pa@unaffiliated/pa) |