I need help, please


#1

tTrwW meaning? I was recently hacked (Elastix). Is there any way to know from which IP address the hacker connected? I have a box connected with DUNDi to another in the main office; calls were generated in the remote location and used the trunk of the main office. It is assumed that the local operator had blocked all calls to the outside. I’m new to this world, as in Asterisk.
Thank you.
ALLOW_SIP_ANON = yes? What is this? Is it OK?


#2

T: Allow the calling user to transfer the call by hitting the blind xfer keys (features.conf). Does not affect transfers initiated through other methods.

t: Allow the called user to transfer the call by hitting the blind xfer keys (features.conf). Does not affect transfers initiated through other methods.

W: Allow the calling user to start recording after pressing *1 or whatever is defined in features.conf (Asterisk v1.2.x); requires Set(DYNAMIC_FEATURES=automon)

w: Allow the called user to start recording after pressing *1 or whatever is defined in features.conf (Asterisk v1.2.x); requires Set(DYNAMIC_FEATURES=automon)

Use the wiki.

To ban IPs, use iptables, fail2ban or blockhost.


#3

ALLOW_SIP_ANON does not appear anywhere in Asterisk, so I guess it is something to do with Elastix.

As basic rules, you should not allow outgoing calls in your default context and you should set allowguest = no, unless you know you really need it.

You should also not use extension numbers as the names for local phones, in sip.conf, but Elastix may get in the way. You should ensure that all phone passwords are complex and different.


#4

I really appreciate your help, I really do, thank you very much.
I’ve been looking on the internet about those letters and I couldn’t find anything about them, believe me, I’ve tried.
If you have the link where you got those definitions I’ll be more than grateful, and if you could point me to a link where I could learn a little more about the macros, because I look at those lines and… Thank You Very Much From Honduras


#5

With Asterisk running, run:

from the shell prompt.

Enter the command:

The output from this, for Asterisk 1.4, is in Asterisk: The Future of Telephony, which can be downloaded from asteriskdocs.org/.


#6

I cannot thank you enough, but I’ll try. Thank YOU very very much. I’ll start my Asterisk training right away, hoping I can do for someone what you did for me. Thank you, from Honduras.


#7

If you want the IP address, you should consider looking in the Asterisk and gateway logs, based on the time and date of the incident. (Google is your friend). This sounds more like a network security issue than an Asterisk problem. I keep my external ports closed and do not forward any ports to VOIP services. Although all my VOIP services are free, I don’t like the idea of anyone mis-using my callerID: I don’t need a prankster to make a threatening call to anyone.

In the future, you may wish to consider learning Asterisk Security practices. Here’s a good place to start: http://tinyurl.com/3nw9yxn

My gateway (ASUS RT-N16 with Optware) blocks traffic from known ‘hacker states’ like China, Pakistan etc (an application called Asiablock). It also is able to block IP addresses (Stophammer) that use a brute-force \ flood attack. For more details check here:

http://www.dd-wrt.com/wiki/index.php/Optware%2C_the_Right_Way#Service_Explanations.2FConfiguration_Examples

Example:

[quote]17:15:00 athomehost optware.info stophammer: Check /var/log/messages
Jul 01 17:15:01 athomehost optware.info S98stophack: No entries found since last run
Jul 01 17:15:02 athomehost optware.info stophammer: 66.67.24.164 hammered 15 times (on ports 18402,) in the last 15 minutes, I will permanently block it in /opt/etc/iptables.hammer.rules
Jul 01 17:15:02 athomehost optware.info stophammer: 96.49.210.109 hammered 15 times (on ports 18402,) in the last 15 minutes, I will permanently block it in /opt/etc/iptables.hammer.rules
Jul 01 17:15:02 athomehost optware.info stophammer: 180.191.12.142 hammered 20 times (on ports 18402,) in the last 15 minutes, I will permanently block it in /opt/etc/iptables.hammer.rules
Jul 01 17:15:02 athomehost optware.info stophammer: reload chain because /opt/etc/iptables.hammer.rules has changed
Jul 01 17:20:01 athomehost optware.info S98stophack: Start monitoring /var/log/messages
Jul 01 17:20:03 athomehost optware.info S98stophack: No entries found since last run[/quote]
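
One way to do the log review suggested in #7, as an added example that is not part of the original thread: it tallies failed SIP registrations per source IP inside an incident time window. The log lines are constructed samples in the style of chan_sip NOTICE messages; the ISO timestamp format and the exact message wording are assumptions that vary with Asterisk version and logger.conf settings.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (documentation IP ranges), styled after chan_sip
# NOTICE messages in /var/log/asterisk/full. Assumption: ISO timestamps.
SAMPLE_LOG = """\
[2011-07-01 17:01:12] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2011-07-01 17:01:13] NOTICE[2211] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[2011-07-01 17:02:40] VERBOSE[2250] pbx.c: -- Executing [s@default:1] Answer("SIP/101-0000001a", "") in new stack
[2011-07-01 17:03:05] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7:5071' - Wrong password
[2011-07-01 17:04:59] NOTICE[2211] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.44' - Wrong password
[2011-07-01 19:30:00] NOTICE[2211] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.99' - Wrong password
"""

# The source address may be logged as 'ip' or 'ip:port' depending on version.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\].*?"
    r"Registration from '(?P<who>.*?)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def failed_registrations(lines, start, end):
    """Return {ip: {"count", "users", "reasons"}} for start <= time <= end."""
    hits = defaultdict(lambda: {"count": 0, "users": set(), "reasons": set()})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a failed-registration line
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if not (start <= ts <= end):
            continue  # outside the incident window
        entry = hits[m["ip"]]
        entry["count"] += 1
        user = re.search(r"sip:([^@>]+)@", m["who"])
        if user:
            entry["users"].add(user.group(1))  # account name that was tried
        entry["reasons"].add(m["reason"])
    return dict(hits)

def report(hits):
    """Sort sources by number of failures, busiest first."""
    return sorted(hits.items(), key=lambda kv: kv[1]["count"], reverse=True)

if __name__ == "__main__":
    window = (datetime(2011, 7, 1, 17, 0), datetime(2011, 7, 1, 17, 30))
    for ip, info in report(failed_registrations(SAMPLE_LOG.splitlines(), *window)):
        print(ip, info["count"], sorted(info["users"]), sorted(info["reasons"]))
```

A source that tries several account names in a short window is a candidate for the iptables or fail2ban blocking mentioned in #2; compare the result with the gateway logs for the same period.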


#8

Thank you for your help, I’ll start looking at those links you sent me. Thank you very much.