07-24-2013 12:29 AM - edited 03-18-2019 01:30 AM
Dear Experts,
I have a VCS Starter Pack Express and I want to make it more secure than it is. Someone tries to log in all the time,
and someone tries to call through the VCS-E all the time.
How can I make the VCS secure for all these scenarios? Is there a "Security Guide" to prevent all these attacks?
2013-07-21T09:00:55+02:00 | sshd[32491]: error: PAM: Authentication failure for illegal user ernesto from 187.0.77.2 |
2013-07-21T09:00:55+02:00 | sshd[32492]: Event="sshd" Module="openssh" Level="INFO" Detail="Postponed keyboard-interactive for invalid user ernesto from 187.0.77.2 port 47719 ssh2" UTCTime="2013-07-21 07:00:55" |
2013-07-21T09:00:55+02:00 | sshd[32492]: Event="sshd" Module="openssh" Level="INFO" Detail="input_userauth_request: invalid user ernesto" UTCTime="2013-07-21 07:00:55" |
2013-07-21T09:00:55+02:00 | sshd[32491]: Event="sshd" Module="openssh" Level="INFO" Detail="Invalid user ernesto from 187.0.77.2" UTCTime="2013-07-21 07:00:55" |
2013-07-21T09:00:53+02:00 | sshd[32491]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47719" UTCTime="2013-07-21 07:00:53" |
2013-07-21T09:00:53+02:00 | sshd[32491]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2013-07-21 07:00:53" |
2013-07-21T09:00:53+02:00 | sshd[32486]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 187.0.77.2: 11: Bye Bye" UTCTime="2013-07-21 07:00:53" |
2013-07-21T09:00:52+02:00 | sshd[32485]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for invalid user oracle from 187.0.77.2 port 47586 ssh2" UTCTime="2013-07-21 07:00:52" |
2013-07-21T09:00:52+02:00 | sshd[32485]: error: PAM: Authentication failure for illegal user oracle from 187.0.77.2 |
2013-07-21T09:00:52+02:00 | sshd[32486]: Event="sshd" Module="openssh" Level="INFO" Detail="Postponed keyboard-interactive for invalid user oracle from 187.0.77.2 port 47586 ssh2" UTCTime="2013-07-21 07:00:52" |
2013-07-21T09:00:52+02:00 | sshd[32486]: Event="sshd" Module="openssh" Level="INFO" Detail="input_userauth_request: invalid user oracle" UTCTime="2013-07-21 07:00:52" |
2013-07-21T09:00:52+02:00 | sshd[32485]: Event="sshd" Module="openssh" Level="INFO" Detail="Invalid user oracle from 187.0.77.2" UTCTime="2013-07-21 07:00:52" |
2013-07-21T09:00:50+02:00 | sshd[32485]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47586" UTCTime="2013-07-21 07:00:50" |
2013-07-21T09:00:50+02:00 | sshd[32485]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2013-07-21 07:00:50" |
2013-07-21T09:00:49+02:00 | sshd[32478]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 187.0.77.2: 11: Bye Bye" UTCTime="2013-07-21 07:00:49" |
2013-07-21T09:00:49+02:00 | sshd[32475]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for root from 187.0.77.2 port 47349 ssh2" UTCTime="2013-07-21 07:00:49" |
2013-07-21T09:00:49+02:00 | sshd[32475]: error: PAM: Authentication failure for root from 187.0.77.2 |
2013-07-21T09:00:49+02:00 | sshd[32478]: Event="sshd" Module="openssh" Level="INFO" Detail="Postponed keyboard-interactive for root from 187.0.77.2 port 47349 ssh2" UTCTime="2013-07-21 07:00:49" |
2013-07-21T09:00:47+02:00 | sshd[32475]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47349" UTCTime="2013-07-21 07:00:47" |
2013-07-21T09:00:47+02:00 | sshd[32475]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2013-07-21 07:00:47" |
2013-07-21T09:00:43+02:00 | sshd[32470]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 187.0.77.2: 11: Bye Bye" UTCTime="2013-07-21 07:00:43" |
2013-07-21T09:00:43+02:00 | sshd[32468]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for invalid user sidney from 187.0.77.2 port 47237 ssh2" UTCTime="2013-07-21 07:00:43" |
2013-07-21T09:00:43+02:00 | sshd[32468]: error: PAM: Authentication failure for illegal user sidney from 187.0.77.2 |
2013-07-21T09:00:42+02:00 | sshd[32470]: Event="sshd" Module="openssh" Level="INFO" Detail="Postponed keyboard-interactive for invalid user sidney from 187.0.77.2 port 47237 ssh2" UTCTime="2013-07-21 07:00:42" |
2013-07-21T09:00:42+02:00 | sshd[32470]: Event="sshd" Module="openssh" Level="INFO" Detail="input_userauth_request: invalid user sidney" UTCTime="2013-07-21 07:00:42" |
2013-07-21T09:00:42+02:00 | sshd[32468]: Event="sshd" Module="openssh" Level="INFO" Detail="Invalid user sidney from 187.0.77.2" UTCTime="2013-07-21 07:00:42" |
2013-07-21T09:00:40+02:00 | sshd[32468]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47237" UTCTime="2013-07-21 07:00:40" |
2013-07-21T09:00:40+02:00 | sshd[32468]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2013-07-21 07:00:40" |
2013-07-21T09:00:40+02:00 | sshd[32464]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 187.0.77.2: 11: Bye Bye" UTCTime="2013-07-21 07:00:40" |
2013-07-21T09:00:39+02:00 | sshd[32463]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for root from 187.0.77.2 port 47125 ssh2" UTCTime="2013-07-21 07:00:39" |
2013-07-21T09:00:39+02:00 | sshd[32463]: error: PAM: Authentication failure for root from 187.0.77.2 |
2013-07-21T09:00:39+02:00 | sshd[32464]: Event="sshd" Module="openssh" Level="INFO" Detail="Postponed keyboard-interactive for root from 187.0.77.2 port 47125 ssh2" UTCTime="2013-07-21 07:00:39" |
2013-07-21T09:00:37+02:00 | sshd[32463]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47125" UTCTime="2013-07-21 07:00:37" |
2013-07-21T09:00:37+02:00 | sshd[32463]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2013-07-21 07:00:37" |
2013-07-21T09:00:37+02:00 | sshd[32458]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 187.0.77.2: 11: Bye Bye" UTCTime="2013-07-21 07:00:37" |
2013-07-21T09:00:36+02:00 | sshd[32457]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for root from 187.0.77.2 port 47006 ssh2" UTCTime="2013-07-21 07:00:36" |
2013-07-21T09:00:36+02:00 | sshd[32457]: error: PAM: Authentication failure for root from 187.0.77.2 |
Thanks
Klaus
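As an added example (not part of Klaus's post and not Cisco VCS code), the script below parses sshd lines in the format quoted above and flags any source address that accumulates repeated failed logins within a short window, which is the kind of evidence you would feed into a firewall block list. The sample lines are constructed from the ones quoted above plus one invented address from the 192.0.2.0/24 documentation range for contrast; the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a subset of the VCS-E sshd lines quoted in the question,
# plus one single failure from a documentation address (192.0.2.10) that
# should not be flagged.
SAMPLE_LOG = """\
2013-07-21T09:00:55+02:00 | sshd[32491]: error: PAM: Authentication failure for illegal user ernesto from 187.0.77.2 |
2013-07-21T09:00:52+02:00 | sshd[32485]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for invalid user oracle from 187.0.77.2 port 47586 ssh2" UTCTime="2013-07-21 07:00:52" |
2013-07-21T09:00:52+02:00 | sshd[32485]: error: PAM: Authentication failure for illegal user oracle from 187.0.77.2 |
2013-07-21T09:00:49+02:00 | sshd[32475]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for root from 187.0.77.2 port 47349 ssh2" UTCTime="2013-07-21 07:00:49" |
2013-07-21T09:00:49+02:00 | sshd[32475]: error: PAM: Authentication failure for root from 187.0.77.2 |
2013-07-21T09:00:43+02:00 | sshd[32468]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for invalid user sidney from 187.0.77.2 port 47237 ssh2" UTCTime="2013-07-21 07:00:43" |
2013-07-21T09:00:40+02:00 | sshd[32468]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47237" UTCTime="2013-07-21 07:00:40" |
2013-07-21T09:00:39+02:00 | sshd[32463]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for root from 187.0.77.2 port 47125 ssh2" UTCTime="2013-07-21 07:00:39" |
2013-07-21T09:00:36+02:00 | sshd[32457]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for root from 187.0.77.2 port 47006 ssh2" UTCTime="2013-07-21 07:00:36" |
2013-07-21T08:55:00+02:00 | sshd[32001]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for admin from 192.0.2.10 port 50000 ssh2" UTCTime="2013-07-21 06:55:00" |
"""

# Each failed attempt produces both a 'Failed keyboard-interactive/pam' line and a
# 'PAM: Authentication failure' line; counting only the former avoids doubling.
FAILED_RE = re.compile(
    r'^(?P<ts>\S+) \| sshd\[\d+\]: .*Detail="Failed keyboard-interactive/pam for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+'
)


def parse_failures(text):
    """Return a chronologically sorted list of (timestamp, user, ip) per failed attempt."""
    out = []
    for line in text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m.group("ts"))  # keeps the +02:00 offset
            out.append((ts, m.group("user"), m.group("ip")))
    return sorted(out)


def brute_force_sources(failures, threshold=3, window_seconds=60):
    """Return {ip: {"count": total, "users": [...]}} for every source IP that
    reaches `threshold` failures inside any sliding window of `window_seconds`.
    Threshold and window are assumed values, not VCS settings."""
    window = timedelta(seconds=window_seconds)
    by_ip = defaultdict(list)
    for ts, user, ip in failures:
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {"count": len(events),
                               "users": sorted({u for _, u in events})}
                break
    return flagged


def blocklist(text, threshold=3, window_seconds=60):
    """Sorted list of source IPs worth filtering at the firewall in front of the VCS-E."""
    return sorted(brute_force_sources(parse_failures(text), threshold, window_seconds))


if __name__ == "__main__":
    for ip, info in brute_force_sources(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {info['count']} failed logins, usernames tried: {', '.join(info['users'])}")
```

Run against the sample, the 187.0.77.2 address is reported with five failures against three usernames within sixteen seconds, while the single failure from 192.0.2.10 is ignored.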
07-24-2013 01:03 AM
07-24-2013 01:57 AM
Also see:
https://supportforums.cisco.com/thread/2092832
https://supportforums.cisco.com/message/3929888
/jens
Please rate replies and mark question(s) "Answered" if applicable.
07-24-2013 10:33 AM
Klaus,
For the SSH issues, I highly recommend making sure the VCS-E is behind a firewall that filters unwanted SSH connections.
For the SIP messages, the vast majority of people attempting to access your system via SIP will do so via the UDP protocol. For this reason, I would recommend disabling SIP UDP.
However, this will not block all of the unwanted calls. The best thing to do would be to write a CPL blocking calls that you do not want to allow in. The important thing to keep in mind when using CPL to reject calls is that the authentication flag on incoming messages is very important. Unless you have a neighbor/Traversal zone that shares an IP address with the incoming calls, the calls will be seen as coming in on the default zone.
Assuming that these calls are coming in on the default zone (they almost always are)...
If the default zone is set to do not check credentials, the messages will come in as unauthenticated.
If the default zone is set to treat as authenticated, the messages will come in as authenticated.
If the default zone is set to check credentials, the VCS will demand a username/password for these messages before processing them.
My guess is that your VCS is currently set to check credentials on the default zone, which would explain all of the 407 messages. If the other side never responds with proper credentials, the VCS will never process the message and you probably have nothing to worry about.
If, however, the messages are being processed by the VCS, the messages will first go through any applicable transforms. After a transform is either applied or not, the VCS will check the request against a SIP route. If the message does not match a SIP route pattern, then the message will be checked against CPL.
The CPL is the point where the VCS can determine to reject or proxy messages. If CPL is enabled (VCS configuration > Call Policy > Configuration), then the VCS will enable the CPL check. For a beginning user, using a local CPL is highly recommended.
Once Local CPL is enabled, you can edit the rules specified in the CPL Wizard (VCS configuration > Call Policy > Rules) to either reject or proxy certain messages based on the authenticated source and destination.
This is where the authentication flag becomes important. The VCS will only match a specific source address if the request is authenticated. If the request is not authenticated, the VCS will consider the source to be blank. This only applies to the source. The destination is always the actual request URI in the SIP header.
So, if for instance, I wanted to block all unauthenticated calls that started with a 9, I would write a CPL with a blank source and a destination of "9.*".
If I wanted to block authenticated calls from sources that come from the cisco.com domain to any destination, I would write a CPL with a source of ".*@cisco\.com" and a destination of ".*".
".*" in regex means anything, but it is important to remember that ".*" in the source means any authenticated source. A ".*" in the source will not match any unauthenticated caller.
Finally, even with these security systems in place, you will still see people attempting to connect to your box on SIP. You should see all calls that you want to reject rejected with a 403 Forbidden message. If you do not see 403s, then make sure your security is properly configured (a 407 or 401 would also effectively stop the VCS from processing the message).
As this is a public internet facing box, people will attempt to send you messages. The only way around this would be to deploy a firewall to block ranges of addresses. It is the same with any public internet facing servers.
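As an added example (not part of the reply above and not Cisco VCS code), the Python model below reproduces the CPL matching semantics the reply describes: the destination is always the request URI, the source is the caller's address only when the request is authenticated and blank otherwise, and a ".*" source matches authenticated callers but never an unauthenticated one. The two rules from the reply are encoded as constructed tuples rather than real CPL XML; that a blank-source rule matches only unauthenticated requests is an assumption, and the trailing catch-all rule is added to show which unauthenticated calls slip past rules written with ".*".

```python
import re

# Constructed encoding of the reply's rules: (source_pattern, destination_pattern, action).
# First match wins, mirroring an ordered rule list.
RULES = [
    ("",               r"9.*", "reject"),   # unauthenticated calls to anything starting with 9
    (r".*@cisco\.com", r".*",  "reject"),   # authenticated callers from the cisco.com domain
    (r".*",            r".*",  "proxy"),    # any other *authenticated* caller
]

# Same rules plus an explicit blank-source rule that rejects every remaining
# unauthenticated request, the case the ".*" catch-all above does not cover.
RULES_STRICT = RULES[:2] + [("", r".*", "reject")] + RULES[2:]


def source_matches(src_pat, from_uri, authenticated):
    """Model the authentication flag described in the reply.

    Unauthenticated requests carry a blank source, so only a rule written
    with an empty source pattern can match them. In plain regex terms ".*"
    would also match an empty string, but on the VCS ".*" means "any
    authenticated source", so the regex is never applied to a blank source.
    Assumption: a blank-source rule matches unauthenticated requests only.
    """
    if not authenticated:
        return src_pat == ""
    if src_pat == "":
        return False
    return re.fullmatch(src_pat, from_uri) is not None


def evaluate(from_uri, request_uri, authenticated, rules=RULES):
    """Return the action of the first matching rule, or "no-match" if none applies.

    The destination check always uses the request URI, authenticated or not.
    """
    for src_pat, dst_pat, action in rules:
        if source_matches(src_pat, from_uri, authenticated) and \
                re.fullmatch(dst_pat, request_uri):
            return action
    return "no-match"


def sip_status(action):
    """SIP response the reply says a CPL rejection should produce (403 Forbidden)."""
    return 403 if action == "reject" else None


if __name__ == "__main__":
    # Constructed sample requests: (From address, request URI, authenticated?)
    samples = [
        ("scanner@198.51.100.7", "9001@vcs.example.com", False),
        ("bob@cisco.com",        "alice@example.com",    True),
        ("bob@example.com",      "9001@vcs.example.com", True),
        ("scanner@198.51.100.7", "1001@vcs.example.com", False),
    ]
    for frm, dst, auth in samples:
        print(f"{frm} -> {dst} auth={auth}: "
              f"RULES={evaluate(frm, dst, auth)}  RULES_STRICT={evaluate(frm, dst, auth, RULES_STRICT)}")
```

The last sample is the instructive one: an unauthenticated call to a destination that does not start with 9 matches none of the three rules from the reply, because the ".*" source never matches a blank source, whereas the RULES_STRICT list catches it with an explicit blank-source rule.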
07-24-2013 10:34 AM
Also, forgot to mention. CPLs are covered in detail on page 187 of the admin guide: