Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4546
Views
5
Helpful
4
Replies

Hack attack on VCS Express

Go to solution
Randy Watson
Level 1
Level 1

‎04-21-2015 12:53 AM - edited ‎03-18-2019 04:21 AM

Hi,

I have a hacker continually trying to hack our VCS and he (his robot) is not giving up. 

He arrives on our VCS express and or Control with id "cisco" and is trying to call over the communication manager dialing various combinations of numbers , I would like to simply add a CPL entry to block anything arriving with "cisco" 

Does anyone have an example of how to add a source like this in the cpl file and send him off into nirvana?

Any help would be appreciated.

Randy

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jens Didriksen
Level 9
Level 9
In response to Randy Watson

‎04-21-2015 03:58 PM

The one I uploaded should be used on the VCS-E since these call attempts are originating from the wild, this is where I also have ISDN blocks in place to prevent external sites from accessing our ISDN gateways.

However, I do not use CPL for that, only search rules, see page 39 of the deployment guide  http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Cisco-VCS-Basic-Configuration-Control-with-Expressway-Deployment-Guide-X8-5.pdf - having said that, there's obviously nothing wrong with using CPL. :)

Which one you use is neither here nor there, you'll have to edit it anyway :) - just open it in Notepad and insert the additional rules and upload on the VCS-E.

Both VCS-C and VCS-E use the same format, so to create a new rule you would do something like this:

<taa:rule authenticated-origin="insert pattern here" destination="insert pattern here">

<reject status="insert here" reason="insert here">

</taa:rule>

You don't need to specify the reason, but some times it is satisfying to send them a customised message even though they probably won't read or see it. :)

You should include a rule for unauthenticated origin as well though.

It's basic XML, each rule begins with <taa:rule and ends with </taa:rule>

There's quite a few threads in the Telepresence support forum about isdn toll fraud which may be of interest to you - this one shows how to break the dial string.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

 

Please rate replies and mark question(s) as "answered" if applicable.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jens Didriksen
Level 9
Level 9

‎04-21-2015 04:17 AM

This is a very well known issue; see https://supportforums.cisco.com/discussion/12336591/sourceh323idcisco-incomingcalls and https://supportforums.cisco.com/discussion/12473696/receiving-automatic-calls-cisco-name-continuously - there are some others as well.

You can block them with CPL, but they'll still fill up the call log unfortunately.

Attached part of cpl I, and others, are using. Change the reason to whatever you want. :)

/jens

Please rate replies and mark question(s) as "answered" if applicable.

Please rate replies and mark question(s) as "answered" if applicable.
cpl.zip

Go to solution
Randy Watson
Level 1
Level 1
In response to Jens Didriksen

‎04-21-2015 08:21 AM

Great to have such quick answers here!!

I kinda figured it would be known, I just hadn't put in the right search criteria to find them.

Jens, we currently have an active CPL on the vcs control for ISDN call-in abuse and would like to either edit this to include your suggestion or create a new one containing your recommendation and activate it on the Expressway.  What would you recommend??

If on Control, what is the proper format for additional rules/lines, the documents I have found only include simple 1 rule examples.

Thanks,

Randy

0 Helpful

Go to solution
Jens Didriksen
Level 9
Level 9
In response to Randy Watson

‎04-21-2015 03:58 PM

The one I uploaded should be used on the VCS-E since these call attempts are originating from the wild, this is where I also have ISDN blocks in place to prevent external sites from accessing our ISDN gateways.

However, I do not use CPL for that, only search rules, see page 39 of the deployment guide  http://www.cisco.com/c/dam/en/us/td/docs/telepresence/infrastructure/vcs/config_guide/X8-5/Cisco-VCS-Basic-Configuration-Control-with-Expressway-Deployment-Guide-X8-5.pdf - having said that, there's obviously nothing wrong with using CPL. :)

Which one you use is neither here nor there, you'll have to edit it anyway :) - just open it in Notepad and insert the additional rules and upload on the VCS-E.

Both VCS-C and VCS-E use the same format, so to create a new rule you would do something like this:

<taa:rule authenticated-origin="insert pattern here" destination="insert pattern here">

<reject status="insert here" reason="insert here">

</taa:rule>

You don't need to specify the reason, but some times it is satisfying to send them a customised message even though they probably won't read or see it. :)

You should include a rule for unauthenticated origin as well though.

It's basic XML, each rule begins with <taa:rule and ends with </taa:rule>

There's quite a few threads in the Telepresence support forum about isdn toll fraud which may be of interest to you - this one shows how to break the dial string.

/jens

Please rate replies and mark question(s) as "answered" if applicable.

 

Please rate replies and mark question(s) as "answered" if applicable.
0 Helpful

Go to solution
Randy Watson
Level 1
Level 1
In response to Jens Didriksen

‎04-23-2015 06:59 AM

Works quite well,

Thanks,

Randy

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents