cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2242
Views
10
Helpful
4
Replies

Secure VCS-E

kseewald
Level 1
Level 1

Dear Experts,

I have a VCS Starter Pack Express and I want to make it more secure as it is. Someone tries to login all the time.

and someone tries to call through the VCS-E all the time.

How can I make the VCS secure for all this scenarios - is there a "Security Guide" to prevent from all these attacks?

2013-07-24T07:01:34+02:00tvcs: UTCTime="2013-07-24 05:01:34,930" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5075" Detail="Sending Response Code=407, Method=INVITE, To=sip:900972597037633@91.112.39.12, Call-ID=a6c877a24009bc47a3d7e1bf1b28fbeb"
2013-07-24T07:01:32+02:00tvcs: UTCTime="2013-07-24 05:01:32,850" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5078" Detail="Sending Response Code=407, Method=INVITE, To=sip:600972597037633@91.112.39.12, Call-ID=75e36369cd673ea44c1fe71a934d79a3"
2013-07-24T07:01:30+02:00tvcs: UTCTime="2013-07-24 05:01:30,930" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5075" Detail="Sending Response Code=407, Method=INVITE, To=sip:900972597037633@91.112.39.12, Call-ID=a6c877a24009bc47a3d7e1bf1b28fbeb"
2013-07-24T07:01:28+02:00tvcs: UTCTime="2013-07-24 05:01:28,850" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5078" Detail="Sending Response Code=407, Method=INVITE, To=sip:600972597037633@91.112.39.12, Call-ID=75e36369cd673ea44c1fe71a934d79a3"
2013-07-24T07:01:27+02:00tvcs: UTCTime="2013-07-24 05:01:27,920" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5078" Detail="Sending Response Code=407, Method=INVITE, To=sip:00972597037633@91.112.39.12, Call-ID=edd68eae2a85248c2f18fae53acd271c"
2013-07-24T07:01:26+02:00tvcs: UTCTime="2013-07-24 05:01:26,930" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5075" Detail="Sending Response Code=407, Method=INVITE, To=sip:900972597037633@91.112.39.12, Call-ID=a6c877a24009bc47a3d7e1bf1b28fbeb"
2013-07-24T07:01:25+02:00tvcs: UTCTime="2013-07-24 05:01:25,140" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5083" Detail="Sending Response Code=407, Method=INVITE, To=sip:+000972597037633@91.112.39.12, Call-ID=6cfae6864af5fd0f3513ef8d86100e34"
2013-07-24T07:01:24+02:00tvcs: UTCTime="2013-07-24 05:01:24,850" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5078" Detail="Sending Response Code=407, Method=INVITE, To=sip:600972597037633@91.112.39.12, Call-ID=75e36369cd673ea44c1fe71a934d79a3"
2013-07-24T07:01:23+02:00tvcs: UTCTime="2013-07-24 05:01:23,920" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5078" Detail="Sending Response Code=407, Method=INVITE, To=sip:00972597037633@91.112.39.12, Call-ID=edd68eae2a85248c2f18fae53acd271c"
2013-07-24T07:01:22+02:00tvcs: UTCTime="2013-07-24 05:01:22,930" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5075" Detail="Sending Response Code=407, Method=INVITE, To=sip:900972597037633@91.112.39.12, Call-ID=a6c877a24009bc47a3d7e1bf1b28fbeb"
2013-07-24T07:01:21+02:00tvcs: UTCTime="2013-07-24 05:01:21,140" Module="network.sip" Level="INFO": Dst-ip="204.12.251.66" Dst-port="5083" Detail="Sending Response Code=407, Method=INVITE, To=sip:+000972597037633@91.112.39.12, Call-ID=6cfae6864af5fd0f3513ef8d86100e34"

                  

2013-07-23T20:47:14+02:00tvcs: UTCTime="2013-07-23 18:47:14,235" Module="network.sip" Level="INFO": Dst-ip="85.114.130.40" Dst-port="5091" Detail="Sending Response Code=482, Method=OPTIONS, To=sip:100@1.1.1.1, Call-ID=152151632091779081615164"
2013-07-23T20:47:14+02:00tvcs: UTCTime="2013-07-23 18:47:14,233" Module="network.sip" Level="INFO": Src-ip="91.112.39.12" Src-port="5060" Detail="Receive Response Code=482, Method=OPTIONS, To=sip:100@1.1.1.1, Call-ID=152151632091779081615164"
2013-07-23T20:47:14+02:00tvcs: UTCTime="2013-07-23 18:47:14,233" Module="network.sip" Level="INFO": Dst-ip="91.112.39.12" Dst-port="5060" Detail="Sending Response Code=482, Method=OPTIONS, To=sip:100@1.1.1.1, Call-ID=152151632091779081615164"
2013-07-23T20:47:14+02:00tvcs: UTCTime="2013-07-23 18:47:14,231" Module="network.sip" Level="INFO": Src-ip="91.112.39.12" Src-port="5060" Detail="Receive Request Method=OPTIONS, Request-URI=sip:100@91.112.39.12, Call-ID=152151632091779081615164"
2013-07-23T20:47:14+02:00tvcs: UTCTime="2013-07-23 18:47:14,231" Module="network.sip" Level="INFO": Dst-ip="91.112.39.12" Dst-port="5060" Detail="Sending Request Method=OPTIONS, Request-URI=sip:100@91.112.39.12, Call-ID=152151632091779081615164"

2013-07-21T09:00:55+02:00sshd[32491]: error: PAM: Authentication failure for illegal user ernesto from 187.0.77.2
2013-07-21T09:00:55+02:00sshd[32492]: Event="sshd" Module="openssh" Level="INFO" Detail="Postponed keyboard-interactive for invalid user ernesto from 187.0.77.2 port 47719 ssh2" UTCTime="2013-07-21 07:00:55"
2013-07-21T09:00:55+02:00sshd[32492]: Event="sshd" Module="openssh" Level="INFO" Detail="input_userauth_request: invalid user ernesto" UTCTime="2013-07-21 07:00:55"
2013-07-21T09:00:55+02:00sshd[32491]: Event="sshd" Module="openssh" Level="INFO" Detail="Invalid user ernesto from 187.0.77.2" UTCTime="2013-07-21 07:00:55"
2013-07-21T09:00:53+02:00sshd[32491]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47719" UTCTime="2013-07-21 07:00:53"
2013-07-21T09:00:53+02:00sshd[32491]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2013-07-21 07:00:53"
2013-07-21T09:00:53+02:00sshd[32486]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 187.0.77.2: 11: Bye Bye" UTCTime="2013-07-21 07:00:53"
2013-07-21T09:00:52+02:00sshd[32485]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for invalid user oracle from 187.0.77.2 port 47586 ssh2" UTCTime="2013-07-21 07:00:52"
2013-07-21T09:00:52+02:00sshd[32485]: error: PAM: Authentication failure for illegal user oracle from 187.0.77.2
2013-07-21T09:00:52+02:00sshd[32486]: Event="sshd" Module="openssh" Level="INFO" Detail="Postponed keyboard-interactive for invalid user oracle from 187.0.77.2 port 47586 ssh2" UTCTime="2013-07-21 07:00:52"
2013-07-21T09:00:52+02:00sshd[32486]: Event="sshd" Module="openssh" Level="INFO" Detail="input_userauth_request: invalid user oracle" UTCTime="2013-07-21 07:00:52"
2013-07-21T09:00:52+02:00sshd[32485]: Event="sshd" Module="openssh" Level="INFO" Detail="Invalid user oracle from 187.0.77.2" UTCTime="2013-07-21 07:00:52"
2013-07-21T09:00:50+02:00sshd[32485]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47586" UTCTime="2013-07-21 07:00:50"
2013-07-21T09:00:50+02:00sshd[32485]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2013-07-21 07:00:50"
2013-07-21T09:00:49+02:00sshd[32478]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 187.0.77.2: 11: Bye Bye" UTCTime="2013-07-21 07:00:49"
2013-07-21T09:00:49+02:00sshd[32475]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for root from 187.0.77.2 port 47349 ssh2" UTCTime="2013-07-21 07:00:49"
2013-07-21T09:00:49+02:00sshd[32475]: error: PAM: Authentication failure for root from 187.0.77.2
2013-07-21T09:00:49+02:00sshd[32478]: Event="sshd" Module="openssh" Level="INFO" Detail="Postponed keyboard-interactive for root from 187.0.77.2 port 47349 ssh2" UTCTime="2013-07-21 07:00:49"
2013-07-21T09:00:47+02:00sshd[32475]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47349" UTCTime="2013-07-21 07:00:47"
2013-07-21T09:00:47+02:00sshd[32475]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2013-07-21 07:00:47"
2013-07-21T09:00:43+02:00sshd[32470]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 187.0.77.2: 11: Bye Bye" UTCTime="2013-07-21 07:00:43"
2013-07-21T09:00:43+02:00sshd[32468]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for invalid user sidney from 187.0.77.2 port 47237 ssh2" UTCTime="2013-07-21 07:00:43"
2013-07-21T09:00:43+02:00sshd[32468]: error: PAM: Authentication failure for illegal user sidney from 187.0.77.2
2013-07-21T09:00:42+02:00sshd[32470]: Event="sshd" Module="openssh" Level="INFO" Detail="Postponed keyboard-interactive for invalid user sidney from 187.0.77.2 port 47237 ssh2" UTCTime="2013-07-21 07:00:42"
2013-07-21T09:00:42+02:00sshd[32470]: Event="sshd" Module="openssh" Level="INFO" Detail="input_userauth_request: invalid user sidney" UTCTime="2013-07-21 07:00:42"
2013-07-21T09:00:42+02:00sshd[32468]: Event="sshd" Module="openssh" Level="INFO" Detail="Invalid user sidney from 187.0.77.2" UTCTime="2013-07-21 07:00:42"
2013-07-21T09:00:40+02:00sshd[32468]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47237" UTCTime="2013-07-21 07:00:40"
2013-07-21T09:00:40+02:00sshd[32468]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2013-07-21 07:00:40"
2013-07-21T09:00:40+02:00sshd[32464]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 187.0.77.2: 11: Bye Bye" UTCTime="2013-07-21 07:00:40"
2013-07-21T09:00:39+02:00sshd[32463]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for root from 187.0.77.2 port 47125 ssh2" UTCTime="2013-07-21 07:00:39"
2013-07-21T09:00:39+02:00sshd[32463]: error: PAM: Authentication failure for root from 187.0.77.2
2013-07-21T09:00:39+02:00sshd[32464]: Event="sshd" Module="openssh" Level="INFO" Detail="Postponed keyboard-interactive for root from 187.0.77.2 port 47125 ssh2" UTCTime="2013-07-21 07:00:39"
2013-07-21T09:00:37+02:00sshd[32463]: Event="sshd" Module="openssh" Level="INFO" Detail="Connection from 187.0.77.2 port 47125" UTCTime="2013-07-21 07:00:37"
2013-07-21T09:00:37+02:00sshd[32463]: Event="sshd" Module="openssh" Level="INFO" Detail="Set /proc/self/oom_score_adj to 0" UTCTime="2013-07-21 07:00:37"
2013-07-21T09:00:37+02:00sshd[32458]: Event="sshd" Module="openssh" Level="INFO" Detail="Received disconnect from 187.0.77.2: 11: Bye Bye" UTCTime="2013-07-21 07:00:37"
2013-07-21T09:00:36+02:00sshd[32457]: Event="sshd" Module="openssh" Level="INFO" Detail="Failed keyboard-interactive/pam for root from 187.0.77.2 port 47006 ssh2" UTCTime="2013-07-21 07:00:36"
2013-07-21T09:00:36+02:00sshd[32457]: error: PAM: Authentication failure for root from 187.0.77.2

Thanks

Klaus

4 Replies 4

Magnus Ohm
Cisco Employee
Cisco Employee

Hi

They are discussing the same topic here:

https://supportforums.cisco.com/thread/2127426

/Magnus

Also see:

https://supportforums.cisco.com/thread/2092832

https://supportforums.cisco.com/message/3929888

/jens

Please rate replies and mark question(s) "Answered" if applicable.

Please rate replies and mark question(s) as "answered" if applicable.

Vernon Depee
Cisco Employee
Cisco Employee

Klaus,

For the SSH issues, I highly recommend making sure the VCS-E is behind a firewall that filers unwanted SSH connections.

For the SIP messages, the vast majority of people attempting to access your system via SIP will do so via the UDP protocol. For this reason, I would recommend disabling SIP UDP.

However, this will not block all of the unwanted calls. The best thing to do would be to write a CPL blocking calls that you do not want to allow in. The important thing to keep in mind when using CPL to reject calls is that the authentication flag on incoming messages is very important. Unless you have a neighbor/Traversal zone that shares an IP address with the incoming calls, the calls will be seen as coming in on the default zone.

Assuming that these calls are coming in on the default zone (they almost always are)...

If the default zone is set to do not check credentials, the messages will come in as unauthenticated.

If the default zone is set to treat as authenticated, the messages will come in as authenticated.

If the default zone is set to check credentials, the VCS will demand a username/password for these messages before processing them.

My guess is that your VCS is currently set to check credentials on the default zone, which would explain all of the 407 messages. If the other side never responds with proper credentials, the VCS will never process the message and you probably have nothing to worry about.

If however, the messages are being processed by the VCS, the messages will first go through any applicable transforms. After a transform is either applied or not, the VCS will check the request against a SIP route. If the message does not match a SIP route pattern, then the message will be checked against CPL.

The CPL is the point where the VCS can determine to reject or proxy messages. If CPL is enabled (VCS configuration > Call Policy > Configuration), then the VCS will enable the CPL check. For a beginning user, using a local CPL is highly recommended.

Once Local CPL is enabled, you can edit the rules specified in the CPL Wizard

(VCS configuration > Call Policy > Rules) to either reject or proxy certain messages based on the authenticated source and destination.

This is where the authentication flag becomes important. The VCS will only match a specific source address if the request is authenticated. If the request is not authenticated, the VCS will consider the source to be blank. This only applies to the source. The destination is always the actually request URI in the sip header.

So, if for instance, I wanted to block all unauthenticated calls that started with a 9, I would write a CPL with a blank source and a destination of "9.*"

If I wanted to block authenticated calls from sources that come from the cisco.com domain to any destination, I would write a CPL with a source of ".*@cisco\.com" and a destination of ".*"

".*" in regex means anything, but it is important to remember that ".*" in the source means any authenticated source. A ".*" in the source will not match any unauthenticated caller.

Finally, even with these security systems in place, you will still see people attempting to connect to your box on sip. You should see all calls that you want to reject rejected with a 403 forbidden message. If you do not see 403's, then make your security is properly configured (A 407 or 401 would also effectively stop the VCS from processing the message).

As this is a public internet facing box, people will attempt to send you messages. The only way around this would be to deploy a firewall to block ranges of addresses. It is the same with any public internet facing servers.

Also, forgot to mention. CPL's are covered in detail on page 187 of the admin guide:

http://www.cisco.com/en/US/docs/telepresence/infrastructure/vcs/admin_guide/Cisco_VCS_Administrator_Guide_X7-2.pdf

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: