Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1763
Views
0
Helpful
2
Replies

Please help hacking attempt RVS4000

aandstech
Level 1
Level 1

‎01-10-2012 04:54 PM

HI All,

Currently I have 1 RVS4000 and one WRVS4400N routers in my business. One of the routers rvs4000 has the following ports forwarded to an IPPBX 5060, 5090 both tcp and udp.

Recentley I noticed increased internet activity on the IPPBX 100% of the time and really laggy phone calls. I have seen this before and its useually caused by sip hacking attempts. Anyway sure enough looking through the logs on the phone server two IP addresses were getting blocked trying to use SIP authentication to my IPPBX.

In an attempt to put a stop to the issue I created the following Deny rules as per the table below on the RVS4000 router which is port forwarding tcp 5060 udp 5060 and 5090 tcp and 5090 udp.

This did not stop the issue after adding the settings and clicking reboot, I can see the settings have saved but still I can still see connection on the destation pc (ippbx server) reciving connection from the IP addresses im atemptikng to block. My question is does the allow ANY, ANY, ANY at the bottom of the table take presidence over the rules at the top and if not should these rules be blocking udp as well as tcp?

Finally my last problem the IPS doesnt seem to do anything for SIP based attackes. EG a remote IP address constantly trying to authenticate. Ideally I would like to modify the port forwarding rules to say port forward 5060 tcp/udp will be forwarded from these public IP addresses only. But this function doesnt seem to exist on the rvs4000. How would one secure there firewall to stop attackes from public ip addresses trying to authenticate with sip. Even though my pbx has smarts built it to block the attack the router still lets them through and my bandwidth usage goes through the roof. 20 GB yesterday.

Any help would be greatley apprciated

Under the ACL under firwall I have the following

PriorityEnableActionServiceSource
Interface		SourceDestinationTimeDayEditDelete
DenyAll ProtocolANYANY108.163.194.147Any TimeEvery Day
DenyAll ProtocolANY108.163.194.147ANYAny TimeEvery Day
DenyAll ProtocolANYANY61.19.121.130Any TimeEvery Day
DenyAll ProtocolWAN61.19.121.130ANYAny TimeEvery Day
EnableAllowAll ServiceLANANYANYAny TimeEvery Day
EnableAllowAll ServiceWANANYANYAny TimeEvery Day
Labels:
0 Helpful
2 Replies 2

aandstech
Level 1
Level 1

‎01-11-2012 02:57 PM

bump

0 Helpful

zurich8000
Level 1
Level 1

‎01-11-2012 06:28 PM

Hi Aron,

let me try:

1. The last two lines have the lowest priority, therefore they are at the end of the list.

2. Did you check the definition of the service "All Protocol"' (ports, TCP and/or UDP)? And did you try to log the denied connections (not only deny, but also log them to the (general) log)? And did you test this from a device of your own in order to test a positive denial from a test ip?

Regards from Zurich.

0 Helpful
Customers Also Viewed These Support Documents