    • RE: Securing FreePBX from attacks

      The only external presence our FreePBX deployment has is to our SIP trunk provider. So we do the obvious and set up the firewall policy so that only our trunk provider is allowed inbound to the PBX and only over the necessary ports.

      I have been considering opening up SIP/RTP to the public as there have been instances where setting up remote phones would be beneficial, but not knowing how to mitigate potential attacks has stopped me. However, we did purchase some Yealink! phones that seem to support OpenVPN...I've been considering building an OpenVPN server for us to use in the event we need to set up a remote phone.

      posted in IT Discussion
      anthonyh
    • RE: Ubiquiti Security Gateway

      I saw the EdgeRouter PoE mentioned here and just thought I'd chime in with nothing useful...

      I just ordered one of these for my house. Found one pre-owned on eBay for $95. The seller appeared reputable and the sale included a 30 day return policy. To be safe though, I am planning on re-flashing the firmware so there is less chance of any funny business going on. Figured it was worth the gamble at any rate.

      The only thing that turns me off regarding the Unifi Security Gateway is the way you have to manage it. Correct me if I'm wrong, but I believe you either have to run the Unifi management console somewhere or use their cloud management platform. Neither of those options are appealing to me which is why I opted for the ERPoE-5.

      posted in IT Discussion
      anthonyh
    • Switch Recommendation

      I'm in the process of re-vamping my home network.

      I'm currently awaiting arrival of a Ubiquiti EdgeRouter PoE and an EnGenius ENS620EXT WAP (will mount it in my attic) and am pretty excited.

      I was planning on re-using the existing Linksys SR2924C unmanaged gigabit switch I have, but I'm realizing that it would be nice to have a managed L2 switch so I can trunk it with the ERPoE-5 and go to VLAN town.

      Any recommendations on a cheap managed L2 gigabit switch? My only requirements are that 1) it be rack mountable and 2) fan-less (or at least near silent operation) as my "network closet" is an AV cabinet in the living room (think built-in cabinet that used to hide a CRT television).

      The existing switch is a 24-porter, but I could easily get away with fewer ports.

      posted in IT Discussion
      anthonyh
    • RE: Malicious Logins To Zimbra Mail Server

      @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

      @anthonyh said in Malicious Logins To Zimbra Mail Server:

      @coliver said in Malicious Logins To Zimbra Mail Server:

      Why wouldn't you use Fail2Ban? This seems like this is exactly what that system was designed to do.

      Yes, but the way these attempts are formed it would take days for an IP to even be considered to be blocked. Our users fat-finger their passwords much quicker than that :-D, so I think it would block our users more than the bad guy. I would need to set the failed time frame to like a week in order for it to be useful.

      Is this attack over SSH or IMAP or web?

      Appears to be IMAP (which will be blocked publicly shortly). We do not have SSH open publicly.

      posted in IT Discussion
      anthonyh
    • RE: Malicious Logins To Zimbra Mail Server

      @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

      @dafyre said in Malicious Logins To Zimbra Mail Server:

      I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

      Does that solve anything? Same issues.

      One less attack vector I suppose. They could still hammer the web interface.

      posted in IT Discussion
      anthonyh
    • RE: Malicious Logins To Zimbra Mail Server

      @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

      @anthonyh said in Malicious Logins To Zimbra Mail Server:

      @dafyre said in Malicious Logins To Zimbra Mail Server:

      @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

      @anthonyh said in Malicious Logins To Zimbra Mail Server:

      @scottalanmiller said in Malicious Logins To Zimbra Mail Server:

      @dafyre said in Malicious Logins To Zimbra Mail Server:

      I'm going to echo @StorageNinja's comments about POP3 and / or IMAP -- disable them and force folks to use the ActiveSync setup and/or the Webmail.

      Does that solve anything? Same issues.

      One less attack vector I suppose. They could still hammer the web interface.

      Any unused protocol should be shut down, certainly. But it's that they are unused, not that they are what they are.

      I fully agree with this. Shut down and blocked at the site's Firewall.

      Done and done. POP3 was disabled eons ago. IMAP/IMAPS officially is no longer available externally. Only the following ports are allowed inbound from the outside:

      25
      443
      465
      587

      Although, do I need 465/587? All MTA to MTA should be through 25, right?

      Correct, MTA is always on 25 unless you have an agreement with someone. Then it could be anything.

      Ok. Now the only ports open inbound from the outside are 25 and 443. 😄

      posted in IT Discussion
      anthonyh
    • RE: Choosing a SIP Provider - What Should I Look For?

      I wasn't involved in the vetting of SIP providers, but we use Vodex Communications (based out of SoCal) and have had a great 3 years so far. I can't speak to their pricing or anything as I'm not involved with that, but in terms of service and support they've been top notch.

      posted in IT Discussion
      anthonyh
    • RE: Active Directory - Scripting the adding/removal of users to group

      Welp, as near as I can tell my cluster of a script does exactly what I'm looking for. I've updated the Pastebin link for those who are curious (https://pastebin.com/0JvUrzQU).

      It will analyze existing group memberships and remove users if they do not meet all of the following requirements:

      • The account no longer matches the specified $fileString
      • The account is disabled
      • The account does not reside within the $searchBase

      Next, it will pull all accounts from the system, exclude existing members, and add the remaining users to the group if they meet all of the following requirements:

      • The account is enabled
      • The account matches the specified $fileString
      • The account resides within the $searchBase
      • The sAMAccountName does not contain a 1 (something we use internally)
      • The Display Name does not contain the string 'test' (we do not have any users who have 'test' in their name yet :-D)

      After the above is done, it writes the changes to a log file (which is overwritten each time the script runs) and emails it off to a specified email address.

      posted in IT Discussion
      anthonyh
    • RE: Category 5 Hurricane DSL Antenna

      In an attempt to post something helpful...

      We have a few wireless links in our WAN topology using Ubiquiti AirFiber radios. When we planned our deployment, we budgeted to have two spare radios on hand in the event we had a failure of some sort. Perhaps it's as simple as having a spare set stored somewhere safe (not likely to be swept away by a hurricane) so that you can re-deploy as soon as the storm passes?

      posted in IT Discussion
      anthonyh
    • RE: Cisco Unity and UCM - Reset SSH Keys

      I don't know if this will be of much help, but here is an article that details how to get true "root" access to CUCM. Under the hood it's basically a RHEL/CentOS install.

      http://www.uccollaborationgeek.com/root-access-cucm/

      Skimming the article it is a bit involved, but maybe will lead you to the access you need to fix the SSH issue? shrugs

      If I had to guess, I bet the same process will work for Unity as well.

      posted in IT Discussion
      anthonyh
    • RE: PowerShell - Script never completes. Is there a session timeout?

      @dafyre said in PowerShell - Script never completes. Is there a session timeout?:

      ROFL. Not a problem. Things working as designed. Next!

      For what it's worth, my post was intended to be framed from the standpoint of "what am I doing wrong??" rather than "what's wrong with the system?!". I figured I was missing something stupid.

      posted in IT Discussion
      anthonyh
    • RE: Home Network Setup

      I run a CentOS VM that does both recursive DNS (bind) and DHCP (dhcpd) for my home network.

      2 vCPUs and 1G RAM which is more than plenty for the role in my environment.

      I have dhcpd set up to do dynamic DNS updates so that my dynamic clients are reachable via hostname. Works really well.

      I have an EdgeRouter PoE and have found that it is not as quick at resolving DNS as BIND in my environment.

      posted in IT Discussion
      anthonyh
    • RE: Home Network Setup

      @scottalanmiller said in Home Network Setup:

      @anthonyh said in Home Network Setup:

      2 vCPUs and 1G RAM which is more than plenty for the role in my environment.

      1vCPU and 512MB should do that fine.

      You're probably right. 😄

      posted in IT Discussion
      anthonyh
    • SIP Trunk Provider For Home Lab

      I'm toying with the idea of setting up an Asterisk deployment (likely FreePBX) in my home lab. I'd like to be able to make/receive external calls. Any recommendations on a SIP trunk provider for such use? voip.ms seems pretty cheap. Just curious what you guys would recommend.

      Thanks!

      posted in IT Discussion
      anthonyh
    • RE: SIP Trunk Provider For Home Lab

      @scottalanmiller said in SIP Trunk Provider For Home Lab:

      Think about how many minutes that is of incoming calls for home use. A DID with pay per minute is $.85. Incoming calls are $.009 per minute. So ...

      $4.25 - $.85 = $3.40
      $3.40 / .009 = 377 minutes included.

      Unless you are regularly getting a lot of incoming calls a month, you are losing money on that. For a home, that's really rare. That's many hours of sitting on the phone every month on incoming calls alone.

      OH!!! I was reading it as 9 cents. Not 0.9 cents!!! Makes total sense now! 😄

      posted in IT Discussion
      anthonyh
    • RE: Help with SFTP only access on our webserver

      @jrc Glad you were able to find a solution!

      posted in IT Discussion
      anthonyh
    • XenServer - Rename guest within guest?

      I built a script that I use with my Linux (CentOS) template that eases standing up Linux VMs (very handy). It walks me through IPing the host, setting the hostname, joining it to AD, and making sure it's up to date.

      Something I just thought of and am wondering if it's possible is re-naming the VM from within the VM.

      In my environment, the guest name as displayed in XenCenter is equal to the guest's real hostname. What I'd like to do is have my script then "apply" this name to the guest. And, even a step forward, also re-name the virtual disk too.

      Is this possible?

      posted in IT Discussion
      anthonyh
    • RE: XenServer - Rename guest within guest?

      @black3dynamite said in XenServer - Rename guest within guest?:

      @anthonyh said in XenServer - Rename guest within guest?:

      I built a script that I use with my Linux (CentOS) template that eases standing up Linux VMs (very handy). It walks me through IPing the host, setting the hostname, joining it to AD, and making sure it's up to date.

      Something I just thought of and am wondering if it's possible is re-naming the VM from within the VM.

      In my environment, the guest name as displayed in XenCenter is equal to the guest's real hostname. What I'd like to do is have my script then "apply" this name to the guest. And, even a step forward, also re-name the virtual disk too.

      Is this possible?

      Maybe you can ssh using key file to XenServer and then use your xapi commands to capture the VM name so you can rename your guest VM. You can probably do the same with renaming virtual disk too.

      That's not a bad idea! I may look into this.

      posted in IT Discussion
      anthonyh
    • RE: FreePBX PC Phones

      We purchase Bria licensing here and it seems to work well. I don't use it personally so I cannot share any end-user experience with it. However, we do have some users who ask for it specifically and prefer it over a physical phone.

      posted in IT Discussion
      anthonyh
    • RE: Cisco ASA5510 vs Ubiquiti ERPro-8

      @anthonyh said in Cisco ASA5510 vs Ubiquiti ERPro8:

      @scottalanmiller said in Cisco ASA5510 vs Ubiquiti ERPro8:

      @anthonyh said in Cisco ASA5510 vs Ubiquiti ERPro8:

      @scottalanmiller said in Cisco ASA5510 vs Ubiquiti ERPro8:

      @anthonyh said in Cisco ASA5510 vs Ubiquiti ERPro8:

      @scottalanmiller said in Cisco ASA5510 vs Ubiquiti ERPro8:

      @anthonyh said in Cisco ASA5510 vs Ubiquiti ERPro8:

      I am curious to know...how is knowing EdgeOS is more useful than ASA software?

      Because one is the "most applicable to the SMB market" of any product in the category. The other borders on being the least 🙂

      Thinking SMB, this makes perfect sense. No way in [insert expletive] I would make a SMB sell their soul for Cisco gear when other gear would be just as good (or better) at a fraction of the cost.

      Does getting bigger than SMB suddenly make ASA make sense when it does less?

      I would have to compare hardware specs and throughput capabilities to really make a determination on that. If they can both process the same number of packets per second (or at least meet the requirements of the organization), then of course not.

      Oh no, it's not even close. The Ubiquiti's claim to fame is its ability to destroy the Cisco in performance. That's specifically why the ASA is seen as such a joke, it's SO slow - without being $20 which is what it should be considering the performance.

      Oh? Did someone do some sort of benchmark comparison or something? If so, I'd love to read/see it.

      Found your thread, actually: https://mangolassi.it/topic/14570/comparing-ubiquiti-edgerouter-and-cisco-asa-pps-performance-and-cost

      posted in IT Discussion
      anthonyh