Log Watch and Ban

From IPitomy Wiki
Revision as of 15:26, 1 April 2014 by John Wolfe (talk | contribs) (Created page with "=== <br/> === ==== <span class="mw-headline" id="Log_Watch.2FBan_Service">Log Watch/Ban Service </span><br/> ==== This feature allows the PBX to monitor the SIP registration...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigation Jump to search


Log Watch/Ban Service

This feature allows the PBX to monitor the SIP registration traffic and ban any IP address that makes 5 failed registration attempts. The IP address will be banned for either 3 days or until the service is restarted. Configuration settings allow you to ignore (not monitor) IP addresses that are communicating from the LocalNet, as well as allowing you to manually add addresses you want the system to ignore. If you set up an Admin Email Address under PBX Setup=>General and have Unified Messaging configured, the PBX will send you an email any time an IP address is banned via this feature. Follow this link to see what a Ban Email will look like.


 Enable Log Watch/Ban Service

STEPS:

  1. From the PBX Setup->General System Setup page, locate the Security Settings section.
  2. Enable the Log Watch Ban Service by setting the parameter to “Yes” on the drop-down list.
  3. Click the button to save the changes.

Once you have enabled the Log Watch/Ban Services, you will be able to configure the parameters for the security settings.

The following table describes the parameters and descriptions (recommended settings) for the Log Watch and Ban feature.


Sections/Fields
Description
Service is currently Running
This indicates the status of the service, either Running or Not Running.
Reload Button
Restarts the Ban service, clearing any existing banned IP addresses.
 Enable Log Watch & Ban Service
Set to Yes and the PBX will monitor failed SIP registration attempts. 5 failed attempts and the IP is blocked for:
  • 3days
  • Until system reboot
  • Until Reload button is clicked


 Ignore IPs in SIP LocalNets
Set to Yes and the PBX will ignore failed SIP registration attempts from IPs from the LocalNets configured in the system. When set to No, IP addresses from the LocalNets are ignored for failed attempts.
Ignoring Addresses
Lists the addresses that were manually entered to be ignored in regards to failed SIP registration attempts
 Add Entry
Enter the IP addresses you wish to be ignored by the PBX in regards to failed SIP registration attempts.

 Configure Log Watch/Ban Service

STEPS:

  1. Navigate to PBX Setup=>General.
  2. Scroll down to the Security Settings panel, set the parameters based on your general business requirements.
  3. Click the button to save the changes.
  4. Navigate to the PBX Setup=>General page. Locate the Admin Settings section (located at the top of the page).
  5. Enter an IP address for Admin Email Address field. Depending on whether you have Unified Messaging configured, the PBX will send an email to this address any time that it bans an IP address. See the Unified Messaging section of this guide for details on how to configure this parameter.
  6. Click the Apply Changes link located at the top right hand corner of the page, to commit the changes to the database.




Disable Log Set Security Setting

STEPS:

  1. From the PBX Setup=>General System Setup page, locate the Security Settings panel.
  2. Disable the security setting by selecting “No” from the drop-down list for the Log Watch Ban Service.
  3. Click the button to save the changes.
  4. Click the Apply Changes link located at the top right hand corner of the page, to commit the changes to the database.

It should be noted that the Log Watch is not intended to be the only line of defense for security. It is best practice that if you are being attacked by a intruder, that you permanently ban at the router/firewall level. This keeps the offending traffic off your LAN.