Difference between revisions of "User:Sfiggins/Broadworks Controlled Registration"

From Labrats.us
Revision as of 01:02, 27 May 2019

Grab a packet capture from cn10-inverness-co on eth1, and format the top 110 source hosts into an ACL.

Log into cn10-inverness-co.suburbanbroadband.net and run the following commands:

# DATE=`date +%Y-%m-%d-%H%M`; sudo timeout 60s /usr/sbin/tcpdump -n -i eth1 port 5060 \
   and dst 64.1.10.130 > /tmp/sbc-$DATE.pcap
 
# echo "ip access-list extended SBC-Security-$DATE"; cat /tmp/sbc-$DATE.pcap \
   | awk '{print $3}' | perl -npe 's/^([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+).*$/$1/g' | sort \
   | uniq -c | sort -n | tail -n 110 | awk '{print " deny ip host "$2" host 64.1.10.130"}' \
   | sort -V  | uniq; echo " permit ip any any";echo '!'; echo "interface vlan80"; \
   echo " ip access-group SBC-Security-$DATE out"; rm -f /tmp/sbc-$DATE.pcap

This will generate a configuration that looks like this:

ip access-list extended SBC-Security-2019-05-26-1728
 deny ip host 12.44.24.2 host 64.1.10.130
 deny ip host 12.70.162.58 host 64.1.10.130
 deny ip host 12.119.159.66 host 64.1.10.130
 deny ip host 24.149.3.162 host 64.1.10.130
 deny ip host 24.196.104.14 host 64.1.10.130
 deny ip host 24.234.156.148 host 64.1.10.130
 deny ip host 35.130.74.43 host 64.1.10.130
 deny ip host 38.76.99.26 host 64.1.10.130
 deny ip host 40.131.51.194 host 64.1.10.130
 deny ip host 47.44.70.163 host 64.1.10.130
 deny ip host 50.234.168.98 host 64.1.10.130
 deny ip host 50.234.168.174 host 64.1.10.130
 deny ip host 63.225.119.2 host 64.1.10.130
 deny ip host 63.248.254.18 host 64.1.10.130
 deny ip host 63.249.33.34 host 64.1.10.130
 deny ip host 63.249.43.58 host 64.1.10.130
 deny ip host 64.6.11.61 host 64.1.10.130
 deny ip host 64.64.154.144 host 64.1.10.130
 deny ip host 64.64.154.205 host 64.1.10.130
 deny ip host 64.92.130.162 host 64.1.10.130
 deny ip host 65.114.218.19 host 64.1.10.130
 deny ip host 65.158.61.2 host 64.1.10.130
 deny ip host 66.160.212.190 host 64.1.10.130
 deny ip host 66.160.219.2 host 64.1.10.130
 deny ip host 66.160.223.26 host 64.1.10.130
 deny ip host 66.160.255.66 host 64.1.10.130
 deny ip host 66.185.12.38 host 64.1.10.130
 deny ip host 66.211.11.196 host 64.1.10.130
 deny ip host 67.202.159.242 host 64.1.10.130
 deny ip host 67.217.11.105 host 64.1.10.130
 deny ip host 67.237.218.163 host 64.1.10.130
 deny ip host 69.169.254.178 host 64.1.10.130
 deny ip host 69.170.67.222 host 64.1.10.130
 deny ip host 69.197.98.22 host 64.1.10.130
 deny ip host 70.166.203.100 host 64.1.10.130
 deny ip host 71.237.0.218 host 64.1.10.130
 deny ip host 72.19.129.42 host 64.1.10.130
 deny ip host 72.19.143.166 host 64.1.10.130
 deny ip host 72.19.143.190 host 64.1.10.130
 deny ip host 72.19.147.229 host 64.1.10.130
 deny ip host 72.19.179.138 host 64.1.10.130
 deny ip host 72.19.183.78 host 64.1.10.130
 deny ip host 72.19.183.86 host 64.1.10.130
 deny ip host 72.19.183.122 host 64.1.10.130
 deny ip host 72.19.184.211 host 64.1.10.130
 deny ip host 72.19.185.122 host 64.1.10.130
 deny ip host 72.164.199.218 host 64.1.10.130
 deny ip host 72.250.209.146 host 64.1.10.130
 deny ip host 72.250.209.147 host 64.1.10.130
 deny ip host 72.250.209.156 host 64.1.10.130
 deny ip host 72.250.212.203 host 64.1.10.130
 deny ip host 72.250.213.133 host 64.1.10.130
 deny ip host 72.250.219.56 host 64.1.10.130
 deny ip host 72.250.220.99 host 64.1.10.130
 deny ip host 72.250.221.41 host 64.1.10.130
 deny ip host 72.250.221.150 host 64.1.10.130
 deny ip host 72.250.221.194 host 64.1.10.130
 deny ip host 72.250.222.164 host 64.1.10.130
 deny ip host 73.8.213.51 host 64.1.10.130
 deny ip host 73.63.8.101 host 64.1.10.130
 deny ip host 74.84.74.74 host 64.1.10.130
 deny ip host 74.205.144.106 host 64.1.10.130
 deny ip host 74.205.144.211 host 64.1.10.130
 deny ip host 74.205.144.218 host 64.1.10.130
 deny ip host 74.205.145.122 host 64.1.10.130
 deny ip host 74.205.146.219 host 64.1.10.130
 deny ip host 74.205.147.42 host 64.1.10.130
 deny ip host 74.205.148.78 host 64.1.10.130
 deny ip host 74.205.148.126 host 64.1.10.130
 deny ip host 74.205.148.171 host 64.1.10.130
 deny ip host 75.87.37.174 host 64.1.10.130
 deny ip host 76.77.241.166 host 64.1.10.130
 deny ip host 96.66.68.142 host 64.1.10.130
 deny ip host 97.64.160.82 host 64.1.10.130
 deny ip host 98.158.33.10 host 64.1.10.130
 deny ip host 98.158.33.26 host 64.1.10.130
 deny ip host 104.201.67.26 host 64.1.10.130
 deny ip host 147.92.49.189 host 64.1.10.130
 deny ip host 162.17.54.34 host 64.1.10.130
 deny ip host 173.198.165.166 host 64.1.10.130
 deny ip host 173.198.166.66 host 64.1.10.130
 deny ip host 173.198.166.70 host 64.1.10.130
 deny ip host 173.225.234.10 host 64.1.10.130
 deny ip host 173.240.87.182 host 64.1.10.130
 deny ip host 173.244.141.22 host 64.1.10.130
 deny ip host 199.19.115.248 host 64.1.10.130
 deny ip host 199.168.68.171 host 64.1.10.130
 deny ip host 199.168.71.118 host 64.1.10.130
 deny ip host 204.28.241.58 host 64.1.10.130
 deny ip host 204.28.241.90 host 64.1.10.130
 deny ip host 204.28.241.150 host 64.1.10.130
 deny ip host 204.28.242.2 host 64.1.10.130
 deny ip host 204.28.242.38 host 64.1.10.130
 deny ip host 204.28.242.42 host 64.1.10.130
 deny ip host 204.28.242.62 host 64.1.10.130
 deny ip host 204.28.253.32 host 64.1.10.130
 deny ip host 204.235.44.3 host 64.1.10.130
 deny ip host 205.170.23.26 host 64.1.10.130
 deny ip host 205.185.94.42 host 64.1.10.130
 deny ip host 205.185.94.238 host 64.1.10.130
 deny ip host 206.248.58.243 host 64.1.10.130
 deny ip host 207.109.154.114 host 64.1.10.130
 deny ip host 208.73.252.226 host 64.1.10.130
 deny ip host 208.81.199.22 host 64.1.10.130
 deny ip host 208.123.252.72 host 64.1.10.130
 deny ip host 209.206.65.254 host 64.1.10.130
 deny ip host 216.73.236.30 host 64.1.10.130
 deny ip host 216.114.45.2 host 64.1.10.130
 deny ip host 216.114.62.146 host 64.1.10.130
 deny ip host 216.228.69.74 host 64.1.10.130
 permit ip any any
!
interface vlan80
 ip access-group SBC-Security-2019-05-26-1728 out
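
The capture-to-ACL pipeline above, reimplemented as an added Python example (not the wiki's own tooling) so each step of the one-liner is explicit; it goes one step beyond the page by writing IOS sequence numbers into the ACL, which makes the later `no <seq>` removal deterministic. The tcpdump lines are constructed with documentation-range addresses, and `SBC-Security-TEST` is a placeholder ACL name.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n` text output (not a real capture): the
# third whitespace-separated field is the source as "a.b.c.d.port".
SAMPLE_TCPDUMP = """\
17:28:01.000001 IP 198.51.100.7.5060 > 64.1.10.130.5060: SIP: REGISTER sip:example.invalid SIP/2.0
17:28:01.000120 IP 198.51.100.7.5060 > 64.1.10.130.5060: SIP: REGISTER sip:example.invalid SIP/2.0
17:28:01.000233 IP 203.0.113.9.52341 > 64.1.10.130.5060: SIP: REGISTER sip:example.invalid SIP/2.0
17:28:01.000310 IP 198.51.100.7.5060 > 64.1.10.130.5060: SIP: REGISTER sip:example.invalid SIP/2.0
17:28:01.000402 IP 192.0.2.55.5060 > 64.1.10.130.5060: SIP: REGISTER sip:example.invalid SIP/2.0
17:28:01.000511 IP 203.0.113.9.52341 > 64.1.10.130.5060: SIP: REGISTER sip:example.invalid SIP/2.0
"""

SRC_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3})\.\d+$")

def ip_key(ip):
    """Numeric sort key, equivalent to the page's `sort -V` on dotted quads."""
    return tuple(int(octet) for octet in ip.split("."))

def count_sources(tcpdump_text):
    """Packets per source IPv4 address (the awk '{print $3}' + perl step)."""
    counts = Counter()
    for line in tcpdump_text.splitlines():
        fields = line.split()
        m = SRC_RE.match(fields[2]) if len(fields) >= 3 else None
        if m:
            counts[m.group(1)] += 1
    return counts

def top_sources(counts, limit):
    """The `limit` busiest sources (the tail -n 110 step), returned in address order."""
    busiest = sorted(counts, key=lambda ip: (-counts[ip], ip_key(ip)))[:limit]
    return sorted(busiest, key=ip_key)

def build_acl(sources, acl_name, target, interface="vlan80", step=10):
    """IOS extended ACL blocking each source toward the SBC. Sequence numbers are
    written explicitly so the later 'no <seq>' removal is deterministic."""
    lines = [f"ip access-list extended {acl_name}"]
    for i, ip in enumerate(sources, start=1):
        lines.append(f" {i * step} deny ip host {ip} host {target}")
    lines.append(f" {(len(sources) + 1) * step} permit ip any any")
    lines += ["!", f"interface {interface}", f" ip access-group {acl_name} out"]
    return "\n".join(lines)

def acl_from_tcpdump(tcpdump_text, acl_name, target, limit=110):
    return build_acl(top_sources(count_sources(tcpdump_text), limit), acl_name, target)
```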

Apply ACL on sw4-inverness-co

Log into sw4-inverness-co.suburbanbroadband.net and run the following command:

sw4-inverness-co# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
sw4-inverness-co(config)#

Paste in the ACL generated on cn10-inverness-co.

After it is pasted in, run the following command:

sw4-inverness-co(config-if)# end
sw4-inverness-co#

Verify on AS1/2 that the RegistrationsPerMinute has dropped

While still logged into AS1 or AS2, verify that the RegistrationsPerMinute count has dropped.

AS_CLI> qcurrent
May 24, 2019 =====================================
 NbOfActiveCalls                               5.0
 SIPSetupSignalDelay                          16.0
 SIPAnswerSignalDelay                          2.0
 RegistrationsPerMinute                      984.0
 SIPMsgRetryToNE::10.1.75.182                  0.0
 SIPMsgRetryToNE::172.16.18.4                  0.0
 SIPMsgRetryToNE::64.1.8.229                   0.0
 SIPMsgRetryToNE::172.16.18.5                  0.0
 SIPMsgRetryToNE::172.16.18.148               83.0
 SIPMsgRetryToNE::10.1.75.183                  0.0
 SIPMsgRetryToNE::172.16.18.3                  0.0
 SIPMsgRetryToNE::10.1.75.181                 83.0
 SIPMsgRetryToNE::172.16.18.130                0.0
 SIPMsgRetryPercentToOther                   100.0
 MGCPDialtoneDelay                             0.0
 MGCPSetupSignalDelay                          0.0
 MGCPAnswerSignalDelay                         0.0
 MGCPMessageRetryPercent                       0.0
 CallsPerSecond                                0.0

The RegistrationsPerMinute count should drop to a very low number within a couple of minutes of applying the ACL. If it has not, check your work.

AS_CLI> qcurrent
May 24, 2019 =====================================
 NbOfActiveCalls                               5.0
 SIPSetupSignalDelay                          16.0
 SIPAnswerSignalDelay                          2.0
 RegistrationsPerMinute                       39.0
 SIPMsgRetryToNE::10.1.75.182                  0.0
 SIPMsgRetryToNE::172.16.18.4                  0.0
 SIPMsgRetryToNE::64.1.8.229                   0.0
 SIPMsgRetryToNE::172.16.18.5                  0.0
 SIPMsgRetryToNE::172.16.18.148               66.0
 SIPMsgRetryToNE::10.1.75.183                  0.0
 SIPMsgRetryToNE::172.16.18.3                  0.0
 SIPMsgRetryToNE::10.1.75.181                 83.0
 SIPMsgRetryToNE::172.16.18.130                0.0
 SIPMsgRetryPercentToOther                    73.0
 MGCPDialtoneDelay                             0.0
 MGCPSetupSignalDelay                          0.0
 MGCPAnswerSignalDelay                         0.0
 MGCPMessageRetryPercent                       0.0
 CallsPerSecond                                0.0

If the Enterprise Support team is in Loveland, and 72.19.129.42 is not in the ACL, they can check whether their phones are working. If it is in the ACL, you can remove that line and have Enterprise Support retest.

When the RegistrationsPerMinute has dropped to a substantially low number, like 39 shown above, you can start to remove lines from the ACL.

Controlled Registration / Removal of ACL

Log into sw4-inverness-co.suburbanbroadband.com and issue the following commands:

sw4-inverness-co# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
sw4-inverness-co(config)# ip access-list extended SBC-Security-2019-05-26-1728

Enter the following commands 5-10 at a time, while monitoring the per-minute registration rate on AS1/2. If the rate rises, wait for it to drop back below 200 before continuing with the next set of commands. Total time should be less than 10 minutes.

no 10
no 20
no 30
no 40
no 50
no 60
no 70
no 80
no 90 
no 100
no 110
no 120
no 130
no 140
no 150
no 160
no 170
no 180
no 190
no 200
no 210
no 220
no 230
no 240
no 250
no 260
no 270
no 280
no 290
no 300
no 310
no 320
no 330
no 340
no 350
no 360
no 370
no 380
no 390
no 400
no 410
no 420
no 430
no 440
no 450
no 460
no 470
no 480
no 490
no 500
no 510
no 520
no 530
no 540
no 550
no 560 
no 570
no 580
no 590
no 600
no 610
no 620
no 630
no 640
no 650
no 660
no 670
no 680
no 690
no 700
no 710
no 720
no 730
no 740
no 750
no 760
no 770
no 780
no 790
no 800
no 810
no 820
no 830
no 840
no 850
no 860
no 870
no 880
no 890
no 900
no 910
no 920
no 930
no 940
no 950
no 960
no 970
no 980
no 990
no 1000
no 1010
no 1020
no 1030
no 1040
no 1050
no 1060
no 1070
no 1080
no 1090
no 1100
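
An added Python example (not part of the wiki procedure) that ties the qcurrent check from the verification step to the batched removal above: it parses RegistrationsPerMinute out of AS_CLI `qcurrent` output and releases the next batch of `no <seq>` commands only while the rate is below 200. The qcurrent excerpts and the rate readings are constructed, and `read_rate` is assumed to be a caller-supplied function that returns the latest RegistrationsPerMinute as a float.

```python
import re

# Constructed excerpts of AS_CLI `qcurrent` output (values invented, shaped like the page's).
QCURRENT_BEFORE = """\
AS_CLI> qcurrent
May 24, 2019 =====================================
 NbOfActiveCalls                               5.0
 RegistrationsPerMinute                      984.0
 SIPMsgRetryToNE::172.16.18.148               83.0
 SIPMsgRetryPercentToOther                   100.0
"""
QCURRENT_AFTER = QCURRENT_BEFORE.replace("984.0", " 39.0")

COUNTER_RE = re.compile(r"^\s*(\S+)\s+(-?\d+(?:\.\d+)?)\s*$")

def parse_qcurrent(text):
    """Map each counter line ' Name   value' to {Name: float}; prompt and date lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group(1)] = float(m.group(2))
    return counters

def registrations_per_minute(text):
    """None if the counter is missing, which a caller should treat as 'not safe to continue'."""
    return parse_qcurrent(text).get("RegistrationsPerMinute")

def plan_removal(seqs, read_rate, batch_size=10, threshold=200.0, max_polls=6):
    """Release 'no <seq>' commands in batches of batch_size. Before each batch,
    poll read_rate() (a float from a fresh qcurrent) until it is below threshold;
    if it is still high after max_polls, stop. Returns (batches_issued, completed)."""
    issued = []
    for start in range(0, len(seqs), batch_size):
        for _ in range(max_polls):
            rate = read_rate()
            if rate is not None and rate < threshold:
                break
        else:
            return issued, False   # rate never settled: check your work before going on
        issued.append([f"no {s}" for s in seqs[start:start + batch_size]])
    return issued, True
```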

After these commands are entered, the ACL should be empty. You can remove the ACL from the config and the interface with the following commands:

interface vlan80
 no ip access-group SBC-Security-2019-05-26-1728 out
!
no ip access-list extended SBC-Security-2019-05-26-1728

Finish up by running these commands:

sw4-inverness-co(config)# end
sw4-inverness-co#