Ascend Archive

RE: (ASCEND) Outgoing calls happening w/no callback enabled?




> When are the calls being made?

Purely random times.

> Is there a cluster to the times of the calls?

Unfortunately, no.

> If so, then you might try to monitor the equipment more closely at that time.

That's the problem.  It really does seem to come and go at random
times.  And very difficult to spot.
 
 
> Do any of the numbers match the numbers recorded in the RADIUS Accounting
> details file?

You mean the numbers that are dialing in?  And in the detail log?  I
don't see any numbers recorded there.


> > If we do set up a callback account, then sure enough the outgoing call
> > is logged to our access logs.
> 
> Do you mean the "Syslog" information or the Accounting information?

Yes, sorry.  Syslog.  And no outgoing calls get logged via syslog at
all.  But that's because I don't think we are doing any outgoing
calls.  Bell Atlantic insists we are.  So when I created a callback
account and made it dial it *did* get logged.  None of the calls BA is
talking about show up in logs.


> Dialout #1 - Setting up a Dialout user with a local profile

There are actually *no* local profiles.  I've double checked that.

> Dialout #2 - Setting up a Dialout user with a RADIUS profile and route

We've only created profiles of people with a Framed-Protocol of PPP,
and I've confirmed there are no RADIUS profiles of any other type.
What actually enabled a dialout user?  I can't imagine there's one
there, but I'll certainly check.

> Dialout #3 - Setting up a Callback profile (local or RADIUS)

Checked.  There are none.  And when we did set one up, it *did* get
logged.

> Dialout #4 - The "immediate modem" feature
> 	note- Although this can be default disabled with the "Modem Dialout"
> 	parameter, the default can be over-ridden using the RADIUS attribute
> 	Ascend-Dialout-Allowed.

Modem-Dialout=No is set on the MAX's, which completely disables the
Immediate modem feature.

> Dialout #5 - terminal server (termsrv) "open" command
> Dialout #6 - terminal server (termsrv) "test" command

As I mentioned earlier, all users have a Framed-Protocol of PPP, MP or
MPP.  Is there a way for these people to still get termsrv access?
There are telnet access lists that prevent people from being able
to telnet to the router itself.


> Dialout #7 - Enabling either MPP or BACP protocols for a connection

This allows someone to dialout?

> You should try to follow the basic steps to secure your MAX to prevent
> people from modifying your configuration.
> 
> Security #1 - Make sure you enable Telnet Security and install a Telnet PW.

Already Done.

> Security #2 - Make sure you disable the Operations, Edit *, and * Diag
>               functions in the Default Security profile.

Already Done.

> Security #3 - Make sure you either disable the SNMP R/W Community or
>               change the default SNMP R/W Community or that you enable
>               SNMP security and define the WR Mgr addresses

Already Done.

> Security #4 - Read the MAX Security Supplement for more tips

Also done.

 
> Some steps you might take to try to see what is happening.  Make sure
> that you enable syslog on the MAX.  Enable the "mdialout" Diagnostic 
> command.  Periodically use the "mdialsess" Diagnostic command to check
> for dialout sessions.

Will do.

I should say that these are great suggestions, and I'm not trying to
say, "been there, done that".  I confirmed all of those settings just
now.  It's certainly possible someone has gotten in there and messed
with things.  I'm still searching for possible ways this could be
happening; so far nothing explains the lack of logging.  Perhaps the
mdialout Diagnostic command will help.  Thanks very much!

Any other ideas welcome.

-rob
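
An added example, not part of the original message and not Ascend or RADIUS server code: a sketch of the profile check described above, scanning a RADIUS `users` file for entries that fall outside the PPP/MP/MPP policy, carry `Ascend-Dialout-Allowed`, or carry a callback attribute. The file layout, the sample entries, `Ascend-Callback`, and the value names `Dialout-Not-Allowed` and `Callback-No` are assumptions.

```python
import re

ALLOWED_PROTOCOLS = {"PPP", "MP", "MPP"}  # policy stated in the message
ATTR = re.compile(r'([A-Za-z][\w-]*)\s*=\s*("[^"]*"|[^,\s]+)')

# Constructed sample entries (assumed users-file layout, not from the thread).
SAMPLE = '''\
alice   Password = "x1"
        Framed-Protocol = PPP,
        Framed-Address = 10.0.0.5

bob     Password = "x2"
        Framed-Protocol = MPP,
        Ascend-Dialout-Allowed = Dialout-Allowed

carol   Password = "x3"
        Framed-Protocol = PPP,
        Ascend-Callback = Callback-Yes

dave    Password = "x4"
        User-Service = Login-User
'''

def parse_users(text):
    """Return {user: [(attribute, value), ...]}; an entry starts at column 0."""
    profiles, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line[0].isspace():
            name, *rest = line.split(None, 1)
            current = profiles.setdefault(name, [])
            line = rest[0] if rest else ""
        if current is not None:
            current += [(a, v.strip('"')) for a, v in ATTR.findall(line)]
    return profiles

def audit(text):
    """List (user, reason) for profiles that could permit a dialout."""
    findings = []
    for user, attrs in parse_users(text).items():
        protos = [v for a, v in attrs if a == "Framed-Protocol"]
        if not protos or set(protos) - ALLOWED_PROTOCOLS:
            findings.append((user, f"Framed-Protocol {protos or 'missing'} is outside PPP/MP/MPP"))
        for a, v in attrs:
            # Value names below are assumed Ascend dictionary names.
            if a == "Ascend-Dialout-Allowed" and v != "Dialout-Not-Allowed":
                findings.append((user, f"{a} = {v} overrides Modem Dialout=No"))
            elif "callback" in a.lower() and v != "Callback-No":
                findings.append((user, f"callback attribute {a} = {v}"))
    return findings
```

Calling `audit()` on the contents of the real users file returns one `(user, reason)` pair per finding; an empty list means no profile in that file matches any of the three conditions.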
