Nasser Heidari

2009-04-29

Cable Pin-Outs

Filed under: Cisco,Networking — Nasser Heidari @ 06:20

http://wiki.sangoma.com/Cablepinouts

RJ-45 pin numbering (image: RJ-45 Pin Count). The hook is underneath.



T1 – RJ-45 Pin-outs (For A101/A102/A104)

1 -> RRING
2 -> RTIP
4 -> TRING
5 -> TTIP

If you are connecting the card to a smart jack (incoming line from Telco), then you need a straight T1/E1 cable, which is identical to a straight Ethernet cable.

T1/E1 cross-over cable
If you are doing a back-to-back configuration, or connecting the card to another PBX or channel bank, then you need a cross-T1/E1 cable with the following pin-outs:

1 <-> 4
2 <-> 5
4 <-> 1
5 <-> 2


Pin-outs for the T1/E1/J1 loopback cable:
1 <-> 4
2 <-> 5



A108 “Y” Cable Pin-outs

Y Cable for A108 to 2 separate T1/E1 (straight). This is to connect the A108 against lines from the Telco.
A = port N; B = port N + 4
1 <-> 1A
2 <-> 2A
3 <-> 1B
4 <-> 4A
5 <-> 5A
6 <-> 2B
7 <-> 4B
8 <-> 5B

Y Cable for A108 to 2 separate T1/E1 (cross). This is to connect the A108 against another T1/E1 card.
A = port N; B = port N + 4
1 <-> 4A
2 <-> 5A
3 <-> 4B
4 <-> 1A
5 <-> 2A
6 <-> 5B
7 <-> 1B
8 <-> 2B

A108 to A108 (cross). This is to connect two A108s in a back-to-back configuration.
1 <-> 4
2 <-> 5
3 <-> 7
4 <-> 1
5 <-> 2
6 <-> 8
7 <-> 3
8 <-> 6
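A small check, added here and not part of the Sangoma wiki, that derives the cross-over, loopback and A108 "Y" cross cables from the signal each pin carries, so the tables above can be verified rather than copied. It assumes only the pin assignments listed above and that a receive pair crosses to the transmit pair of the same polarity (RRING to TRING, RTIP to TTIP).

```python
# Derive T1/E1 cross-over and loopback pin maps from the signal each RJ-45 pin
# carries and compare them with the tables on this page. Added example; the
# only inputs are the pin assignments listed above.

# Single-port T1/E1 jack (A101/A102/A104 table): pin -> signal.
T1_PINS = {1: "RRING", 2: "RTIP", 4: "TRING", 5: "TTIP"}

# A108 "Y" cable, straight: connector pin -> (port, single-port pin).
A108_STRAIGHT = {1: ("A", 1), 2: ("A", 2), 3: ("B", 1), 4: ("A", 4),
                 5: ("A", 5), 6: ("B", 2), 7: ("B", 4), 8: ("B", 5)}

def partner_signal(signal):
    """Receive pairs cross to transmit pairs of the same polarity (RRING <-> TRING)."""
    return ("T" if signal[0] == "R" else "R") + signal[1:]

def crossover(pins):
    """Back-to-back cable: each pin lands on the far-end pin carrying the
    complementary signal."""
    by_signal = {sig: pin for pin, sig in pins.items()}
    return {pin: by_signal[partner_signal(sig)] for pin, sig in pins.items()}

def loopback(pins):
    """Loopback plug: one unordered pair per crossed pin pair."""
    return sorted({tuple(sorted((p, q))) for p, q in crossover(pins).items()})

def a108_y_crossover():
    """A108 Y cable (cross): apply the single-port crossover inside each leg."""
    single = crossover(T1_PINS)
    return {pin: (port, single[p]) for pin, (port, p) in A108_STRAIGHT.items()}

def a108_crossover():
    """A108 to A108 (cross): map the Y-cross result back onto A108 pins."""
    back = {v: k for k, v in A108_STRAIGHT.items()}
    return {pin: back[leg] for pin, leg in a108_y_crossover().items()}

def is_involution(m):
    """A cross-over cable must read the same from either end."""
    return all(m[m[p]] == p for p in m)
```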



T1-E1 Tap pin-outs (Datascope)
(image: Sangoma Tap.jpg)



Analog lines color code (for Sangoma A400)

Port Number Wire color (Ring/Tip)
1 Blue-White/White-Blue
2 Orange-White/White-Orange
3 Green-White/White-Green
4 Brown-White/White-Brown
5 Slate-White/White-Slate
6 Blue-Red/Red-Blue
7 Orange-Red/Red-Orange
8 Red-Green/Green-Red
9 Brown-Red/Red-Brown
10 Slate-Red/Red-Slate
11 Blue-Black/Black-Blue
12 Orange-Black/Black-Orange



S514-56 and A056K cable pin-outs

Cross-over cable:

If you are doing a back-to-back configuration, then you need a cross-over cable with the following pin-outs:
1 <-> 7
2 <-> 8
3 <-> 6
4 <-> 5
5 <-> 4
6 <-> 3
7 <-> 1
8 <-> 2

Loopback cable:

1 <-> 7
2 <-> 8
3 <-> 6
4 <-> 5


A500 Pin-outs

Connector Pin-out:

1-> Port N+1 TX+
2-> Port N+1 RX+
3-> Port N TX+
4-> Port N RX+
5-> Port N RX-
6-> Port N TX-
7-> Port N+1 RX-
8-> Port N+1 TX-
A500 Loop Back Connector:
(image: a500_loop_back.jpg)

B700 Cable Pinouts

BRI Pinouts (same cable is used for both NT and TE modes)

TE MODE
Pin  B700 side  Signal
1    Port N+1   TX+
2    Port N+1   RX+
3    Port N     TX+
4    Port N     RX+
5    Port N     RX-
6    Port N     TX-
7    Port N+1   RX-
8    Port N+1   TX-

NT MODE
Pin  B700 side  Signal
1    Port N+1   RX+
2    Port N+1   TX+
3    Port N     RX+
4    Port N     TX+
5    Port N     TX-
6    Port N     RX-
7    Port N+1   TX-
8    Port N+1   RX-

Analog
Pin  B700 side  Signal
1
2    Port N+1   Ring
3    Port N     Ring
4    Port N     Tip
5    Port N+1   Tip
6

How to Connect Lines to the A500:
(image: BRIDIAGRAM1.jpg)

2009-04-14

Firewall Script

Filed under: Linux — Nasser Heidari @ 19:42

I recommend taking a look at these pages before you start:
Linux Firewall-related /proc Entries
http://iptables-tutorial.frozentux.net/other/ip-sysctl.txt

#!/bin/bash
#http://github.com/jwiegley/jw.firewall/blob/57b08f6d01671336dca7474ca4f38e84fab583cd/firewall.iptables
# Usage: rc.firewall <path to iptables> <hostname | flush>
IPTABLES=$1
MYNAME=$2
 
######################################################################
#
# rc.firewall
#
# version 1.13 (2007/11/03) by John Wiegley 
#
# This script is based on a similar firewalling script I wrote for ipfw,
# but has been changed to utilize iptables. Also, it is customized
# solely for running on johnwiegley.com, and does not contain any
# configuration options.
#
# Revision history:
# 1.01: Added port knocking for ssh access.
# 1.02: Lock out ssh port scanners for 5 minutes.
# 1.03: Remove port scanners from lockout after 5 mins good behavior.
# 1.04: Flush the nat table as well as the filter (default) table.
# 1.05: Use hashlimit for connection rate limiting instead of recent.
# 1.06: Extended portscan lockout to an entire day.
# 1.07: Removed an excessive rule.
# 1.08: Commented out rate limiting of Apache.
# 1.09: Increased SSH availability to one day.
# 1.10: Drop ICMP redirect packets.
# 1.11: Decrease SYN flood rate limit to 60 conns per second.
# 1.12: Don't filter based on the connection source port.
# 1.13: Opened up the IMAP/S port 993.
#
######################################################################
 
$IPTABLES -F
$IPTABLES -t nat -F
$IPTABLES -X
 
$IPTABLES -t nat -P PREROUTING ACCEPT
$IPTABLES -t nat -P POSTROUTING ACCEPT
$IPTABLES -t nat -P OUTPUT ACCEPT
 
$IPTABLES -t nat -A POSTROUTING -o eth0 -j MASQUERADE
 
$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
$IPTABLES -P OUTPUT ACCEPT
 
# With "flush" as the second argument, stop here: everything above has reset
# the tables to ACCEPT, so the firewall is now wide open.
if [[ $MYNAME == flush ]]; then
    exit 0
fi
 
######################################################################
 
$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP
$IPTABLES -P OUTPUT ACCEPT
 
# Drop invalid packets immediately
$IPTABLES -A INPUT -m state --state INVALID -j DROP
$IPTABLES -A FORWARD -m state --state INVALID -j DROP
$IPTABLES -A OUTPUT -m state --state INVALID -j DROP
 
# Allow trusted interfaces
$IPTABLES -A INPUT -i lo -j ACCEPT
$IPTABLES -A INPUT -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -i tun+ -j ACCEPT
$IPTABLES -A FORWARD -o tun+ -j ACCEPT
 
# Drop suspicious IP packets
#$IPTABLES -A INPUT -m ipv4options --rr -j DROP
#$IPTABLES -A INPUT -m ipv4options --ts -j DROP
#$IPTABLES -A INPUT -m ipv4options --lsrr -j DROP
#$IPTABLES -A INPUT -m ipv4options --ssrr -j DROP
 
# Drop bogus TCP packets
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
 
# Allow multicast DNS packets. jww (2007-09-09): This may be needed at
# Server Axis for determining server presence. I have to ask them.
$IPTABLES -A INPUT -d 224.0.0.251 -p udp -m udp --dport mdns -j ACCEPT
 
# Reject packets from RFC1918 class networks (i.e., spoofed)
$IPTABLES -A INPUT -i eth0 -s 10.0.0.0/8 -j DROP
$IPTABLES -A INPUT -s 192.168.0.0/16 -j DROP
$IPTABLES -A INPUT -s 169.254.0.0/16 -j DROP
if [[ $MYNAME == "johnwiegley.com" ]]; then
    $IPTABLES -A INPUT -s 172.16.0.0/12 -j DROP
fi
$IPTABLES -A INPUT -s 127.0.0.0/8 -j DROP
 
$IPTABLES -A INPUT -s 224.0.0.0/4 -j DROP
$IPTABLES -A INPUT -d 224.0.0.0/4 -j DROP
$IPTABLES -A INPUT -s 240.0.0.0/5 -j DROP
$IPTABLES -A INPUT -d 240.0.0.0/5 -j DROP
$IPTABLES -A INPUT -s 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -d 0.0.0.0/8 -j DROP
$IPTABLES -A INPUT -d 239.255.255.0/24 -j DROP
$IPTABLES -A INPUT -d 255.255.255.255 -j DROP
 
# Reject packets spoofed to appear as if from us
if [[ $MYNAME == "johnwiegley.com" ]]; then
    $IPTABLES -A INPUT -s 208.70.150.153 -j DROP
    $IPTABLES -A INPUT -s 208.70.150.154 -j DROP
    $IPTABLES -A INPUT -s 208.70.150.155 -j DROP
    $IPTABLES -A INPUT -s 208.70.150.156 -j DROP
    $IPTABLES -A INPUT -s 208.70.150.157 -j DROP
fi
 
# Allow most ICMP packets to be received (so people can check our
# presence), but restrict the flow to avoid ping flood attacks
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type address-mask-request -j DROP
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type timestamp-request -j DROP
$IPTABLES -A INPUT -p icmp -m icmp --icmp-type redirect -j DROP
$IPTABLES -A INPUT -p icmp -m icmp -m limit --limit 1/second -j ACCEPT
 
# Anyone trying to portscan us at port 139 is locked out for 1 day.
$IPTABLES -A INPUT -m recent --name portscan --rcheck --seconds 86400 -j DROP
$IPTABLES -A FORWARD -m recent --name portscan --rcheck --seconds 86400 -j DROP
$IPTABLES -A INPUT -m recent --name portscan --remove
 
$IPTABLES -A INPUT -p tcp -m tcp -i eth0 --dport 139 \
    -m recent --name portscan --set -j LOG --log-level 4 --log-prefix "Portscan:"
$IPTABLES -A INPUT -p tcp -m tcp -i eth0 --dport 139 \
    -m recent --name portscan --set -j DROP
$IPTABLES -A FORWARD -p tcp -m tcp -i eth0 --dport 139 \
    -m recent --name portscan --set -j LOG --log-level 4 --log-prefix "Portscan:"
$IPTABLES -A FORWARD -p tcp -m tcp -i eth0 --dport 139 \
    -m recent --name portscan --set -j DROP
 
# jww (2007-09-09): I don't think this can be done with iptables alone,
# so I satisfy myself with limiting RST packets instead. Intention:
# Delay RST packets by 0.5 seconds to avoid SMURF attacks, by giving the
# next real data packet in the sequence a better chance to arrive first.
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags RST RST \
    -m limit --limit 2/second --limit-burst 2 -j ACCEPT
 
# If we are using IPsec, these rules allow such packets through
#$IPTABLES -A INPUT -p ah -j ACCEPT
#$IPTABLES -A INPUT -p esp -j ACCEPT
 
# Allow established and related packets
$IPTABLES -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
 
# Discard any left over fragments
$IPTABLES -A INPUT -f -j DROP
 
# Protect against SYN floods by rate limiting the number of new
# connections from any host to 60 per second. This does *not* do rate
# limiting overall, because then someone could easily shut us down by
# saturating the limit.
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp --syn \
    -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP
 
# Reply to unknown "NEW" SYN/ACK packets with a RESET, so we can't be
# used as a middle-man for Sequence Number Prediction based spoof
# attacks.
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp \
    --tcp-flags SYN,ACK SYN,ACK -j REJECT --reject-with tcp-reset
 
# Log and drop NEW packets which don't have the SYN bit set
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp ! --syn \
    -j LOG --log-level 4 --log-prefix "New !SYN:"
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp ! --syn -j DROP
 
# If any packets reach this point that have the ACK bit set (but not
# SYN), respond with a TCP reset
$IPTABLES -A INPUT -p tcp -m tcp --tcp-flags ACK ACK \
    -j REJECT --reject-with tcp-reset
 
# DNS
$IPTABLES -A INPUT -m state --state NEW -p udp -m udp --dport domain -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -p tcp -m tcp --dport domain -j ACCEPT
 
# OpenVPN
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p udp -m udp --dport 1194 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp --dport 1195 -j ACCEPT
 
# FTP, but allow only 5 open connections per host, and 5 new connections
# per minute from any given host (to block brute force scans)
#$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp \
# --dport ftp -m connlimit --connlimit-above 5 -j DROP
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp --dport ftp -m hashlimit \
    --hashlimit 5/min --hashlimit-mode srcip --hashlimit-name ftpusers -j ACCEPT
 
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp --dport rsync -m hashlimit \
    --hashlimit 5/min --hashlimit-mode srcip --hashlimit-name ftpusers -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p udp -m udp --dport rsync -m hashlimit \
    --hashlimit 5/min --hashlimit-mode srcip --hashlimit-name ftpusers -j ACCEPT
 
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp --dport git -m hashlimit \
    --hashlimit 5/min --hashlimit-mode srcip --hashlimit-name gitusers -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p udp -m udp --dport git -m hashlimit \
    --hashlimit 5/min --hashlimit-mode srcip --hashlimit-name gitusers -j ACCEPT
 
# SSH, but allow only 2 new connections per minute from any given host
# (to block brute force scans), and only after knocking first at port
# 1908.
#$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp \
# --dport ssh -m recent --rcheck --seconds 86400 --name sshusers -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp \
    --dport ssh -j ACCEPT
 
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp \
    --dport 1907 -m recent --name sshusers --remove \
    -j REJECT --reject-with icmp-admin-prohibited
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp \
    --dport 1908 -m recent --name sshusers --set \
    -j REJECT --reject-with icmp-admin-prohibited
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp \
    --dport 1909 -m recent --name sshusers --remove \
    -j REJECT --reject-with icmp-admin-prohibited
 
# Web, but allow only 10 open connections per host, and 40 new
# connections per minute from any given host
#$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp \
# -m multiport --dports http,https -m connlimit --connlimit-above 10 -j DROP
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp \
    -m multiport --dports http,https -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp --dport 8080 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp --dport 8007 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp --dport 9090 -j ACCEPT
$IPTABLES -A INPUT -m state --state NEW -i eth0 -p tcp -m tcp --dport 5050 -j ACCEPT
# -m hashlimit --hashlimit 40/min --hashlimit-mode srcip --hashlimit-name webusers -j ACCEPT
 
# if a connection comes in to .157:80, redirect it to local port 8080
$IPTABLES -t nat -A PREROUTING -s 208.70.150.157 -p tcp -m tcp --dport 80 \
    -j REDIRECT --to-ports 8080
 
# SMTP, but allow only 5 open connections per host, and 10 new connections per
# minute from any given host. And only listen at mail.johnwiegley.com.
DEST=""
if [[ $MYNAME == "johnwiegley.com" ]]; then
DEST="-d 208.70.150.154"
fi
#$IPTABLES -A INPUT -m state --state NEW $DEST -p tcp -m tcp \
# -m multiport --dports smtp,submission -m connlimit --connlimit-above 5 -j DROP
$IPTABLES -A INPUT -m state --state NEW $DEST -p tcp -m tcp \
    -m multiport --dports smtp,submission,imaps -m hashlimit \
    --hashlimit 10/min --hashlimit-mode srcip --hashlimit-name mailusers -j ACCEPT
 
# Reject all others by letting them know that such communication with the host
# is forbidden
$IPTABLES -A INPUT -j REJECT --reject-with icmp-admin-prohibited
 
# Safety net: if the new rules have locked you out, the firewall is flushed
# again after two minutes. Interrupt the script once you have confirmed that
# you still have access.
echo If you can exit me now, things are OK...
sleep 120

exec $0 $IPTABLES flush

2009-04-11

Protecting Server Against TCP Syn-Flood Attack !!!

Filed under: Linux,Security Tips and Issues — Nasser Heidari @ 00:24
#iptables -I INPUT -m state --state NEW -p tcp -m tcp --syn -m recent --name synflood --update --seconds 1 --hitcount 60 -j DROP

iptables -N syn-flood
iptables -A syn-flood -m limit --limit 10/s --limit-burst 24 -j RETURN
iptables -A syn-flood -j DROP
iptables -I INPUT -i eth0 -p tcp --syn -j syn-flood

These rules limit new inbound TCP connections (packets with the SYN bit set) to 10 per second once a burst of 24 has been seen.
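The `limit` match behind the syn-flood chain is a token bucket: `--limit-burst` is the bucket size and `--limit` the refill rate. The following model, added here and not part of the post, replays a constructed SYN trace through the chain above. It also shows the caveat a defender should keep in mind: the bucket is shared by every source, unlike the per-source `recent` rule, so a single flooding host also gets a legitimate client's SYN dropped.

```python
# Model of the iptables 'limit' match as used by the syn-flood chain above.
# Added example; timestamps are seconds, sources are constructed addresses.

def syn_flood_chain(arrivals, limit_per_sec=10.0, burst=24):
    """Replay (time, src) SYN arrivals in time order through the chain.

    Returns (time, src, verdict) per packet: 'RETURN' when the limit rule
    matches and the packet goes back to INPUT, 'DROP' when the bucket is
    empty and the chain's second rule fires. The bucket is shared by all
    sources, exactly like '-m limit'; src is carried only for the report.
    """
    tokens = float(burst)                  # bucket starts full (--limit-burst)
    last = arrivals[0][0] if arrivals else 0.0
    verdicts = []
    for t, src in arrivals:
        # Refill at --limit tokens per second, never above the burst size.
        tokens = min(float(burst), tokens + (t - last) * limit_per_sec)
        last = t
        if tokens >= 1.0:
            tokens -= 1.0
            verdicts.append((t, src, "RETURN"))
        else:
            verdicts.append((t, src, "DROP"))
    return verdicts

def dropped_sources(arrivals, **kw):
    """Set of sources that had at least one SYN dropped."""
    return {src for _, src, v in syn_flood_chain(arrivals, **kw) if v == "DROP"}

# Constructed sample: one host fires 30 SYNs in the same instant, and a
# legitimate client sends a single SYN 10 ms later.
SAMPLE = [(0.0, "203.0.113.9")] * 30 + [(0.01, "198.51.100.7")]

if __name__ == "__main__":
    for t, src, v in syn_flood_chain(SAMPLE):
        print(f"{t:5.2f} {src:15} {v}")
    print("sources with drops:", dropped_sources(SAMPLE))
```

With the sample trace the first 24 SYNs pass, the remaining 6 from the flooding host are dropped, and the legitimate client's SYN is dropped as well because only 0.1 token has been refilled by then; a steady 10 SYN/s from one source is never dropped.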

2009-04-03

MultiTail !!!

Filed under: Linux — Nasser Heidari @ 08:06

Imagine being able to use tail to follow multiple files in one window. That is what MultiTail does. MultiTail is a Linux administrators’ dream come true. With the ability to follow any log file (and as many log files as you can stand in one window) MultiTail can stack multiple tails of log files vertically or horizontally, with colors or without.

# multitail -s 2 /var/log/messages /var/log/security.log

The above command follows messages and security.log in two vertical columns in one window.

# multitail -R 2 -l "netstat -tunapo"

This runs netstat every 2 seconds and then shows what has changed since the previous run. That way one can see new connections being made and closed connections fading away.

# multitail logfile -l "ping 4.2.2.4"

This creates two windows: one with the contents of logfile, one with the output of ‘ping 4.2.2.4’.

# multitail /var/log/apache/access_log -I /var/log/apache/error_log

This creates one window with the contents of /var/log/apache/access_log merged with the contents of /var/log/apache/error_log.

MultiTail is very easy to use.
Thanks to Techrepublic

2009-04-01

Block ssh brute force attacks with iptables

Filed under: Linux,Security Tips and Issues — Nasser Heidari @ 12:22
 # iptables -N SSH_CHECK
 # iptables -I INPUT -p tcp --dport 22 -m state --state NEW -j SSH_CHECK
 # iptables -A SSH_CHECK -m recent --set --name SSH
 # iptables -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
 # iptables -A SSH_CHECK -m recent --update --seconds 180 --hitcount 5 --rttl --name SSH -j DROP
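The `recent` list the SSH_CHECK chain relies on is a per-source history of timestamps: `--set` records the packet, `--update --seconds 180 --hitcount 5` matches once the source has five recorded hits inside the last 180 seconds. The model below, added here and not from the post, replays a constructed trace of new SSH connections through the chain; with `seconds=1, hitcount=60` the same model covers the per-source synflood rule from the 2009-04-11 post. It does not model `--rttl` (the TTL check) or the list's entry cap.

```python
# Model of the iptables 'recent' match as used by the SSH_CHECK chain above.
# Added example; addresses and timestamps are constructed.
from collections import defaultdict, deque

class RecentList:
    """Per-source timestamp history, as kept by '-m recent --name SSH'."""
    def __init__(self, seconds, hitcount):
        self.seconds = seconds
        self.hitcount = hitcount
        self.hits = defaultdict(deque)      # src -> recorded packet times

    def set(self, src, now):
        """--set: record this packet for the source."""
        self.hits[src].append(now)

    def update(self, src, now):
        """--update --seconds S --hitcount N: true once the source has at
        least N recorded packets within the last S seconds."""
        window = self.hits[src]
        while window and now - window[0] > self.seconds:
            window.popleft()                # hits older than the window expire
        return len(window) >= self.hitcount

def recent_chain_verdicts(trace, seconds=180, hitcount=5):
    """Replay (time, src) NEW-connection events through SSH_CHECK.

    'DROP' when the --update rule matches (the LOG rule fires first, with
    the same match); 'RETURN' when the packet falls off the end of the
    chain and INPUT evaluation continues."""
    recent = RecentList(seconds, hitcount)
    verdicts = []
    for now, src in trace:
        recent.set(src, now)                # -m recent --set --name SSH
        verdicts.append("DROP" if recent.update(src, now) else "RETURN")
    return verdicts

# Constructed sample: one source retries sshd every 10 s, a legitimate admin
# logs in twice; the attacker stays quiet for 250 s and then tries again.
SAMPLE_TRACE = [
    (0, "203.0.113.5"), (5, "198.51.100.7"), (10, "203.0.113.5"),
    (20, "203.0.113.5"), (30, "203.0.113.5"), (40, "203.0.113.5"),
    (50, "203.0.113.5"), (300, "203.0.113.5"), (400, "198.51.100.7"),
]
```

The fifth and sixth attempts inside 180 s are dropped; after the quiet period the history has expired and the source is admitted again, which is the behaviour of the chain above rather than a permanent ban.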
