OSBiz v2 UNEXPECTED RESTART

[htapih]

Hi Masters,

need your expertise/comment with our problem.

we have a OpenScape Business x8 v2 which is up and running for a couple of months now,
then suddenly UNEXPECTED RESTART Happens and recurring.

i try to find whats the root cause of the restart, but i don't know how to translate these codes.

I have also attached the eventlog created from the system.

Appreciate your BIG HELP!


2016/05/13 11:35:33 alert OCSME user fp[4514]: EventText: 0xff C #11/42 0x2-0x5 !L1 asynchron off: 32050407000000000000

2016/05/13 11:35:33 err OCSME daemon arpwatch: report: pausing (cdepth 3)

2016/05/13 11:35:33 notice OCSME user fp[4514]: EventLogEntry from FP_RECOVERY [fp:192.168.85.242] (0xb4ae4450 \"05/13/2016 11:35:33.817091\" E 0):
2016/05/13 11:35:33 notice OCSME user fp[4514]: EventType: Cleared

2016/05/13 11:35:33 notice OCSME user fp[4514]: EventCode: FP_EVT_DH_005

2016/05/13 11:35:33 notice OCSME user fp[4514]: EventText: 0xff C #21/5 0x2-0x5 !Port in service: 82000101000031300400

2016/05/13 11:35:34 err OCSME daemon arpwatch: report: pausing (cdepth 3)

2016/05/13 03:35:35 warning OCSME mail postfix/postdrop[19036]: warning: mail_queue_enter: create file maildrop/80677.19036: No such file or directory

2016/05/13 11:35:35 err OCSME daemon arpwatch: report: pausing (cdepth 3)

2016/05/13 11:35:36 err OCSME daemon arpwatch: report: pausing (cdepth 3)

2016/05/13 11:35:37 err OCSME daemon arpwatch: report: pausing (cdepth 3)

2016/05/13 11:35:38 err OCSME daemon arpwatch: report: pausing (cdepth 3)

2016/05/13 11:35:39 crit OCSME user oso_observ.sh: missing LDH

2016/05/13 11:35:39 err OCSME daemon arpwatch: report: pausing (cdepth 3)

2016/05/13 11:35:39 crit OCSME user oso_observ.sh: request restart

2016/05/13 11:35:39 crit OCSME user oso_restart.sh: ##### Restart requested #####

2016/05/13 11:35:39 notice OCSME user oso_restart.sh: executing ocab_command: touch /mnt/persistent/occReboot.txt; init 6
2016/05/13 11:35:39 info OCSME daemon init: Switching to runlevel: 6
2016/05/13 03:35:40 warning OCSME mail postfix/postdrop[18854]: warning: mail_queue_enter: create file maildrop/149764.18854: No such file or directory

2016/05/13 11:35:40 err OCSME daemon arpwatch: report: pausing (cdepth 3)

2016/05/13 11:35:40 notice OCSME user /etc/rc6.d/K03commserv: stop
2016/05/13 11:35:41 debug OCSME user start-up-measurement: OSO system stop initiated

2016/05/13 11:35:41 info OCSME user oso_basis.sh: ##############################################

2016/05/13 11:35:41 info OCSME user oso_basis.sh: ###### called with parameter stop

2016/05/13 11:35:41 info OCSME user oso_basis.sh: ##############################################

2016/05/13 11:35:41 debug OCSME user oso_basis.sh: execute ulimit

THANKYOU!!

 

[obtsystems]

Hi Htapih,

I am no expert on the logs,

daemon arpwatch,monitors changes in mac address/IP.

EventType: Major
EventCode: MSG_ERH_SECURITY_DENIAL
EventText: fGetERHSIPSubConfigValues: Warning! SIP Authentication is deactivated for subscriber=644

Did you disable sip extension need for passwords.

I would say either there is an issue with the local network or your system is being attacked by someone trying to brute force on

Is port 5060 open on the firewall pointing to the system?

 

[htapih]

Hi obtsystems, Thank you for the response.

YES I deactivate security/password for sip phones registration.

YES sip port 5060 is open on firewall

I just don't know what to do, how to prevent this from happening again and again.

 

[xs650]

osbiz_v2_R0.2.0_081 that you are using is rather old software.
There are a lot of restarts reasons solved in newer versions, so I would update to V2MR1 asap

 

[htapih]

Hello xs650

Thans' for the reply, unfortunately i don't have a access on unify.

do you have link where can i download it?

thank you!

 

[xs650]

The easiest way is to use the online update function via internet.

 

[htapih]

hmmm... problem is, due to clients security. we are not allowed to do so.

anyway thank you so much for the help.

 

[sbcsu]

The client's security does not allow update from internet but it does allow access to port 5060 ???

 

[htapih]

Hi sbcsu,

If i'm not mistaken, I assumed that 5060 is used for SIP port.

 

[xs650]

an open port 5060 plus sip phones without a password and your
system is wide open for hackers.
We had several OsBiz customers were this happened.
Now they have a view thousand bucks less but really strong passwords.

 

[sbcsu]

That is exactly the point I am making,
You have a system that is wide open for attacks etc.
yet the 'policy' is not to upgrade/update over the internet ???

 

[htapih]

thanks' for the info, i am really not into deep knowledge with this.

just to clarify, can i close the port 5060 on the network firewall without getting any issue
on SIP extension?

or what is the better way to protect the system from possible attacks!

 

[xs650]

In the unify wiki you can find some security issues

http://wiki.unify.com/wiki/How_to_enable_blocked_SIP_Providers