RPL modification tracking 1

[Lynx77]

Hi All,

We are using CallPilot server 201i rls4.0.
We need to know when the RPL (Restriction Permission List) has been modified. In callpilot manager, we have the date/time of the last modification.

Anyway to track previous modifications in callpilot DB or Logs?

Thanks.

 

[dj4020]

Should not be accessible to the average Joe, but rather to those who won't change things they shouldn't But if you want to play the slueth which will require due diligence. You will need to verify everyday if it has been changed if it has using event veiwer see who connected to your server. Look in event browser, alarm monitor to see if you can associate an IP or user login to any changes then look for who has that IP.

 

[Lynx77]

Hi dj4020,

Thanks for your reply.

We are actually suspecting a mis-usage of the RPL (allow external dialing from mailbox).
We really need to track old changes.
The callpilot access is localally on the server so no IP tarck in the event viewer.
Anyway to check logs or database?

Thanks.

 

[dj4020]

Lynx you can require the desktop to be locked requiring a login. This will at least give you an indication of when someone logged in. Also there should only be one or two accounts that should even have the ability to make changes. You could look into the CallPilot Manager "Event Browser" you can get to it through "CallPilot Manager" Click on "System" then click on "Event Browser" then Click on "Change Filter Criteria" select everything. Whenever anyone logs in to the Manager it will show who and when. Unfortunately I don't see in my CallPilot any thing about any changes made I experimented by creating a new RPL and the deleting it did not show up. I believe you will only be able to monitor for future abuses. Give everyone who would need access to CallPilot Manager there own login at least that way you will know who's been in there. Turn on hacker monitor it will show who dialed in and where they thru dialed to.

Thru-dial attempt from Hacker Monitored mailbox. Calling DN, Mailbox# = XXXXXXXXX,XXXX.

Hope this helps some. . .

 

[Lynx77]

Hi dj4020,

We have locked the CallPilot PC, changed the user:000000 password.

Unfortunately, we do not know which mailbox to monitor. Anyway, we do not need it anymore since we restricted the callpilot ports using RPL and TGAR/NCOS in the PABX.

Too bad we can not check the history since we have a big problem with the customer (abuse of mailbox for international calls with thousands of $).

Will escalate the issue to Nortel support.

Anyway thanks a lot for your help.

 

[dj4020]

Lynx Hacker Monitor is a system wide option everyone gets monitored. Then use Event Browser to see who is thru dialing. We have all selected on our CP, we don't want to be discriminating.

Monitoring options
You can monitor
• all CLIDs for suspicious behavior, or you can specify certain CLIDs to be monitored
• logon or thru-dial attempts
• for the entire day, or for a specified time period

To monitor CLIDs
Step Action
1 On the CallPilot Manager toolbar, select Messaging > Security Administration.
2 Under the CLIDs section, click the checkbox Monitor CLIDs for All Mailbox Logins and all Thru-Dials on the System. Result: The Add and Delete buttons are enabled.
3 Select the times when you would like the Hacker Monitor active
4 Enter the phone number (DN) you would like to monitor in the Internal or External box and click Add.
5 Click Save.
Result: The entered DN is now activated and will be monitored.

 

[Lynx77]

Thanks dj4020.

Your tips were helpful.

But unfortunately, we can not track the modifications history. We are following up the issue with Nortel.