My firewall and asterisk pjsip config only has "permit" options for my ITSP's (SIP trunk) IPs.
Here's the script that sets it up.
--------------------------------------------------
#!/bin/bash
EXIF="eth0"

# Reset, default-deny inbound, allow all outbound
/sbin/iptables --flush
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Drop malformed / non-SYN new TCP, fragments and bogus flag combinations
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
/sbin/iptables -A INPUT -f -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j REJECT
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Voipfone (ITSP / SIP trunk ranges are the only sources allowed to open new connections)
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT

# my SSH
/sbin/iptables -A INPUT -p tcp --dport 22XXX -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 22XXX -m conntrack --ctstate ESTABLISHED -j ACCEPT

# HTTP
/sbin/iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 8443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow icmp input so that people can ping us
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Log then drop any packets that are not allowed. You will probably want to turn off the logging
# /sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT
--------------------------------------------------

Then one day, sngrep was running in the background, and I noticed lots of these...
--------------------------------------------------
13:26:10.350316  OPTIONS  163.172.210.65:5089 -> 46.101.X.X:5060

OPTIONS sip:50901@46.101.X.X SIP/2.0
Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport
Content-Length: 0
From: "sipvicious"<sip:100@1.1.1.1>;tag=3265363530346630313363340132333439343631383137
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:100@1.1.1.1>
Contact: sip:50901@127.0.1.1:5089
CSeq: 1 OPTIONS
Call-ID: 67968489840845542823418
Max-Forwards: 70

[ ] 4 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 163.172.210.65:5089  46.101.X.X:5060
[ ] 5 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 89.163.242.118:5089  46.101.X.X:5060
[ ] 6 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 142.54.162.58:5061   46.101.X.X:5060
[ ] 7 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 95.211.197.176:5065  46.101.X.X:5060
-----------------------------------------------------------------

This is what nmap from a remote machine can see:
--------------------------------------------------
Not shown: 65534 filtered ports
PORT      STATE SERVICE
22XXX/tcp open  unknown
8443/tcp  open  https-alt
--------------------------------------------------

How are these SipVicious probes getting through? Clearly the firewall is misconfigured... or maybe not?

I'm not seeing these warnings in Asterisk of course, as it's not listening on these other ports. Together with the allow/deny pjsip settings, I *think* I'm reasonably safe?

What bothers me is that I don't understand how/why this is happening. And that makes me nervous!

Thanks.

--
_____________________________________________________________________
-- Bandwidth and Colocation Provided by http://www.api-digital.com --

Check out the new Asterisk community forum at: https://community.asterisk.org/

New to Asterisk? Start here:
https://wiki.asterisk.org/wiki/display/AST/Getting+Started

asterisk-users mailing list
To UNSUBSCRIBE or update options visit:
http://lists.digium.com/mailman/listinfo/asterisk-users
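As an added check (not code from the post): sngrep, like tcpdump, captures on the interface before the netfilter INPUT chain filters anything, so a probe that the final REJECT rule discards still shows up in the capture and never reaches Asterisk. The script below rebuilds the captured OPTIONS request as a constructed sample, fingerprints the scanner from its headers, and replays the source address against the ACCEPT rules from the iptables script above; it assumes those three trunk ranges and tcp/8443 are the only NEW-packet accepts (the SSH port is elided as 22XXX in the post, so it is not modelled).

```python
import ipaddress

# Trunk source ranges copied from the ACCEPT rules in the iptables script above.
TRUNK_ALLOW = [ipaddress.ip_network(n) for n in
               ("195.189.173.0/24", "46.31.225.0/24", "46.31.231.0/24")]

# Constructed sample: the OPTIONS probe from the sngrep capture, rebuilt as one UDP datagram.
SAMPLE_PROBE = (
    "OPTIONS sip:50901@46.101.X.X SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport\r\n"
    "Content-Length: 0\r\n"
    'From: "sipvicious"<sip:100@1.1.1.1>;tag=3265363530346630313363340132333439343631383137\r\n'
    "User-Agent: friendly-scanner\r\n"
    'To: "sipvicious"<sip:100@1.1.1.1>\r\n'
    "CSeq: 1 OPTIONS\r\n"
    "Call-ID: 67968489840845542823418\r\n"
    "Max-Forwards: 70\r\n\r\n"
)

def parse_sip_headers(raw):
    """Return (request line, {lowercased header name: value}) for one SIP message."""
    lines = raw.split("\r\n\r\n", 1)[0].split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers

def input_chain_verdict(src_ip, dport, proto="udp"):
    """Replay a NEW packet against the post's INPUT chain: trunk ranges ACCEPT,
    tcp/8443 ACCEPT (the SSH port is elided as 22XXX, so it is not modelled),
    everything else falls through to the final REJECT."""
    src = ipaddress.ip_address(src_ip)
    if any(src in net for net in TRUNK_ALLOW):
        return "ACCEPT"
    if proto == "tcp" and dport == 8443:
        return "ACCEPT"
    return "REJECT"

def classify_probe(src_ip, raw, dport=5060, proto="udp"):
    """Fingerprint the scanner from the SIP headers and attach the firewall verdict."""
    request_line, hdrs = parse_sip_headers(raw)
    ua = hdrs.get("user-agent", "").lower()
    scanner = "friendly-scanner" in ua or "sipvicious" in hdrs.get("from", "").lower()
    return {"method": request_line.split()[0],
            "scanner": scanner,
            "verdict": input_chain_verdict(src_ip, dport, proto)}
```

Running `classify_probe("163.172.210.65", SAMPLE_PROBE)` gives a REJECT verdict for the scanner source, while a packet from a trunk range is accepted; the capture and the firewall are both behaving as configured.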