OK, I understand. Clever - I didn't know anything could read packets before iptables.
And sorry about the formatting - I tried to make it all neat, but it looks like it got excessively word wrapped. Thanks for putting my mind at ease.

On 28 March 2017 at 16:12, Andres <and...@telesip.net> wrote:
> On 3/28/17 9:32 AM, Jonathan H wrote:
>
>> My firewall and asterisk pjsip config only has "permit" options for my
>> ITSP's (SIP trunk) IPs.
>>
>> Here's the script that sets it up.
>>
>> --------------------------------------------------
>> #!/bin/bash
>> EXIF="eth0"
>>
>> /sbin/iptables --flush
>> /sbin/iptables --policy INPUT DROP
>> /sbin/iptables --policy OUTPUT ACCEPT
>> /sbin/iptables -A INPUT -i lo -j ACCEPT
>> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>> /sbin/iptables -A INPUT -f -j DROP
>> /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j REJECT
>> /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
>>
>> # Voipfone
>> /sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
>> /sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
>> /sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
>> /sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
>>
>> # my SSH
>> /sbin/iptables -A INPUT -p tcp --dport 22XXX -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
>> /sbin/iptables -A OUTPUT -p tcp --sport 22XXX -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>
>> # HTTP
>> /sbin/iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
>> /sbin/iptables -A OUTPUT -p tcp --sport 8443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>
>> # Allow icmp input so that people can ping us
>> /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
>>
>> # Log then drop any packets that are not allowed. You will probably want to turn off the logging
>> # /sbin/iptables -A INPUT -j LOG
>> /sbin/iptables -A INPUT -j REJECT
>> --------------------------------------------------
>>
>> Then one day, sngrep was running in the background, and I noticed lots
>> of these...
>>
> ngrep and tcpdump will show you packets before they reach iptables, so you
> can see attacks like below.
> You should not see responses if the firewall is working and I don't see
> any responses below so you should be safe.
>
>> 13:26:10.350316   163.172.210.65:5089  --OPTIONS-->  46.101.X.X:5060
>>
>> OPTIONS sip:50901@46.101.X.X SIP/2.0
>> Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport
>> Content-Length: 0
>> From: "sipvicious"<sip:100@1.1.1.1>;tag=3265363530346630313363340132333439343631383137
>> Accept: application/sdp
>> User-Agent: friendly-scanner
>> To: "sipvicious"<sip:100@1.1.1.1>
>> Contact: sip:50901@127.0.1.1:5089
>> CSeq: 1 OPTIONS
>> Call-ID: 67968489840845542823418
>> Max-Forwards: 70
>>
>> [ ] 4 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 163.172.210.65:5089 46.101.X.X:5060
>> [ ] 5 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 89.163.242.118:5089 46.101.X.X:5060
>> [ ] 6 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 142.54.162.58:5061  46.101.X.X:5060
>> [ ] 7 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 95.211.197.176:5065 46.101.X.X:5060
>>
>> -----------------------------------------------------------------
>>
>> This is what nmap from a remote machine can see:
>>
>> Not shown: 65534 filtered ports
>> PORT      STATE SERVICE
>> 22XXX/tcp open  unknown
>> 8443/tcp  open  https-alt
>>
>> --------------------------------------------------
>>
>> How are these SipVicious probes getting through? Clearly the firewall
>> is misconfigured.. or maybe not?
>> I'm not seeing these warnings in Asterisk of course, as it's not
>> listening on these other ports.
>>
>> Together with the allow/deny pjsip settings, I *think* I'm reasonably
>> safe?
>>
>> What bothers me is that I don't understand how/why this is happening.
>> And that makes me nervous!
>>
>> Thanks.
>>
>
> --
> Andres
>
> --
> _____________________________________________________________________
> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>
> Check out the new Asterisk community forum at:
> https://community.asterisk.org/
>
> New to Asterisk? Start here:
> https://wiki.asterisk.org/wiki/display/AST/Getting+Started
>
> asterisk-users mailing list
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
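The point Andres makes is worth turning into a repeatable check. sngrep, ngrep and tcpdump all read frames from the interface (libpcap over AF_PACKET) before the netfilter INPUT chain runs, so a friendly-scanner OPTIONS probe appears in a capture whether or not iptables later rejects it. The question to answer is not "did the probe arrive" but "did the host answer it with anything the firewall should have prevented". One caveat the script above carries: its last rule is -j REJECT, not DROP, and REJECT's default is to send an ICMP port-unreachable back, so a capture on this box will legitimately show one outbound ICMP error per rejected probe (that is also why nmap reports the other ports as "filtered" rather than silently timing out). The example below is added here and is not code from either post. It models the INPUT chain exactly as written in the thread, replays a constructed tcpdump -n style capture through it, ignores the ICMP unreachables REJECT is expected to emit, and flags any UDP or TCP packet the host sends to a source whose probe the chain would have rejected. It assumes an SSH port of 22222 (the post redacts it as 22XXX) and uses 192.0.2.10 as a stand-in for the redacted 46.101.X.X; the scanner addresses are the ones shown in the sngrep list.

```python
"""Replay a SIP-scanner capture against a model of the posted INPUT chain.

Added example for this thread, not code from the original posts. Capture
tools tap the NIC before netfilter, so rejected probes are still visible;
the meaningful check is whether the host answered them.
"""
import ipaddress
import re

# Allowlisted ITSP ranges, copied from the iptables script in the thread.
TRUNK_NETS = [ipaddress.ip_network(n) for n in
              ("195.189.173.0/24", "46.31.225.0/24", "46.31.231.0/24")]
SSH_PORT = 22222           # assumption: the thread redacts this as 22XXX
HTTPS_ALT_PORT = 8443      # from the script
HOST_IP = ipaddress.ip_address("192.0.2.10")  # constructed stand-in for 46.101.X.X


def input_verdict(proto, src_ip, dport=None, icmp_type=None, state="NEW"):
    """Verdict of the posted INPUT chain for one inbound packet, rule order kept."""
    src = ipaddress.ip_address(src_ip)
    if src.is_loopback:
        return "ACCEPT"                               # -i lo -j ACCEPT
    if state in ("ESTABLISHED", "RELATED"):
        return "ACCEPT"                               # conntrack rule
    if proto in ("tcp", "udp") and any(src in net for net in TRUNK_NETS):
        return "ACCEPT"                               # ITSP rules: any port
    if proto == "tcp" and dport in (SSH_PORT, HTTPS_ALT_PORT):
        return "ACCEPT"                               # SSH and 8443
    if proto == "icmp" and icmp_type == 8:
        return "ACCEPT"                               # echo-request
    return "REJECT"   # final rule: REJECT, which emits an ICMP port-unreachable


# tcpdump -n style lines (constructed format, see SAMPLE_CAPTURE below).
L4_LINE = re.compile(r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
                     r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<rest>.*)$")
ICMP_LINE = re.compile(r"^\S+ IP \d+\.\d+\.\d+\.\d+ > \d+\.\d+\.\d+\.\d+: ICMP .*unreachable")


def audit_capture(lines):
    """Return (probes, leaks).

    probes: (src, dport, proto) for inbound packets the INPUT chain rejects;
            sngrep shows these regardless of the firewall.
    leaks:  (dst, dport, proto) for UDP/TCP packets our host sent back to one
            of those rejected sources, i.e. an answer the firewall should have
            prevented. ICMP port-unreachable replies are what REJECT is
            expected to emit and are deliberately not counted.
    """
    rejected_sources = set()
    probes, leaks = [], []
    for line in lines:
        if ICMP_LINE.match(line):
            continue                                  # expected REJECT reply
        m = L4_LINE.match(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        proto = "tcp" if m["rest"].startswith("Flags [") else "udp"
        if dst == HOST_IP:
            if input_verdict(proto, str(src), int(m["dport"])) == "REJECT":
                rejected_sources.add(src)
                probes.append((str(src), int(m["dport"]), proto))
        elif src == HOST_IP and dst in rejected_sources:
            leaks.append((str(dst), int(m["dport"]), proto))
    return probes, leaks


# Constructed capture: three UDP probes and one TCP SYN from the scanner
# addresses in the thread, the ICMP unreachable REJECT sends back, a
# legitimate trunk OPTIONS exchange, and one deliberately planted SIP reply
# to a scanner so the leak path is exercised.
SAMPLE_CAPTURE = """\
13:26:10.350316 IP 163.172.210.65.5089 > 192.0.2.10.5060: SIP: OPTIONS sip:50901@192.0.2.10 SIP/2.0
13:26:10.350402 IP 192.0.2.10 > 163.172.210.65: ICMP 192.0.2.10 udp port 5060 unreachable, length 36
13:26:11.102244 IP 89.163.242.118.5089 > 192.0.2.10.5060: SIP: OPTIONS sip:50901@192.0.2.10 SIP/2.0
13:26:12.718009 IP 142.54.162.58.5061 > 192.0.2.10.5060: SIP: OPTIONS sip:50901@192.0.2.10 SIP/2.0
13:26:12.718411 IP 192.0.2.10.5060 > 142.54.162.58.5061: SIP: SIP/2.0 200 OK
13:26:14.000120 IP 195.189.173.10.5060 > 192.0.2.10.5060: SIP: OPTIONS sip:192.0.2.10 SIP/2.0
13:26:14.000655 IP 192.0.2.10.5060 > 195.189.173.10.5060: SIP: SIP/2.0 200 OK
13:26:15.333000 IP 95.211.197.176.40112 > 192.0.2.10.5060: Flags [S], seq 1, win 1024, length 0
""".splitlines()

if __name__ == "__main__":
    probes, leaks = audit_capture(SAMPLE_CAPTURE)
    for p in probes:
        print("rejected probe  :", p)
    for leak in leaks:
        print("LEAK (answered) :", leak)
    print("firewall effective" if not leaks else "firewall leaking")
```

Run against a real box, feed it `tcpdump -n -l -i eth0 'port 5060 or icmp'` output instead of SAMPLE_CAPTURE: on the configuration from the thread the probes list will fill up (that is the sngrep noise) while leaks stays empty, and the 200 OK to 142.54.162.58 planted in the sample is what a genuine misconfiguration would look like.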