[asterisk-users] SipVicious scans getting through iptables firewall - but how?

Jonathan H lardconcepts at gmail.com
Tue Mar 28 08:32:48 CDT 2017


My firewall and asterisk pjsip config only have "permit" options for my
ITSP's (SIP trunk) IPs.

Here's the script that sets it up.

--------------------------------------------------
#!/bin/bash
EXIF="eth0"

/sbin/iptables --flush
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
/sbin/iptables -A INPUT -f -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j REJECT
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Voipfone
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT

# my SSH
/sbin/iptables -A INPUT -p tcp --dport 22XXX -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 22XXX -m conntrack --ctstate ESTABLISHED -j ACCEPT

# HTTP
/sbin/iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 8443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow icmp input so that people can ping us
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Log then drop any packets that are not allowed. You will probably
# want to turn off the logging
# /sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT

--------------------------------------------------

Then one day, sngrep was running in the background, and I noticed lots
of these...


OPTIONS sip:50901@46.101.X.X SIP/2.0
Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport
Content-Length: 0
From: "sipvicious"<sip:100@1.1.1.1>;tag=3265363530346630313363340132333439343631383137
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:100@1.1.1.1>
Contact: sip:50901@127.0.1.1:5089
CSeq: 1 OPTIONS
Call-ID: 67968489840845542823418
Max-Forwards: 70

(sngrep flow view: 13:26:10.350316  163.172.210.65:5089 --OPTIONS--> 46.101.X.X:5060)

sngrep call list (index, method, from, to, msgs, source, destination):

[ ] 4    OPTIONS    100@1.1.1.1    100@1.1.1.1    1    163.172.210.65:5089    46.101.X.X:5060
[ ] 5    OPTIONS    100@1.1.1.1    100@1.1.1.1    1    89.163.242.118:5089    46.101.X.X:5060
[ ] 6    OPTIONS    100@1.1.1.1    100@1.1.1.1    1    142.54.162.58:5061     46.101.X.X:5060
[ ] 7    OPTIONS    100@1.1.1.1    100@1.1.1.1    1    95.211.197.176:5065    46.101.X.X:5060


-----------------------------------------------------------------

This is what nmap from a remote machine can see:

Not shown: 65534 filtered ports
PORT     STATE SERVICE
22XXX/tcp open  unknown
8443/tcp open  https-alt

--------------------------------------------------

How are these SipVicious probes getting through? Clearly the firewall
is misconfigured... or maybe not?
I'm not seeing these warnings in Asterisk, of course, as it's not
listening on these other ports.

Together with the allow/deny pjsip settings, I *think* I'm reasonably safe?

What bothers me is that I don't understand how/why this is happening.
And that makes me nervous!

Thanks.
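A defender-side check this question invites, added here as an example that is not part of the original post: it takes the three ITSP ranges from the firewall script above, parses an OPTIONS request like the captured one, and reports whether the packet's source would pass the script's source allow-list and whether the message carries SIPVicious's tell-tale "friendly-scanner" User-Agent. The `parse_sip` and `classify` functions, the 203.0.113.10 target address and the 195.189.173.20 source address are constructed for the example.

```python
import ipaddress

# Source networks the poster's iptables script permits for NEW TCP/UDP.
PERMITTED_NETS = [ipaddress.ip_network(n) for n in
                  ("195.189.173.0/24", "46.31.225.0/24", "46.31.231.0/24")]

# Markers SIP scanners put in User-Agent/From; SIPVicious sends "friendly-scanner".
SCANNER_MARKERS = ("friendly-scanner", "sipvicious")


def parse_sip(raw):
    """Split a SIP request into method, request-URI and a header dict."""
    lines = raw.strip().splitlines()
    method, uri, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "uri": uri, "headers": headers}


def classify(src_ip, raw):
    """Report whether a probe's source is firewall-permitted and scanner-like."""
    msg = parse_sip(raw)
    ip = ipaddress.ip_address(src_ip)
    hdr = msg["headers"]
    fields = (hdr.get("user-agent", "") + " " + hdr.get("from", "")).lower()
    return {
        "src": src_ip,
        "method": msg["method"],
        "permitted_by_firewall": any(ip in net for net in PERMITTED_NETS),
        "looks_like_scanner": any(m in fields for m in SCANNER_MARKERS),
    }


# Constructed sample modelled on the OPTIONS probe in the post (target is a documentation address).
SAMPLE_PROBE = """OPTIONS sip:50901@203.0.113.10 SIP/2.0
Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport
From: "sipvicious"<sip:100@1.1.1.1>;tag=3265363530346630313363340132333439343631383137
To: "sipvicious"<sip:100@1.1.1.1>
User-Agent: friendly-scanner
CSeq: 1 OPTIONS
Call-ID: 67968489840845542823418
Content-Length: 0
"""

if __name__ == "__main__":
    # 163.172.210.65 is a probe source from the post; 195.189.173.20 is constructed.
    for src in ("163.172.210.65", "195.189.173.20"):
        print(classify(src, SAMPLE_PROBE))
```

sngrep, like tcpdump, captures through libpcap ahead of the netfilter INPUT chain, so a probe that shows up there may still have been rejected by the firewall before it could reach Asterisk. Enabling the script's commented-out `-j LOG` rule just before the final REJECT is the direct way to confirm which of the captured probes were actually dropped.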
