[asterisk-users] SipVicious scans getting through iptables firewall - but how?

Andres andres at telesip.net
Tue Mar 28 10:12:18 CDT 2017


On 3/28/17 9:32 AM, Jonathan H wrote:
> My firewall and asterisk pjsip config only has "permit" options for my
> ITSP's (SIP trunk) IPs.
>
> Here's the script that sets it up.
>
> --------------------------------------------------
> #!/bin/bash
> EXIF="eth0"
>
> /sbin/iptables --flush
> /sbin/iptables --policy INPUT DROP
> /sbin/iptables --policy OUTPUT ACCEPT
> /sbin/iptables -A INPUT -i lo -j ACCEPT
> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
> /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
> /sbin/iptables -A INPUT -f -j DROP
> /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j REJECT
> /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
>
> # Voipfone
> /sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
> /sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
> /sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
> /sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
> /sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
>
> # my SSH
> /sbin/iptables -A INPUT -p tcp --dport 22XXX -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --sport 22XXX -m conntrack --ctstate ESTABLISHED -j ACCEPT
>
> # HTTP
> /sbin/iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
> /sbin/iptables -A OUTPUT -p tcp --sport 8443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
>
>
> # Allow icmp input so that people can ping us
> /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
>
> # Log then drop any packets that are not allowed. You will probably want to turn off the logging
> # /sbin/iptables -A INPUT -j LOG
> /sbin/iptables -A INPUT -j REJECT
>
> --------------------------------------------------
>
> Then one day, sngrep was running in the background, and I noticed lots
> of these...
ngrep and tcpdump will show you packets before they reach iptables, so you can see attacks like below.
You should not see responses if the firewall is working, and I don't see any responses below, so you should be safe.
>
>
>   13:26:10.350316   163.172.210.65:5089  ---- OPTIONS ---->  46.101.X.X:5060
>
> OPTIONS sip:50901@46.101.X.X SIP/2.0
> Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport
> Content-Length: 0
> From: "sipvicious"<sip:100@1.1.1.1>;tag=3265363530346630313363340132333439343631383137
> Accept: application/sdp
> User-Agent: friendly-scanner
> To: "sipvicious"<sip:100@1.1.1.1>
> Contact: sip:50901@127.0.1.1:5089
> CSeq: 1 OPTIONS
> Call-ID: 67968489840845542823418
> Max-Forwards: 70
>
> [ ] 4    OPTIONS    100@1.1.1.1               100@1.1.1.1
>   1     163.172.210.65:5089    46.101.X.X:5060
> [ ] 5    OPTIONS    100@1.1.1.1               100@1.1.1.1
>   1     89.163.242.118:5089    46.101.X.X:5060
> [ ] 6    OPTIONS    100@1.1.1.1               100@1.1.1.1
>   1     142.54.162.58:5061     46.101.X.X:5060
> [ ] 7    OPTIONS    100@1.1.1.1               100@1.1.1.1
>   1     95.211.197.176:5065    46.101.X.X:5060
>
>
> -----------------------------------------------------------------
>
> This is what nmap from a remote machine can see:
>
> Not shown: 65534 filtered ports
> PORT     STATE SERVICE
> 22XXX/tcp open  unknown
> 8443/tcp open  https-alt
>
> --------------------------------------------------
>
> How are these SipVicious probes getting through? Clearly the firewall
> is misconfigured... or maybe not?
> I'm not seeing these warnings in Asterisk, of course, as it's not
> listening on these other ports.
>
> Together with the allow/deny pjsip settings, I *think* I'm reasonably safe?
>
> What bothers me is that I don't understand how/why this is happening.
> And that makes me nervous!
>
> Thanks.
>


-- 
Andres
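The point Andres makes is that a packet capture runs below netfilter, so inbound probes will always be visible in sngrep; the symptom of a broken firewall is an outbound SIP response to an address that is not on the trunk allow-list. The script below is an added example (not code from the thread or from Asterisk) that applies exactly that test to a set of constructed packet records. It reuses the three ITSP ranges from Jonathan's firewall script and the scanner OPTIONS message he captured; the address 46.101.0.1 is a placeholder standing in for the redacted 46.101.X.X, and the trunk's own User-Agent string is invented.

```python
"""Audit a SIP capture for firewall leakage.

Inbound probes from untrusted hosts are expected on the wire (the capture
sees them before iptables does). An outbound SIP *response* to an untrusted
host is the signal that the firewall let a probe reach Asterisk.
"""
import ipaddress
import re
from collections import Counter

# ITSP ranges copied from the iptables script in the thread.
TRUNK_NETS = [ipaddress.ip_network(n) for n in
              ("195.189.173.0/24", "46.31.225.0/24", "46.31.231.0/24")]
OUR_IP = "46.101.0.1"  # placeholder for the redacted 46.101.X.X

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<uri>sip:\S+) SIP/2\.0$")
STATUS_LINE = re.compile(r"^SIP/2\.0 (?P<code>\d{3}) ")

# Constructed sample traffic. SCANNER_OPTIONS is the message shown in the
# thread; the trunk OPTIONS and the 200 OK replies are made up for the test.
SCANNER_OPTIONS = "\r\n".join([
    "OPTIONS sip:50901@46.101.0.1 SIP/2.0",
    "Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport",
    "Content-Length: 0",
    'From: "sipvicious"<sip:100@1.1.1.1>;tag=3265363530346630313363340132333439343631383137',
    "Accept: application/sdp",
    "User-Agent: friendly-scanner",
    'To: "sipvicious"<sip:100@1.1.1.1>',
    "Contact: sip:50901@127.0.1.1:5089",
    "CSeq: 1 OPTIONS",
    "Call-ID: 67968489840845542823418",
    "Max-Forwards: 70",
    "", "",
])
TRUNK_OPTIONS = ("OPTIONS sip:46.101.0.1 SIP/2.0\r\n"
                 "User-Agent: trunk-sbc\r\nContent-Length: 0\r\n\r\n")
OK_REPLY = "SIP/2.0 200 OK\r\nUser-Agent: Asterisk PBX\r\nContent-Length: 0\r\n\r\n"

# (src_ip, src_port, dst_ip, dst_port, raw SIP message)
SAMPLE_PACKETS = [
    ("163.172.210.65", 5089, OUR_IP, 5060, SCANNER_OPTIONS),   # probe, expected
    ("89.163.242.118", 5089, OUR_IP, 5060, SCANNER_OPTIONS),   # probe, expected
    ("195.189.173.10", 5060, OUR_IP, 5060, TRUNK_OPTIONS),     # trunk keepalive
    (OUR_IP, 5060, "195.189.173.10", 5060, OK_REPLY),          # our reply to trunk
    (OUR_IP, 5060, "142.54.162.58", 5061, OK_REPLY),           # LEAK: reply to a scanner
]


def parse_sip(raw):
    """Split a raw SIP message into its start line and a lower-cased header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_trusted(ip):
    """True if ip falls inside one of the allow-listed trunk ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUNK_NETS)


def audit(packets):
    """Count untrusted probes (informational) and flag leaked responses (a fault)."""
    probe_sources = Counter()   # untrusted source IP -> requests seen
    scanner_agents = Counter()  # User-Agent values used by untrusted requesters
    leaks = []                  # (dst_ip, dst_port, status) for replies to untrusted hosts
    for src, _sport, dst, dport, raw in packets:
        start, headers = parse_sip(raw)
        if src == OUR_IP:
            m = STATUS_LINE.match(start)
            if m and not is_trusted(dst):
                leaks.append((dst, dport, m.group("code")))
        else:
            m = REQUEST_LINE.match(start)
            if m and not is_trusted(src):
                probe_sources[src] += 1
                scanner_agents[headers.get("user-agent", "<none>")] += 1
    return {
        "probe_sources": dict(probe_sources),
        "scanner_agents": dict(scanner_agents),
        "leaked_responses": leaks,
        "firewall_ok": not leaks,
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PACKETS).items():
        print(f"{key}: {value}")
```

With the full sample the audit reports `firewall_ok: False` because of the constructed reply to 142.54.162.58; drop that last record and it reports `True`, which is the state Jonathan's capture shows (probes only, no replies). To use it on a real host, feed it records exported from sngrep or tcpdump rather than the constructed list.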