[asterisk-users] SipVicious scans getting through iptables firewall - but how?

Jonathan H lardconcepts at gmail.com
Tue Mar 28 10:15:14 CDT 2017


OK, I understand. Clever - I didn't know anything could read packets before
iptables.

And sorry about the formatting - I tried to make it all neat, but it looks
like it got excessively word wrapped.

Thanks for putting my mind at ease.

On 28 March 2017 at 16:12, Andres <andres at telesip.net> wrote:

> On 3/28/17 9:32 AM, Jonathan H wrote:
>
>> My firewall and asterisk pjsip config only has "permit" options for my
>> ITSP's (SIP trunk) IPs.
>>
>> Here's the script that sets it up.
>>
>> --------------------------------------------------
>> #!/bin/bash
>> EXIF="eth0"
>>
>> /sbin/iptables --flush
>> /sbin/iptables --policy INPUT DROP
>> /sbin/iptables --policy OUTPUT ACCEPT
>> /sbin/iptables -A INPUT -i lo -j ACCEPT
>> /sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
>> /sbin/iptables -A INPUT -f -j DROP
>> /sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j REJECT
>> /sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
>>
>> # Voipfone
>> /sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
>> /sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
>> /sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
>> /sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
>> /sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
>>
>> # my SSH
>> /sbin/iptables -A INPUT -p tcp --dport 22XXX -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
>> /sbin/iptables -A OUTPUT -p tcp --sport 22XXX -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>
>> # HTTP
>> /sbin/iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
>> /sbin/iptables -A OUTPUT -p tcp --sport 8443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
>>
>> # Allow icmp input so that people can ping us
>> /sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
>>
>> # Log then drop any packets that are not allowed. You will probably
>> # want to turn off the logging
>> # /sbin/iptables -A INPUT -j LOG
>> /sbin/iptables -A INPUT -j REJECT
>>
>> --------------------------------------------------
>>
>> Then one day, sngrep was running in the background, and I noticed lots
>> of these...
>>
> ngrep and tcpdump will show you packets before they reach iptables, so you
> can see attacks like below. You should not see responses if the firewall is
> working, and I don't see any responses below, so you should be safe.
>
>
>>
>> 13:26:10.350316   163.172.210.65:5089  ──OPTIONS──>  46.101.X.X:5060
>>
>> OPTIONS sip:50901 at 46.101.X.X SIP/2.0
>> Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport
>> Content-Length: 0
>> From: "sipvicious"<sip:100 at 1.1.1.1>;tag=3265363530346630313363340132333439343631383137
>> Accept: application/sdp
>> User-Agent: friendly-scanner
>> To: "sipvicious"<sip:100 at 1.1.1.1>
>> Contact: sip:50901 at 127.0.1.1:5089
>> CSeq: 1 OPTIONS
>> Call-ID: 67968489840845542823418
>> Max-Forwards: 70
>>
>> [ ] 4    OPTIONS    100 at 1.1.1.1               100 at 1.1.1.1
>>   1     163.172.210.65:5089    46.101.X.X:5060
>> [ ] 5    OPTIONS    100 at 1.1.1.1               100 at 1.1.1.1
>>   1     89.163.242.118:5089    46.101.X.X:5060
>> [ ] 6    OPTIONS    100 at 1.1.1.1               100 at 1.1.1.1
>>   1     142.54.162.58:5061     46.101.X.X:5060
>> [ ] 7    OPTIONS    100 at 1.1.1.1               100 at 1.1.1.1
>>   1     95.211.197.176:5065    46.101.X.X:5060
>>
>>
>> -----------------------------------------------------------------
>>
>> This is what nmap from a remote machine can see:
>>
>> Not shown: 65534 filtered ports
>> PORT     STATE SERVICE
>> 22XXX/tcp open  unknown
>> 8443/tcp open  https-alt
>>
>> --------------------------------------------------
>>
>> How are these SipVicious probes getting through? Clearly the firewall
>> is misconfigured... or maybe not?
>> I'm not seeing these warnings in Asterisk of course, as it's not
>> listening on these other ports.
>>
>> Together with the allow/deny pjsip settings, I *think* I'm reasonably
>> safe?
>>
>> What bothers me is that I don't understand how/why this is happening.
>> And that makes me nervous!
>>
>> Thanks.
>>
>>
>
> --
> Andres
>
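As an added illustration of Andres's point (this is not code from the thread), a small Python checker that applies the poster's own ITSP allowlist to a capture: inbound OPTIONS from unknown hosts are expected in a tcpdump/sngrep capture, because the sniffer sees packets before netfilter's INPUT chain, whereas any outbound SIP reply to an unknown host would show the firewall is not actually dropping. The capture lines, their simplified format and the address 46.101.0.1 (standing in for 46.101.X.X) are constructed placeholders.

```python
"""Classify captured SIP traffic against the firewall allowlist.
Added example, not from the mailing-list thread; sample capture is
constructed in a simplified "src:port > dst:port  <SIP first line>" form."""
import ipaddress
import re

# ITSP ranges permitted by the poster's iptables script (from the thread).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in
                ("195.189.173.0/24", "46.31.225.0/24", "46.31.231.0/24")]
# Placeholder for the poster's 46.101.X.X server address.
OUR_IP = ipaddress.ip_address("46.101.0.1")

# Constructed sample: two scanner probes, then legitimate trunk traffic.
SAMPLE_CAPTURE = """\
163.172.210.65:5089 > 46.101.0.1:5060  OPTIONS sip:50901@46.101.0.1 SIP/2.0
89.163.242.118:5089 > 46.101.0.1:5060  OPTIONS sip:50901@46.101.0.1 SIP/2.0
195.189.173.10:5060 > 46.101.0.1:5060  INVITE sip:441234567890@46.101.0.1 SIP/2.0
46.101.0.1:5060 > 195.189.173.10:5060  SIP/2.0 100 Trying
"""
LINE_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+)\s+(.*)$")


def is_trusted(ip):
    """True if the address falls inside one of the permitted ITSP ranges."""
    return any(ip in net for net in TRUSTED_NETS)


def analyse(capture):
    """Return (probes_seen, leaked_responses).

    probes_seen: inbound packets from untrusted hosts. Seeing these is normal;
      the capture hook runs before iptables gets to drop them.
    leaked_responses: outbound packets to untrusted hosts. Any entry here means
      a probe reached Asterisk and was answered, i.e. the firewall is leaking."""
    probes, leaks = [], []
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(3))
        first_line = m.group(5)
        if dst == OUR_IP and not is_trusted(src):
            probes.append((str(src), first_line.split()[0]))   # method only
        elif src == OUR_IP and not is_trusted(dst):
            leaks.append((str(dst), first_line))
    return probes, leaks
```

An empty second list is the "no responses" condition Andres describes; run the same check over a real tcpdump/sngrep export to confirm the firewall is doing its job.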