[asterisk-users] Can't block intrusion

Greg Troxel gdt at lexort.com
Wed Apr 1 15:12:39 CDT 2020


D'Arcy Cain <darcy at VybeNetworks.com> writes:

> I have a script that checks for things like this and adds them to my
> packet filter (pf).  Everything seems to work up to a point.  The IP
> address gets added to my AUTOBLOCK table.  The second rule, right after
> the friends whitelist, blocks any IP in that table.  If I try to ping or
> traceroute to it I can't get through.  I ran netstat -a and sockstat -c
> and the IP address does not show up in the connections.  Every test
> suggests that the system is doing exactly what I want it to do.

But yet, new packets from that IP address reach asterisk.   It seems
almost entirely clear to me that you have a firewall problem, not an
asterisk problem.

I would test this out with a remote machine under your control, and
packet trace.  I would check for a buggy firewall rule that is somehow
accepting packets from new tcp or udp packets as matching an old
connection state object.  I would check for the new attempts as coming
from something that matches the original "connection", even if UDP.

> The weird thing is that the attempts don't stop.  That IP continues to
> try different numbers.  There are two ways that I have found so far to

You say "continues to try", but surely you are not surprised that
packets arrive at your computer.  I think you are surprised that they
make it to asterisk.  But your language doesn't quite line up with
that.  Am I misinterpreting?
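
One way to run the state check suggested in the reply above, as an added example that is not part of the original message: pf passes a packet that matches an existing state entry without re-evaluating the ruleset, so a state created before an address went into AUTOBLOCK keeps working. The script assumes IPv4, a table of single host addresses, and the `pfctl -ss` line layout shown in the constructed sample; `stale_states`, `demo` and the file names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original message.
# On the pf host the two inputs would come from:
#   pfctl -t AUTOBLOCK -T show > blocked.txt
#   pfctl -ss                  > states.txt

# stale_states BLOCKED_FILE STATES_FILE
# Prints each state line that has a blocked address as an endpoint.
stale_states() {
    [ -s "$1" ] || return 0   # empty table: nothing can match
    awk '
        # First file: one host address per line, indented as pfctl prints it.
        NR == FNR { if ($1 != "") blocked[$1] = 1; next }
        # Second file: "IFACE PROTO ADDR:PORT <- ADDR:PORT STATE" (IPv4).
        {
            for (i = 3; i <= NF; i++) {
                ep = $i
                gsub(/[()]/, "", ep)       # NAT endpoints are parenthesised
                sub(/:[0-9]+$/, "", ep)    # drop the port
                if (ep in blocked) { print; next }
            }
        }
    ' "$1" "$2"
}

# Constructed sample data (documentation addresses), shaped like pfctl output.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '   203.0.113.5\n   198.51.100.77\n' > "$tmp/blocked.txt"
    cat > "$tmp/states.txt" <<'EOF'
all udp 192.0.2.10:5060 <- 203.0.113.5:5071       MULTIPLE:MULTIPLE
all tcp 192.0.2.10:22 <- 192.0.2.200:51234       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:5060 <- 203.0.113.50:5060       SINGLE:NO_TRAFFIC
EOF
    stale_states "$tmp/blocked.txt" "$tmp/states.txt"
    rm -rf "$tmp"
}

demo
```

Any line this prints is a state that still carries traffic for a blocked address; `pfctl -k <address>` removes the states originating from that host.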


