[asterisk-users] SipVicious scans getting through iptables firewall - but how?
Jonathan H
lardconcepts at gmail.com
Tue Mar 28 08:32:48 CDT 2017
My firewall and asterisk pjsip config only have "permit" options for my
ITSP's (SIP trunk) IPs.
Here's the script that sets it up.
--------------------------------------------------
#!/bin/bash
EXIF="eth0"
/sbin/iptables --flush
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
/sbin/iptables -A INPUT -f -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j REJECT
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP
# Voipfone (ITSP source ranges, accepted on any port, TCP and UDP)
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
# my SSH
/sbin/iptables -A INPUT -p tcp --dport 22XXX -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 22XXX -m conntrack --ctstate ESTABLISHED -j ACCEPT
# HTTP
/sbin/iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 8443 -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Allow icmp input so that people can ping us
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT
# Log then drop any packets that are not allowed. You will probably
# want to turn off the logging
# /sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT
--------------------------------------------------
Then one day, sngrep was running in the background, and I noticed lots
of these...
--------------------------------------------------
13:26:10.350316  163.172.210.65:5089 -> 46.101.X.X:5060

OPTIONS sip:50901@46.101.X.X SIP/2.0
Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport
Content-Length: 0
From: "sipvicious"<sip:100@1.1.1.1>;tag=3265363530346630313363340132333439343631383137
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:100@1.1.1.1>
Contact: sip:50901@127.0.1.1:5089
CSeq: 1 OPTIONS
Call-ID: 67968489840845542823418
Max-Forwards: 70

(sngrep call list)
Idx  Method   From         To           Msgs  Source                Destination
4    OPTIONS  100@1.1.1.1  100@1.1.1.1  1     163.172.210.65:5089   46.101.X.X:5060
5    OPTIONS  100@1.1.1.1  100@1.1.1.1  1     89.163.242.118:5089   46.101.X.X:5060
6    OPTIONS  100@1.1.1.1  100@1.1.1.1  1     142.54.162.58:5061    46.101.X.X:5060
7    OPTIONS  100@1.1.1.1  100@1.1.1.1  1     95.211.197.176:5065   46.101.X.X:5060
-----------------------------------------------------------------
This is what nmap from a remote machine can see:
Not shown: 65534 filtered ports
PORT STATE SERVICE
22XXX/tcp open unknown
8443/tcp open https-alt
--------------------------------------------------
How are these SipVicious probes getting through? Clearly the firewall
is misconfigured... or maybe not?
I'm not seeing these warnings in Asterisk of course, as it's not
listening on these other ports.
Together with the allow/deny pjsip settings, I *think* I'm reasonably safe?
What bothers me is that I don't understand how/why this is happening.
And that makes me nervous!
Thanks.
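The question above can be checked against the ruleset itself rather than against what sngrep shows. The following is an added example, not code from the original post: it models the INPUT chain built by the script as a small first-match evaluator and walks the scanner sources from the sngrep list through it. It simplifies in three places, all marked in the code: the fragment and TCP-flag sanity rules are left out, ICMP is matched on protocol only, and the redacted SSH port "22XXX" is stood in for by the placeholder 22222. The sample packets are constructed from the addresses on the page.

```python
"""First-match model of the INPUT chain from the firewall script above.
Added example, not the poster's code. Simplifications: no fragment or
TCP-flag sanity rules, ICMP matched on protocol only, SSH port 22XXX
replaced by the placeholder 22222."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass
class Packet:
    src: str
    proto: str              # "tcp", "udp" or "icmp"
    dport: int = 0
    iface: str = "eth0"     # the script's EXIF
    state: str = "NEW"      # conntrack state: NEW, ESTABLISHED, RELATED
    syn: bool = True        # TCP only: is this a bare SYN?


@dataclass
class Rule:
    target: str                           # ACCEPT, DROP or REJECT
    proto: Optional[str] = None           # -p
    src: Optional[str] = None             # -s CIDR
    dport: Optional[int] = None           # --dport
    iface: Optional[str] = None           # -i
    states: FrozenSet[str] = frozenset()  # --state / --ctstate
    syn: Optional[bool] = None            # "! --syn" is syn=False

    def matches(self, p: Packet) -> bool:
        # Every match option present on the rule must hold, as in iptables.
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.src is not None and \
                ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.states and p.state not in self.states:
            return False
        if self.syn is not None and p.syn != self.syn:
            return False
        return True


ITSP_NETS = ["195.189.173.0/24", "46.31.225.0/24", "46.31.231.0/24"]
SSH_PORT = 22222  # placeholder for the redacted 22XXX in the script
NEW = frozenset({"NEW"})

# The INPUT chain in the order the script appends rules.
INPUT_CHAIN: List[Rule] = [
    Rule("ACCEPT", iface="lo"),
    Rule("ACCEPT", states=frozenset({"ESTABLISHED", "RELATED"})),
    Rule("DROP", proto="tcp", states=NEW, syn=False),
    # fragment and --tcp-flags rules omitted (simplification)
    *[Rule("ACCEPT", proto=pr, iface="eth0", states=NEW, src=net)
      for net in ITSP_NETS for pr in ("tcp", "udp")],   # note: no --dport
    Rule("ACCEPT", proto="tcp", dport=SSH_PORT,
         states=frozenset({"NEW", "ESTABLISHED"})),
    Rule("ACCEPT", proto="tcp", dport=8443,
         states=frozenset({"NEW", "ESTABLISHED"})),
    Rule("ACCEPT", proto="icmp", states=NEW),  # --icmp-type 8 not modelled
    Rule("REJECT"),                             # final catch-all
]
POLICY = "DROP"  # --policy INPUT DROP, reached only if no rule matches


def verdict(p: Packet, chain: List[Rule] = INPUT_CHAIN,
            policy: str = POLICY) -> Tuple[str, Optional[int]]:
    """Return (target, rule index) of the first matching rule, or the policy."""
    for idx, rule in enumerate(chain):
        if rule.matches(p):
            return rule.target, idx
    return policy, None


# Constructed sample: the scanner sources from the sngrep list, all sending
# UDP to 5060, plus one address inside the Voipfone range for comparison.
SCAN_SOURCES = ["163.172.210.65", "89.163.242.118",
                "142.54.162.58", "95.211.197.176"]


def check_probes() -> dict:
    results = {src: verdict(Packet(src, "udp", 5060))[0] for src in SCAN_SOURCES}
    results["195.189.173.10"] = verdict(Packet("195.189.173.10", "udp", 5060))[0]
    return results


if __name__ == "__main__":
    for src, v in check_probes().items():
        print(f"{src:>16} udp/5060 -> {v}")
```

Run as written, every scanner source ends at the final REJECT rule and only the ITSP address is accepted, which is what the ruleset says it should do. The reason sngrep still shows the OPTIONS requests is that packet-capture tools (sngrep, tcpdump) tap the interface through libpcap before the packet reaches netfilter's INPUT chain, so a capture shows what arrived at the NIC, not what the firewall let through. Two things worth confirming on the live box: the packet counters on `iptables -nvL INPUT` should be climbing on the final REJECT rule while the scans run, and temporarily enabling the commented-out `-j LOG` rule will show the same source addresses being logged just before they are rejected. The model also makes one design point visible: the ITSP rules carry no `--dport`, so any host in those three /24 ranges can reach every port on the server, not just SIP.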