[asterisk-users] Can't block intrusion
Greg Troxel
gdt at lexort.com
Wed Apr 1 15:12:39 CDT 2020
D'Arcy Cain <darcy at VybeNetworks.com> writes:

> I have a script that checks for things like this and adds them to my
> packet filter (pf). Everything seems to work up to a point. The IP
> address gets added to my AUTOBLOCK table. The second rule, right after
> the friends whitelist, blocks any IP in that table. If I try to ping or
> traceroute to it I can't get through. I ran netstat -a and sockstat -c
> and the IP address does not show up in the connections. Every test
> suggests that the system is doing exactly what I want it to do.

But yet, new packets from that IP address reach asterisk. It seems
almost entirely clear to me that you have a firewall problem, not an
asterisk problem.

I would test this out with a remote machine under your control, and
packet trace. I would check for a buggy firewall rule that is somehow
accepting packets from new tcp or udp packets as matching an old
connection state object. I would check for the new attempts as coming
from something that matches the original "connection", even if UDP.

> The weird thing is that the attempts don't stop. That IP continues to
> try different numbers. There are two ways that I have found so far to

You say "continues to try", but surely you are not surprised that
packets arrive at your computer. I think you are surprised that they
make it to asterisk. But your language doesn't quite line up with
that. Am I misinterpreting?
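
Added example (not part of the original message, and not code from either poster): one way to test the state-matching hypothesis in the reply above is to list addresses that are in the block table but still own a pf state entry. The table name AUTOBLOCK comes from the quoted post; the function names, the sample addresses and the assumed IPv4 line layout of `pfctl -ss` are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: find blocked addresses that still have a pf state entry.
# Assumption: state lines use the IPv4 layout
#   "all udp LOCAL:PORT <- REMOTE:PORT   STATE:STATE"
# as printed by `pfctl -ss`. All sample data below is constructed.

# stale_states "BLOCKED_ADDRS"   (state lines are read from stdin)
# Prints "address protocol" for each state with an endpoint in the block list.
stale_states() {
    list=$(printf '%s' "$1" | tr -s ' \t\n' ' ')   # flatten table listing
    awk -v list="$list" '
        BEGIN { n = split(list, a, " "); for (i = 1; i <= n; i++) blocked[a[i]] = 1 }
        {
            for (i = 3; i <= NF; i++) {
                host = $i
                gsub(/[()]/, "", host)      # translated addresses are parenthesised
                sub(/:[0-9]+$/, "", host)   # drop the port
                if (host in blocked) { print host, $2; break }
            }
        }
    ' | sort -u
}

# Constructed stand-in for `pfctl -t AUTOBLOCK -T show`
sample_blocked() { printf '   203.0.113.7\n   198.51.100.200\n'; }

# Constructed stand-in for `pfctl -ss`
sample_states() {
cat <<'EOF'
all udp 192.0.2.10:5060 <- 203.0.113.7:5060       MULTIPLE:MULTIPLE
all tcp 192.0.2.10:22 <- 198.51.100.4:51234       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:43211 -> 198.51.100.9:53       MULTIPLE:SINGLE
EOF
}

# Run on the constructed sample: reports the blocked host that still has state.
sample_states | stale_states "$(sample_blocked)"

# On a live pf host the same check would be:
#   pfctl -ss | stale_states "$(pfctl -t AUTOBLOCK -T show)"
# and states from a reported source can then be dropped with:
#   pfctl -k 203.0.113.7
```

Any address this reports is in the block table yet still has a state entry, which is the condition the reply suggests looking for alongside a packet trace.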