[asterisk-users] Can't block intrusion

D'Arcy Cain darcy at VybeNetworks.com
Wed Apr 1 16:02:07 CDT 2020


On 2020-04-01 15:12, Greg Troxel wrote:
> D'Arcy Cain <darcy at VybeNetworks.com> writes:
> But yet, new packets from that IP address reach asterisk.   It seems
> almost entirely clear to me that you have a firewall problem, not an
> asterisk problem.

This could well be but Asterisk is the only thing that continues to
communicate.

> I would test this out with a remote machine under your control, and
> packet trace.  I would check for a buggy firewall rule that is somehow
> accepting packets from new tcp or udp packets as matching an old
> connection state object.  I would check for the new attempts as coming
> from something that matches the original "connection", even if UDP.

Here are the first four lines from "pfctl -sr":

pass in quick on bge0 from <FRIENDS> to any flags S/SA keep state
block drop in log quick on bge0 from <ENEMIES> to any
block drop in log quick on bge0 from <AUTOBLOCK> to any
block drop out log quick on bge0 from any to <AUTOBLOCK>

Unless pf is broken I can't see how anything besides my "friends" can be
getting through.

>> The weird thing is that the attempts don't stop.  That IP continues to
>> try different numbers.  There are two ways that I have found so far to
> 
> You say "continues to try", but surely you are not surprised that
> packets arrive at your computer.  I think you are surprised that they
> make it to asterisk.  But your language doesn't quite line up with
> that.  Am I misinterpreting?

Maybe.  By "try" I don't mean "try to get through".  I mean "try to
access my switch".  They aren't actually breaking in.  My passwords are
strong enough to frustrate them.

-- 
D'Arcy J.M. Cain
Vybe Networks Inc.
A unit of Excelsior Solutions Corporation - Propelling Business Forward
http://www.VybeNetworks.com/
IM:darcy at VybeNetworks.com VoIP: sip:darcy at VybeNetworks.com
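
Added example (not part of the original message, and not code from pf or Asterisk): pf matches packets against its state table before it evaluates the ruleset, so a host that created a state before it was added to <AUTOBLOCK> can keep matching that state. This is one way the "old connection state object" case raised in the quoted text can arise. The sketch below cross-references constructed `pfctl -t AUTOBLOCK -T show` and `pfctl -ss` output (IPv4 only; all addresses and function names are assumptions) and lists the `pfctl -k` commands that would clear such states.

```python
import ipaddress
import re

# Constructed sample of `pfctl -t AUTOBLOCK -T show` (documentation addresses).
TABLE_OUTPUT = """\
   198.51.100.0/24
   203.0.113.45
"""

# Constructed sample of `pfctl -ss`; the middle field is the direction arrow.
STATES_OUTPUT = """\
all udp 192.0.2.10:5060 <- 203.0.113.45:5071       MULTIPLE:MULTIPLE
all udp 192.0.2.10:5060 <- 198.51.100.7:5060       NO_TRAFFIC:SINGLE
all tcp 192.0.2.10:22 <- 192.0.2.200:50514       ESTABLISHED:ESTABLISHED
all udp 192.0.2.10:41000 -> 192.0.2.53:53       MULTIPLE:SINGLE
"""

# IPv4 "addr:port" endpoints; pf prints IPv6 as addr[port], not handled here.
ENDPOINT = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):\d+")


def parse_table(text):
    """Table entries can be single hosts or CIDR networks."""
    return [ipaddress.ip_network(line.strip(), strict=False)
            for line in text.splitlines() if line.strip()]


def stale_states(table_text, states_text):
    """Return (address, state line) for states involving a blocked address."""
    blocked = parse_table(table_text)
    hits = []
    for line in states_text.splitlines():
        for addr in ENDPOINT.findall(line):
            if any(ipaddress.ip_address(addr) in net for net in blocked):
                hits.append((addr, line.strip()))
                break
    return hits


def kill_commands(hits):
    """pfctl -k HOST kills states from HOST; -k 0.0.0.0/0 -k HOST kills states to it."""
    cmds = []
    for addr in sorted({a for a, _ in hits}):
        cmds += [f"pfctl -k {addr}", f"pfctl -k 0.0.0.0/0 -k {addr}"]
    return cmds


if __name__ == "__main__":
    found = stale_states(TABLE_OUTPUT, STATES_OUTPUT)
    for addr, line in found:
        print("stale state for blocked host:", line)
    print("\n".join(kill_commands(found)))
```
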


