[asterisk-users] Can't block intrusion
D'Arcy Cain
darcy at VybeNetworks.com
Wed Apr 1 16:02:07 CDT 2020
On 2020-04-01 15:12, Greg Troxel wrote:
> D'Arcy Cain <darcy at VybeNetworks.com> writes:
> But yet, new packets from that IP address reach asterisk. It seems
> almost entirely clear to me that you have a firewall problem, not an
> asterisk problem.
This could well be but Asterisk is the only thing that continues to
communicate.
> I would test this out with a remote machine under your control, and
> packet trace. I would check for a buggy firewall rule that is somehow
> accepting packets from new tcp or udp packets as matching an old
> connection state object. I would check for the new attempts as coming
> from something that matches the original "connection", even if UDP.
Here are the first four lines from "pfctl -sr":
pass in quick on bge0 from <FRIENDS> to any flags S/SA keep state
block drop in log quick on bge0 from <ENEMIES> to any
block drop in log quick on bge0 from <AUTOBLOCK> to any
block drop out log quick on bge0 from any to <AUTOBLOCK>
Unless pf is broken I can't see how anything besides my "friends" can be
getting through.
>> The weird thing is that the attempts don't stop. That IP continues to
>> try different numbers. There are two ways that I have found so far to
>
> You say "continues to try", but surely you are not surprised that
> packets arrive at your computer. I think you are surprised that they
> make it to asterisk. But your language doesn't quite line up with
> that. Am I misinterpreting?
Maybe. By "try" I don't mean "try to get through". I mean "try to
access my switch". They aren't actually breaking in. My passwords are
strong enough to frustrate them.
--
D'Arcy J.M. Cain
Vybe Networks Inc.
A unit of Excelsior Solutions Corporation - Propelling Business Forward
http://www.VybeNetworks.com/
IM:darcy at VybeNetworks.com VoIP: sip:darcy at VybeNetworks.com
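
Added example, not part of the original message and not code from the poster or the pf project: one way to test the "old connection state object" theory raised in the quoted reply. pf consults its state table before evaluating rules, so a state created before an address was added to a block table keeps passing that address's packets. The function name, file paths and sample addresses are assumptions, and the sample state lines are constructed.

```shell
#!/bin/sh
# stale_states TABLE_FILE < STATE_DUMP
#   TABLE_FILE: one address per line, as printed by: pfctl -t AUTOBLOCK -T show
#   stdin:      state list, as printed by: pfctl -ss
# Prints each table address that still owns at least one state entry, once.
# Handles plain IPv4 host:port state lines only (no NAT, no IPv6).
stale_states() {
    awk '
        # First file: load the block table, stripping pfctl indentation.
        FILENAME == ARGV[1] {
            gsub(/[ \t]/, "")
            if ($0 != "") blocked[$0] = 1
            next
        }
        # State lines look like: all udp LOCAL:PORT <- REMOTE:PORT STATE
        {
            for (i = 3; i <= 5; i += 2) {
                host = $i
                sub(/:[0-9]+$/, "", host)
                if ((host in blocked) && !(host in seen)) {
                    seen[host] = 1
                    print host
                }
            }
        }
    ' "$1" -
}

# Constructed sample using documentation addresses, so this runs offline.
sample_states='all udp 192.0.2.10:5060 <- 203.0.113.45:5071       MULTIPLE:MULTIPLE
all tcp 192.0.2.10:22 <- 192.0.2.99:51000       ESTABLISHED:ESTABLISHED'

demo() {
    t=$(mktemp) && printf '   203.0.113.45\n' > "$t"
    printf '%s\n' "$sample_states" | stale_states "$t"
    rm -f "$t"
}
demo

# On the firewall itself (as root), the same check against live data,
# followed by killing the states that originate from each listed host:
#   pfctl -t AUTOBLOCK -T show > /tmp/autoblock.txt
#   pfctl -ss | stale_states /tmp/autoblock.txt |
#       while read -r ip; do pfctl -k "$ip"; done
```

If the function prints a blocked address, the traffic is riding an existing state rather than slipping past the block rules.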