<div dir="ltr">OK, I understand, Clever - I didn't know anything could read packets before iptables.<div><br></div><div>And sorry about the formatting - I tried to make it all neat, but it looks like it got excessively word wrapped.</div><div><br></div><div>Thanks for putting my mind at ease.</div></div><div class="gmail_extra"><br><div class="gmail_quote">On 28 March 2017 at 16:12, Andres <span dir="ltr"><<a href="mailto:andres@telesip.net" target="_blank">andres@telesip.net</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div class="HOEnZb"><div class="h5">On 3/28/17 9:32 AM, Jonathan H wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
My firewall and asterisk pjsip config only has "permit" options for my<br>
ITSP's (SIP trunk) IPs.<br>
<br>
Here's the script that sets it up.<br>
<br>
------------------------------<wbr>--------------------<br>
#!/bin/bash<br>
EXIF="eth0"<br>
<br>
/sbin/iptables --flush<br>
/sbin/iptables --policy INPUT DROP<br>
/sbin/iptables --policy OUTPUT ACCEPT<br>
/sbin/iptables -A INPUT -i lo -j ACCEPT<br>
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT<br>
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP<br>
/sbin/iptables -A INPUT -f -j DROP<br>
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j REJECT<br>
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP<br>
<br>
# Voipfone<br>
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s<br>
<a href="http://195.189.173.0/24" rel="noreferrer" target="_blank">195.189.173.0/24</a> -j ACCEPT<br>
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s<br>
<a href="http://195.189.173.0/24" rel="noreferrer" target="_blank">195.189.173.0/24</a> -j ACCEPT<br>
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s<br>
<a href="http://46.31.225.0/24" rel="noreferrer" target="_blank">46.31.225.0/24</a> -j ACCEPT<br>
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s<br>
<a href="http://46.31.225.0/24" rel="noreferrer" target="_blank">46.31.225.0/24</a> -j ACCEPT<br>
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s<br>
<a href="http://46.31.231.0/24" rel="noreferrer" target="_blank">46.31.231.0/24</a> -j ACCEPT<br>
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s<br>
<a href="http://46.31.231.0/24" rel="noreferrer" target="_blank">46.31.231.0/24</a> -j ACCEPT<br>
<br>
# my SSH<br>
/sbin/iptables -A INPUT -p tcp --dport 22XXX -m conntrack --ctstate<br>
NEW,ESTABLISHED -j ACCEPT<br>
/sbin/iptables -A OUTPUT -p tcp --sport 22XXX -m conntrack --ctstate<br>
ESTABLISHED -j ACCEPT<br>
<br>
# HTTP<br>
/sbin/iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate<br>
NEW,ESTABLISHED -j ACCEPT<br>
/sbin/iptables -A OUTPUT -p tcp --sport 8443 -m conntrack --ctstate<br>
ESTABLISHED -j ACCEPT<br>
<br>
<br>
# Allow icmp input so that people can ping us<br>
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT<br>
<br>
# Log then drop any packets that are not allowed. You will probably<br>
want to turn off the logging<br>
# /sbin/iptables -A INPUT -j LOG<br>
/sbin/iptables -A INPUT -j REJECT<br>
<br>
------------------------------<wbr>--------------------<br>
<br>
Then one day, sngrep was running in the background, and I noticed lots<br>
of these...<br>
</blockquote></div></div>
ngrep and tcpdump will show you packets before they reach iptables, so you can see attacks like below.<br>
You should not see responses if the firewall is working and I don't see any responses below so you<br>
should be safe.<div class="HOEnZb"><div class="h5"><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<br>
<br>
OPTIONS sip:50901@46.101.X.X SIP/2.0<br>
<a href="http://163.172.210.65:5089" rel="noreferrer" target="_blank">163.172.210.65:5089</a> 46.101.X.X:5060 │Via:<br>
SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-<wbr>786048925;rport<br>
──────────┬───────── ──────────┬─────────│Content-L<wbr>ength: 0<br>
│ OPTIONS │ │From:<br>
"sipvicious"<<a href="mailto:sip%3A100@1.1.1.1" target="_blank">sip:100@1.1.1.1</a>>;<wbr>tag=32653635303466303133633401<wbr>32333439343631383137<br>
13:26:10.350316 │ ──────────────────────────> │ │Accept:<br>
application/sdp<br>
│ │<br>
│User-Agent: friendly-scanner<br>
│ │ │To:<br>
"sipvicious"<<a href="mailto:sip%3A100@1.1.1.1" target="_blank">sip:100@1.1.1.1</a>><br>
│ │ │Contact:<br>
<a href="http://sip:50901@127.0.1.1:5089" rel="noreferrer" target="_blank">sip:50901@127.0.1.1:5089</a><br>
│ │ │CSeq: 1 OPTIONS<br>
│ │ │Call-ID:<br>
67968489840845542823418<br>
│ │ │Max-Forwards: 70<br>
<br>
[ ] 4 OPTIONS <a href="mailto:100@1.1.1.1" target="_blank">100@1.1.1.1</a> <a href="mailto:100@1.1.1.1" target="_blank">100@1.1.1.1</a><br>
1 <a href="http://163.172.210.65:5089" rel="noreferrer" target="_blank">163.172.210.65:5089</a> 46.101.X.X:5060<br>
[ ] 5 OPTIONS <a href="mailto:100@1.1.1.1" target="_blank">100@1.1.1.1</a> <a href="mailto:100@1.1.1.1" target="_blank">100@1.1.1.1</a><br>
1 <a href="http://89.163.242.118:5089" rel="noreferrer" target="_blank">89.163.242.118:5089</a> 46.101.X.X:5060<br>
[ ] 6 OPTIONS <a href="mailto:100@1.1.1.1" target="_blank">100@1.1.1.1</a> <a href="mailto:100@1.1.1.1" target="_blank">100@1.1.1.1</a><br>
1 <a href="http://142.54.162.58:5061" rel="noreferrer" target="_blank">142.54.162.58:5061</a> 46.101.X.X:5060<br>
[ ] 7 OPTIONS <a href="mailto:100@1.1.1.1" target="_blank">100@1.1.1.1</a> <a href="mailto:100@1.1.1.1" target="_blank">100@1.1.1.1</a><br>
1 <a href="http://95.211.197.176:5065" rel="noreferrer" target="_blank">95.211.197.176:5065</a> 46.101.X.X:5060<br>
<br>
<br>
------------------------------<wbr>------------------------------<wbr>-----<br>
<br>
This is what nmap from a remote machine can see:<br>
<br>
Not shown: 65534 filtered ports<br>
PORT STATE SERVICE<br>
22XXX/tcp open unknown<br>
8443/tcp open https-alt<br>
<br>
------------------------------<wbr>--------------------<br>
<br>
How are these SipVicious probes getting through? Clearly the firewall<br>
is misconfigured.. or maybe not?<br>
I'm not seeing these warnings in Asterisk of course, as it's not<br>
listening on these other ports.<br>
<br>
Together with the allow/deny pjsip settings, I *think* I'm reasonably safe?<br>
<br>
What bothers me is that don't understand how/why this is happening.<br>
And that makes me nervous!<br>
<br>
Thanks.<br>
<br>
</blockquote>
<br>
<br></div></div><span class="HOEnZb"><font color="#888888">
-- <br>
Andres<br>
<br>
-- <br>
______________________________<wbr>______________________________<wbr>_________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" rel="noreferrer" target="_blank">http://www.api-digital.com</a> --<br>
<br>
Check out the new Asterisk community forum at: <a href="https://community.asterisk.org/" rel="noreferrer" target="_blank">https://community.asterisk.org<wbr>/</a><br>
<br>
New to Asterisk? Start here:<br>
<a href="https://wiki.asterisk.org/wiki/display/AST/Getting+Started" rel="noreferrer" target="_blank">https://wiki.asterisk.org/wik<wbr>i/display/AST/Getting+Started</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" rel="noreferrer" target="_blank">http://lists.digium.com/mailma<wbr>n/listinfo/asterisk-users</a></font></span></blockquote></div><br></div>