Security Alert
Posted: Wed Oct 13, 2010 10:36 am
IF you have installed Vicibox Redux 2.0 or Vicibox Redux 3.0 and have not altered your firewall settings, the following commands will remove this entire subnet's ability to send any traffic to your server (no warranty of course, this is free stuff!):
Immediate (but temporary, will not survive a reboot) fix:
I highly recommend that you use the above command to lock out IP address range 113.0.0.0 – 113.255.255.255 from all servers immediately.
This particular range is entirely located within China.
If you are curious to see whether you have had any of the same type of attacks ...
Do you have any calls from this IP range?
Handy Tool to view your IPtables:
--REVISED-- Thanks Kumba for pointing out that "iptables-save" does not "save" LOL
Step By Step Process to add this specific "Bad Guy" to a permanent lockout (obviously this process will work for any IP address range! and YES if you put in more than one it should work fine, just put in multiples and change the IP address range to lock out some other IP range, and POST your results after a reboot so everyone knows it works and on which .iso installs!)
1) View your existing rules
2) Verify they have these lines present:
3) Enable Custom Firewall Loader
change
to (just moved the "#" from one line to the other)
4) Disable this IP address range in custom rules
Change
to (added the line above "true" which disabled that IP range)
5) Verify it worked! After a reboot run iptables -L again and verify that it now has this:
Immediate (but temporary, will not survive a reboot) fix:
- Code: Select all
iptables -I input_ext 2 -s 113.0.0.0/8 -p all -j DROP
I highly recommend that you use the above command to lock out IP address range 113.0.0.0 – 113.255.255.255 from all servers immediately.
This particular range is entirely located within China.
If you are curious to see whether you have had any of the same type of attacks ...
- Code: Select all
mysql asterisk -p --execute="SELECT * FROM vicidial_did_log WHERE left( channel, 7 ) = 'SIP/113'"
Do you have any calls from this IP range?
Handy Tool to view your IPtables:
- Code: Select all
iptables -L -v --line-numbers
--REVISED-- Thanks Kumba for pointing out that "iptables-save" does not "save" LOL
Step By Step Process to add this specific "Bad Guy" to a permanent lockout (obviously this process will work for any IP address range! and YES if you put in more than one it should work fine, just put in multiples and change the IP address range to lock out some other IP range, and POST your results after a reboot so everyone knows it works and on which .iso installs!)
1) View your existing rules
- Code: Select all
iptables -L -v --line-numbers
2) Verify they have these lines present:
- Code: Select all
Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
3) Enable Custom Firewall Loader
- Code: Select all
nano +874 /etc/sysconfig/SuSEfirewall2
change
- Code: Select all
#FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
FW_CUSTOMRULES=""
to (just moved the "#" from one line to the other)
- Code: Select all
FW_CUSTOMRULES="/etc/sysconfig/scripts/SuSEfirewall2-custom"
#FW_CUSTOMRULES=""
4) Disable this IP address range in custom rules
- Code: Select all
nano +45 /etc/sysconfig/scripts/SuSEfirewall2-custom
Change
- Code: Select all
fw_custom_before_port_handling() {
# these rules will be loaded after the anti-spoofing and icmp handling
# and after the input has been redirected to the input_XXX and
# forward_XXX chains and some basic chain-specific anti-circumvention
# rules have been set,
# but before any IP protocol or TCP/UDP port allow/protection rules
# will be set.
# You can use this hook to allow/deny certain IP protocols or TCP/UDP
# ports before the SuSEfirewall2 generated rules are hit.
true
}
to (added the line above "true" which disabled that IP range)
- Code: Select all
fw_custom_before_port_handling() {
# these rules will be loaded after the anti-spoofing and icmp handling
# and after the input has been redirected to the input_XXX and
# forward_XXX chains and some basic chain-specific anti-circumvention
# rules have been set,
# but before any IP protocol or TCP/UDP port allow/protection rules
# will be set.
# You can use this hook to allow/deny certain IP protocols or TCP/UDP
# ports before the SuSEfirewall2 generated rules are hit.
iptables -I input_ext 2 -s 113.0.0.0/8 -p all -j DROP
true
}
5) Verify it worked! After a reboot run iptables -L again and verify that it now has this:
- Code: Select all
Chain input_ext (2 references)
target prot opt source destination
DROP all -- anywhere anywhere PKTTYPE = broadcast
DROP all -- 113.0.0.0/8 anywhere