vicidial.org

[virtualpbx]

Whenever I run sip set debug on on. I see a lot of activity going on. is this a hacking attempts?


[May 6 03:13:13] To: <sip:2121@8.25.156.2:37447;rinstance=001674dd851f054e>
[May 6 03:13:13] Contact: <sip:asterisk@149.28.231.1:8988>
[May 6 03:13:13] Call-ID: 4fbb0eb0408f05e317c216a01f6f7b7d@149.28.231.1:8988
[May 6 03:13:13] CSeq: 102 OPTIONS
[May 6 03:13:13] User-Agent: Asterisk PBX 13.29.2-vici
[May 6 03:13:13] Date: Wed, 06 May 2020 03:13:13 GMT
[May 6 03:13:13] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[May 6 03:13:13] Supported: replaces, timer
[May 6 03:13:13] Content-Length: 0
[May 6 03:13:13]
[May 6 03:13:13]
[May 6 03:13:13] ---
[May 6 03:13:14] Reliably Transmitting (NAT) to 8.25.156.2:36630:
[May 6 03:13:14] OPTIONS sip:2113@8.25.156.2:36630;rinstance=3a5271547e6bc977 SIP/2.0
[May 6 03:13:14] Via: SIP/2.0/UDP 149.28.231.1:8988;branch=z9hG4bK5ff99acb;rport
[May 6 03:13:14] Max-Forwards: 70
[May 6 03:13:14] From: "asterisk" <sip:asterisk@149.28.231.1:8988>;tag=as491b700c
[May 6 03:13:14] To: <sip:2113@8.25.156.2:36630;rinstance=3a5271547e6bc977>
[May 6 03:13:14] Contact: <sip:asterisk@149.28.231.1:8988>
[May 6 03:13:14] Call-ID: 08c4978a11307151489af38715be4717@149.28.231.1:8988
[May 6 03:13:14] CSeq: 102 OPTIONS
[May 6 03:13:14] User-Agent: Asterisk PBX 13.29.2-vici
[May 6 03:13:14] Date: Wed, 06 May 2020 03:13:14 GMT
[May 6 03:13:14] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[May 6 03:13:14] Supported: replaces, timer
[May 6 03:13:14] Content-Length: 0
[May 6 03:13:14]
[May 6 03:13:14]
[May 6 03:13:14] ---
[May 6 03:13:14] Retransmitting #1 (NAT) to 8.25.156.2:37447:
[May 6 03:13:14] OPTIONS sip:2121@8.25.156.2:37447;rinstance=001674dd851f054e SIP/2.0
[May 6 03:13:14] Via: SIP/2.0/UDP 149.28.231.1:8988;branch=z9hG4bK68d7254c;rport
[May 6 03:13:14] Max-Forwards: 70
[May 6 03:13:14] From: "asterisk" <sip:asterisk@149.28.231.1:8988>;tag=as7564df86
[May 6 03:13:14] To: <sip:2121@8.25.156.2:37447;rinstance=001674dd851f054e>
[May 6 03:13:14] Contact: <sip:asterisk@149.28.231.1:8988>
[May 6 03:13:14] Call-ID: 4fbb0eb0408f05e317c216a01f6f7b7d@149.28.231.1:8988
[May 6 03:13:14] CSeq: 102 OPTIONS
[May 6 03:13:14] User-Agent: Asterisk PBX 13.29.2-vici
[May 6 03:13:14] Date: Wed, 06 May 2020 03:13:13 GMT
[May 6 03:13:14] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[May 6 03:13:14] Supported: replaces, timer
[May 6 03:13:14] Content-Length: 0
[May 6 03:13:14]
[May 6 03:13:14]
[May 6 03:13:14] ---
[May 6 03:13:15] Reliably Transmitting (NAT) to 174.197.204.183:11392:
[May 6 03:13:15] OPTIONS sip:2264@174.197.204.183:11392;rinstance=f50448dfa054af7a SIP/2.0
[May 6 03:13:15] Via: SIP/2.0/UDP 149.28.231.1:8988;branch=z9hG4bK5518a9dd;rport
[May 6 03:13:15] Max-Forwards: 70
[May 6 03:13:15] From: "asterisk" <sip:asterisk@149.28.231.1:8988>;tag=as24dc47ef
[May 6 03:13:15] To: <sip:2264@174.197.204.183:11392;rinstance=f50448dfa054af7a>
[May 6 03:13:15] Contact: <sip:asterisk@149.28.231.1:8988>
[May 6 03:13:15] Call-ID: 51ccfb0a6a76d2b72d810d5c7647a752@149.28.231.1:8988
[May 6 03:13:15] CSeq: 102 OPTIONS
[May 6 03:13:15] User-Agent: Asterisk PBX 13.29.2-vici
[May 6 03:13:15] Date: Wed, 06 May 2020 03:13:15 GMT
[May 6 03:13:15] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[May 6 03:13:15] Supported: replaces, timer
[May 6 03:13:15] Content-Length: 0
[May 6 03:13:15]
[May 6 03:13:15]
[May 6 03:13:15] ---

[carpenox]

yes, those are sip attacks, try enabling whitelist or blacklist using vb-firewall, this reduced those for me greatly.

[mbaret]

ummm FYI by me , it is that for example hacking attempts always give me the wrong password, they try to enter the extensions (PHONES).

[carpenox]

yea just use the whitelist feature it stops all that

[williamconley]

1) Welcome to the Party!

2) As you are obviously new here, I have some suggestions to help us all help you:

When you post, please post your entire configuration including (but not limited to) your installation method (7.X.X?) and vicidial version with build (VERSION: 2.X-XXXx ... BUILD: #####-####).

This IS a requirement for posting along with reading the stickies (at the top of each forum) and the manager's manual (available on EFLO.net, both free and paid versions)

You should also post: Asterisk version, telephony hardware (model number is helpful here), cluster information if you have one, and whether any other software is installed in the box. If your installation method is "manual/from scratch" you must post your operating system with version (and the .iso version from which you installed your original operating system) plus a link to the installation instructions you used. If your installation is "Hosted" list the site name of the host.

If this is a "Cloud" or "Virtual" server, please note the technology involved along with the version of that techology (ie: VMware Server Version 2.0.2). If it is not, merely stating the Motherboard model # and CPU would be helpful.

Similar to This:

Vicibox X.X from .iso | Vicidial X.X.X-XXX Build XXXXXX-XXXX | Asterisk X.X.X | Single Server | No Digium/Sangoma Hardware | No Extra Software After Installation | Intel DG35EC | Core2Quad Q6600

3) Depends on whether those SIP accounts and IPs trying to register to them are your agents. If so, then those are just phones keeping in touch with their asterisk server. If not, then those are in fact hacking attempts.

In either case, if you are not yet using a whitelist approach for your firewall ... you need to be. Hacking will eventually occur even if it's not right now. And if it is right now, you'll need to set it up RIGHT now and then reboot to clear the previously authorized IPs out of the firewall's preapproved lists.

4) This is not a "general discussion". it's a Support Request. Moving this thread to the Support board accordingly.

[ambiorixg12]

Usually you will consider incoming REGISTER or INVITE request as a legitimate hacking attempt, but option OPTION request they are simply ping to detect if host is reachable by Asterisk

[williamconley]

And getting a phone call that just hangs up when you answer isn't a SPAM call. But they will rat you out to the spammers and you'll get many more calls as a result of "live answer" to that hangup. Same thing with OPTIONS. A successful response rats out your server as "active/live" and puts you in line for a script kitty to brute force you at 3AM on some saturday.

[ambiorixg12]

And getting a phone call that just hangs up when you answer isn't a SPAM call. But they will rat you out to the spammers and you'll get many more calls as a result of "live answer" to that hangup. Same thing with OPTIONS. A successful response rats out your server as "active/live" and puts you in line for a script kitty to brute force you at 3AM on some saturday.

In this case the logs show is asterisk who is sending the OPTION request packages, So this is not a hacking attempt, if you care about this just disable the qualify option

[May 6 03:13:14] Reliably Transmitting (NAT) to 8.25.156.2:36630:
[May 6 03:13:14] OPTIONS sip:2113@8.25.156.2:36630;rinstance=3a5271547e6bc977 SIP/2.0
[May 6 03:13:14] Via: SIP/2.0/UDP 149.28.231.1:8988;branch=z9hG4bK5ff99acb;rport
[May 6 03:13:14] Max-Forwards: 70
[May 6 03:13:14] From: "asterisk" <sip:asterisk@149.28.231.1:8988>;tag=as491b700c
[May 6 03:13:14] To: <sip:2113@8.25.156.2:36630;rinstance=3a5271547e6bc977>
[May 6 03:13:14] Contact: <sip:asterisk@149.28.231.1:8988>
[May 6 03:13:14] Call-ID: 08c4978a11307151489af38715be4717@149.28.231.1:8988
[May 6 03:13:14] CSeq: 102 OPTIONS
[May 6 03:13:14] User-Agent: Asterisk PBX 13.29.2-vici
[May 6 03:13:14] Date: Wed, 06 May 2020 03:13:14 GMT
[May 6 03:13:14] Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
[May 6 03:13:14] Supported: replaces, timer
[May 6 03:13:14] Content-Length: 0

[williamconley]

In this case the logs show is asterisk who is sending the OPTION request packages, So this is not a hacking attempt, if you care about this just disable the qualify option

Always verify the IPs. If they don't belong to someone who should be accessing your server, that's hacking. How they managed to register would be your next question.

[ambiorixg12]

Always verify the IPs. If they don't belong to someone who should be accessing your server, that's hacking.

Again here is Asterisk that is making a ping to a remote peer, if is doing that is because the peer is created on the sip.conf file , so IP is a known and trusted by Asterisk.



if was Asterisk who is replying to an OPTION request it will reply back with a 200 OK , assuming is reachable. Like this


IP/2.0 200 OK
Via: SIP/2.0/UDP 192.168.101.99:5066;received=217.15.39.46;rport=35921;branch=z9hG4bKPj6280c4e9-e1e3-4231-9690-757d3902a9d3
From: <sip:twilio@192.168.101.99>;tag=7d6268d8-ac8c-44e4-aa9c-83a30558c19c
To: <sip:asteriskpjsip.pstn.us1.twilio.com>;tag=51026399c684defae5dc2ecd5fc38069.b474
Call-ID: 70d477f6-c823-4293-8b95-91deff2c7030
CSeq: 48289 OPTIONS
Server: Twilio Gateway

So there is not reason to tell that this a hacking attempt when it is not, Asterisk that is checking that the device is still online sending OPTION request

[williamconley]

Again here is Asterisk that is making a peer to a remote peer, if is doing that is because the peer is created on the sip.conf file , so IP is known and trusted by Asterisk.

Yeah, you're right. It's not like a hacker would ever successfully register to a sip account you created. Wait a minute ... that's what they do! lol.

Always verify the IPs of anything you find even slightly suspicious. Because hackers break rules. For a living. Literally, that's what they do. So if you see a suspicious entry, check the IP. If it's not a good IP, you need to whitelist NOW. Any reliance on "but the rules wouldn't allow that" are relegated to Inexperienced Ideologicals and/or Engineers who think everything fits into cute little cubbyholes. They are thoroughly amazed (and apologetic) after you blow $8k on something they were "sure" was bullletproof according to the "rules".

I can't count the number of times I've had this conversation (or one very close to it) with a business owner and had that same business owner call back a few weeks/months/years later to say "um ... something bad happened ...". I love saying "I told you so" at that moment, but I'm not allowed to. (It's NOT that I "know it all", but I know MY limitations, and hope others are aware of their own!)

[carpenox]

Bill,

I have whitelist enabled and just recently I am receiving SIP attacks again from IP's not on whitelist. Ive checked crontab to make sure vb-firewall --white --dynamic --quiet still listed and it is. Any suggestions on how to stop this?

[williamconley]

"I have whitelist enabled" isn't very much information. My only reply, then, would be "nope, you don't" unless these IPs were already communicating with you previously and are already pre-authorized. Best bet in that case is a reboot to clear out the authorized entries. But it seems likely you are not actually whitelisted.

We use yast to whitelist. Turn off all perl scripts and modifiers and several opensuse-specific iptables rules (like ping and icmp). Then we add a package we built a decade ago called Dynamic Good Guys to make it easy to add "good" IPs. But the whitelist is pure IPTables with limited exceptions for "already authorized" and "related to already authorized" and "in response to our request" (such as DNS responses).

If you were to list steps involved in your whitelist attempt, we may be able to help with your apparent lack of whitelist. But without step-by-step ... "it doesn't work" can only be answered with "yep, it appears broken".

[carpenox]

Bill,

I followed the steps on the installation manual:

White List and Dynamic List control
1. If not already, please login as the ‘root’ user to get to the root prompt.
2. Type ‘crontab -e’ to edit the crontab entry; Please be careful making modifications in this
screen as it may result in undesired system behavior
3. Using the up and down arrow keys put a # at the beginning of any line containing ‘VBfirewall.pl’ in it; You can modify these lines instead but for simplicity we are commenting them
out, making them not run at all
4. Using the down arrow key, scroll to the very end of the screen until the cursor no longer moves
down
5. Type in the following and then press ENTER when done: * * * * * /usr/local/bin/VB-firewall.pl
--white --dynamic --quiet
6. Type in the following and then press ENTER when done: @reboot /usr/local/bin/VB-firewall.pl
--white --dynamic --quiet
7. Press CTRL-X to exit this screen
8. When asked to Save, press the Y key

[williamconley]

did you reboot?

output from "iptables-save"?

did you also try executing those commands with --debugX and checking for errors?

[carpenox]

Bill,

Here is the output from the debug:

Code: Select all

/usr/local/bin/VB-firewall.pl --white --dynamic --quiet --debugX
   ViciBox Firewall white/dynamic/black list integration

        ----- DEBUG Extended Enabled -----

         Database Host :   localhost
         Database Name :   asterisk2
         Database User :   username
         Database Pass :   password
         Database Port :   3309
            White list :   Enabled
       Vici White List :   ViciWhite
  IPSet White List IPs :   whiteips
 IPSet White List Nets :   whitenets
    RFC1918 White List :   YES
          Dynamic list :   Enabled
     IPSet Dynamic Age :   14
    IPSet Dynamic List :   dynamiclist
            Black list :   Disabled
       VoIP Black List :   Disabled
        Geo Block list :   Disabled


  Running Agent Script :      VB-firewall.pl
  Generating White List from IP List 'ViciWhite'...
    Whitelist IPSet rules not found in iptables, white listing might not work
    Please run 'touch /etc/sysconfig/scripts/SuSEfirewall2-viciwhite' followed by
    SuSEfirewall2 to install and setup the White List rules.

--- SUB getiplist BEGIN ---
   IP List ID: ViciWhite
--- SUB checkipv4 BEGIN ---
   Valid IP: 7xx.110.xx.205
   Valid Netmask: 32
--- SUB checkipv4 END ---
    Added IP xx.110.xx.205
--- SUB checkipv4 BEGIN ---
   Valid IP: xx.192.xx.210
   Valid Netmask: 32
--- SUB checkipv4 END ---
    Added IP xx.192.xx.210
--- SUB checkipv4 BEGIN ---
   Valid IP: xx.171.xx.213
   Valid Netmask: 32
--- SUB checkipv4 END ---
    Added IP xx.171.xx.213
--- SUB checkipv4 BEGIN ---
   Valid IP: xx.212.xx.143
   Valid Netmask: 32
--- SUB checkipv4 END ---
    Added IP xx.212.xx.143
    Found 4 entires to process
    Adding RFC1918 IPs to white lists
    Writing IPSet rule files to /tmp//VB-WHITE-tmp and /tmp//VB-WHITENET-tmp
    Loading white list IPSet rules into Kernel
ipset v6.36: Error in line 1: The set with the given name does not exist
ipset v6.36: Error in line 1: The set with the given name does not exist
  White List had been loaded!

  Generating Dynamic IP List rules...
    Dynamic IPSet rules not found in iptables, dynamic listing might not work.
    Please run 'touch /etc/sysconfig/scripts/SuSEfirewall2-vicidynamic' followed by
    SuSEfirewall2 to install and setup the Dynamic List rules.

    Looking for valid web logins within the last 14 days
    stmtLOGINIP: SELECT computer_ip FROM vicidial_user_log WHERE event IN ('LOGIN', 'VICIBOX') and event_date >= DATE_SUB(NOW(), INTERVAL 14 DAY) group by computer_ip;
      Found IP xx.192.xx.210
      Found IP xx.58.xx.226
      Found IP xx.110.xx.205
      Found IP xx.77.xx.137
    Writing IPSet rule file to /tmp//VB-DYNAMIC-tmp
    Loading dynamic list IPSet rules into kernel
ipset v6.36: Error in line 1: The set with the given name does not exist
  Dynamic List had been loaded!


IPtables-save:

# Generated by iptables-save v1.6.2 on Thu Jun 11 15:16:40 2020
*filter
:INPUT ACCEPT [184295:29483609]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [204422:90481106]
COMMIT
# Completed on Thu Jun 11 15:16:40 2020

[williamconley]

Houston, we have a problem. iptables-save should have a lot of output. Your firewall is completely OFF.

This is dangerous.

[carpenox]

Code: Select all

cyburity:~ # cat iptables.txt
# Generated by iptables-save v1.6.2 on Thu Jun 11 20:35:27 2020
*nat
:PREROUTING ACCEPT [77:11090]
:INPUT ACCEPT [23:8130]
:OUTPUT ACCEPT [6:376]
:POSTROUTING ACCEPT [6:376]
:OUTPUT_direct - [0:0]
:POSTROUTING_ZONES - [0:0]
:POSTROUTING_ZONES_SOURCE - [0:0]
:POSTROUTING_direct - [0:0]
:POST_public - [0:0]
:POST_public_allow - [0:0]
:POST_public_deny - [0:0]
:POST_public_log - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A POSTROUTING -j POSTROUTING_ZONES_SOURCE
-A POSTROUTING -j POSTROUTING_ZONES
-A POSTROUTING_ZONES -g POST_public
-A POST_public -j POST_public_log
-A POST_public -j POST_public_deny
-A POST_public -j POST_public_allow
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Jun 11 20:35:27 2020
# Generated by iptables-save v1.6.2 on Thu Jun 11 20:35:27 2020
*mangle
:PREROUTING ACCEPT [1013:171127]
:INPUT ACCEPT [1013:171127]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1026:286261]
:POSTROUTING ACCEPT [1026:286261]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
:POSTROUTING_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
-A POSTROUTING -j POSTROUTING_direct
-A PREROUTING_ZONES -g PRE_public
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
COMMIT
# Completed on Thu Jun 11 20:35:27 2020
# Generated by iptables-save v1.6.2 on Thu Jun 11 20:35:27 2020
*raw
:PREROUTING ACCEPT [1013:171127]
:OUTPUT ACCEPT [1026:286261]
:OUTPUT_direct - [0:0]
:PREROUTING_ZONES - [0:0]
:PREROUTING_ZONES_SOURCE - [0:0]
:PREROUTING_direct - [0:0]
:PRE_public - [0:0]
:PRE_public_allow - [0:0]
:PRE_public_deny - [0:0]
:PRE_public_log - [0:0]
:blacklist - [0:0]
:geoblock - [0:0]
:voipbl - [0:0]
-A PREROUTING -j PREROUTING_direct
-A PREROUTING -j PREROUTING_ZONES_SOURCE
-A PREROUTING -j PREROUTING_ZONES
-A OUTPUT -j OUTPUT_direct
-A PREROUTING_ZONES -g PRE_public
-A PREROUTING_direct -p udp -m set --match-set blackips src -m udp --dport 5060 -j blacklist
-A PREROUTING_direct -p udp -m set --match-set blackips src -m udp --dport 4569 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blackips src -m tcp --dport 8089 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blackips src -m tcp --dport 80 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blackips src -m tcp --dport 443 -j blacklist
-A PREROUTING_direct -p udp -m set --match-set blacknets src -m udp --dport 5060 -j blacklist
-A PREROUTING_direct -p udp -m set --match-set blacknets src -m udp --dport 4569 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blacknets src -m tcp --dport 8089 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blacknets src -m tcp --dport 80 -j blacklist
-A PREROUTING_direct -p tcp -m set --match-set blacknets src -m tcp --dport 443 -j blacklist
-A PREROUTING_direct -m set --match-set geoblock src -j geoblock
-A PREROUTING_direct -p udp -m set --match-set voipblip src -m udp --dport 5060 -j voipbl
-A PREROUTING_direct -p udp -m set --match-set voipblip src -m udp --dport 4569 -j voipbl
-A PREROUTING_direct -p tcp -m set --match-set voipblip src -m tcp --dport 8089 -j voipbl
-A PREROUTING_direct -p udp -m set --match-set voipblnet src -m udp --dport 5060 -j voipbl
-A PREROUTING_direct -p udp -m set --match-set voipblnet src -m udp --dport 4569 -j voipbl
-A PREROUTING_direct -p tcp -m set --match-set voipblnet src -m tcp --dport 8089 -j voipbl
-A PRE_public -j PRE_public_log
-A PRE_public -j PRE_public_deny
-A PRE_public -j PRE_public_allow
-A blacklist -m limit --limit 1/min -j LOG --log-prefix "BlackList: "
-A blacklist -j DROP
-A geoblock -m limit --limit 1/min -j LOG --log-prefix "GeoBlock: "
-A geoblock -j DROP
-A voipbl -m limit --limit 1/min -j LOG --log-prefix "VoIPBL: "
-A voipbl -j DROP
COMMIT
# Completed on Thu Jun 11 20:35:27 2020
# Generated by iptables-save v1.6.2 on Thu Jun 11 20:35:27 2020
*security
:INPUT ACCEPT [959:168167]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1026:286261]
:FORWARD_direct - [0:0]
:INPUT_direct - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -j INPUT_direct
-A FORWARD -j FORWARD_direct
-A OUTPUT -j OUTPUT_direct
COMMIT
# Completed on Thu Jun 11 20:35:27 2020
# Generated by iptables-save v1.6.2 on Thu Jun 11 20:35:27 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1026:286261]
:FORWARD_IN_ZONES - [0:0]
:FORWARD_IN_ZONES_SOURCE - [0:0]
:FORWARD_OUT_ZONES - [0:0]
:FORWARD_OUT_ZONES_SOURCE - [0:0]
:FORWARD_direct - [0:0]
:FWDI_public - [0:0]
:FWDI_public_allow - [0:0]
:FWDI_public_deny - [0:0]
:FWDI_public_log - [0:0]
:FWDO_public - [0:0]
:FWDO_public_allow - [0:0]
:FWDO_public_deny - [0:0]
:FWDO_public_log - [0:0]
:INPUT_ZONES - [0:0]
:INPUT_ZONES_SOURCE - [0:0]
:INPUT_direct - [0:0]
:IN_public - [0:0]
:IN_public_allow - [0:0]
:IN_public_deny - [0:0]
:IN_public_log - [0:0]
:OUTPUT_direct - [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j INPUT_direct
-A INPUT -j INPUT_ZONES_SOURCE
-A INPUT -j INPUT_ZONES
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i lo -j ACCEPT
-A FORWARD -j FORWARD_direct
-A FORWARD -j FORWARD_IN_ZONES_SOURCE
-A FORWARD -j FORWARD_IN_ZONES
-A FORWARD -j FORWARD_OUT_ZONES_SOURCE
-A FORWARD -j FORWARD_OUT_ZONES
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A OUTPUT -j OUTPUT_direct
-A FORWARD_IN_ZONES -g FWDI_public
-A FORWARD_OUT_ZONES -g FWDO_public
-A FWDI_public -j FWDI_public_log
-A FWDI_public -j FWDI_public_deny
-A FWDI_public -j FWDI_public_allow
-A FWDI_public -p icmp -j ACCEPT
-A FWDO_public -j FWDO_public_log
-A FWDO_public -j FWDO_public_deny
-A FWDO_public -j FWDO_public_allow
-A INPUT_ZONES -g IN_public
-A IN_public -j IN_public_log
-A IN_public -j IN_public_deny
-A IN_public -j IN_public_allow
-A IN_public -p icmp -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 10000:20000 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m udp --dport 4569 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m tcp --dport 8089 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whiteips src -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whitenets src -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set dynamiclist src -m tcp --dport 80 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whiteips src -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whitenets src -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set dynamiclist src -m tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set whiteips src -m udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set whiteips src -m udp --dport 4569 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whiteips src -m tcp --dport 8089 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set whitenets src -m udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set whitenets src -m udp --dport 4569 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set whitenets src -m tcp --dport 8089 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set dynamiclist src -m udp --dport 5060 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p udp -m set --match-set dynamiclist src -m udp --dport 4569 -m conntrack --ctstate NEW -j ACCEPT
-A IN_public_allow -p tcp -m set --match-set dynamiclist src -m tcp --dport 8089 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
# Completed on Thu Jun 11 20:35:27 2020


Bill, I feel like i have the firewall setup wrong now. Should i allow thru public to certain apps or to trusted?

[williamconley]

whitelisting = NOTHING is alllowed through except ... "previously authorized", "related" and authorized IPs. If you open any ports (especially known services on their known ports) you are authorizing brute force and DDOS attacks and defeating the concept of whitelisting.

[carpenox]

Ok so pit apache, apache-ssl, viciportal and asterisk on trusted only right? What about sip and rtp?

[williamconley]

NO services are "trusted". if you mean you want to open port 80 to the world, that is the opposite of whitelisting and the same applies for any other port/service. Opening any port is NOT whitelisting and allows china (and everyone else) to brute force attack your server. That's precisely what we are trying to avoid.

[carpenox]

Ok so no services set to allow on firewall, dynportal only one

[williamconley]

and dynportal only if you actually need it. if you have been attacked at all, leaving that off for a while is not a bad idea if you don't need it. depends a lot on who was attacking.

[carpenox]

It was the typical voipbl ips

[williamconley]

It was the typical voipbl ips

um ... there are no "typical hacker ips".

[carpenox]

No what i mean is when i used voipbl for vbfirewall it stopped them which i believe is a community blacklist Correct?

[williamconley]

Don't know. We use Dynamic Good Guys with a whitelisted firewall. Anything else (eventually) fails or falters. But do remember that a wide-range blockage for major national IPs doesn't in any way mean that those blocked are "normal/average" hackers. Any botnet can pop up anywhere and any hacker can run a botnet. So you may think this hacker is in some way related to others because of an ip range block ... but there's literally no way to be sure. By the same token, the hacker in question could be in Beijing or Nevada. The IPs that hit you are rarely the IP of the actual hacker. That's what botnets are for. And after you've had a few rotating IP brute force attacks, you have plenty of time to ponder that concept (because your network is down, of course).

[carpenox]

Botnets really aren't as prevalent as they once were. I chill on an irc channel with most the anonymous members, only a few have botnets these days and those are mostly pcs using win xp and win 7 still

[williamconley]

it doesn't take prevalence to get hacked. just bad luck, bad karma, or high risk.

I prefer to control the one thing I can: Risk.