Hi,

I am having an issue with someone accessing our server via a SIP/VOIP connection. I have changed my iptables rules to drop all UDP traffic from and to this IP address, but this traffic seems to still run through my server. These are the iptables rules that I currently have on the server.

-A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
-A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP

Regards
Jennifer Botten
ETECH

On 09/26/2011 07:02 AM, Jennifer Botten wrote:
> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP

This needs to be:

-A OUTPUT -o eth0 -d 209.61.231.42 -p udp -j DROP

...if you want to drop packets initiated from your system to that IP... which doesn't make any sense if you're dropping all the incoming connections from that IP.

As for why you are still getting packets from that IP... perhaps there's also TCP traffic? If you want to completely drop packets from that IP, simply remove the protocol argument like this:

-A INPUT -i eth0 -s 209.61.231.42 -j DROP

HTH,
Jorge

On Mon, 26 Sep 2011, Jennifer Botten wrote:
> To: centos at centos.org
> From: Jennifer Botten <jennifer at etech.co.za>
> Subject: [CentOS] Hacking Issue
>
> Hi,
>
> I am having an issue with someone accessing our server via a SIP/VOIP
> connection. I have changed my iptables rules to drop all UDP traffic from
> and to this IP address, but this traffic seems to still run through my
> server. These are the iptables rules that I currently have on the server.
>
> -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
>
> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP

You might find it helps to analyse this traffic with a network analyser, like Wireshark. That would allow you to see in almost real time what is happening on the line.

Kind Regards,
Keith Roberts

-----------------------------------------------------------------
Websites:
http://www.karsites.net
http://www.php-debuggers.net
http://www.raised-from-the-dead.org.uk

All email addresses are challenge-response protected with TMDA [http://tmda.net]
-----------------------------------------------------------------

On 09/26/2011 01:02 PM, Jennifer Botten wrote:
>
> Hi,
>
> I am having an issue with someone accessing our server via a SIP/VOIP
> connection. I have changed my iptables rules to drop all UDP traffic
> from and to this IP address, but this traffic seems to still run
> through my server. These are the iptables rules that I currently have on
> the server.
>
> -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
>
> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
>

If your SIP server needs to be accessed from any IP address, consider using fail2ban. Easy to set up and it will block access to your SIP server after so many false attempts. I started using fail2ban to prevent the logs (Asterisk) from being cluttered with failed logons.

Theo
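
The blocking approach suggested in the last reply, sketched as an added example (not part of the thread and not fail2ban's own code): count failed SIP registrations per source IP in an Asterisk log and render DROP rules in the protocol-agnostic form shown earlier. The log lines are constructed samples in the style of Asterisk's chan_sip notices, and the function names, threshold and time window are assumptions for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the style of an Asterisk chan_sip log (not from the thread).
SAMPLE_LOG = """\
[2011-09-26 07:00:01] NOTICE[2101] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2011-09-26 07:00:03] NOTICE[2101] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[2011-09-26 07:00:04] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
[2011-09-26 07:00:05] VERBOSE[2101] chan_sip.c: Registered SIP '300' at 192.0.2.55 port 5060
[2011-09-26 07:00:06] NOTICE[2101] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[2011-09-26 07:30:00] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
[2011-09-26 08:10:00] NOTICE[2101] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.9:5060' - Wrong password
"""

# Assumed log format: timestamp, NOTICE level, then "failed for '<ip>[:port]'".
FAILED = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\].*"
    r"Registration from '.*' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?'"
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return IPs with max_retry failed registrations inside find_time, in detection order."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue              # successful registrations and other noise are ignored
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry and m["ip"] not in offenders:
            offenders.append(m["ip"])
    return offenders

def drop_rules(ips, iface="eth0"):
    """Render rules without -p, so every protocol from the source is dropped."""
    return [f"-A INPUT -i {iface} -s {ip} -j DROP" for ip in ips]

if __name__ == "__main__":
    print("\n".join(drop_rules(find_offenders(SAMPLE_LOG))))
```

In the sample, 203.0.113.9 fails three times but never within one ten-minute window, so only 198.51.100.7 is flagged.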