Jonathan H
2017-Mar-28 13:32 UTC
[asterisk-users] SipVicious scans getting through iptables firewall - but how?
My firewall and asterisk pjsip config only has "permit" options for my ITSP's (SIP trunk) IPs.

Here's the script that sets it up.

--------------------------------------------------
#!/bin/bash
EXIF="eth0"

/sbin/iptables --flush
/sbin/iptables --policy INPUT DROP
/sbin/iptables --policy OUTPUT ACCEPT
/sbin/iptables -A INPUT -i lo -j ACCEPT
/sbin/iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
/sbin/iptables -A INPUT -p tcp ! --syn -m state --state NEW -j DROP
/sbin/iptables -A INPUT -f -j DROP
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL ALL -j REJECT
/sbin/iptables -A INPUT -p tcp --tcp-flags ALL NONE -j DROP

# Voipfone
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 195.189.173.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.225.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p tcp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT
/sbin/iptables -A INPUT -p udp -i $EXIF -m state --state NEW -s 46.31.231.0/24 -j ACCEPT

# my SSH
/sbin/iptables -A INPUT -p tcp --dport 22XXX -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 22XXX -m conntrack --ctstate ESTABLISHED -j ACCEPT

# HTTP
/sbin/iptables -A INPUT -p tcp --dport 8443 -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
/sbin/iptables -A OUTPUT -p tcp --sport 8443 -m conntrack --ctstate ESTABLISHED -j ACCEPT

# Allow icmp input so that people can ping us
/sbin/iptables -A INPUT -p icmp --icmp-type 8 -m state --state NEW -j ACCEPT

# Log then drop any packets that are not allowed. You will probably want to turn off the logging
# /sbin/iptables -A INPUT -j LOG
/sbin/iptables -A INPUT -j REJECT
--------------------------------------------------

Then one day, sngrep was running in the background, and I noticed lots of these...

13:26:10.350316  163.172.210.65:5089 -> 46.101.X.X:5060
OPTIONS sip:50901@46.101.X.X SIP/2.0
Via: SIP/2.0/UDP 127.0.1.1:5089;branch=z9hG4bK-786048925;rport
Content-Length: 0
From: "sipvicious"<sip:100@1.1.1.1>;tag=3265363530346630313363340132333439343631383137
Accept: application/sdp
User-Agent: friendly-scanner
To: "sipvicious"<sip:100@1.1.1.1>
Contact: sip:50901@127.0.1.1:5089
CSeq: 1 OPTIONS
Call-ID: 67968489840845542823418
Max-Forwards: 70

[ ] 4 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 163.172.210.65:5089 46.101.X.X:5060
[ ] 5 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 89.163.242.118:5089 46.101.X.X:5060
[ ] 6 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 142.54.162.58:5061 46.101.X.X:5060
[ ] 7 OPTIONS 100@1.1.1.1 100@1.1.1.1 1 95.211.197.176:5065 46.101.X.X:5060
-----------------------------------------------------------------

This is what nmap from a remote machine can see:

Not shown: 65534 filtered ports
PORT      STATE SERVICE
22XXX/tcp open  unknown
8443/tcp  open  https-alt
--------------------------------------------------

How are these SipVicious probes getting through? Clearly the firewall is misconfigured... or maybe not?
I'm not seeing these warnings in Asterisk of course, as it's not listening on these other ports.

Together with the allow/deny pjsip settings, I *think* I'm reasonably safe?

What bothers me is that I don't understand how/why this is happening. And that makes me nervous!

Thanks.
Andres
2017-Mar-28 15:12 UTC
[asterisk-users] SipVicious scans getting through iptables firewall - but how?
On 3/28/17 9:32 AM, Jonathan H wrote:
> My firewall and asterisk pjsip config only has "permit" options for my
> ITSP's (SIP trunk) IPs.
> [...]
> Then one day, sngrep was running in the background, and I noticed lots
> of these...

ngrep and tcpdump will show you packets before they reach iptables, so you can see attacks like below.
You should not see responses if the firewall is working and I don't see any responses below so you should be safe.

> [quoted sngrep output, nmap output and questions snipped]

--
Andres
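The check Andres describes (a capture shows inbound probes regardless of what iptables does with them; the thing to look for is a response from the host) as an added Python example. This is not code from the thread, from sngrep or from Asterisk. It assumes a constructed one-line-per-message capture layout (`LINE_RE`), uses `46.101.0.1` as a stand-in for the poster's masked `46.101.X.X`, and takes the three Voipfone /24 networks from Jonathan's iptables script as the allow-list, so it also serves as a worked version of that script's "accept only the ITSP" logic. The four scanner sources, their ports and the first timestamp come from the thread; the other timestamps and the trunk keep-alive exchange are made up.

```python
"""Audit a SIP capture for replies to unsolicited probes.

Added example, not code from the asterisk-users thread, from sngrep or from
Asterisk. Packet captures see inbound probes before netfilter drops them, so
the question to answer is whether the host ever *answered* a source outside
the firewall allow-list.
Assumptions: a constructed one-line-per-message capture layout (LINE_RE),
46.101.0.1 as a stand-in for the poster's masked 46.101.X.X, and the three
Voipfone networks from the original iptables script as the allow-list.
"""
import ipaddress
import re
from collections import defaultdict

# Source networks the original iptables script ACCEPTs for NEW traffic.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in (
    "195.189.173.0/24", "46.31.225.0/24", "46.31.231.0/24")]

LOCAL_IP = "46.101.0.1"  # constructed stand-in for 46.101.X.X

# Constructed layout: "<time> <src>:<port> > <dst>:<port> <SIP start line>".
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<start>.+)$")

# Constructed sample capture: the four scanner sources, their ports and the
# first timestamp are from the thread; the rest is made up.
SAMPLE_CAPTURE = [
    "13:26:10.350316 163.172.210.65:5089 > 46.101.0.1:5060 OPTIONS sip:50901@46.101.0.1 SIP/2.0",
    "13:26:11.102210 89.163.242.118:5089 > 46.101.0.1:5060 OPTIONS sip:100@46.101.0.1 SIP/2.0",
    "13:26:12.770045 142.54.162.58:5061 > 46.101.0.1:5060 OPTIONS sip:100@46.101.0.1 SIP/2.0",
    "13:26:13.004419 95.211.197.176:5065 > 46.101.0.1:5060 OPTIONS sip:100@46.101.0.1 SIP/2.0",
    "13:26:20.000000 195.189.173.10:5060 > 46.101.0.1:5060 OPTIONS sip:46.101.0.1 SIP/2.0",
    "13:26:20.001200 46.101.0.1:5060 > 195.189.173.10:5060 SIP/2.0 200 OK",
]

# The same capture with one answered probe: what a misconfigured firewall
# would look like.
LEAKY_CAPTURE = SAMPLE_CAPTURE + [
    "13:26:10.351000 46.101.0.1:5060 > 163.172.210.65:5089 SIP/2.0 200 OK",
]


def parse(line):
    """Split one capture line into its fields; raise on anything unexpected."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable capture line: %r" % line)
    return m.groupdict()


def is_allowed(ip):
    """True if ip is inside a network the firewall accepts NEW traffic from."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def audit(lines, local_ip):
    """Return (probes, leaks).

    probes: count of inbound SIP requests per source outside the allow-list;
            a capture shows these even when iptables drops every one of them.
    leaks:  (destination, status line) for every SIP response the local host
            sent to such a source; any entry means a probe reached Asterisk.
    """
    probes = defaultdict(int)
    leaks = []
    for line in lines:
        p = parse(line)
        is_response = p["start"].startswith("SIP/2.0 ")
        if p["dst"] == local_ip and not is_response and not is_allowed(p["src"]):
            probes[p["src"]] += 1
        elif p["src"] == local_ip and is_response and not is_allowed(p["dst"]):
            leaks.append((p["dst"], p["start"]))
    return dict(probes), leaks


def report(lines, local_ip):
    """Human-readable verdict for one capture."""
    probes, leaks = audit(lines, local_ip)
    out = ["%d probe(s) from %d unlisted source(s)"
           % (sum(probes.values()), len(probes))]
    if leaks:
        out += ["ANSWERED %s with %s" % leak for leak in leaks]
    else:
        out.append("no responses to unlisted sources: firewall is dropping them")
    return "\n".join(out)


if __name__ == "__main__":
    print("--- thread capture ---")
    print(report(SAMPLE_CAPTURE, LOCAL_IP))
    print("--- capture with a leak ---")
    print(report(LEAKY_CAPTURE, LOCAL_IP))
```

With a real capture you would adapt `LINE_RE` to the tool's actual output (tcpdump, ngrep and sngrep each print flows differently); the audit logic stays the same. Two caveats worth keeping in mind: the script's final rule is `REJECT`, not `DROP`, so a capture will also show ICMP port-unreachable replies to the probes, which netfilter generates and which are not SIP responses; and the packet counters on that final rule (`iptables -vnL INPUT`) are a complementary way to confirm that the probes are being discarded rather than reaching Asterisk.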
Jonathan H
2017-Mar-28 15:15 UTC
[asterisk-users] SipVicious scans getting through iptables firewall - but how?
OK, I understand. Clever - I didn't know anything could read packets before iptables.

And sorry about the formatting - I tried to make it all neat, but it looks like it got excessively word wrapped.

Thanks for putting my mind at ease.

On 28 March 2017 at 16:12, Andres <andres at telesip.net> wrote:
> ngrep and tcpdump will show you packets before they reach iptables, so you
> can see attacks like below.
> You should not see responses if the firewall is working and I don't see
> any responses below so you
> should be safe.