Warning - attack server

Discussion in 'General' started by danardf, Aug 3, 2009.

  1. danardf

    Joined:
    Dec 3, 2007
    Messages:
    8,069
    Likes Received:
    12
    Last night I had lots of attacks on my server from SIP/124.217.254.190.
    So from Malaysia.

    15 calls were attempted from an Asterisk server.

    You should think about putting deny and permit entries into sip.conf, unlike me. ;)
     
  2. danardf

    Joined:
    Dec 3, 2007
    Messages:
    8,069
    Likes Received:
    12
    Re:Warning - attack server - Help me

    Hmmm... I did put deny/permit into sip.conf, but the attack is still here.

    For example:
    Code:
    [Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [900441616606147@from-sip-external:2] Set("SIP/124.217.254.194-09d10bd0", "DID=900441616606147") in new stack
    [Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [900441616606147@from-sip-external:3] Goto("SIP/124.217.254.194-09d10bd0", "s|1") in new stack
    [Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Goto (from-sip-external,s,1)
    [Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/124.217.254.194-09d10bd0", "0?from-trunk|900441616606147|1") in new stack
    [Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [s@from-sip-external:2] Set("SIP/124.217.254.194-09d10bd0", "TIMEOUT(absolute)=15") in new stack
    [Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Channel will hangup at 2009-08-04 01:50:27 UTC.
    [Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [s@from-sip-external:3] Answer("SIP/124.217.254.194-09d10bd0", "") in new stack
    [Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [s@from-sip-external:4] Wait("SIP/124.217.254.194-09d10bd0", "2") in new stack
    [Aug  4 03:50:12] VERBOSE[23013] logger.c:     -- Executing [0441616606147@from-sip-external:1] NoOp("SIP/124.217.254.194-09d181d8", "Received incoming SIP connection from unknown peer to 0441616606147") in new stack
    
    Now I would like to add an iptables rule, but I don't know how to do it!
    Can someone help me?

    I would like to block only one network, like 124.0.0.0/255.0.0.0.

    In my configuration, anonymous SIP calls are not accepted, but I see that they are.
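As an added example (not from the thread), here is a small Python detector for the Asterisk verbose-log format quoted above: it counts distinct guest calls per source address, keying on the channel id in SIP/<ip>-<id> so that the several lines one call produces are counted once, and lists the numbers the guests dialed. The sample lines are constructed; the source 203.0.113.7 and the extra channel ids are made up.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the Asterisk verbose-log format quoted in the thread.
# The source 203.0.113.7 and the extra channel ids are made up for illustration.
SAMPLE_LOG = """\
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [900441616606147@from-sip-external:2] Set("SIP/124.217.254.194-09d10bd0", "DID=900441616606147") in new stack
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [s@from-sip-external:3] Answer("SIP/124.217.254.194-09d10bd0", "") in new stack
[Aug  4 03:50:12] VERBOSE[23013] logger.c:     -- Executing [0441616606147@from-sip-external:1] NoOp("SIP/124.217.254.194-09d181d8", "Received incoming SIP connection from unknown peer to 0441616606147") in new stack
[Aug  4 03:50:15] VERBOSE[23014] logger.c:     -- Executing [0441616606148@from-sip-external:1] NoOp("SIP/124.217.254.194-09d181e0", "Received incoming SIP connection from unknown peer to 0441616606148") in new stack
[Aug  4 03:51:02] VERBOSE[23020] logger.c:     -- Executing [12345@from-sip-external:1] NoOp("SIP/203.0.113.7-09d19000", "Received incoming SIP connection from unknown peer to 12345") in new stack
[Aug  4 03:52:40] VERBOSE[23031] logger.c:     -- Executing [s@from-internal:1] NoOp("SIP/201-09d1a000", "internal call") in new stack
"""

# Channel name Asterisk gives an inbound guest call: SIP/<source ip>-<channel id>
CHANNEL_RE = re.compile(r'"SIP/(\d{1,3}(?:\.\d{1,3}){3})-([0-9a-f]+)"')
# The NoOp FreePBX runs for calls that matched no configured peer
UNKNOWN_RE = re.compile(r'Received incoming SIP connection from unknown peer to (\S+?)"')


def parse_unknown_peer_calls(log_text):
    """Return {source_ip: {channel_id: dialed_number}} for guest (unknown peer) calls."""
    calls = defaultdict(dict)
    for line in log_text.splitlines():
        m_unknown = UNKNOWN_RE.search(line)
        m_chan = CHANNEL_RE.search(line)
        if m_unknown and m_chan:
            ip, chan_id = m_chan.groups()
            # Key by channel id: one call logs many lines and must count once.
            calls[ip][chan_id] = m_unknown.group(1)
    return calls


def guest_calls_per_source(log_text):
    """Number of distinct guest call attempts seen per source IP address."""
    return Counter({ip: len(chans) for ip, chans in parse_unknown_peer_calls(log_text).items()})


def sources_over_threshold(log_text, threshold):
    """Source addresses with at least `threshold` guest call attempts, sorted."""
    return sorted(ip for ip, n in guest_calls_per_source(log_text).items() if n >= threshold)


def dialed_destinations(log_text):
    """Sorted set of numbers guest callers tried to reach (a toll-fraud indicator)."""
    return sorted({num for chans in parse_unknown_peer_calls(log_text).values()
                   for num in chans.values()})
```

Sources returned by `sources_over_threshold` are candidates for the deny/permit entries or an iptables rule discussed in this thread, reviewed by a human rather than blocked automatically.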
     
  3. Chilling_Silence

    Joined:
    Sep 23, 2008
    Messages:
    488
    Likes Received:
    0
    Re:Warning - attack server - Help me

    Here's a script I wrote that restricts VPN access to only certain IP Addresses, perhaps you could modify it to suit your needs:
    Code:
    # Start from an empty INPUT chain (this also removes any other rules)
    iptables --flush
    # Allow each network listed in routes.txt to reach the VPN ports
    while read currline; do iptables -A INPUT -s "$currline" -p tcp -m tcp --dport 85 -j ACCEPT; done < /root/firewall/routes.txt
    while read currline; do iptables -A INPUT -s "$currline" -p tcp -m tcp --dport 1723 -j ACCEPT; done < /root/firewall/routes.txt
    while read currline; do iptables -A INPUT -s "$currline" -p tcp -m tcp --dport 8765:8767 -j ACCEPT; done < /root/firewall/routes.txt
    while read currline; do iptables -A INPUT -s "$currline" -p udp -m udp --dport 8765:8767 -j ACCEPT; done < /root/firewall/routes.txt
    # Everyone else is dropped on those ports (rules are evaluated in order)
    iptables -A INPUT -p tcp -m tcp --dport 85 -j DROP
    iptables -A INPUT -p tcp -m tcp --dport 1723 -j DROP
    iptables -A INPUT -p tcp -m tcp --dport 8765:8767 -j DROP
    iptables -A INPUT -p udp -m udp --dport 8765:8767 -j DROP
    # LAN-only access to ports 6112-6119
    iptables -A INPUT -s 192.168.7.0/24 -p tcp -m tcp --dport 6112:6119 -j ACCEPT
    
    The routes.txt file looks like this:
    Code:
    110.173.160.0/20
    110.44.16.0/22
    110.92.16.0/23
    111.65.224.0/20
    111.69.0.0/16
    111.69.2.0/24
    112.109.64.0/24
    112.109.80.0/21
    112.140.176.0/23
    112.140.178.0/23
    
     
  4. danardf

    Joined:
    Dec 3, 2007
    Messages:
    8,069
    Likes Received:
    12
    Re:Warning - attack server - Help me

    Thanks Chilling_Silence, I will look at this example.
     
  5. rafael

    Joined:
    May 14, 2007
    Messages:
    1,454
    Likes Received:
    1
    Re:Warning - attack server - Help me

    To block the network I believe you can put something like
    Code:
    iptables -A INPUT -s 124.0.0.0/255.0.0.0 -j DROP
    
    I think that would stop the attack; then you can do something more complete as Chilling_Silence suggests.

    Best regards,

    Rafael
     
  6. danardf

    Joined:
    Dec 3, 2007
    Messages:
    8,069
    Likes Received:
    12
    Re:Warning - attack server - Help me

    OK. I put:
    Code:
    iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    DROP       all  --  124.0.0.0/8          anywhere
    I don't know if it's right, but I think so.

    Thanks Rafa for your help.

    2 attacks from Malaysia and 1 from Portugal!

    I think that you could add a firewall module (simplified version).
    For instance, I use iptables from Webmin.
     
  7. rafael

    Joined:
    May 14, 2007
    Messages:
    1,454
    Likes Received:
    1
  8. fmvillares

    Joined:
    Sep 8, 2007
    Messages:
    1,785
    Likes Received:
    0
    Some time ago there was a similar attack posted in the news, from a fake MeucciNetworks id...
    The first line of defense is to block anonymous SIP, then iptables and deny/allow, then a DMZ with IPS/IDS...

    Best regards
     
  9. Patrick_elx

    Joined:
    Dec 14, 2008
    Messages:
    1,120
    Likes Received:
    0

    Yes, but that will defeat ENUM inbound access...
     
  10. fmvillares

    Joined:
    Sep 8, 2007
    Messages:
    1,785
    Likes Received:
    0
    OK, use DUNDi or another similar system, or use more robust logging and firewalling. No single solution is always perfect... but the good news is that there are always 2 or 3 ways to do the same thing...
     
  11. apmuthu

    Joined:
    Aug 1, 2009
    Messages:
    60
    Likes Received:
    0
    I found some ATTACKs on an intranet-only Elastix v1.5.2-2.3 in
    Code:
    /var/log/secure
    with the following entries:
    Code:
    Aug 16 23:08:36 elastix sshd[5137]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
    Aug 16 23:08:36 elastix sshd[5137]: Accepted password for root from 192.168.20.108 port 1288 ssh2
    Aug 16 23:08:36 elastix sshd[5137]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 16 23:08:36 elastix sshd[5137]: subsystem request for sftp
    Aug 16 23:09:01 elastix sshd[5137]: pam_unix(sshd:session): session closed for user root
    Aug 16 23:12:44 elastix sshd[5173]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
    Aug 16 23:12:44 elastix sshd[5173]: Accepted password for root from 192.168.20.108 port 1291 ssh2
    Aug 16 23:12:44 elastix sshd[5173]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 16 23:12:45 elastix sshd[5190]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
    Aug 16 23:12:45 elastix sshd[5190]: Accepted password for root from 192.168.20.108 port 1293 ssh2
    Aug 16 23:12:45 elastix sshd[5190]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 16 23:12:45 elastix sshd[5235]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
    Aug 16 23:12:46 elastix sshd[5235]: Accepted password for root from 192.168.20.108 port 1295 ssh2
    Aug 16 23:12:46 elastix sshd[5235]: pam_unix(sshd:session): session opened for user root by (uid=0)
    Aug 16 23:12:53 elastix sshd[5235]: pam_unix(sshd:session): session closed for user root
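
An added example, not from apmuthu's post: Python that pairs each sshd "Accepted" line with a preceding reverse-mapping warning from the same sshd PID, so root password logins whose client failed the reverse-DNS check can be pulled out of /var/log/secure for review. The sample lines are constructed in the same format; the deploy user, 192.168.20.5 and 198.51.100.9 are made up.

```python
import re

# Constructed sample in the /var/log/secure format quoted in the thread.
# The deploy user, 192.168.20.5 and 198.51.100.9 are made up for illustration.
SAMPLE_SECURE = """\
Aug 16 23:08:36 elastix sshd[5137]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 16 23:08:36 elastix sshd[5137]: Accepted password for root from 192.168.20.108 port 1288 ssh2
Aug 16 23:08:36 elastix sshd[5137]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 16 23:10:00 elastix sshd[5150]: Accepted publickey for deploy from 192.168.20.5 port 50022 ssh2
Aug 16 23:12:44 elastix sshd[5173]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 16 23:12:44 elastix sshd[5173]: Accepted password for root from 192.168.20.108 port 1291 ssh2
Aug 16 23:13:10 elastix sshd[5199]: Failed password for root from 198.51.100.9 port 41022 ssh2
"""

# sshd logs this when the client's address does not resolve back to the name it claims
REVERSE_FAIL_RE = re.compile(r'sshd\[(\d+)\]: reverse mapping checking getaddrinfo for (\S+) failed')
# Successful authentication, any method (password, publickey, ...)
ACCEPTED_RE = re.compile(r'sshd\[(\d+)\]: Accepted (\w+) for (\S+) from (\S+) port (\d+)')


def correlate_logins(log_text):
    """Return one dict per accepted login; 'claimed_host' is the name from a
    reverse-mapping warning logged earlier by the same sshd PID, else None."""
    pending = {}   # pid -> hostname whose reverse lookup failed
    events = []
    for line in log_text.splitlines():
        m = REVERSE_FAIL_RE.search(line)
        if m:
            pending[m.group(1)] = m.group(2)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            pid, method, user, ip, port = m.groups()
            events.append({
                "pid": pid, "user": user, "ip": ip, "port": int(port),
                "method": method, "claimed_host": pending.pop(pid, None),
            })
    return events


def risky_logins(log_text):
    """Accepted root password logins whose client failed reverse-DNS checking."""
    return [e for e in correlate_logins(log_text)
            if e["user"] == "root" and e["method"] == "password"
            and e["claimed_host"] is not None]
```

On the thread's log every hit comes from one intranet host, so the warning on its own is most likely a missing PTR record; the point of the pairing is to surface root-by-password logins, which loanrefi's later PermitRootLogin change would stop.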
    
     
  12. jasong

    Joined:
    Aug 20, 2009
    Messages:
    34
    Likes Received:
    0
  13. loanrefi

    Joined:
    Aug 20, 2009
    Messages:
    41
    Likes Received:
    0
    Does anyone know how I can change the port number on the FreePBX GUI?

    I know I can change the port number in /etc/ssh/sshd_config but as soon as I do this the FreePBX GUI complains "SSH WARNING".

    Basically the GUI is telling me that the port has changed but where can I update the information for the GUI?

    I can also use the Java SSH built into the FreePBX GUI with (-p "port#" root@192.168.1.1).

    The settings I changed in /etc/ssh/sshd_config are as follows:

    Port = 2222

    PermitRootLogin No

    LoginGraceTime 15 (seconds)

    I already have fail2ban installed and want to complete securing my Elastix server by changing the port & not allowing root login via SSH.

    Thanks!
     
  14. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    add

    SSHPORT=2222

    to

    /etc/amportal.conf

    BTW, consider that a beginning to your security steps; there is never an end, and you will never "complete" it.

    Quick check: can you get to https://<ip address>/admin with admin/admin credentials?
    Or https://<IP address>/recordings with admin/password credentials?
     
  15. loanrefi

    Joined:
    Aug 20, 2009
    Messages:
    41
    Likes Received:
    0
    That worked!!

    I added SSHPORT=2222 at the very bottom of the file.

    Thanks!
     
  16. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    and the answer to my last two questions? (I edited my post)
     
  17. loanrefi

    Joined:
    Aug 20, 2009
    Messages:
    41
    Likes Received:
    0
    I'm sorry about that. I jumped on adding that last setting to amportal and overlooked your questions.

    The answer is no.

    I changed the password to FreePBX http://192.168.1.1/admin - admin/newpassword

    I checked http://192.168.1.1/recordings using admin/password or admin/admin and can't get in.
     
  18. dicko

    Joined:
    Oct 24, 2008
    Messages:
    4,099
    Likes Received:
    0
    Just checking, good for you, many folks don't. +1 karma for rigorousness, well, when I can; I'm apparently out of karmic power myself right now :)
     
