Warning - attack server

danardf

Joined
Dec 3, 2007
Messages
8,069
Likes
10
Points
88
#1
This night I had lots of attacks on my server from SIP/124.217.254.190.
So from Malaysia.

15 calls tried from an Asterisk server.

You must remember to put deny and permit access rules into sip.conf, unlike me. ;)
 

danardf

Joined
Dec 3, 2007
Messages
8,069
Likes
10
Points
88
#2
Re:Warning - attack server - Help me

Hmmm... I did put the deny/permit into sip.conf but the attack is still here.

For example:
Code:
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [900441616606147@from-sip-external:2] Set("SIP/124.217.254.194-09d10bd0", "DID=900441616606147") in new stack
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [900441616606147@from-sip-external:3] Goto("SIP/124.217.254.194-09d10bd0", "s|1") in new stack
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Goto (from-sip-external,s,1)
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [s@from-sip-external:1] GotoIf("SIP/124.217.254.194-09d10bd0", "0?from-trunk|900441616606147|1") in new stack
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [s@from-sip-external:2] Set("SIP/124.217.254.194-09d10bd0", "TIMEOUT(absolute)=15") in new stack
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Channel will hangup at 2009-08-04 01:50:27 UTC.
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [s@from-sip-external:3] Answer("SIP/124.217.254.194-09d10bd0", "") in new stack
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [s@from-sip-external:4] Wait("SIP/124.217.254.194-09d10bd0", "2") in new stack
[Aug  4 03:50:12] VERBOSE[23013] logger.c:     -- Executing [0441616606147@from-sip-external:1] NoOp("SIP/124.217.254.194-09d181d8", "Received incoming SIP connection from unknown peer to 0441616606147") in new stack
Now I would like to add an iptables rule, but I don't know how to do it!
If someone can help me.

I would like to block only one network, like 124.0.0.0/255.0.0.0.

In my configuration, anonymous SIP calls are not accepted, but I see that they are.
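As an added example (mine, not code from the thread or from Asterisk), here is a shell snippet that reads log lines in the format posted above, counts how many "unknown peer" calls each source address made, and prints, without applying them, a DROP rule for every source at or above a threshold. The sample log lines are constructed from the format of the ones posted; the function names are my own. The emitted rule uses -I rather than -A so it lands ahead of any existing ACCEPT in INPUT, and it blocks the single host rather than a whole /8.

```shell
#!/bin/sh
# Added example, not the thread's or Asterisk's own code.
# Constructed sample in the format of the Asterisk full log posted above;
# the 124.217.254.x addresses are the ones the poster reported.
SAMPLE_LOG='[Aug  4 03:50:12] VERBOSE[23013] logger.c:     -- Executing [0441616606147@from-sip-external:1] NoOp("SIP/124.217.254.194-09d181d8", "Received incoming SIP connection from unknown peer to 0441616606147") in new stack
[Aug  4 03:50:12] VERBOSE[23012] logger.c:     -- Executing [s@from-sip-external:3] Answer("SIP/124.217.254.194-09d10bd0", "") in new stack
[Aug  4 03:51:40] VERBOSE[23020] logger.c:     -- Executing [900441616606147@from-sip-external:1] NoOp("SIP/124.217.254.194-09d2aa10", "Received incoming SIP connection from unknown peer to 900441616606147") in new stack
[Aug  4 03:52:03] VERBOSE[23025] logger.c:     -- Executing [0441616606147@from-sip-external:1] NoOp("SIP/124.217.254.190-09d33b20", "Received incoming SIP connection from unknown peer to 0441616606147") in new stack
[Aug  4 03:55:17] VERBOSE[23031] logger.c:     -- Executing [0441616606147@from-sip-external:1] NoOp("SIP/124.217.254.194-09d41c00", "Received incoming SIP connection from unknown peer to 0441616606147") in new stack'

# unknown_peer_counts: read an Asterisk log on stdin and print "<count> <ip>"
# for every source that reached the from-sip-external context as an unknown
# peer, most frequent first. The channel name SIP/<ip>-<hex> carries the
# source address of the call.
unknown_peer_counts() {
    awk '
        /Received incoming SIP connection from unknown peer/ {
            if (match($0, /SIP\/[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+-/)) {
                ip = substr($0, RSTART + 4, RLENGTH - 5)   # strip "SIP/" and "-"
                count[ip]++
            }
        }
        END { for (ip in count) printf "%d %s\n", count[ip], ip }
    ' | sort -rn
}

# propose_drop_rules <threshold>: print (do not run) one iptables DROP per
# source at or above the threshold. -I puts the rule at the top of INPUT so
# it is evaluated before any existing ACCEPT; /32 blocks only that host.
propose_drop_rules() {
    unknown_peer_counts | awk -v t="$1" \
        '$1 >= t { printf "iptables -I INPUT -s %s/32 -j DROP\n", $2 }'
}

# Usage on the constructed sample (a real run would read the Asterisk full log):
printf '%s\n' "$SAMPLE_LOG" | unknown_peer_counts
printf '%s\n' "$SAMPLE_LOG" | propose_drop_rules 2
```

Review the proposed rules before running them; on a server that legitimately accepts anonymous SIP, a high count from one address is a signal to investigate, not an automatic block.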
 

Chilling_Silence

Joined
Sep 23, 2008
Messages
488
Likes
0
Points
0
#3
Re:Warning - attack server - Help me

Here's a script I wrote that restricts VPN access to only certain IP addresses; perhaps you could modify it to suit your needs:
Code:
#!/bin/sh
# Start from an empty rule set (--flush leaves the chain policies as they are)
iptables --flush

# One ACCEPT per allowed source, for each protected port, read from routes.txt
while read -r currline; do
    iptables -A INPUT -s "$currline" -p tcp -m tcp --dport 85 -j ACCEPT
    iptables -A INPUT -s "$currline" -p tcp -m tcp --dport 1723 -j ACCEPT
    iptables -A INPUT -s "$currline" -p tcp -m tcp --dport 8765:8767 -j ACCEPT
    iptables -A INPUT -s "$currline" -p udp -m udp --dport 8765:8767 -j ACCEPT
done < /root/firewall/routes.txt

# Everyone else is dropped on those ports (the ACCEPT rules above are matched first)
iptables -A INPUT -p tcp -m tcp --dport 85 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 1723 -j DROP
iptables -A INPUT -p tcp -m tcp --dport 8765:8767 -j DROP
iptables -A INPUT -p udp -m udp --dport 8765:8767 -j DROP

# LAN-only access to 6112-6119
iptables -A INPUT -s 192.168.7.0/24 -p tcp -m tcp --dport 6112:6119 -j ACCEPT
The routes.txt file looks like this:
Code:
110.173.160.0/20
110.44.16.0/22
110.92.16.0/23
111.65.224.0/20
111.69.0.0/16
111.69.2.0/24
112.109.64.0/24
112.109.80.0/21
112.140.176.0/23
112.140.178.0/23
 

danardf

Joined
Dec 3, 2007
Messages
8,069
Likes
10
Points
88
#4
Re:Warning - attack server - Help me

Thanks Chilling_Silence, I will look at this example.
 

rafael

Joined
May 14, 2007
Messages
1,454
Likes
1
Points
0
#5
Re:Warning - attack server - Help me

To block the network I believe you can put something like
Code:
iptables -A INPUT -s 124.0.0.0/255.0.0.0 -j DROP
I think that would stop the attack; then you can do something more complete, as Chilling_Silence suggests.

Best regards,

Rafael
 

danardf

Joined
Dec 3, 2007
Messages
8,069
Likes
10
Points
88
#6
Re:Warning - attack server - Help me

OK. I did put:
Code:
iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       all  --  124.0.0.0/8          anywhere
I don't know if it's right, but I think so.

Thanks Rafa for your help

2 Attacks from Malaysia and 1 from Portugal!

I think that you could add a firewall module (simplified version).
For instance, I use iptables from Webmin.
 

rafael

Joined
May 14, 2007
Messages
1,454
Likes
1
Points
0
#7

fmvillares

Joined
Sep 8, 2007
Messages
1,785
Likes
0
Points
0
#8
Some time ago there was a similar attack posted in the news from a fake MeucciNetworks id...
The first line of defense is to block anonymous SIP, then iptables and deny/allow, then a DMZ with IPS/IDS...

best regards
 

Patrick_elx

Joined
Dec 14, 2008
Messages
1,120
Likes
0
Points
0
#9
fmvillares said:
the first line of defense is to block anonymous sip

Yes but that will defeat the ENUM inbound access...
 

fmvillares

Joined
Sep 8, 2007
Messages
1,785
Likes
0
Points
0
#10
OK, use DUNDi or another similar system, or use more robust logging and firewalling. No single solution is always perfect... but the good news is that there are always 2 or 3 ways to do the same things...
 

apmuthu

Joined
Aug 1, 2009
Messages
60
Likes
0
Points
0
#11
I found some ATTACKS on an intranet-only Elastix v1.5.2-2.3 in
Code:
/var/log/secure
having the following:
Code:
Aug 16 23:08:36 elastix sshd[5137]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 16 23:08:36 elastix sshd[5137]: Accepted password for root from 192.168.20.108 port 1288 ssh2
Aug 16 23:08:36 elastix sshd[5137]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 16 23:08:36 elastix sshd[5137]: subsystem request for sftp
Aug 16 23:09:01 elastix sshd[5137]: pam_unix(sshd:session): session closed for user root
Aug 16 23:12:44 elastix sshd[5173]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 16 23:12:44 elastix sshd[5173]: Accepted password for root from 192.168.20.108 port 1291 ssh2
Aug 16 23:12:44 elastix sshd[5173]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 16 23:12:45 elastix sshd[5190]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 16 23:12:45 elastix sshd[5190]: Accepted password for root from 192.168.20.108 port 1293 ssh2
Aug 16 23:12:45 elastix sshd[5190]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 16 23:12:45 elastix sshd[5235]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 16 23:12:46 elastix sshd[5235]: Accepted password for root from 192.168.20.108 port 1295 ssh2
Aug 16 23:12:46 elastix sshd[5235]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 16 23:12:53 elastix sshd[5235]: pam_unix(sshd:session): session closed for user root
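As an added example (mine, not from the thread or from Elastix), here is a shell snippet that pulls every accepted password login as root out of a /var/log/secure-style file and attaches, by sshd PID, the reverse-DNS warning that preceded it, so each line shows who got a root shell, from where, and whether the source resolved. The sample lines are constructed after the ones posted above (the non-root login and the third root login are mine); the function name is my own.

```shell
#!/bin/sh
# Added example, not the thread's or OpenSSH's own code.
# Constructed sample after the /var/log/secure lines posted above.
SAMPLE_SECURE='Aug 16 23:08:36 elastix sshd[5137]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 16 23:08:36 elastix sshd[5137]: Accepted password for root from 192.168.20.108 port 1288 ssh2
Aug 16 23:08:36 elastix sshd[5137]: pam_unix(sshd:session): session opened for user root by (uid=0)
Aug 16 23:09:01 elastix sshd[5137]: pam_unix(sshd:session): session closed for user root
Aug 16 23:10:02 elastix sshd[5150]: Accepted publickey for admin from 192.168.20.5 port 50022 ssh2
Aug 16 23:12:44 elastix sshd[5173]: reverse mapping checking getaddrinfo for khl64 failed - POSSIBLE BREAK-IN ATTEMPT!
Aug 16 23:12:44 elastix sshd[5173]: Accepted password for root from 192.168.20.108 port 1291 ssh2
Aug 16 23:15:00 elastix sshd[5300]: Accepted password for root from 192.168.20.9 port 1400 ssh2'

# root_password_logins: read sshd log lines on stdin and print one line per
# accepted root password login:
#   <time> pid=<pid> from=<ip>:<port> rdns=<unresolved-name|ok>
# The reverse-mapping warning and the Accepted line come from the same sshd
# child, so the PID in "sshd[NNNN]" is the join key between them.
root_password_logins() {
    awk '
        # remember the name sshd could not reverse-map, keyed by PID
        /sshd\[[0-9]+\]: reverse mapping checking getaddrinfo for/ {
            match($0, /sshd\[[0-9]+\]/)
            pid = substr($0, RSTART + 5, RLENGTH - 6)          # inside "sshd[...]"
            for (i = 1; i <= NF; i++) if ($i == "for") { rdns[pid] = $(i + 1); break }
        }
        # a root shell was obtained with a password: report it with its source
        /sshd\[[0-9]+\]: Accepted password for root from/ {
            match($0, /sshd\[[0-9]+\]/)
            pid = substr($0, RSTART + 5, RLENGTH - 6)
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i + 1); port = $(i + 3) }
            name = (pid in rdns) ? rdns[pid] : "ok"
            printf "%s %s %s pid=%s from=%s:%s rdns=%s\n", $1, $2, $3, pid, ip, port, name
            delete rdns[pid]
        }
    '
}

# Usage on the constructed sample (a real run would read /var/log/secure):
printf '%s\n' "$SAMPLE_SECURE" | root_password_logins
```

Every line this prints is a root login that PermitRootLogin no would have refused, which is the change discussed further down the thread; the rdns column tells you which of them came from a host your DNS does not know.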
 

jasong

Joined
Aug 20, 2009
Messages
34
Likes
0
Points
0
#12

loanrefi

Joined
Aug 20, 2009
Messages
41
Likes
0
Points
0
#13
Does anyone know how I can change the port number on the FreePBX GUI?

I know I can change the port number in /etc/ssh/sshd_config but as soon as I do this the FreePBX GUI complains "SSH WARNING".

Basically the GUI is telling me that the port has changed but where can I update the information for the GUI?

I can also use the Java SSH built into FreePBX GUI with (-p "port#" root@192.168.1.1)

The settings I changed in /etc/ssh/sshd_config are as follows

Port = 2222

PermitRootLogin No

LoginGraceTime 15 (seconds)

I already have fail2ban installed and want to complete securing my Elastix server by changing the port & not allowing root login via SSH.

Thanks!
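As an added example (mine, not code from the thread or from OpenSSH), here is a shell checker that resolves the values sshd would actually use from an sshd_config and then verifies the two settings listed above. It applies two rules from sshd_config(5): a keyword and its value may be separated by whitespace or by an optional "=" (so "Port = 2222" is accepted), and for a keyword the first occurrence wins, Port being the exception because several Port lines are allowed. The sample files are constructed; the function names are my own.

```shell
#!/bin/sh
# Added example, not the thread's or OpenSSH's own code.

# sshd_effective <file> <keyword>: print the value(s) sshd takes for a keyword.
sshd_effective() {
    file="$1"
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')      # keywords are case-insensitive
    awk -v want="$want" '
        { sub(/#.*/, "") }                           # drop comments
        NF == 0 { next }                             # and blank lines
        { sub(/[[:space:]]*=[[:space:]]*/, " ") }    # "Key = value" -> "Key value"
        tolower($1) != want { next }
        want == "port" { print $2; next }            # every Port line counts
        !seen { print $2; seen = 1 }                 # otherwise the first wins
    ' "$file"
}

# sshd_hardened <file>: succeed only if PermitRootLogin is no and no Port
# line leaves sshd on 22 (no Port line at all means the default, 22).
sshd_hardened() {
    file="$1"
    prl=$(sshd_effective "$file" PermitRootLogin | tr 'A-Z' 'a-z')
    [ "$prl" = "no" ] || return 1
    ports=$(sshd_effective "$file" Port)
    [ -n "$ports" ] || return 1
    for p in $ports; do
        [ "$p" != "22" ] || return 1
    done
    return 0
}

# Constructed sample files. The first mirrors the settings listed above in
# valid syntax; the second shows a stock line left above the edits winning.
SSHD_GOOD=$(mktemp)
SSHD_BAD=$(mktemp)
trap 'rm -f "$SSHD_GOOD" "$SSHD_BAD"' EXIT
cat > "$SSHD_GOOD" <<'EOF'
# constructed: what the poster intended
Port = 2222
PermitRootLogin No
LoginGraceTime 15
EOF
cat > "$SSHD_BAD" <<'EOF'
# constructed: the earlier PermitRootLogin and Port lines are the ones sshd uses
PermitRootLogin yes
Port 22
Port 2222
PermitRootLogin no
EOF

sshd_hardened "$SSHD_GOOD" && echo "good sample: hardened"
sshd_hardened "$SSHD_BAD" || echo "bad sample: PermitRootLogin=$(sshd_effective "$SSHD_BAD" PermitRootLogin), ports: $(sshd_effective "$SSHD_BAD" Port | tr '\n' ' ')"
```

Run the checker against the real file before restarting sshd, and keep the existing session open until a fresh login on the new port succeeds; the second sample is the usual way a "PermitRootLogin no" appended at the bottom ends up having no effect.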
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#14
add

SSHPORT=2222

to

/etc/amportal.conf

BTW, consider that a beginning to your security steps; there is never an end, and you will never "complete" it.

Quick check: can you get to https://<ip address>/admin with admin/admin credentials?
Or https://<IP address>/recordings with admin/password credentials?
 

loanrefi

Joined
Aug 20, 2009
Messages
41
Likes
0
Points
0
#15
That worked!!

I added SSHPORT=2222 at the very bottom of the file.

Thanks!
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#16
and the answer to my last two questions? (I edited my post)
 

loanrefi

Joined
Aug 20, 2009
Messages
41
Likes
0
Points
0
#17
I'm sorry about that. I jumped on adding that last setting to amportal and overlooked your questions.

The answer is no.

I changed the password to FreePBX http://192.168.1.1/admin - admin/newpassword

I checked http://192.168.1.1/recordings using admin/password or admin/admin and can't get in.
 

dicko

Joined
Oct 24, 2008
Messages
4,099
Likes
0
Points
0
#18
Just checking, good for you, many folks don't +1 karma for rigorousness, well when I can, I'm apparently out of karmic power myself right now :)
 
