larzeb
(Lars Zeb)
October 21, 2014, 4:55pm
1
My FreePBX box is behind a router which is set to reject all SIP traffic not coming from my ISP, Flowroute.
The CDR Reports show connections like the one below. I don’t know where it’s coming from but it’s annoying. Is there any way to stop this traffic from getting to the PBX?
Thanks Larry
dicko
(dicko)
October 21, 2014, 5:14pm
2
You need to check your firewall rules; Palestinians ARE trying to eat your phone system
(or perhaps someone within your own Comcast/TimeWarner network, maybe).
Post the output of
iptables -L
(obfuscate your own networking though)
larzeb
(Lars Zeb)
October 21, 2014, 10:35pm
3
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
syn_flood tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN
input_rule all -- anywhere anywhere
input all -- anywhere anywhere
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
forwarding_rule all -- anywhere anywhere
forward all -- anywhere anywhere
reject all -- anywhere anywhere
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ACCEPT all -- anywhere anywhere ctstate RELATED,ESTABLISHED
ACCEPT all -- anywhere anywhere
output_rule all -- anywhere anywhere
output all -- anywhere anywhere
Chain forward (1 references)
target prot opt source destination
zone_lan_forward all -- anywhere anywhere
zone_wan_forward all -- anywhere anywhere
Chain forwarding_lan (1 references)
target prot opt source destination
Chain forwarding_rule (1 references)
target prot opt source destination
nat_reflection_fwd all -- anywhere anywhere
Chain forwarding_wan (1 references)
target prot opt source destination
Chain input (1 references)
target prot opt source destination
zone_lan all -- anywhere anywhere
zone_wan all -- anywhere anywhere
Chain input_lan (1 references)
target prot opt source destination
Chain input_rule (1 references)
target prot opt source destination
Chain input_wan (1 references)
target prot opt source destination
Chain nat_reflection_fwd (1 references)
target prot opt source destination
ACCEPT tcp -- 10.0.0.0/24 10.0.0.41 tcp dpt:8080 /* wan */
ACCEPT udp -- 10.0.0.0/24 10.0.0.41 udp dpt:8080 /* wan */
ACCEPT tcp -- 10.0.0.0/24 10.0.0.41 tcp dpt:51413 /* wan */
ACCEPT udp -- 10.0.0.0/24 10.0.0.41 udp dpt:51413 /* wan */
ACCEPT tcp -- 10.0.0.0/24 zebay.lan tcp dpt:www /* wan */
ACCEPT tcp -- 10.0.0.0/24 zebay.lan tcp dpt:https /* wan */
ACCEPT udp -- 10.0.0.0/24 freepbx.lan udp dpts:sip:5082 /* wan */
ACCEPT udp -- 10.0.0.0/24 freepbx.lan udp dpts:19000:20000 /* wan */
Chain output (1 references)
target prot opt source destination
zone_lan_ACCEPT all -- anywhere anywhere
zone_wan_ACCEPT all -- anywhere anywhere
Chain output_rule (1 references)
target prot opt source destination
Chain reject (5 references)
target prot opt source destination
REJECT tcp -- anywhere anywhere reject-with tcp-reset
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Chain syn_flood (1 references)
target prot opt source destination
RETURN tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,ACK/SYN limit: avg 25/sec burst 50
DROP all -- anywhere anywhere
Chain zone_lan (1 references)
target prot opt source destination
input_lan all -- anywhere anywhere
zone_lan_ACCEPT all -- anywhere anywhere
Chain zone_lan_ACCEPT (3 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_lan_DROP (0 references)
target prot opt source destination
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_lan_REJECT (0 references)
target prot opt source destination
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_lan_forward (1 references)
target prot opt source destination
zone_wan_ACCEPT all -- anywhere anywhere
forwarding_lan all -- anywhere anywhere
zone_lan_ACCEPT all -- anywhere anywhere
Chain zone_wan (1 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT icmp -- anywhere anywhere icmp echo-request
ACCEPT udp -- sip-lv1.flowroute.com anywhere udp spt:sip dpt:sip
ACCEPT udp -- wsip-70-167-153-130.oc.oc.cox.net anywhere udp spt:sip dpt:sip
REJECT udp -- anywhere anywhere udp dpt:sip reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:www
input_wan all -- anywhere anywhere
zone_wan_REJECT all -- anywhere anywhere
Chain zone_wan_ACCEPT (2 references)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere
Chain zone_wan_DROP (0 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `DROP(wan):'
DROP all -- anywhere anywhere
DROP all -- anywhere anywhere
Chain zone_wan_REJECT (2 references)
target prot opt source destination
LOG all -- anywhere anywhere limit: avg 10/min burst 5 LOG level warning prefix `REJECT(wan):'
reject all -- anywhere anywhere
reject all -- anywhere anywhere
Chain zone_wan_forward (1 references)
target prot opt source destination
ACCEPT tcp -- anywhere 10.0.0.41 tcp dpt:8080
ACCEPT udp -- anywhere 10.0.0.41 udp dpt:8080
ACCEPT tcp -- anywhere 10.0.0.41 tcp dpt:51413
ACCEPT udp -- anywhere 10.0.0.41 udp dpt:51413
ACCEPT tcp -- anywhere zebay.lan tcp dpt:www
ACCEPT tcp -- anywhere zebay.lan tcp dpt:https
ACCEPT udp -- anywhere freepbx.lan udp dpts:sip:5082
ACCEPT udp -- anywhere freepbx.lan udp dpts:19000:20000
forwarding_wan all -- anywhere anywhere
zone_wan_REJECT all -- anywhere anywhere
zebay.lan = 10.0.0.23
freepbx.lan = 10.0.0.38
dicko
(dicko)
October 21, 2014, 10:50pm
4
I suggested that you obfuscate your network; please edit your post.
nmap -vv your.ip.address
shows that you have SIP on TCP open; these guys are not stupid, they have read the SIPVicious manual and many more...
(Also, never ever run SSH on port 22; that is also just plain asking for it. Some might consider it "theatrically" a waste of time, but I would never run SIP on 5060 either: 99.999% of all attacks are against that port ;-))
larzeb
(Lars Zeb)
October 21, 2014, 11:37pm
5
Dicko, I’m confused about obfuscating my address. There’s no reference to a WAN address and the class C internal address (10.0.0.0/24) is not accurate as posted.
This stuff is new to me. I thought I had enabled SIP only on UDP, not TCP. Also, where is SSH defined? I don't see it.
I also thought that restricting inbound SIP from only two IP addresses would take care of noisy people. But I can change that.
dicko
(dicko)
October 21, 2014, 11:42pm
6
Well, something is getting in, don't you agree?
Perhaps it's time for tcpdump to see what:
tcpdump -vvnn port 5060
larzeb
(Lars Zeb)
October 23, 2014, 6:13pm
7
Thanks dicko, I resolved the issue.
I was not restrictive enough with the SIP protocol. It was allowing traffic from the outside rather than just the provider’s IP addresses.
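The hole larzeb describes is visible in the rules he posted: `zone_wan` (traffic to the router itself) only accepts UDP 5060 from the two provider hosts and then rejects the rest, but the port-forward in `zone_wan_forward` accepts UDP sip:5082 to freepbx.lan from `anywhere`. As an added example, not from the thread or from FreePBX, this Python script parses an `iptables -L` listing (a constructed excerpt modelled on the one above) and flags ACCEPT rules that expose port 5060 to any source, so the forward-path rule is caught even though the input-path rules look correct.

```python
import re

# Constructed excerpt modelled on the iptables -L listing posted in this thread.
SAMPLE = """\
Chain zone_wan (1 references)
target prot opt source destination
ACCEPT udp -- sip-lv1.flowroute.com anywhere udp spt:sip dpt:sip
ACCEPT udp -- wsip-70-167-153-130.oc.oc.cox.net anywhere udp spt:sip dpt:sip
REJECT udp -- anywhere anywhere udp dpt:sip reject-with icmp-port-unreachable
ACCEPT tcp -- anywhere anywhere tcp dpt:www
Chain zone_wan_forward (1 references)
target prot opt source destination
ACCEPT udp -- anywhere freepbx.lan udp dpts:sip:5082
ACCEPT udp -- anywhere freepbx.lan udp dpts:19000:20000
"""
SIP_PORT = 5060

def port_range(spec):
    # 'dpt:sip' -> (5060, 5060); 'dpts:sip:5082' -> (5060, 5082); other service names -> None
    parts = [SIP_PORT if p == "sip" else int(p) if p.isdigit() else None
             for p in spec.split(":")[1:]]
    return None if not parts or None in parts else (parts[0], parts[-1])

def parse_chains(listing):
    # Group rule lines by chain: (target, prot, source, destination, extra match tokens)
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            current = m.group(1)
            chains[current] = []
        elif current and not line.startswith("target"):
            f = line.split()
            if len(f) >= 5:
                chains[current].append((f[0], f[1], f[3], f[4], f[5:]))
    return chains

def open_sip_rules(chains):
    # ACCEPT rules with an unrestricted source whose destination port (or range) covers 5060;
    # the chain name shows whether it is the router's own input path or a port-forward.
    findings = []
    for chain, rules in chains.items():
        for target, prot, src, dst, extra in rules:
            if target != "ACCEPT" or src != "anywhere":
                continue
            for tok in extra:
                rng = port_range(tok) if tok.startswith("dpt") else None
                if rng and rng[0] <= SIP_PORT <= rng[1]:
                    findings.append((chain, prot, src, dst, tok))
    return findings
```

Run it against your own `iptables -L` output (redirect it to a file and pass the text to `parse_chains`); any finding in a forward chain means the PBX is reachable on SIP regardless of the provider whitelist on the input chain.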