Distro 10.13.66-17. Kernel error or attack?

FreePBX Distro 10.13.66-17 with Asterisk 13 updated to 17 the day it was released. All modules are up to date as well and I am running the integrated firewall.

We see thousands of lines like below in /var/log/messages followed by what appears to be a reboot, followed by thousands more lines of that. Blocking the src ip in the firewall does not work. Our hosting provider thinks it’s a kernel vulnerability but we checked and the kernel is up to date as per the 10/29 update.

Nov 28 13:29:51 myserver kernel: attacker: IN=eth0 OUT= MAC=00:xx:3e:xx:xx:xx:00:xx:9c:xx:ca:01:08:00 SRC=209.x.x.x DST=x.x.x.x LEN=552 TOS=0x00 PREC=0x00 TTL=52 ID=28236 PROTO=UDP SPT=5060 DPT=5060 LEN=532 MARK=0x3

Does anyone have a fix for this? I don’t want to rebuild the entire server.

Nov 28 20:35:57 ny kernel: attacker: IN=eth0 OUT= MAC=xxxxxxxxxxxxxx SRC=x.x.x.x DST=x.x.x.x LEN=552 TOS=0x00 PREC=0x00 TTL=52 ID=42227 PROTO=UDP SPT=5060 DPT=5060 LEN=532 MARK=0x3

Nov 28 20:35:58 ny kernel: attacker: IN=eth0 OUT= MAC=xxxxxxxxxxxxxx SRC=x.x.x.x DST=x.x.x.x LEN=552 TOS=0x00 PREC=0x00 TTL=52 ID=42228 PROTO=UDP SPT=5060 DPT=5060 LEN=532 MARK=0x3

Nov 28 20:35:59 ny kernel: attacker: IN=eth0 OUT= MAC=xxxxxxxxxxxxxx SRC=x.x.x.x DST=x.x.x.x LEN=552 TOS=0x00 PREC=0x00 TTL=52 ID=42229 PROTO=UDP SPT=5060 DPT=5060 LEN=532 MARK=0x3

Nov 28 20:36:00 ny kernel: attacker: IN=eth0 OUT= MAC=xxxxxxxxxxxxxx SRC=x.x.x.x DST=x.x.x.x LEN=552 TOS=0x00 PREC=0x00 TTL=52 ID=42230 PROTO=UDP SPT=5060 DPT=5060 LEN=532 MARK=0x3

Nov 28 20:36:01 ny kernel: attacker: IN=eth0 OUT= MAC=xxxxxxxxxxxxxx SRC=x.x.x.x DST=x.x.x.x LEN=552 TOS=0x00 PREC=0x00 TTL=52 ID=42231 PROTO=UDP SPT=5060 DPT=5060 LEN=532 MARK=0x3

Nov 28 20:36:01 ny kernel: attacker: IN=eth0 OUT= MAC=xxxxxxxxxxxxxx SRC=x.x.x.x DST=x.x.x.x LEN=552 TOS=0x00 PREC=0x00 TTL=52 ID=42232 PROTO=UDP SPT=5060 DPT=5060 LEN=532 MARK=0x3

I think it is an iptables rule set to log invalid SIP traffic. If you are adding the firewall rule after this one then you will still see it in the syslog.

I am running the integrated system firewall 13.0.42 and I have thousands of these messages until it overloads the server and reboots.

Are you sure this is what’s causing the reboot?

I think the thousands of messages (one every second) are putting extra load on the server and it gets to the point where it hangs and reboots (my sysctl.conf reboots a hung server after 300 seconds).

I doubt it. One syslog message per second is not really any load at all. But if you want to eliminate it then find the iptables rule that is doing the logging and delete it.

I am not aware of any command that will turn off logging on the integrated firewall.

So you don’t think it’s a kernel error or new attack?

Based on the logs and description you’ve posted here, no. Look for other reasons your server is hanging. I would not worry about this logging, but if you are concerned, use iptables -L -n --line-numbers to find the logging rule and then use iptables -D ... with the chain and line number of the logging rule in order to stop it, temporarily, until the next restart or if the firewall rules are reloaded.
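As an added example (not code from the thread or from FreePBX), here is a small script that carries out the procedure above without touching the live ruleset: it reads `iptables -L -n --line-numbers` output, finds LOG rules whose prefix matches the one seen in /var/log/messages, and prints the corresponding `iptables -D` commands for review. The rule listing is a constructed sample and the chain name `sip_guard` is hypothetical, not the integrated firewall's real chain.

```shell
#!/bin/sh
# Locate iptables LOG rules by log prefix and print (not run) the matching
# "iptables -D CHAIN NUM" commands. Added example, not FreePBX code.

# Constructed sample imitating `iptables -L -n --line-numbers`.
# Chain name "sip_guard" is hypothetical.
SAMPLE_RULES='Chain INPUT (policy ACCEPT)
num  target     prot opt source               destination
1    sip_guard  all  --  0.0.0.0/0            0.0.0.0/0

Chain sip_guard (1 references)
num  target     prot opt source               destination
1    ACCEPT     udp  --  10.0.0.0/8           0.0.0.0/0            udp dpt:5060
2    LOG        udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 LOG flags 0 level 4 prefix "attacker: "
3    DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060'

# find_log_rules PREFIX: reads a rule listing on stdin and prints
# "CHAIN NUM" for every LOG rule whose --log-prefix equals PREFIX.
find_log_rules() {
    awk -v want="prefix \"$1\"" '
        /^Chain / { chain = $2; next }          # remember the current chain
        $2 == "LOG" && index($0, want) > 0 { print chain, $1 }
    '
}

# delete_commands PREFIX: turns the matches into iptables -D commands.
# Rule numbers shift after each deletion, so within a chain the highest
# number is listed first; the commands are printed for review, not executed.
delete_commands() {
    find_log_rules "$1" | sort -k1,1 -k2,2rn | while read -r chain num; do
        printf 'iptables -D %s %s\n' "$chain" "$num"
    done
}

# On a real host replace the sample with: iptables -L -n --line-numbers | ...
printf '%s\n' "$SAMPLE_RULES" | delete_commands "attacker: "
```

As the answer above notes, a rule removed with `iptables -D` comes back when the firewall module reloads its rules, so this only silences the logging temporarily.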

These are log messages of blocked attacks from the attacker. They’re saying that this packet was successfully intercepted and blocked.
