Discussion:
firewall/iptables suggestion for preventing brute-force SIP attempts?
Per Jessen
2013-04-04 08:47:15 UTC
Our asterisk server is seeing numerous brute force attempts to get
access to a SIP account. I've tried setting up a 'prevent flood'
config with iptables, but without much success. fail2ban et al does
not work, so I was hoping someone might have a hint wrt an iptables
setup to stop such brute force attacks?


thanks
Per
--
Per Jessen, Zürich (4.4°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
To contact the owner, e-mail: opensuse+***@opensuse.org
Togan Muftuoglu
2013-04-04 09:18:09 UTC
Post by Per Jessen
Our asterisk server is seeing numerous brute force attempts to get
access to a SIP account. I've tried setting up a 'prevent flood'
config with iptables, but without much success. fail2ban et al does
not work, so I was hoping someone might have a hint wrt an iptables
setup to stop such brute force attacks?
Well, not the answer you are looking for, but don't find yourself alone
in this game, as my server is also under brute force attack, and no, till
now I have not been able to find any solution either. I have tried all the
approaches you have tried but no success. I can't find a way to block, as
most of these attacks are logged as below, where XXX is my server's own
address, hence fail2ban unfortunately fails, or I can't find a better
way to get the attackers' IP address.

100000<sip:***@XXX.XXX.XXX.XX>;tag=eb6db4c6

So if you find a solution please share, as this issue has been getting
on my nerves for a long time now


Togan
Marcus Meissner
2013-04-04 11:19:23 UTC
Post by Togan Muftuoglu
Post by Per Jessen
Our asterisk server is seeing numerous brute force attempts to get
access to a SIP account. I've tried setting up a 'prevent flood'
config with iptables, but without much success. fail2ban et al does
not work, so I was hoping someone might have a hint wrt an iptables
setup to stop such brute force attacks?
Well, not the answer you are looking for, but don't find yourself alone
in this game, as my server is also under brute force attack, and no, till
now I have not been able to find any solution either. I have tried all the
approaches you have tried but no success. I can't find a way to block, as
most of these attacks are logged as below, where XXX is my server's own
address, hence fail2ban unfortunately fails, or I can't find a better
way to get the attackers' IP address.
So if you find a solution please share, as this issue has been getting
on my nerves for a long time now
Is this always the same TCP/UDP port?

Then add a filter like the ssh "recent" filtering?

remove it from the generic
FW_SERVICES_EXT_TCP
line, and add to the FW_SERVICES_ACCEPT_EXT line:
something like the ssh example:
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"

Ciao, Marcus
Togan Muftuoglu
2013-04-04 11:31:35 UTC
Post by Marcus Meissner
remove it from the generic
FW_SERVICES_EXT_TCP
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Been there already, does not work, and of course EXT_UDP is not including
5060 :(

FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh
0/0,udp,5060,,hitcount=3,blockseconds=180,recentname=voip"


Togan
Per Jessen
2013-04-04 11:41:46 UTC
Post by Togan Muftuoglu
Post by Marcus Meissner
remove it from the generic
FW_SERVICES_EXT_TCP
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Post by Togan Muftuoglu
Been there already, does not work, and of course EXT_UDP is not
including 5060 :(
Hi Togan

do you remember why it doesn't work? It's been a while since I disabled
my attempts, I can't remember why it didn't work.
--
Per Jessen, Zürich (7.1°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Togan Muftuoglu
2013-04-04 12:10:58 UTC
Hi Per,
Post by Marcus Meissner
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Post by Togan Muftuoglu
Been there already, does not work, and of course EXT_UDP is not
including 5060 :(
Hi Togan
do you remember why it doesn't work? It's been a while since I disabled
my attempts, I can't remember why it didn't work.
Can't remember it either, it has been a while, but it is not the case
that the rule does not catch, because it does:

Apr 4 06:26:11 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=91.121.0.209
DST=XXX.XXX.XXX.XX LEN=773 TOS=0x00 PREC=0x00 TTL=120 ID=1888 PROTO=UDP
SPT=5078 DPT=5060 LEN=753

Apr 4 06:26:12 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=91.121.0.209
DST=XXX.XXX.XXX.XX LEN=778 TOS=0x00 PREC=0x00 TTL=120 ID=1963 PROTO=UDP
SPT=5073 DPT=5060 LEN=758

Apr 4 06:26:26 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=91.121.0.209
DST=XXX.XXX.XXX.XX LEN=781 TOS=0x00 PREC=0x00 TTL=120 ID=2836 PROTO=UDP
SPT=5070 DPT=5060 LEN=761

Apr 4 06:26:32 whale kernel: SFW2-INext-DROPr IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=91.121.0.209
DST=XXX.XXX.XXX.XX LEN=784 TOS=0x00 PREC=0x00 TTL=120 ID=3157 PROTO=UDP
SPT=5071 DPT=5060 LEN=764
Marcus Meissner
2013-04-04 12:19:25 UTC
Post by Togan Muftuoglu
Hi Per,
Post by Marcus Meissner
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Post by Togan Muftuoglu
Been there already, does not work, and of course EXT_UDP is not
including 5060 :(
Hi Togan
do you remember why it doesn't work? It's been a while since I disabled
my attempts, I can't remember why it didn't work.
Can't remember it either, it has been a while, but it is not the case
that the rule does not catch, because it does:
Apr 4 06:26:11 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=91.121.0.209
DST=XXX.XXX.XXX.XX LEN=773 TOS=0x00 PREC=0x00 TTL=120 ID=1888 PROTO=UDP
SPT=5078 DPT=5060 LEN=753
Apr 4 06:26:12 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=91.121.0.209
DST=XXX.XXX.XXX.XX LEN=778 TOS=0x00 PREC=0x00 TTL=120 ID=1963 PROTO=UDP
SPT=5073 DPT=5060 LEN=758
Apr 4 06:26:26 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=91.121.0.209
DST=XXX.XXX.XXX.XX LEN=781 TOS=0x00 PREC=0x00 TTL=120 ID=2836 PROTO=UDP
SPT=5070 DPT=5060 LEN=761
Apr 4 06:26:32 whale kernel: SFW2-INext-DROPr IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=91.121.0.209
DST=XXX.XXX.XXX.XX LEN=784 TOS=0x00 PREC=0x00 TTL=120 ID=3157 PROTO=UDP
SPT=5071 DPT=5060 LEN=764
There is the first drop...

Ciao, Marcus
Togan Muftuoglu
2013-04-04 12:30:55 UTC
Post by Marcus Meissner
Post by Togan Muftuoglu
Hi Per,
There is the first drop...
I guess dropping was not the issue, but keeping the dropped attacker on
hold for a long time was the issue for me.

Togan

PS. please keep replies to list only
Per Jessen
2013-04-04 13:49:46 UTC
Post by Togan Muftuoglu
Post by Marcus Meissner
Post by Togan Muftuoglu
Hi Per,
There is the first drop...
I guess dropping was not the issue, but keeping the dropped attacker
on hold for a long time was the issue for me.
Togan
Here is what I used to have:

## SIP flood protection
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --set
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SIP attack: '
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j DROP

I don't currently have any external SIP users, but I'm pretty
certain the above also gave legitimate users a problem. I'm wondering
if it is because the firewall needs to look into the SIP packet to
be able to determine what it is.
--
Per Jessen, Zürich (8.4°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Togan Muftuoglu
2013-04-04 15:34:49 UTC
Post by Per Jessen
## SIP flood protection
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --set
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SIP attack: '
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j DROP
I don't currently have any external SIP users, but I'm pretty
certain the above also gave legitimate users a problem. I'm wondering
if it is because the firewall needs to look into the SIP packet to
be able to determine what it is.
In addition I have FW_EXT_UDP=10000:20000 since my rtp.conf is

rtpstart=10000
rtpend=20000


On the other hand, today is (touch wood) a relatively quiet day


Togan
Per Jessen
2013-04-04 15:39:53 UTC
Post by Togan Muftuoglu
Post by Per Jessen
## SIP flood protection
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --set
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SIP attack: '
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j DROP
I don't currently have any external SIP users, but I'm pretty
certain the above also gave legitimate users a problem. I'm
wondering if it is because the firewall needs to look into the SIP
packet to be able to determine what it is.
In addition I have FW_EXT_UDP=10000:20000 since my rtp.conf is
rtpstart=10000
rtpend=20000
Yes, I also have those open

# SIP traffic
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -j ACCEPT
# these are STUN ports
$IPTABLES -A INPUT -p udp --dport 3478:3479 -i $EXTERNALIF -j ACCEPT
# IAX2 traffic
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 4569 -j ACCEPT
#
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 10000:20000 -j ACCEPT


/Per
--
Per Jessen, Zürich (9.2°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Marcus Meissner
2013-04-04 15:58:53 UTC
Post by Per Jessen
Post by Togan Muftuoglu
Post by Per Jessen
## SIP flood protection
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --set
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SIP attack: '
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j DROP
I don't currently have any external SIP users, but I'm pretty
certain the above also gave legitimate users a problem. I'm
wondering if it is because the firewall needs to look into the SIP
packet to be able to determine what it is.
In addition I have FW_EXT_UDP=10000:20000 since my rtp.conf is
rtpstart=10000
rtpend=20000
Yes, I also have those open
# SIP traffic
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -j ACCEPT
Well if you do this, they are of course not hitting the RECENT matcher.

Ciao, Marcus
Per Jessen
2013-04-04 17:02:51 UTC
Post by Marcus Meissner
Post by Per Jessen
Post by Togan Muftuoglu
Post by Per Jessen
## SIP flood protection
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --set
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SIP attack: '
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j DROP
I don't currently have any external SIP users, but I'm pretty
certain the above also gave legitimate users a problem. I'm
wondering if it is because the firewall needs to look into the SIP
packet to be able to determine what it is.
In addition I have FW_EXT_UDP=10000:20000 since my rtp.conf is
rtpstart=10000
rtpend=20000
Yes, I also have those open
# SIP traffic
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -j ACCEPT
Well if you do this, they are of course not hitting the RECENT
matcher.
No, my SIP flood protect rules are placed before that accept-rule.
--
Per Jessen, Zürich (8.1°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Per Jessen
2013-04-05 07:24:21 UTC
Post by Per Jessen
Post by Togan Muftuoglu
Post by Marcus Meissner
Post by Togan Muftuoglu
Hi Per,
There is the first drop...
I guess dropping was not the issue, but keeping the dropped attacker
on hold for a long time was the issue for me.
Togan
## SIP flood protection
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --set
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j LOG --log-prefix 'SIP attack: '
$IPTABLES -A INPUT -i $EXTERNALIF -p udp --dport 5060 -m recent --name sipattack --update --seconds 60 --hitcount 6 -j DROP
Update - the above does in fact work, it was triggered quite a few times
last night. However, as I said yesterday, I don't currently have any
external SIP users, but I'm pretty certain the above also gave
legitimate users a problem.
--
Per Jessen, Zürich (3.4°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.
Togan Muftuoglu
2013-04-13 09:08:59 UTC
Post by Togan Muftuoglu
Post by Marcus Meissner
Post by Togan Muftuoglu
Hi Per,
There is the first drop...
I guess dropping was not the issue, but keeping the dropped attacker on
hold for a long time was the issue for me.
OK, here we go again. In addition to the attacker not being held for a
long time, the problem is that with dictionary attacks SuSEfirewall2 fails,
or I haven't been able to find a better way, and it takes quite some time
for fail2ban to act.

Fail2ban was in action

The IP 62.75.202.56 has just been banned by Fail2Ban after
58 attempts against ASTERISK.

So wondering what the hell SuSEfirewall2 is doing

Apr 13 03:56:10 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=62.75.202.56
DST=XXX.XXX.XXX.XX LEN=442 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP
SPT=5098 DPT=5060 LEN=422

Apr 13 03:56:10 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=62.75.202.56
DST=XXX.XXX.XXX.XX LEN=463 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP
SPT=5068 DPT=5060 LEN=443

So there are two packets and they are both accepted. There are no dropped
packets from this attacker.

Looking at asterisk, this is again a brute force dictionary attack and
SuSEfirewall2 is not sufficient with

FW_SERVICES_ACCEPT_EXT="0/0,udp,5060,,hitcount=3,blockseconds=60,recentname=voip"


[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"2276679141"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56'
- No matching peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"1"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching peer
found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"2"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching peer
found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"3"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching peer
found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"10"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"11"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"12"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"13"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"20"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"21"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"22"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"30"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"31"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"40"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"41"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"50"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"51"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"60"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"61"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"70"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"71"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"80"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"81"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"90"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"91"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"100"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"101"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"102"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"103"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"104"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"105"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"106"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"200"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"201"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"202"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"203"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"300"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"301"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"302"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"303"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"400"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"401"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"402"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"403"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"500"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"501"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"502"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"503"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"600"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"601"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"602"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"603"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"700"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"701"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"702"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"703"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"800"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"801"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"802"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"803"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"900"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"901"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"902"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"903"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No matching
peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"1000"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No
matching peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"1001"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No
matching peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"1002"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No
matching peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"1003"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No
matching peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"2000"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No
matching peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from
'"2001"<sip:***@XXX.XXX.XXX.XX>' failed for '62.75.202.56' - No
matching peer found
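Togan's first post shows why a log-based filter can come up empty on chan_sip: in the line he quoted the only address is his own PBX, and in the "Registration from ... failed for ..." notices above the address inside <sip:...> is again the PBX while the attacker only appears after "failed for". The block below is an added example, not code from the thread and not fail2ban's own filter: it parses constructed notices modelled on the ones quoted here, shows what a first-dotted-quad regex gets wrong, and applies a sliding-window ban decision in the spirit of fail2ban's maxretry/findtime. The sample log, the addresses (RFC 5737 documentation ranges) and the "Failed to authenticate user" line that is assumed to be the kind of message Togan's ';tag=' fragment came from are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example, not code from the thread or from fail2ban. The address to
# act on is the one after "failed for", never the host inside <sip:...>,
# which is the PBX's own address; notices that carry no source address at
# all cannot be acted on by any log-based filter.

# Constructed sample modelled on the notices quoted above. 192.0.2.10 stands
# for the PBX, 203.0.113.5 for the scanner and 198.51.100.20 for a real user
# mistyping a password. The "Failed to authenticate user" line is an
# assumption about the message type Togan's '...;tag=eb6db4c6' fragment
# belongs to; it is here to show that the parser rejects it.
SAMPLE_LOG = """\
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from '"2276679141"<sip:2276679141@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from '"1"<sip:1@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[2013-04-13 03:56:10] NOTICE[20816] chan_sip.c: Registration from '"2"<sip:2@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[2013-04-13 03:56:11] NOTICE[20816] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '198.51.100.20:5060' - Wrong password
[2013-04-13 03:56:11] NOTICE[20816] chan_sip.c: Registration from '"3"<sip:3@192.0.2.10>' failed for '203.0.113.5' - No matching peer found
[2013-04-13 03:56:12] NOTICE[20816] chan_sip.c: Failed to authenticate user 100000<sip:100000@192.0.2.10>;tag=eb6db4c6
[2013-04-13 03:59:40] NOTICE[20816] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '198.51.100.20:5060' - Wrong password
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# Newer chan_sip versions append ":port" to the address after "failed for";
# the optional group strips it so the ban key is the bare address.
NOTICE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<ip>[^':]+)(?::\d+)?' - (?P<reason>.*)$")


def naive_source(line):
    """The mistake: take the first dotted quad in the line. For every notice
    above that is the PBX's own address, so a filter built this way bans
    nothing useful (or, with the PBX not whitelisted, bans the PBX itself)."""
    m = IPV4_RE.search(line)
    return m.group(0) if m else None


def parse_notice(line):
    """Return (timestamp, source address, reason) for a 'Registration from ...
    failed for ...' notice, or None for any other line."""
    m = NOTICE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["reason"]


def ban_decisions(log, maxretry=5, findtime=600, ignore=("192.0.2.10",)):
    """Sliding-window failure counter per source, like fail2ban's
    maxretry/findtime. Returns {address: time of the failure that triggered
    the ban}. Addresses in `ignore` (the PBX, trusted phones) are never banned."""
    recent = defaultdict(deque)
    banned = {}
    for line in log.splitlines():
        parsed = parse_notice(line)
        if parsed is None:
            continue
        ts, ip, _ = parsed
        if ip in ignore or ip in banned:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:  # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    first = SAMPLE_LOG.splitlines()[0]
    print("naive:", naive_source(first), " correct:", parse_notice(first)[1])
    print("maxretry=3:", ban_decisions(SAMPLE_LOG, maxretry=3))
```

With maxretry=3 the scanner is banned on its third notice, all of which carry the same second in the log; the user with the wrong password stays under the threshold, and the "Failed to authenticate user" line yields nothing to ban, which is the gap Togan ran into: a filter can only act on a source address the application actually writes out.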
Marcus Meissner
2013-04-13 09:24:49 UTC
Post by Togan Muftuoglu
Post by Togan Muftuoglu
Post by Marcus Meissner
Post by Togan Muftuoglu
Hi Per,
There is the first drop...
I guess dropping was not the issue, but keeping the dropped attacker on
hold for a long time was the issue for me.
OK, here we go again. In addition to the attacker not being held for a
long time, the problem is that with dictionary attacks SuSEfirewall2 fails,
or I haven't been able to find a better way, and it takes quite some time
for fail2ban to act.
Fail2ban was in action
The IP 62.75.202.56 has just been banned by Fail2Ban after
58 attempts against ASTERISK.
So wondering what the hell SuSEfirewall2 is doing
Apr 13 03:56:10 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=62.75.202.56
DST=XXX.XXX.XXX.XX LEN=442 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP
SPT=5098 DPT=5060 LEN=422
Apr 13 03:56:10 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=62.75.202.56
DST=XXX.XXX.XXX.XX LEN=463 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP
SPT=5068 DPT=5060 LEN=443
So there are two packets and they are both accepted. There are no dropped
packets from this attacker.
Looking at asterisk, this is again a brute force dictionary attack and
SuSEfirewall2 is not sufficient with
FW_SERVICES_ACCEPT_EXT="0/0,udp,5060,,hitcount=3,blockseconds=60,recentname=voip"
We have found one issue with this..

Can you look at or better post _all_ above "dmesg" entries?

Check especially if the TTL changes for the same SRC IP.

Ciao, Marcus
Togan Muftuoglu
2013-04-13 09:38:22 UTC
Post by Marcus Meissner
Post by Togan Muftuoglu
Post by Togan Muftuoglu
Post by Marcus Meissner
Post by Togan Muftuoglu
Hi Per,
There is the first drop...
I guess dropping was not the issue, but keeping the dropped attacker on
hold for a long time was the issue for me.
OK, here we go again. In addition to the attacker not being held for a
long time, the problem is that with dictionary attacks SuSEfirewall2 fails,
or I haven't been able to find a better way, and it takes quite some time
for fail2ban to act.
Fail2ban was in action
The IP 62.75.202.56 has just been banned by Fail2Ban after
58 attempts against ASTERISK.
So wondering what the hell SuSEfirewall2 is doing
Apr 13 03:56:10 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=62.75.202.56
DST=XXX.XXX.XXX.XX LEN=442 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP
SPT=5098 DPT=5060 LEN=422
Apr 13 03:56:10 whale kernel: SFW2-INext-ACC IN=eth0 OUT=
MAC=00:19:66:3f:7f:fe:00:0d:65:ec:6e:ae:08:00 SRC=62.75.202.56
DST=XXX.XXX.XXX.XX LEN=463 TOS=0x00 PREC=0x00 TTL=57 ID=0 DF PROTO=UDP
SPT=5068 DPT=5060 LEN=443
So there are two packets and they are both accepted. There are no dropped
packets from this attacker.
Looking at asterisk, this is again a brute force dictionary attack and
SuSEfirewall2 is not sufficient with
FW_SERVICES_ACCEPT_EXT="0/0,udp,5060,,hitcount=3,blockseconds=60,recentname=voip"
We have found one issue with this..
Can you look at or better post _all_ above "dmesg" entries?
As I said, for that time window there are only two log messages from
SuSEfirewall2, which I posted before; they are the same for dmesg also.

Asterisk messages do not show anything about TTL,
Post by Marcus Meissner
Check especially if the TTL changes for the same SRC IP.
TTL is in all cases the same TTL=57

What else should I configure, maybe in asterisk?

Togan
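Per's three rules, the ACC, ACC, ACC, DROPr sequence in Togan's first kernel log and Marcus's question about the TTL all come down to how the iptables recent match counts hits. The block below is an added example, not code posted in the thread and not part of SuSEfirewall2: a small Python model of --set, --update --seconds N --hitcount M and --rttl (the documented option that makes an entry TTL-specific, and the only reason a changing TTL matters to the match) that replays the quoted kernel log lines and a constructed minute of traffic from a legitimate phone. Two things in it are assumptions rather than facts from the page: that SuSEfirewall2 checks the hit count before recording the packet (the quoted log, three accepts then a drop at hitcount=3, is consistent with that order but does not prove it), and the packet sequence of the legitimate phone (a challenged REGISTER and one call, with RFC 5737 documentation addresses).

```python
import re
from datetime import datetime

# Added example, not code from the thread. A Python model of the iptables
# "recent" match (--set, --update --seconds N --hitcount M, and --rttl) so
# the SIP rate-limit rules discussed above can be dry-run against log lines
# before they are loaded on a live PBX. It simplifies the kernel's xt_recent:
# timestamps are plain seconds and only the per-entry stamp cap is modelled.

MAX_STAMPS = 20  # kernel default for ip_pkt_list_tot: hits remembered per entry

# Constructed copies of the four SFW2 kernel lines quoted above (Apr 4,
# 91.121.0.209 -> UDP/5060), trimmed to the fields this example reads.
SFW2_LINES = [
    "Apr 4 06:26:11 whale kernel: SFW2-INext-ACC IN=eth0 OUT= SRC=91.121.0.209 DST=X TTL=120 PROTO=UDP SPT=5078 DPT=5060",
    "Apr 4 06:26:12 whale kernel: SFW2-INext-ACC IN=eth0 OUT= SRC=91.121.0.209 DST=X TTL=120 PROTO=UDP SPT=5073 DPT=5060",
    "Apr 4 06:26:26 whale kernel: SFW2-INext-ACC IN=eth0 OUT= SRC=91.121.0.209 DST=X TTL=120 PROTO=UDP SPT=5070 DPT=5060",
    "Apr 4 06:26:32 whale kernel: SFW2-INext-DROPr IN=eth0 OUT= SRC=91.121.0.209 DST=X TTL=120 PROTO=UDP SPT=5071 DPT=5060",
]
SFW2_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: "
                     r"(?P<verdict>SFW2-\S+) .*?SRC=(?P<src>\S+) .*?TTL=(?P<ttl>\d+)")


def parse_sfw2(lines):
    """Return (seconds since first line, src, ttl, verdict prefix) per SFW2 line."""
    out, t0 = [], None
    for line in lines:
        m = SFW2_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        t0 = t0 or ts
        out.append(((ts - t0).total_seconds(), m["src"], int(m["ttl"]), m["verdict"]))
    return out


class RecentTable:
    """One list of hit timestamps per entry, like a /proc/net/xt_recent table."""

    def __init__(self, rttl=False):
        self.rttl = rttl  # --rttl: the same source with another TTL is a separate entry
        self.entries = {}

    def _key(self, src, ttl):
        return (src, ttl) if self.rttl else src

    def set(self, src, ttl, now):
        """--set: record a hit for this source; always succeeds."""
        stamps = self.entries.setdefault(self._key(src, ttl), [])
        stamps.append(now)
        del stamps[:-MAX_STAMPS]

    def update(self, src, ttl, now, seconds, hitcount):
        """--update --seconds --hitcount: match when the entry has at least
        hitcount hits within the last `seconds`; a match records this packet
        too, so a source that keeps sending stays matched."""
        stamps = self.entries.get(self._key(src, ttl))
        if stamps is None or sum(1 for t in stamps if now - t <= seconds) < hitcount:
            return False
        stamps.append(now)
        del stamps[:-MAX_STAMPS]
        return True


def run_rules(packets, seconds, hitcount, set_first, rttl=False):
    """Dry-run a per-source limit over (time, src, ttl) packets.

    set_first=True is the order of Per's rules (--set, then --update ... -j DROP),
    so the current packet counts towards hitcount. set_first=False checks first
    and records only accepted packets; Togan's ACC,ACC,ACC,DROPr log at hitcount=3
    is consistent with that order (an assumption). Returns one verdict per packet."""
    table = RecentTable(rttl)
    verdicts = []
    for now, src, ttl in packets:
        if set_first:
            table.set(src, ttl, now)
            drop = table.update(src, ttl, now, seconds, hitcount)
        else:
            drop = table.update(src, ttl, now, seconds, hitcount)
            if not drop:
                table.set(src, ttl, now)
        verdicts.append("DROP" if drop else "ACCEPT")
    return verdicts


def replay_togan_log(set_first=False):
    """Replay the quoted lines through hitcount=3, blockseconds=180 and return
    (simulated verdicts, verdicts the firewall actually logged)."""
    parsed = parse_sfw2(SFW2_LINES)
    simulated = run_rules([p[:3] for p in parsed], 180, 3, set_first)
    logged = ["DROP" if "DROP" in p[3] else "ACCEPT" for p in parsed]
    return simulated, logged


# Constructed traffic of one legitimate phone within a minute: REGISTER, the
# REGISTER retried with credentials after the 401, then one call (INVITE,
# INVITE with credentials, ACK, BYE). Six packets to UDP/5060.
LEGIT_PHONE = [(t, "198.51.100.7", 55) for t in (0, 1, 20, 21, 22, 50)]

# Constructed burst from one source whose TTL alternates between 57 and 58.
TTL_FLAPPING = [(i, "203.0.113.9", 57 + i % 2) for i in range(8)]

if __name__ == "__main__":
    print("Togan's log, check then set:", replay_togan_log())
    print("Per's rules (6 in 60 s, set first) on a legitimate phone:",
          run_rules(LEGIT_PHONE, 60, 6, set_first=True))
    print("hitcount=3 with --rttl on a TTL-flapping source:",
          run_rules(TTL_FLAPPING, 60, 3, set_first=False, rttl=True))
```

Per's ordering drops the sixth packet from a source in any 60 s window. With digest authentication each REGISTER and INVITE is sent twice (the first is challenged), so in the model a single registration plus one call from one phone reaches the threshold and its BYE is dropped, which is the kind of interference with legitimate traffic Per describes; the same traffic needs hitcount=7 under his ordering or hitcount=6 under check-then-set to pass. With --rttl a source whose TTL varies is spread over several entries and gets a higher budget, which is what Marcus's TTL question is probing. Kernel log lines are not a packet count when LOG rules are rate-limited (SuSEfirewall2 has FW_LOG_LIMIT for that), so two ACC lines for 58 registrations do not by themselves say how many packets reached Asterisk.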
Marcus Meissner
2013-04-04 11:58:55 UTC
Post by Togan Muftuoglu
Post by Marcus Meissner
remove it from the generic
FW_SERVICES_EXT_TCP
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Been there already, does not work, and of course EXT_UDP is not including
5060 :(
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh
0/0,udp,5060,,hitcount=3,blockseconds=180,recentname=voip"
Is this two lines or one?

I just tried to block zeroconf:
FW_SERVICES_ACCEPT_EXT="0/0,udp,5353,,hitcount=3,blockseconds=180,recentname=zeroconf"


dmesg|grep 5353
gives e.g entries like:

[1392831.200160] SFW2-INext-DROPr IN=eth0 OUT= MAC=01:00:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:SRC=<ip> DST=224.0.0.251 LEN=64 TOS=0x00 PREC=0x00 TTL=255 ID=0 DF PROTO=UDP SPT=5353 DPT=5353 LEN=44

"SFW2-INext-DROPr" is the drop target.

Ciao, Marcus
Togan Muftuoglu
2013-04-04 12:01:47 UTC
Post by Marcus Meissner
Post by Togan Muftuoglu
Post by Marcus Meissner
remove it from the generic
FW_SERVICES_EXT_TCP
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
Been there already, does not work, and of course EXT_UDP is not including
5060 :(
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh
0/0,udp,5060,,hitcount=3,blockseconds=180,recentname=voip"
Is this two lines or one?
One line
Per Jessen
2013-04-04 11:31:48 UTC
Post by Marcus Meissner
Post by Togan Muftuoglu
Post by Per Jessen
Our asterisk server is seeing numerous brute force attempts to get
access to a SIP account. I've tried setting up a 'prevent flood'
config with iptables, but without much success. fail2ban et al
does not work, so I was hoping someone might have a hint wrt an
iptables setup to stop such brute force attacks?
Well, not the answer you are looking for, but don't find yourself
alone in this game, as my server is also under brute force attack,
and no, till now I have not been able to find any solution either. I
have tried all the approaches you have tried but no success. I can't
find a way to block, as most of these attacks are logged as below,
where XXX is my server's own address, hence fail2ban unfortunately
fails, or I can't find a better way to get the attackers' IP
address.
So if you find a solution please share, as this issue has been getting
on my nerves for a long time now
Is this always the same TCP/UDP port?
Yes, always UDP port 5060.
Post by Marcus Meissner
Then add a filter like the ssh "recent" filtering?
remove it from the generic
FW_SERVICES_EXT_TCP
FW_SERVICES_ACCEPT_EXT="0/0,tcp,22,,hitcount=3,blockseconds=60,recentname=ssh"
I've tried that, but had to disable it. I can't remember why, but it
somehow interfered with legitimate SIP traffic.
--
Per Jessen, Zürich (7.3°C)
http://www.dns24.ch/ - free DNS hosting, made in Switzerland.