iptables+fireHOL not blocking IP's (SecAst (Security for Asterisk) forum, Installation & Upgrade)

    teliumcustomer19
    Member
    Post count: 2

    Ubuntu 16.04 LTS x64
    Asterisk 11.25.1 LTS
    Secast-1.4.7-x86_64-ub16
    FireHOL 2.0.3 Home Page: http://firehol.org

    Problem 1:
    “IP’s manually banned aren’t setting iptables entries”

    from /var/log/secast

    Wed Apr 19 00:00:07 2017, 00000204, I, Telnet Server, Client 7: Executing command [banip add 195.154.38.22]
    Wed Apr 19 00:00:07 2017, 00000608, S, Security Event Queue, Banning manual IP '195.154.38.22' as managed
    Wed Apr 19 00:00:07 2017, 00000707, E, System Command, Failed to find rules for iptables chain. Run result 0; exitcode 1
    Wed Apr 19 00:00:07 2017, 00000710, E, System Command, Failed to add rule to iptables chain. Run result 0; exitcode 1

    Problem 2:
    “attacks aren’t being detected”

    On the Asterisk console:

    [Apr 19 00:16:26] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"104"' failed for '163.172.121.136:1331' - Wrong password
    [Apr 19 00:17:10] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"108"' failed for '163.172.121.136:1343' - Wrong password
    [Apr 19 00:17:29] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"110"' failed for '163.172.121.136:1347' - Wrong password
    [Apr 19 00:18:22] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"106"' failed for '163.172.121.136:1337' - Wrong password

    in /var/log/asterisk/messages

    [Apr 19 00:16:26] NOTICE[23258] chan_sip.c: Registration from '"104"' failed for '163.172.121.136:1331' - Wrong password
    [Apr 19 00:16:26] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586186-906350",Severity="Error",Service="SIP",EventVersion="2",AccountID="104",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1331",Challenge="6635aaf4",ReceivedChallenge="6635aaf4",ReceivedHash="7e1c6cf66d26143aaf2fe34b13b2d7cf"
    [Apr 19 00:17:10] SECURITY[23243] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1492586230-312224",Severity="Informational",Service="SIP",EventVersion="1",AccountID="108",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1343",Challenge="60b81fa1"
    [Apr 19 00:17:10] NOTICE[23258] chan_sip.c: Registration from '"108"' failed for '163.172.121.136:1343' - Wrong password
    [Apr 19 00:17:10] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586230-463449",Severity="Error",Service="SIP",EventVersion="2",AccountID="108",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1343",Challenge="60b81fa1",ReceivedChallenge="60b81fa1",ReceivedHash="4dc53d20eaa6dd25c508ba7b79a4570a"
    [Apr 19 00:17:29] SECURITY[23243] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1492586249-415321",Severity="Informational",Service="SIP",EventVersion="1",AccountID="110",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1347",Challenge="01bb4376"
    [Apr 19 00:17:29] NOTICE[23258] chan_sip.c: Registration from '"110"' failed for '163.172.121.136:1347' - Wrong password
    [Apr 19 00:17:29] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586249-562681",Severity="Error",Service="SIP",EventVersion="2",AccountID="110",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1347",Challenge="01bb4376",ReceivedChallenge="01bb4376",ReceivedHash="54b8e6ac114d6bddaf083230e11a35fc"
    [Apr 19 00:18:21] SECURITY[23243] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1492586301-854490",Severity="Informational",Service="SIP",EventVersion="1",AccountID="106",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1337",Challenge="7e9808a1"
    [Apr 19 00:18:22] NOTICE[23258] chan_sip.c: Registration from '"106"' failed for '163.172.121.136:1337' - Wrong password
    [Apr 19 00:18:22] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586302-7541",Severity="Error",Service="SIP",EventVersion="2",AccountID="106",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1337",Challenge="7e9808a1",ReceivedChallenge="7e9808a1",ReceivedHash="490071a90f52500759e89e1392e177f9"

    Some relevant /etc/xdg/telium/secast.conf snippets

    [banip] ;==================================================================
    ; This stanza refers to how SecAst will block/allow IP addresses, as well
    ; as how it tracks blocked IP addresses.

    ; Flush any pre-existing IP's found in the firewall's SecAst list on program
    ; start. Any pre-existing IP's found will not be automatically removed
    ; after the timeout period (they can be manually controlled only)
    ; Valid values: Yes/True/1 / No/False/0
    flushonstart=0

    ; Flush any pre-existing IP’s found in firewalls’ SecAst list on program
    ; exit
    ; Valid values: Yes/True/1 / No/False/0
    flushonexit=0

    ; Perform internal tracking as if an IP were banned by firewall, but do not
    ; actually add detected intrusion IP’s to firewall. Affecting messages will be
    ; prefixed with [TESTMODE] in the event log. This may cause some additional
    ; warnings to appear in the log file but they can be safely ignored.
    ; Valid values: Yes/True/1 No/False/0
    testmode=false

    ; Number of hours for which an IP will be banned. Minimum is 1 hour,
    ; maximum is 168 hours (i.e. 1 week). Warning: if your firewall is slowing
    ; down network traffic because the SecAst list is too large, reduce the
    ; duration.
    ; Valid range: 1 to 168 hours (i.e. 1 hour to 7 days)
    duration=72

    ; Should IP addresses already found blocked in firewall’s SecAst list be
    ; treated as managed (i.e. automatically delete after duration)
    ; Valid values include Yes/True/1 / No/False/0
    manageexisting=true

    ; Should IP addresses manually added be treated as managed
    ; (i.e. automatically delete after duration)
    ; Valid values include Yes/True/1 / No/False/0
    managemanual=true

    ; Should firewall actions use iptables. If set to false, then SecAst will
    ; rely only on the external program listed below. If the external program is blank,
    ; then no IP firewalling will take place
    ; Valid values include Yes/True/1 / No/False/0
    useiptables=true

    ; Whether or not to save banip data to the SQL database.
    ; Valid values include Yes/True/1 / No/False/0
    ; If left blank will default to false
    savetodb=

    ; Number of days of banip data to retain. Data beyond this number
    ; of days will be purged on a daily basis. This value is measured in days. If
    ; set to 0 then data will be retained indefinitely (i.e. never purge).
    ; Valid range: 0, 1 to 1095 (i.e. indefinite, or 1 day to 3 years)
    ; If left blank will default to 30
    dbretentiondays=20

    [network] ;==================================================================

    ; Address to listen on for management interface
    ; LocalHostIPv4 The IPv4 localhost address. Equivalent to
    ; QHostAddress("127.0.0.1").
    ; LocalHostIPv6 The IPv6 localhost address. Equivalent to
    ; QHostAddress("::1").
    ; AnyIPv4 The IPv4 any-address. Equivalent to
    ; QHostAddress("0.0.0.0"). A socket bound with this
    ; address will listen only on IPv4 interfaces.
    ; AnyIPv6 The IPv6 any-address. Equivalent to QHostAddress("::").
    ; A socket bound with this address will listen only on
    ; IPv6 interfaces.
    ; Any The dual stack any-address. A socket bound with this
    ; address will listen on both IPv4 and IPv6 interfaces.
    ; 1.2.3.4 The specific IPv4 address
    ; 1111:2222:3333:4444:5555:6666:7777:8888 The specific IPv6 address
    managementaddress=anyipv4

    ;Port to listen on for management interface.
    ; Set to 0 to use a random port
    managementport=3000

    ; Subnets considered trusted. If more than one network is required then
    ; separate them with pipes (|). Networks must be in the form: X.X.X.X/B
    ; For example, 1.2.3.4/24 means subnet 1.2.3.4 with 24 bit mask, also known
    ; as 255.255.255.0 bitmask
    trustednetworks=10.0.0.0/24 | 192.168.90.0/24

    [credentials] ;=================================================================
    ; This stanza refers to detection attempts to gain access to the Asterisk system
    ; resources using invalid credentials

    ; Maximum number of seconds between intrusion attempts (use of resources with
    ; invalid credentials), to be considered part of a single attack window. (If
    ; intrusions are spaced beyond this interval, then they are considered to be in
    ; separate attack windows). Extend this number if you find attackers are
    ; spreading their attempts over hours or days.
    ; Valid range: 1-604800 (i.e. 1 second to 1 week)
    ; Default: 60
    maxintrusioninterval=3500

    ; Maximum number of intrusion attempts within a single attack window before banning
    ; the source IP. Set this number as low as possible without frustrating valid
    ; users.
    ; Valid range: 1 to 100
    ; Default: 3
    maxintrusions=1

    SecAst Console:
    All banned IP's were entered manually with "banip add nnn.nnn.nnn.nnn"


    SecAst>status
    SecAst state: protecting
    Asterisk connection state: logged in
    Threat level: low
    IP banning enforcement: enforced
    Database status: disconnected
    Run Time: 2 hours, 36 minutes, 11 seconds
    Intrusion attempts in window: 0
    Total instrusion attempts: 0
    IP’s Banned: 4 addresses
    IP’s Watched: 0 addresses
    Users Watched: 0 users
    SecAst>banip list
    163.172.121.136 2 days, 23 hours, 11 minutes, 58 seconds
    212.83.134.244 2 days, 23 hours, 14 minutes, 8 seconds
    212.83.130.10 2 days, 23 hours, 20 minutes, 42 seconds
    195.154.38.22 2 days, 23 hours, 21 minutes, 6 seconds

    iptables content
    In case it’s relevant to Secast operation


    Chain INPUT (policy DROP)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:51413
    DROP all -f 0.0.0.0/0 0.0.0.0/0
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipcli" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip-scan" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "iWar" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipvicious" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipsak" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sundayddr" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "VaxSIPUserAgent" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    in_mylan all -- 0.0.0.0/0 0.0.0.0/0
    in_internet all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 10.0.0.0/8 0.0.0.0/0
    DROP all -- 169.254.0.0/16 0.0.0.0/0
    DROP all -- 172.16.0.0/12 0.0.0.0/0
    DROP all -- 127.0.0.0/8 0.0.0.0/0
    DROP all -- 192.168.0.0/24 0.0.0.0/0
    DROP all -- 224.0.0.0/4 0.0.0.0/0
    DROP all -- 0.0.0.0/0 224.0.0.0/4
    DROP all -- 240.0.0.0/5 0.0.0.0/0
    DROP all -- 0.0.0.0/0 240.0.0.0/5
    DROP all -- 0.0.0.0/8 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/8
    DROP all -- 0.0.0.0/0 239.255.255.0/24
    DROP all -- 0.0.0.0/0 255.255.255.255
    DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 17
    DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04 limit: avg 2/sec burst 2
    DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
    all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
    all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
    in_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
    out_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    out_mylan all -- 0.0.0.0/0 0.0.0.0/0
    out_internet all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain in_internet (1 references)
    target prot opt source destination
    pr_internet_fragments all -f 0.0.0.0/0 0.0.0.0/0
    pr_internet_nosyn tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp flags:!0x17/0x02
    pr_internet_icmpflood icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
    pr_internet_synflood tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
    pr_internet_malxmas tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
    pr_internet_malnull tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
    pr_internet_malbad tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
    pr_internet_malbad tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
    pr_internet_malbad tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
    pr_internet_malbad tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
    DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
    pr_internet_allflood all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW
    in_internet_ping_s1 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_dns_s2 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_sip_s3 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_rtp_s4 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_smtp_s5 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_imaps_s6 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_pop3s_s7 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_http_s8 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_https_s9 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_ssh_s10 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_ident_s11 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_all_c12 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_ftp_c13 all -- 0.0.0.0/0 0.0.0.0/0
    in_internet_irc_c14 all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-internet:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain in_internet_all_c12 (1 references)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED

    Chain in_internet_dns_s2 (1 references)
    target prot opt source destination
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW,ESTABLISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ctstate NEW,ESTABLISHED

    Chain in_internet_ftp_c13 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:32768:60999 ctstate ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "ftp"

    Chain in_internet_http_s8 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80 ctstate NEW,ESTABLISHED

    Chain in_internet_https_s9 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443 ctstate NEW,ESTABLISHED

    Chain in_internet_ident_s11 (1 references)
    target prot opt source destination
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:113 ctstate NEW,ESTABLISHED reject-with tcp-reset

    Chain in_internet_imaps_s6 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:993 ctstate NEW,ESTABLISHED

    Chain in_internet_irc_c14 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:6667 dpts:32768:60999 ctstate ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "irc"

    Chain in_internet_ping_s1 (1 references)
    target prot opt source destination
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,ESTABLISHED icmptype 8

    Chain in_internet_pop3s_s7 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:995 ctstate NEW,ESTABLISHED

    Chain in_internet_rtp_s4 (1 references)
    target prot opt source destination
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000 ctstate NEW,ESTABLISHED

    Chain in_internet_sip_s3 (1 references)
    target prot opt source destination
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5060 dpt:5060 ctstate NEW,ESTABLISHED
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:5060 ctstate NEW,ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "sip"

    Chain in_internet_smtp_s5 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 ctstate NEW,ESTABLISHED

    Chain in_internet_ssh_s10 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 ctstate NEW,ESTABLISHED

    Chain in_lan2internet (1 references)
    target prot opt source destination
    in_lan2internet_all_s1 all -- 0.0.0.0/0 0.0.0.0/0
    in_lan2internet_ftp_s2 all -- 0.0.0.0/0 0.0.0.0/0
    in_lan2internet_irc_s3 all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-lan2internet:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain in_lan2internet_all_s1 (1 references)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,ESTABLISHED

    Chain in_lan2internet_ftp_s2 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 ctstate NEW,ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "ftp"

    Chain in_lan2internet_irc_s3 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:6667 ctstate NEW,ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "irc"

    Chain in_mylan (1 references)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

    Chain out_internet (1 references)
    target prot opt source destination
    out_internet_ping_s1 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_dns_s2 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_sip_s3 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_rtp_s4 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_smtp_s5 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_imaps_s6 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_pop3s_s7 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_http_s8 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_https_s9 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_ssh_s10 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_ident_s11 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_all_c12 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_ftp_c13 all -- 0.0.0.0/0 0.0.0.0/0
    out_internet_irc_c14 all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-internet:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain out_internet_all_c12 (1 references)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,ESTABLISHED

    Chain out_internet_dns_s2 (1 references)
    target prot opt source destination
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 ctstate ESTABLISHED
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 ctstate ESTABLISHED

    Chain out_internet_ftp_c13 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:60999 dpt:21 ctstate NEW,ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "ftp"

    Chain out_internet_http_s8 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpts:1024:65535 ctstate ESTABLISHED

    Chain out_internet_https_s9 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:443 dpts:1024:65535 ctstate ESTABLISHED

    Chain out_internet_ident_s11 (1 references)
    target prot opt source destination
    REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:113 dpts:1024:65535 ctstate ESTABLISHED reject-with tcp-reset

    Chain out_internet_imaps_s6 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:993 dpts:1024:65535 ctstate ESTABLISHED

    Chain out_internet_irc_c14 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:60999 dpt:6667 ctstate NEW,ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "irc"

    Chain out_internet_ping_s1 (1 references)
    target prot opt source destination
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED icmptype 0

    Chain out_internet_pop3s_s7 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:995 dpts:1024:65535 ctstate ESTABLISHED

    Chain out_internet_rtp_s4 (1 references)
    target prot opt source destination
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:10000:20000 ctstate ESTABLISHED

    Chain out_internet_sip_s3 (1 references)
    target prot opt source destination
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5060 dpt:5060 ctstate ESTABLISHED
    ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5060 dpts:1024:65535 ctstate ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "sip"

    Chain out_internet_smtp_s5 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:25 dpts:1024:65535 ctstate ESTABLISHED

    Chain out_internet_ssh_s10 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:1024:65535 ctstate ESTABLISHED

    Chain out_lan2internet (1 references)
    target prot opt source destination
    out_lan2internet_all_s1 all -- 0.0.0.0/0 0.0.0.0/0
    out_lan2internet_ftp_s2 all -- 0.0.0.0/0 0.0.0.0/0
    out_lan2internet_irc_s3 all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-lan2internet:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain out_lan2internet_all_s1 (1 references)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED

    Chain out_lan2internet_ftp_s2 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:1024:65535 ctstate ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "ftp"

    Chain out_lan2internet_irc_s3 (1 references)
    target prot opt source destination
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:6667 dpts:1024:65535 ctstate ESTABLISHED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "irc"

    Chain out_mylan (1 references)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

    Chain pr_internet_allflood (1 references)
    target prot opt source destination
    RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 60/sec burst 10
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "ALL_FLOOD:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain pr_internet_fragments (1 references)
    target prot opt source destination
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PACKET_FRAGMENTS:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain pr_internet_icmpflood (1 references)
    target prot opt source destination
    RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 50
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "ICMP_FLOOD:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain pr_internet_malbad (4 references)
    target prot opt source destination
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED_BAD:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain pr_internet_malnull (1 references)
    target prot opt source destination
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED_NULL:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain pr_internet_malxmas (1 references)
    target prot opt source destination
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED_XMAS:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain pr_internet_nosyn (1 references)
    target prot opt source destination
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "NEW_TCP_w/o_SYN:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain pr_internet_synflood (1 references)
    target prot opt source destination
    RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 50
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "SYN_FLOOD:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0
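The [credentials] stanza above says how SecAst is supposed to turn the res_security_log.c lines into bans: failures from one source that are spaced no more than maxintrusioninterval seconds apart belong to one attack window, and the window's maxintrusions-th failure bans the source. The script below is an added example written for this thread, not SecAst's own code or anything from the poster; it applies that reading of the two keys to the InvalidPassword lines quoted from /var/log/asterisk/messages (copied with plain ASCII quotes, plus one made-up line from a second source for contrast) so you can see which addresses the poster's settings (maxintrusions=1, maxintrusioninterval=3500) would ban versus the documented defaults (3 and 60).

```python
import re

# Constructed sample: the InvalidPassword lines and one ChallengeSent line quoted
# in the post, plus a final line from a second source that is made up for contrast.
SAMPLE_LOG = """\
[Apr 19 00:16:26] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586186-906350",Severity="Error",Service="SIP",EventVersion="2",AccountID="104",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1331",Challenge="6635aaf4",ReceivedChallenge="6635aaf4",ReceivedHash="7e1c6cf66d26143aaf2fe34b13b2d7cf"
[Apr 19 00:17:10] SECURITY[23243] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1492586230-312224",Severity="Informational",Service="SIP",EventVersion="1",AccountID="108",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1343",Challenge="60b81fa1"
[Apr 19 00:17:10] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586230-463449",Severity="Error",Service="SIP",EventVersion="2",AccountID="108",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1343",Challenge="60b81fa1",ReceivedChallenge="60b81fa1",ReceivedHash="4dc53d20eaa6dd25c508ba7b79a4570a"
[Apr 19 00:17:29] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586249-562681",Severity="Error",Service="SIP",EventVersion="2",AccountID="110",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1347",Challenge="01bb4376",ReceivedChallenge="01bb4376",ReceivedHash="54b8e6ac114d6bddaf083230e11a35fc"
[Apr 19 00:18:22] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586302-7541",Severity="Error",Service="SIP",EventVersion="2",AccountID="106",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1337",Challenge="7e9808a1",ReceivedChallenge="7e9808a1",ReceivedHash="490071a90f52500759e89e1392e177f9"
[Apr 19 00:20:00] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586400-000000",Severity="Error",Service="SIP",EventVersion="2",AccountID="200",SessionID="0x0",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",Challenge="00000000",ReceivedChallenge="00000000",ReceivedHash="00000000000000000000000000000000"
"""

# Every field of a security-log line is Key="value", so one regex recovers them all.
KV_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_security_event(line):
    """Return the Key/value pairs of one res_security_log line, or None for other lines."""
    if "SecurityEvent=" not in line:
        return None
    return dict(KV_RE.findall(line))


def remote_ip(address):
    """RemoteAddress looks like IPV4/UDP/163.172.121.136/1331; pull out the address part."""
    parts = address.split("/")
    return parts[2] if len(parts) >= 4 else None


def event_seconds(event_tv):
    """EventTV is 'seconds-microseconds' since the epoch; the window only needs seconds."""
    return int(event_tv.split("-")[0])


def find_banned(lines, maxintrusions=3, maxintrusioninterval=60,
                failure_events=("InvalidPassword",)):
    """Apply the attack-window model to a log: consecutive failures from one source
    closer than maxintrusioninterval seconds share a window, and the source is banned
    when a window reaches maxintrusions failures. Returns {ip: epoch second of the
    failure that triggered the ban}."""
    windows = {}   # ip -> (failures in current window, time of last failure)
    banned = {}
    for line in lines:
        event = parse_security_event(line)
        if not event or event.get("SecurityEvent") not in failure_events:
            continue   # ChallengeSent and other informational events are not intrusions
        ip = remote_ip(event.get("RemoteAddress", ""))
        if ip is None or ip in banned:
            continue
        now = event_seconds(event["EventTV"])
        count, last = windows.get(ip, (0, None))
        if last is not None and now - last > maxintrusioninterval:
            count = 0   # gap too long: earlier attempts belong to a previous window
        count += 1
        windows[ip] = (count, now)
        if count >= maxintrusions:
            banned[ip] = now
    return banned


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("poster's settings (1 attempt, 3500 s):", find_banned(lines, 1, 3500))
    print("documented defaults (3 attempts, 60 s):", find_banned(lines))
```

With the poster's settings every source is banned on its first failure, which is why the status output's "Intrusion attempts in window: 0" alongside zero automatic bans points at the log never being read rather than at the thresholds; with the defaults the four failures from 163.172.121.136 (44 s, 19 s and 53 s apart) still fall into one window and the third one bans it, while the single made-up failure from the other source does not.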

    Telium Support Group
    Member
    Post count: 258

    Problem 1: iptables rules not being created

    When SecAst starts it creates a SECAST chain linked into your iptables’ INPUT chain like this:


    Chain INPUT (policy ACCEPT)
    target prot opt source destination
    SECAST all -- anywhere anywhere

    And the SECAST chain is where dropping of attackers’ IP’s occurs. I see from your iptables list that the above rule is missing – and that’s why you are not able to block attacker IP’s. So the question is why is the SECAST chain rule being refused/lost. Are you updating/flushing your iptables rules (eg: regenerating using FireHOL) after SecAst starts? Is there an error in the SecAst log upon service start indicating any iptables related errors?

    Problem 2: Attackers not detected

    You did not include the [asterisk] stanza of your secast.conf, so ensure the securityevents key is blank (use the AMI), or points to a valid /var/log/asterisk/messages file. That’s usually the cause.

    I suggest you stop SecAst, delete the secast log file, and restart Secast, then manually ban 1 IP. Either post the secast log (or send to support@autocommander.aws2.ocg.ca if you are concerned about making content public) and we can look there for further clues.

    If this is a commercial environment keep in mind that we recommend blocking attackers at the network edge (firewall) – letting SecAst add rules to your firewall.
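The reply's diagnosis is a structural one: bans only work if a SECAST chain exists and INPUT jumps to it, and a firewall generator such as FireHOL that rebuilds the rule set after SecAst has started will silently drop both. The script below is an added example for this thread, not SecAst's or FireHOL's code; it reads the rule set in `iptables -S` (iptables-save) syntax and answers exactly those two questions, so the check can be run after every firewall reload. The two rule listings are constructed samples, one modelled on the poster's FireHOL chains (no SECAST chain at all) and one on the layout the reply describes; the chain name SECAST comes from the reply, and the one dropped address is taken from the first post.

```python
import re
import subprocess

# Constructed sample in `iptables -S` syntax modelled on the poster's FireHOL
# rule set: user chains exist, but there is no SECAST chain and no jump to it.
RULES_WITHOUT_SECAST = """\
-P INPUT DROP
-P FORWARD DROP
-P OUTPUT DROP
-N in_internet
-N in_mylan
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -j in_mylan
-A INPUT -j in_internet
-A INPUT -j DROP
"""

# Constructed sample of the layout the support reply describes: a SECAST chain
# referenced from INPUT, here holding one of the addresses from the first post.
RULES_WITH_SECAST = """\
-P INPUT ACCEPT
-N SECAST
-A INPUT -j SECAST
-A SECAST -s 195.154.38.22/32 -j DROP
"""


def audit_ban_chain(rules_text, chain="SECAST"):
    """Inspect a rule listing for the ban chain: does it exist, does INPUT jump
    to it, and which sources does it currently drop?"""
    lines = [line.strip() for line in rules_text.splitlines()]
    exists = f"-N {chain}" in lines
    # A jump may carry extra matches (-i eth0 ...) before the -j, so allow them.
    jump_re = re.compile(rf"^-A INPUT(?:\s.*)?\s-j {re.escape(chain)}$")
    hooked = any(jump_re.match(line) for line in lines)
    drop_re = re.compile(rf"^-A {re.escape(chain)}\s+-s\s+(\S+)\s+-j DROP$")
    dropped = [m.group(1) for m in map(drop_re.match, lines) if m]
    return {"exists": exists, "hooked": hooked, "dropped_sources": dropped}


def diagnose(audit):
    """Turn an audit result into the one-line verdict an operator wants."""
    if not audit["exists"]:
        return ("ban chain missing: it was never created or the rule set was "
                "regenerated after SecAst started")
    if not audit["hooked"]:
        return "ban chain exists but INPUT does not jump to it, so nothing is blocked"
    return f"ban chain active, dropping {len(audit['dropped_sources'])} source(s)"


def live_rules():
    """Read the running rule set (needs root); -S prints iptables-save syntax."""
    return subprocess.run(["iptables", "-S"], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    for name, text in (("constructed FireHOL-only rules", RULES_WITHOUT_SECAST),
                       ("constructed healthy rules", RULES_WITH_SECAST)):
        print(f"{name}: {diagnose(audit_ban_chain(text))}")
    # On a real host: print(diagnose(audit_ban_chain(live_rules())))
```

Running the audit on the poster's listing gives the first verdict, which matches the "Failed to find rules for iptables chain" errors in the SecAst log; a rule set that reports "active" right after SecAst starts but "missing" after a FireHOL restart confirms the ordering problem the reply asks about.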

    teliumcustomer19
    Member
    Post count: 2

    Quote:
    I suggest you stop SecAst, delete the secast log file, and restart Secast, then manually ban 1 IP. Either post the secast log (or send to support@autocommander.aws2.ocg.ca if you are concerned about making content public) and we can look there for further clues.

    If this is a commercial environment keep in mind that we recommend blocking attackers at the network edge (firewall) – letting SecAst add rules to your firewall.

    Your recommendation may have worked. Evidence follows…

    /etc/xdg/telium/secast.conf


    [asterisk] ;=================================================================

    ; Location of logfile containing security related messages. In versions of
    ; Asterisk prior to 10 this would normally be the primary messages file
    ; (/var/log/asterisk/messages), while in later versions of Asterisk this would
    ; be the security file (/var/log/asterisk/security)
    securitylog="/var/log/asterisk/messages"
    ;securitylog=/var/log/asterisk/security

    ; hostname or ip address of the Asterisk server. Normally this should be set
    ; to "localhost" but can be any valid IP/hostname
    hostname="localhost"

    ; Port number to connect to Asterisk Management Interface (AMI). This should
    ; match the port settings of the manager.conf file on the Asterisk server.
    ; This is normally set to 5038
    port=5038

    ; Username used for authentication to the AMI. This should match the section
    ; heading in the manager.conf file on the Asterisk server. Normally this
    ; should be set to "secast"
    username="secast"

    ; Secret used for authentication to the AMI. This should match the secret set
    ; in the section heading for the username above, in the manager.conf file on
    ; the Asterisk server. This should not be left at the default of "secast"
    secret="MySecret"

    Asterisk Console

    pluto*CLI>
    [Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
    [Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
    == Manager 'secast' logged off from 127.0.0.1
    == Manager 'secast' logged on from 127.0.0.1
    pluto*CLI>

    /var/log/secast

    root@pluto:/var/log# /usr/local/secast/secast
    secast version 1.4.7 started under PID 2502
    secast switched to daemon under PID 2503
    root@pluto:/var/log# cat /var/log/secast
    Wed Apr 19 09:44:13 2017, 00000100, I, General, SecAst version 1.4.1103 starting as daemon under process ID 2503
    Wed Apr 19 09:44:13 2017, 00001011, W, License, License file not found. Switching to Free Edition
    Wed Apr 19 09:44:13 2017, 00000122, I, General, Settings contained 0 information; 0 warning; and 0 error messages.
    Wed Apr 19 09:44:13 2017, 00000300, I, Controller, Telnet server listening on 0.0.0.0:3000
    Wed Apr 19 09:44:13 2017, 00001600, I, Controller, Pipe server listening on /run/secast.sock
    Wed Apr 19 09:44:13 2017, 00000702, E, System Command, Failed to determine if iptables chain exists. Run result 0; exitcode 1
    Wed Apr 19 09:44:13 2017, 00001302, I, Geo IP, Opened GeoIP database
    Wed Apr 19 09:44:13 2017, 00002837, I, Controller, Restoring recovering state from file created by host 'Arno-PBX' at Wed Apr 19 09:41:05 2017
    Wed Apr 19 09:44:13 2017, 00002831, I, Controller, Recovery state will be saved every 60 seconds
    Wed Apr 19 09:44:13 2017, 00001258, I, Asterisk Controller, Starting
    Wed Apr 19 09:44:18 2017, 00000801, E, Alert, Failed to send email: SecAst Starting
    Wed Apr 19 09:44:18 2017, 00000107, I, General, SecAst state changing to not protecting
    Wed Apr 19 09:44:23 2017, 00000801, E, Alert, Failed to send email: Entering Non-Protecting State
    Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '163.172.121.136' as managed
    Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.134.244' as managed
    Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.130.10' as managed
    Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '195.154.38.22' as managed
    Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '69.30.245.18' as managed
    Wed Apr 19 09:44:23 2017, 00001201, I, Asterisk Controller, Connection established to AMI
    Wed Apr 19 09:44:23 2017, 00000108, I, General, SecAst state changing to protecting
    Wed Apr 19 09:44:28 2017, 00000801, E, Alert, Failed to send email: Entering Protecting State
    Wed Apr 19 09:44:31 2017, 00000202, I, Telnet Server, Client 1: Connecting from 127.0.0.1:47346
    Wed Apr 19 09:44:45 2017, 00000204, I, Telnet Server, Client 1: Executing command [status]
    Wed Apr 19 09:45:18 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip add 1.2.3.4]
    Wed Apr 19 09:45:18 2017, 00000608, S, Security Event Queue, Banning manual IP '1.2.3.4' as managed
    Wed Apr 19 09:45:29 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip list]
    root@pluto:/var/log#

    SecAst Console

    pluto% telnet localhost 3000
    Trying ::1...
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    SecAst telnet interface on 'Arno-PBX'
    SecAst>status
    SecAst state: protecting
    Asterisk connection state: logged in
    Threat level: low
    IP banning enforcement: enforced
    Database status: disconnected
    Run Time: 31 seconds
    Intrusion attempts in window: 0
    Total instrusion attempts: 0
    IP's Banned: 5 addresses
    IP's Watched: 0 addresses
    Users Watched: 0 users
    SecAst>banip add 1.2.3.4
    Issued request to add IP 1.2.3.4. Check event log for errors, or use 'banip list' to confirm add
    SecAst>banip list
    163.172.121.136 2 days, 23 hours, 58 minutes, 43 seconds
    212.83.134.244 2 days, 23 hours, 58 minutes, 43 seconds
    212.83.130.10 2 days, 23 hours, 58 minutes, 43 seconds
    195.154.38.22 2 days, 23 hours, 58 minutes, 43 seconds
    69.30.245.18 2 days, 23 hours, 58 minutes, 43 seconds
    1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds
    SecAst>

    iptables entries

    root@pluto:~# iptables -nL|less
    Chain INPUT (policy DROP)
    target prot opt source destination
    SECAST all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 69.30.245.18 0.0.0.0/0
    DROP all -- 163.172.121.136 0.0.0.0/0
    DROP all -- 212.83.130.10 0.0.0.0/0
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:51413
    DROP all -f 0.0.0.0/0 0.0.0.0/0
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipcli" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip-scan" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "iWar" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipvicious" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipsak" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sundayddr" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "VaxSIPUserAgent" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    in_mylan all -- 0.0.0.0/0 0.0.0.0/0
    in_internet all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 10.0.0.0/8 0.0.0.0/0
    DROP all -- 169.254.0.0/16 0.0.0.0/0
    DROP all -- 172.16.0.0/12 0.0.0.0/0
    DROP all -- 127.0.0.0/8 0.0.0.0/0
    DROP all -- 192.168.0.0/24 0.0.0.0/0
    DROP all -- 224.0.0.0/4 0.0.0.0/0
    DROP all -- 0.0.0.0/0 224.0.0.0/4
    DROP all -- 240.0.0.0/5 0.0.0.0/0
    DROP all -- 0.0.0.0/0 240.0.0.0/5
    DROP all -- 0.0.0.0/8 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/8
    DROP all -- 0.0.0.0/0 239.255.255.0/24
    DROP all -- 0.0.0.0/0 255.255.255.255
    DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 17
    DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04 limit: avg 2/sec burst 2
    DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
    all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
    all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
    in_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
    out_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    out_mylan all -- 0.0.0.0/0 0.0.0.0/0
    out_internet all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain SECAST (1 references)
    target prot opt source destination
    DROP all -- 1.2.3.4 0.0.0.0/0
    DROP all -- 69.30.245.18 0.0.0.0/0
    DROP all -- 195.154.38.22 0.0.0.0/0
    DROP all -- 212.83.130.10 0.0.0.0/0
    DROP all -- 212.83.134.244 0.0.0.0/0
    DROP all -- 163.172.121.136 0.0.0.0/0
    RETURN all -- 0.0.0.0/0 0.0.0.0/0

    . . .

    This is a home installation.

    My intent is to let SecAst modify the firewall as necessary. I am concerned about interactions between SecAst and FireHOL. I have a lot more interaction with FireHOL than SecAst, so I’d really like a way to allow SecAst to “self heal” even if it is semi-automatic/manual. I could envision a command such as “SecAst> iptables init” with others such as “SecAst> iptables list” to show/verify what SecAst added to iptables. Or every N number of minutes (or with each new “detected” attack), have SecAst verify its installation in iptables and restore iptables as necessary from the BanIP list. Or even better, is there something I can add to FireHOL config /etc/firehol/firehol.conf which will call SecAst to re-add/verify its installation in iptables?

    I really like your phpBB installation, very effective!

    Thank you for your help. I suspect SecAst is now running properly until I accidentally break it again with FireHOL. 😳
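    The "verify what SecAst added to iptables" check asked for in the post above, as an added example that is not part of this thread and is not SecAst's or FireHOL's own code. It compares the IPs that `banip list` reports as banned with the DROP rules actually present in the SECAST chain (as printed by `iptables -nL SECAST`) and reports any ban that is not enforced, plus the case where the chain itself is gone. The two listings embedded in it are constructed samples modelled on the ones shown earlier in the thread, with two rules deliberately absent; the function names are my own.

```shell
#!/bin/sh
# Added example (not SecAst's or FireHOL's own code): check that every IP SecAst
# reports as banned is actually enforced by a DROP rule in the SECAST iptables
# chain. Both inputs below are constructed samples modelled on the listings in
# this thread; on a live box feed it the real output of
#   iptables -nL SECAST        (chain listing)
#   SecAst> banip list         (from the telnet console)

# Constructed sample of 'banip list': IP followed by the remaining ban time.
SAMPLE_BANIP_LIST='163.172.121.136 2 days, 23 hours, 58 minutes, 43 seconds
212.83.134.244 2 days, 23 hours, 58 minutes, 43 seconds
195.154.38.22 2 days, 23 hours, 58 minutes, 43 seconds
1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds'

# Constructed sample of 'iptables -nL SECAST' in which two of the four DROP
# rules are (hypothetically) gone after a firewall reload.
SAMPLE_CHAIN='Chain SECAST (1 references)
target     prot opt source               destination
DROP       all  --  1.2.3.4              0.0.0.0/0
DROP       all  --  163.172.121.136      0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# Constructed sample of what iptables prints when the chain does not exist.
SAMPLE_NO_CHAIN='iptables: No chain/target/match by that name.'

# chain_exists LISTING: true if the listing carries a "Chain SECAST" header.
chain_exists() {
    printf '%s\n' "$1" | grep -q '^Chain SECAST '
}

# dropped_ips LISTING: print the source address of every DROP rule in the chain.
dropped_ips() {
    printf '%s\n' "$1" | awk '$1 == "DROP" { print $4 }'
}

# missing_bans BANIP_LIST LISTING: print each banned IP that has no DROP rule.
missing_bans() {
    banlist=$1
    listing=$2
    printf '%s\n' "$banlist" | awk 'NF { print $1 }' | while read -r ip; do
        if ! dropped_ips "$listing" | grep -qxF "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# verify BANIP_LIST LISTING: return 0 when every ban is enforced, 1 otherwise,
# explaining on stderr what is wrong.
verify() {
    if ! chain_exists "$2"; then
        echo 'SECAST chain is missing from iptables' >&2
        return 1
    fi
    missing=$(missing_bans "$1" "$2")
    if [ -n "$missing" ]; then
        printf 'banned by SecAst but not in SECAST chain:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Run the check against the constructed samples.
if verify "$SAMPLE_BANIP_LIST" "$SAMPLE_CHAIN"; then
    echo 'all SecAst bans are enforced'
else
    echo 'SecAst bans are out of sync with iptables; restart SecAst to rebuild the chain'
fi
```

    On a live system replace the two samples with the real command output and run the script from cron or after every FireHOL reload; a non-zero exit from `verify` is the cue to restart SecAst, which re-creates its chain from the bans kept in its recovery file.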

    Telium Support Group
    Member
    Post count: 258

    Glad you are up and running. If you need SecAst to recreate its iptables rules just restart the SecAst service (it will restore all banned IPs since it keeps those in a recovery file). We’ll have to think about how/if SecAst should monitor the iptables. It’s unusual for the iptables rules to be lost (so SecAst shouldn’t have to check that) – but it’s on our discussion list.

    In regards to downloading, what error exactly are you experiencing? (Corrupt download, or download won’t start, etc). Downloading by browser is often unreliable for large files, but FTP normally works perfectly. We just tried FTP (pull) and the file downloaded perfectly (no corruption, etc). We also tried downloading with Firefox version 53 (32 bit) and browser download worked fine 2 of 3 times (one time download was corrupt so it would not untar). Similarly downloading by Chrome worked 3 of 4 times. You can see why we offer FTP…browsers aren’t great for this kind of thing. (Since this is a different topic feel free to email support@autocommander.aws2.ocg.ca if you have more details on the file transfer issue)

    Telium Support Group
    Member
    Post count: 258

    Although this topic is a year old, it continues to get a lot of traffic. So, I would like to reiterate a key point mentioned above (in case you missed it):

    You should not block IPs at the PBX (unless this is a test/home system). Commercial environments should block attackers at the firewall. SecAst has the ability to add IPs to ACLs/lists on your router / firewall. You really should use this feature!
