iptables+fireHOL not blocking IP's
Ubuntu 16.04 LTS x64
Asterisk 11.25.1 LTS
Secast-1.4.7-x86_64-ub16
FireHOL 2.0.3 Home Page: http://firehol.org

Problem 1:
"IP's manually banned aren't setting iptables entries"

from /var/log/secast
Wed Apr 19 00:00:07 2017, 00000204, I, Telnet Server, Client 7: Executing command [banip add 195.154.38.22]
Wed Apr 19 00:00:07 2017, 00000608, S, Security Event Queue, Banning manual IP '195.154.38.22' as managed
Wed Apr 19 00:00:07 2017, 00000707, E, System Command, Failed to find rules for iptables chain. Run result 0; exitcode 1
Wed Apr 19 00:00:07 2017, 00000710, E, System Command, Failed to add rule to iptables chain. Run result 0; exitcode 1

Problem 2:
"attacks aren't being detected"

On the Asterisk console:
[Apr 19 00:16:26] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"104"' failed for '163.172.121.136:1331' - Wrong password
[Apr 19 00:17:10] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"108"' failed for '163.172.121.136:1343' - Wrong password
[Apr 19 00:17:29] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"110"' failed for '163.172.121.136:1347' - Wrong password
[Apr 19 00:18:22] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"106"' failed for '163.172.121.136:1337' - Wrong password

in /var/log/asterisk/messages
[Apr 19 00:16:26] NOTICE[23258] chan_sip.c: Registration from '"104"' failed for '163.172.121.136:1331' - Wrong password
[Apr 19 00:16:26] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586186-906350",Severity="Error",Service="SIP",EventVersion="2",AccountID="104",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1331",Challenge="6635aaf4",ReceivedChallenge="6635aaf4",ReceivedHash="7e1c6cf66d26143aaf2fe34b13b2d7cf"
[Apr 19 00:17:10] SECURITY[23243] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1492586230-312224",Severity="Informational",Service="SIP",EventVersion="1",AccountID="108",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1343",Challenge="60b81fa1"
[Apr 19 00:17:10] NOTICE[23258] chan_sip.c: Registration from '"108"' failed for '163.172.121.136:1343' - Wrong password
[Apr 19 00:17:10] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586230-463449",Severity="Error",Service="SIP",EventVersion="2",AccountID="108",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1343",Challenge="60b81fa1",ReceivedChallenge="60b81fa1",ReceivedHash="4dc53d20eaa6dd25c508ba7b79a4570a"
[Apr 19 00:17:29] SECURITY[23243] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1492586249-415321",Severity="Informational",Service="SIP",EventVersion="1",AccountID="110",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1347",Challenge="01bb4376"
[Apr 19 00:17:29] NOTICE[23258] chan_sip.c: Registration from '"110"' failed for '163.172.121.136:1347' - Wrong password
[Apr 19 00:17:29] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586249-562681",Severity="Error",Service="SIP",EventVersion="2",AccountID="110",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1347",Challenge="01bb4376",ReceivedChallenge="01bb4376",ReceivedHash="54b8e6ac114d6bddaf083230e11a35fc"
[Apr 19 00:18:21] SECURITY[23243] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1492586301-854490",Severity="Informational",Service="SIP",EventVersion="1",AccountID="106",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1337",Challenge="7e9808a1"
[Apr 19 00:18:22] NOTICE[23258] chan_sip.c: Registration from '"106"' failed for '163.172.121.136:1337' - Wrong password
[Apr 19 00:18:22] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586302-7541",Severity="Error",Service="SIP",EventVersion="2",AccountID="106",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1337",Challenge="7e9808a1",ReceivedChallenge="7e9808a1",ReceivedHash="490071a90f52500759e89e1392e177f9"

Some relevant /etc/xdg/telium/secast.conf snippets
[banip] ;==================================================================
; This stanza refers to how SecAst will block/allow IP addresses, as well
; as how it tracks blocked IP addresses.

; Flush any pre-existing IP's found in firewall's SecAst list on program
; start. Any pre-existing IP's found will not be automatically removed
; after timeout period (they can be manually controlled only)
; Valid values: Yes/True/1 / No/False/0
flushonstart=0

; Flush any pre-existing IP's found in firewall's SecAst list on program
; exit
; Valid values: Yes/True/1 / No/False/0
flushonexit=0

; Perform internal tracking as if an IP were banned by firewall, but do not
; actually add detected intrusion IP's to firewall. Affected messages will be
; prefixed with [TESTMODE] in the event log. This may cause some additional
; warnings to appear in the log file but they can be safely ignored.
; Valid values: Yes/True/1 / No/False/0
testmode=false

; Number of hours for which an IP will be banned. Minimum is 1 hour,
; maximum is 168 hours (i.e. 1 week). Warning: if your firewall is slowing
; down network traffic because the SecAst list is too large, reduce the
; duration.
; Valid range: 1 to 168 hours (i.e. 1 hour to 7 days)
duration=72

; Should IP addresses already found blocked in firewall's SecAst list be
; treated as managed (i.e. automatically deleted after duration)
; Valid values include Yes/True/1 / No/False/0
manageexisting=true

; Should IP addresses manually added be treated as managed
; (i.e. automatically deleted after duration)
; Valid values include Yes/True/1 / No/False/0
managemanual=true

; Should firewall actions use iptables. If set to false, then SecAst will
; rely only on the external program listed below. If the external program is blank,
; then no IP firewalling will take place
; Valid values include Yes/True/1 / No/False/0
useiptables=true

; Whether or not to save banip data to the SQL database.
; Valid values include Yes/True/1 / No/False/0
; If left blank will default to false
savetodb=

; Number of days of banip data to retain. Data beyond this number
; of days will be purged on a daily basis. This value is measured in days. If
; set to 0 then data will be retained indefinitely (i.e. never purge).
; Valid range: 0, 1 to 1095 (i.e. indefinite, or 1 day to 3 years)
; If left blank will default to 30
dbretentiondays=20

[network] ;==================================================================
; Address to listen on for management interface
; LocalHostIPv4 The IPv4 localhost address. Equivalent to
; QHostAddress("127.0.0.1").
; LocalHostIPv6 The IPv6 localhost address. Equivalent to
; QHostAddress("::1").
; AnyIPv4 The IPv4 any-address. Equivalent to
; QHostAddress("0.0.0.0"). A socket bound with this
; address will listen only on IPv4 interfaces.
; AnyIPv6 The IPv6 any-address. Equivalent to QHostAddress("::").
; A socket bound with this address will listen only on
; IPv6 interfaces.
; Any The dual stack any-address. A socket bound with this
; address will listen on both IPv4 and IPv6 interfaces.
; 1.2.3.4 The specific IPv4 address
; 1111:2222:3333:4444:5555:6666:7777:8888 The specific IPv6 address
managementaddress=anyipv4

; Port to listen on for management interface.
; Set to 0 to use a random port
managementport=3000

; Subnets considered trusted. If more than one network is required then
; separate them with pipes (|). Networks must be in the form: X.X.X.X/B
; For example, 1.2.3.4/24 means subnet 1.2.3.4 with 24 bit mask, also known
; as 255.255.255.0 bitmask
trustednetworks=10.0.0.0/24 | 192.168.90.0/24

[credentials] ;=================================================================
; This stanza refers to detection of attempts to gain access to the Asterisk system
; resources using invalid credentials

; Maximum number of seconds between intrusion attempts (use of resources with
; invalid credentials), to be considered part of a single attack window. (If
; intrusions are spaced beyond this interval, then they are considered to be in
; separate attack windows). Extend this number if you find attackers are
; spreading their attempts over hours or days.
; Valid range: 1-604800 (i.e. 1 second to 1 week)
; Default: 60
maxintrusioninterval=3500

; Maximum number of intrusion attempts within a single attack window before banning
; the source IP. Set this number as low as possible without frustrating valid
; users.
; Valid range: 1 to 100
; Default: 3
maxintrusions=1

SecAst Console:
All banned IP's entered manually with "banip add nnn.nnn.nnn.nnn"
SecAst>status
SecAst state: protecting
Asterisk connection state: logged in
Threat level: low
IP banning enforcement: enforced
Database status: disconnected
Run Time: 2 hours, 36 minutes, 11 seconds
Intrusion attempts in window: 0
Total instrusion attempts: 0
IP's Banned: 4 addresses
IP's Watched: 0 addresses
Users Watched: 0 users
SecAst>banip list
163.172.121.136 2 days, 23 hours, 11 minutes, 58 seconds
212.83.134.244 2 days, 23 hours, 14 minutes, 8 seconds
212.83.130.10 2 days, 23 hours, 20 minutes, 42 seconds
195.154.38.22 2 days, 23 hours, 21 minutes, 6 seconds

iptables content
In case it's relevant to SecAst operation:

Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:51413
DROP all -f 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipcli" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip-scan" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "iWar" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipvicious" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipsak" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sundayddr" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "VaxSIPUserAgent" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
in_mylan all -- 0.0.0.0/0 0.0.0.0/0
in_internet all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 169.254.0.0/16 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 192.168.0.0/24 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 240.0.0.0/5 0.0.0.0/0
DROP all -- 0.0.0.0/0 240.0.0.0/5
DROP all -- 0.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/8
DROP all -- 0.0.0.0/0 239.255.255.0/24
DROP all -- 0.0.0.0/0 255.255.255.255
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 17
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04 limit: avg 2/sec burst 2
DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
in_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
out_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
out_mylan all -- 0.0.0.0/0 0.0.0.0/0
out_internet all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain in_internet (1 references)
target prot opt source destination
pr_internet_fragments all -f 0.0.0.0/0 0.0.0.0/0
pr_internet_nosyn tcp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW tcp flags:!0x17/0x02
pr_internet_icmpflood icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8
pr_internet_synflood tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x17/0x02
pr_internet_malxmas tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x3F
pr_internet_malnull tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x00
pr_internet_malbad tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x03/0x03
pr_internet_malbad tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x06/0x06
pr_internet_malbad tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x37
pr_internet_malbad tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x3F/0x29
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0 ctstate INVALID
pr_internet_allflood all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW
in_internet_ping_s1 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_dns_s2 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_sip_s3 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_rtp_s4 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_smtp_s5 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_imaps_s6 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_pop3s_s7 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_http_s8 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_https_s9 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_ssh_s10 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_ident_s11 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_all_c12 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_ftp_c13 all -- 0.0.0.0/0 0.0.0.0/0
in_internet_irc_c14 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-internet:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain in_internet_all_c12 (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED

Chain in_internet_dns_s2 (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ctstate NEW,ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53 ctstate NEW,ESTABLISHED

Chain in_internet_ftp_c13 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:32768:60999 ctstate ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "ftp"

Chain in_internet_http_s8 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:80 ctstate NEW,ESTABLISHED

Chain in_internet_https_s9 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:443 ctstate NEW,ESTABLISHED

Chain in_internet_ident_s11 (1 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:113 ctstate NEW,ESTABLISHED reject-with tcp-reset

Chain in_internet_imaps_s6 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:993 ctstate NEW,ESTABLISHED

Chain in_internet_irc_c14 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:6667 dpts:32768:60999 ctstate ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "irc"

Chain in_internet_ping_s1 (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,ESTABLISHED icmptype 8

Chain in_internet_pop3s_s7 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:995 ctstate NEW,ESTABLISHED

Chain in_internet_rtp_s4 (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000 ctstate NEW,ESTABLISHED

Chain in_internet_sip_s3 (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5060 dpt:5060 ctstate NEW,ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:1024:65535 dpt:5060 ctstate NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "sip"

Chain in_internet_smtp_s5 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:25 ctstate NEW,ESTABLISHED

Chain in_internet_ssh_s10 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:22 ctstate NEW,ESTABLISHED

Chain in_lan2internet (1 references)
target prot opt source destination
in_lan2internet_all_s1 all -- 0.0.0.0/0 0.0.0.0/0
in_lan2internet_ftp_s2 all -- 0.0.0.0/0 0.0.0.0/0
in_lan2internet_irc_s3 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-lan2internet:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain in_lan2internet_all_s1 (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,ESTABLISHED

Chain in_lan2internet_ftp_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:21 ctstate NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "ftp"

Chain in_lan2internet_irc_s3 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:1024:65535 dpt:6667 ctstate NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "irc"

Chain in_mylan (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain out_internet (1 references)
target prot opt source destination
out_internet_ping_s1 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_dns_s2 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_sip_s3 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_rtp_s4 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_smtp_s5 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_imaps_s6 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_pop3s_s7 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_http_s8 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_https_s9 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_ssh_s10 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_ident_s11 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_all_c12 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_ftp_c13 all -- 0.0.0.0/0 0.0.0.0/0
out_internet_irc_c14 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-internet:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain out_internet_all_c12 (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate NEW,ESTABLISHED

Chain out_internet_dns_s2 (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:53 ctstate ESTABLISHED
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:53 ctstate ESTABLISHED

Chain out_internet_ftp_c13 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:60999 dpt:21 ctstate NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "ftp"

Chain out_internet_http_s8 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:80 dpts:1024:65535 ctstate ESTABLISHED

Chain out_internet_https_s9 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:443 dpts:1024:65535 ctstate ESTABLISHED

Chain out_internet_ident_s11 (1 references)
target prot opt source destination
REJECT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:113 dpts:1024:65535 ctstate ESTABLISHED reject-with tcp-reset

Chain out_internet_imaps_s6 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:993 dpts:1024:65535 ctstate ESTABLISHED

Chain out_internet_irc_c14 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spts:32768:60999 dpt:6667 ctstate NEW,ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "irc"

Chain out_internet_ping_s1 (1 references)
target prot opt source destination
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED icmptype 0

Chain out_internet_pop3s_s7 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:995 dpts:1024:65535 ctstate ESTABLISHED

Chain out_internet_rtp_s4 (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spts:10000:20000 ctstate ESTABLISHED

Chain out_internet_sip_s3 (1 references)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5060 dpt:5060 ctstate ESTABLISHED
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:5060 dpts:1024:65535 ctstate ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "sip"

Chain out_internet_smtp_s5 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:25 dpts:1024:65535 ctstate ESTABLISHED

Chain out_internet_ssh_s10 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:22 dpts:1024:65535 ctstate ESTABLISHED

Chain out_lan2internet (1 references)
target prot opt source destination
out_lan2internet_all_s1 all -- 0.0.0.0/0 0.0.0.0/0
out_lan2internet_ftp_s2 all -- 0.0.0.0/0 0.0.0.0/0
out_lan2internet_irc_s3 all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-lan2internet:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain out_lan2internet_all_s1 (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate ESTABLISHED

Chain out_lan2internet_ftp_s2 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:21 dpts:1024:65535 ctstate ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "ftp"

Chain out_lan2internet_irc_s3 (1 references)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:6667 dpts:1024:65535 ctstate ESTABLISHED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED,ESTABLISHED helper match "irc"

Chain out_mylan (1 references)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain pr_internet_allflood (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 60/sec burst 10
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "ALL_FLOOD:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain pr_internet_fragments (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PACKET_FRAGMENTS:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain pr_internet_icmpflood (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 50
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "ICMP_FLOOD:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain pr_internet_malbad (4 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED_BAD:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain pr_internet_malnull (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED_NULL:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain pr_internet_malxmas (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED_XMAS:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain pr_internet_nosyn (1 references)
target prot opt source destination
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "NEW_TCP_w/o_SYN:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain pr_internet_synflood (1 references)
target prot opt source destination
RETURN all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 100/sec burst 50
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "SYN_FLOOD:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Problem 1: iptables rules not being created
When SecAst starts it creates a SECAST chain linked into your iptables' INPUT chain like this:
Chain INPUT (policy ACCEPT)
target prot opt source destination
SECAST all -- anywhere anywhere
And the SECAST chain is where dropping of attackers' IP's occurs. I see from your iptables list that the above rule is missing, and that's why you are not able to block attacker IP's. So the question is why the SECAST chain rule is being refused/lost. Are you updating/flushing your iptables rules (e.g. regenerating using FireHOL) after SecAst starts? Is there an error in the SecAst log upon service start indicating any iptables related errors?

Problem 2: Attackers not detected
You did not include the [asterisk] stanza of your secast.conf, so ensure the securityevents key is blank (use the AMI), or points to a valid /var/log/asterisk/messages file. That's usually the cause.

I suggest you stop SecAst, delete the secast log file, and restart SecAst, then manually ban 1 IP. Either post the secast log (or send it to support@autocommander.aws2.ocg.ca if you are concerned about making content public) and we can look there for further clues.
If this is a commercial environment keep in mind that we recommend blocking attackers at the network edge (firewall), letting SecAst add rules to your firewall.
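The reply above asks two things: is the SECAST jump present in INPUT, and does the SecAst log show iptables errors at start-up. The script below answers both offline, as an added example written for this thread rather than code from the thread, from SecAst or from FireHOL. It takes from the thread only the chain name SECAST, the fact that SecAst hooks it from INPUT, and the /var/log/secast line format (timestamp, 8-digit code, severity letter, component, message); the function names and the `iptables -S` sample text are my assumptions, since the posts show `-nL` output.

```python
"""Offline versions of the two checks the reply above asks for.  Added example
for this thread, not code from the thread, from SecAst or from FireHOL.

Taken from the thread: the chain name SECAST, the fact that SecAst hooks it
from INPUT, and the /var/log/secast line format
    <timestamp>, <8-digit code>, <severity letter>, <component>, <message>
Assumed: every function name below and the `iptables -S` sample text (the
posts show `-nL` output, which hides interface and source matches).
"""
import re
import subprocess
from typing import List, Optional, Tuple

SECAST_CHAIN = "SECAST"


# ---- check 1: does INPUT jump to SECAST, and is that the first rule? -------

def input_rules(iptables_s_output: str) -> List[List[str]]:
    """Tokenised '-A INPUT ...' rules from `iptables -S INPUT`, in order."""
    return [line.split() for line in iptables_s_output.splitlines()
            if line.startswith("-A INPUT ")]


def jump_target(tokens: List[str]) -> Optional[str]:
    """Chain or verdict after -j; None for a rule with no target."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-j":
            return tokens[i + 1]
    return None


def secast_hook_position(iptables_s_output: str) -> int:
    """1-based position of the '-j SECAST' rule in INPUT; 0 when absent."""
    for pos, rule in enumerate(input_rules(iptables_s_output), start=1):
        if jump_target(rule) == SECAST_CHAIN:
            return pos
    return 0


def secast_hook_status(iptables_s_output: str) -> str:
    """'missing'     no jump to SECAST, so bans cannot take effect (the first
                     post; the reply suspects FireHOL rebuilt INPUT after
                     SecAst had hooked it)
       'hooked'      SECAST is the first INPUT rule, as in the reply's listing
       'hooked_late' the jump exists but other rules precede it; any earlier
                     ACCEPT that matches attacker traffic bypasses the ban list
    """
    pos = secast_hook_position(iptables_s_output)
    if pos == 0:
        return "missing"
    return "hooked" if pos == 1 else "hooked_late"


def live_hook_status() -> str:
    """Same check against the running firewall (needs root and iptables)."""
    out = subprocess.run(["iptables", "-S", "INPUT"], capture_output=True,
                         text=True, check=True).stdout
    return secast_hook_status(out)


# ---- check 2: did SecAst log iptables failures? ----------------------------

LOG_LINE = re.compile(r"^(?P<ts>[^,]+), (?P<code>\d{8}), (?P<sev>[A-Z]), "
                      r"(?P<comp>[^,]+), (?P<msg>.*)$")


def iptables_errors(secast_log: str) -> List[Tuple[str, str]]:
    """(code, message) of each severity-E 'System Command' entry mentioning iptables."""
    hits = []
    for line in secast_log.splitlines():
        m = LOG_LINE.match(line)
        if (m and m["sev"] == "E" and m["comp"] == "System Command"
                and "iptables" in m["msg"]):
            hits.append((m["code"], m["msg"]))
    return hits


# ---- constructed sample input ---------------------------------------------

# Mirrors the first post's INPUT chain (no SECAST hook), rewritten in -S form.
RULES_BEFORE = """\
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -f -j DROP
-A INPUT -p udp -m udp --dport 1024 -j DROP
-A INPUT -j in_mylan
-A INPUT -j in_internet
"""

# Mirrors the follow-up post's INPUT chain after the SecAst restart.
RULES_AFTER = """\
-P INPUT DROP
-A INPUT -j SECAST
-A INPUT -s 69.30.245.18/32 -j DROP
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT
-A INPUT -j in_mylan
"""

# Hypothetical: the hook survived but something re-inserted an accept above it.
RULES_LATE = """\
-P INPUT DROP
-A INPUT -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -j SECAST
"""

# Lines copied from the two posts' /var/log/secast excerpts.
SECAST_LOG = """\
Wed Apr 19 09:44:13 2017, 00000122, I, General, Settings contained 0 information; 0 warning; and 0 error messages.
Wed Apr 19 09:44:13 2017, 00000702, E, System Command, Failed to determine if iptables chain exists. Run result 0; exitcode 1
Wed Apr 19 09:44:18 2017, 00000801, E, Alert, Failed to send email: SecAst Starting
Wed Apr 19 00:00:07 2017, 00000710, E, System Command, Failed to add rule to iptables chain. Run result 0; exitcode 1
"""

if __name__ == "__main__":
    for name, text in (("before", RULES_BEFORE), ("after", RULES_AFTER), ("late", RULES_LATE)):
        print(f"{name:6s}: {secast_hook_status(text)} (position {secast_hook_position(text)})")
    for code, msg in iptables_errors(SECAST_LOG):
        print(f"secast log {code}: {msg}")
```

`iptables -S` is used rather than `-nL` because it prints each rule as the command that created it, interface and source matches included, so `-j SECAST` can be matched as a token instead of by column position. Run as root, `live_hook_status()` performs the same check against the live ruleset; re-run it after any `firehol start`/`firehol restart`, since a FireHOL reload rebuilds INPUT and is the ordering problem the reply asks about.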
Quote:
I suggest you stop SecAst, delete the secast log file, and restart SecAst, then manually ban 1 IP. Either post the secast log (or send to support@autocommander.aws2.ocg.ca if you are concerned about making content public) and we can look there for further clues.
If this is a commercial environment keep in mind that we recommend blocking attackers at the network edge (firewall), letting SecAst add rules to your firewall.
Your recommendation may have worked. Evidence follows...

/etc/xdg/telium/secast.conf
[asterisk] ;=================================================================
; Location of logfile containing security related messages. In versions of
; Asterisk prior to 10 this would normally be the primary messages file
; (/var/log/asterisk/messages), while in later versions of Asterisk this would
; be the security file (/var/log/asterisk/security)
securitylog="/var/log/asterisk/messages"
;securitylog=/var/log/asterisk/security

; hostname or ip address of the Asterisk server. Normally this should be set
; to "localhost" but can be any valid IP/hostname
hostname="localhost"

; Port number to connect to Asterisk Management Interface (AMI). This should
; match the port settings of the manager.conf file on the Asterisk server.
; This is normally set to 5038
port=5038

; Username used for authentication to the AMI. This should match the section
; heading in the manager.conf file on the Asterisk server. Normally this
; should be set to "secast"
username="secast"

; Secret used for authentication to the AMI. This should match the secret set
; in the section heading for the username above, in the manager.conf file on
; the Asterisk server. This should not be left at the default of "secast"
secret="MySecret"

Asterisk Console
pluto*CLI>
[Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
[Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
== Manager ‘secast’ logged off from 127.0.0.1
== Manager ‘secast’ logged on from 127.0.0.1
pluto*CLI>/var/log/secast
root@pluto:/var/log# /usr/local/secast/secast
secast version 1.4.7 started under PID 2502
secast switched to daemon under PID 2503
root@pluto:/var/log# cat /var/log/secast
Wed Apr 19 09:44:13 2017, 00000100, I, General, SecAst version 1.4.1103 starting as daemon under process ID 2503
Wed Apr 19 09:44:13 2017, 00001011, W, License, License file not found. Switching to Free Edition
Wed Apr 19 09:44:13 2017, 00000122, I, General, Settings contained 0 information; 0 warning; and 0 error messages.
Wed Apr 19 09:44:13 2017, 00000300, I, Controller, Telnet server listening on 0.0.0.0:3000
Wed Apr 19 09:44:13 2017, 00001600, I, Controller, Pipe server listening on /run/secast.sock
Wed Apr 19 09:44:13 2017, 00000702, E, System Command, Failed to determine if iptables chain exists. Run result 0; exitcode 1
Wed Apr 19 09:44:13 2017, 00001302, I, Geo IP, Opened GeoIP database
Wed Apr 19 09:44:13 2017, 00002837, I, Controller, Restoring recovering state from file created by host ‘Arno-PBX’ at Wed Apr 19 09:41:05 2017
Wed Apr 19 09:44:13 2017, 00002831, I, Controller, Recovery state will be saved every 60 seconds
Wed Apr 19 09:44:13 2017, 00001258, I, Asterisk Controller, Starting
Wed Apr 19 09:44:18 2017, 00000801, E, Alert, Failed to send email: SecAst Starting
Wed Apr 19 09:44:18 2017, 00000107, I, General, SecAst state changing to not protecting
Wed Apr 19 09:44:23 2017, 00000801, E, Alert, Failed to send email: Entering Non-Protecting State
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '163.172.121.136' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.134.244' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.130.10' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '195.154.38.22' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '69.30.245.18' as managed
Wed Apr 19 09:44:23 2017, 00001201, I, Asterisk Controller, Connection established to AMI
Wed Apr 19 09:44:23 2017, 00000108, I, General, SecAst state changing to protecting
Wed Apr 19 09:44:28 2017, 00000801, E, Alert, Failed to send email: Entering Protecting State
Wed Apr 19 09:44:31 2017, 00000202, I, Telnet Server, Client 1: Connecting from 127.0.0.1:47346
Wed Apr 19 09:44:45 2017, 00000204, I, Telnet Server, Client 1: Executing command [status]
Wed Apr 19 09:45:18 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip add 1.2.3.4]
Wed Apr 19 09:45:18 2017, 00000608, S, Security Event Queue, Banning manual IP '1.2.3.4' as managed
Wed Apr 19 09:45:29 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip list]
root@pluto:/var/log#

SecAst Console
pluto% telnet localhost 3000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SecAst telnet interface on 'Arno-PBX'
SecAst>status
SecAst state: protecting
Asterisk connection state: logged in
Threat level: low
IP banning enforcement: enforced
Database status: disconnected
Run Time: 31 seconds
Intrusion attempts in window: 0
Total instrusion attempts: 0
IP's Banned: 5 addresses
IP's Watched: 0 addresses
Users Watched: 0 users
SecAst>banip add 1.2.3.4
Issued request to add IP 1.2.3.4. Check event log for errors, or use 'banip list' to confirm add
SecAst>banip list
163.172.121.136 2 days, 23 hours, 58 minutes, 43 seconds
212.83.134.244 2 days, 23 hours, 58 minutes, 43 seconds
212.83.130.10 2 days, 23 hours, 58 minutes, 43 seconds
195.154.38.22 2 days, 23 hours, 58 minutes, 43 seconds
69.30.245.18 2 days, 23 hours, 58 minutes, 43 seconds
1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds
SecAst>

iptables entries
root@pluto:~# iptables -nL|less
Chain INPUT (policy DROP)
target prot opt source destination
SECAST all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 69.30.245.18 0.0.0.0/0
DROP all -- 163.172.121.136 0.0.0.0/0
DROP all -- 212.83.130.10 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:51413
DROP all -f 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipcli" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip-scan" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "iWar" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipvicious" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipsak" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sundayddr" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "VaxSIPUserAgent" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
in_mylan all -- 0.0.0.0/0 0.0.0.0/0
in_internet all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 169.254.0.0/16 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 192.168.0.0/24 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 240.0.0.0/5 0.0.0.0/0
DROP all -- 0.0.0.0/0 240.0.0.0/5
DROP all -- 0.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/8
DROP all -- 0.0.0.0/0 239.255.255.0/24
DROP all -- 0.0.0.0/0 255.255.255.255
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 17
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04 limit: avg 2/sec burst 2
DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
in_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
out_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
out_mylan all -- 0.0.0.0/0 0.0.0.0/0
out_internet all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain SECAST (1 references)
target prot opt source destination
DROP all -- 1.2.3.4 0.0.0.0/0
DROP all -- 69.30.245.18 0.0.0.0/0
DROP all -- 195.154.38.22 0.0.0.0/0
DROP all -- 212.83.130.10 0.0.0.0/0
DROP all -- 212.83.134.244 0.0.0.0/0
DROP all -- 163.172.121.136 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
. . .
This is a home installation.
My intent is to let SecAst modify the firewall as necessary. I am concerned about interactions between SecAst and FireHOL. I have a lot more interaction with FireHOL than SecAst, so I'd really like a way to allow SecAst to "self heal" even if it is semi-automatic/manual. I could envision a command such as "SecAst> iptables init" with others such as "SecAst> iptables list" to show/verify what SecAst added to iptables. Or every N number of minutes (or with each new "detected" attack), have SecAst verify its installation in iptables and restore iptables as necessary from the BanIP list. Or even better, is there something I can add to FireHOL config /etc/firehol/firehol.conf which will call SecAst to re-add/verify its installation in iptables?
I really like your phpBB installation, very effective!
Thank you for your help. I suspect SecAst is now running properly until I accidentally break it again with FireHOL. 😳
Glad you are up and running. If you need SecAst to recreate its iptables rules just restart the SecAst service (it will restore all banned IPs since it keeps those in a recovery file). We'll have to think about how/if SecAst should monitor the iptables. It's unusual for the iptables rules to be lost (so SecAst shouldn't have to check that) - but it's on our discussion list.
In regards to downloading, what error exactly are you experiencing? (Corrupt download, or download won’t start, etc). Downloading by browser is often unreliable for large files, but FTP normally works perfectly. We just tried FTP (pull) and the file downloaded perfectly (no corruption, etc). We also tried downloading with Firefox version 53 (32 bit) and browser download worked fine 2 of 3 times (one time download was corrupt so it would not untar). Similarly downloading by Chrome worked 3 of 4 times. You can see why we offer FTP…browsers aren’t great for this kind of thing. (Since this is a different topic feel free to email support@autocommander.aws2.ocg.ca if you have more details on file transfer issue)
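The poster above asks for a way to verify and restore what SecAst put into iptables after a FireHOL reload, and the reply says a SecAst restart rebuilds the rules from its recovery file. The script below is an added example, not SecAst or FireHOL code, of the reconciliation check a FireHOL user could run by hand or from cron after a reload: it confirms the chain exists, that INPUT still jumps to it, and that every IP in a ban list still has a DROP rule, re-inserting whatever is missing. It assumes the chain name SECAST and the layout shown in the listing above (DROP rules followed by a final RETURN), and a ban-list file whose first column is an IP, such as pasted `banip list` output; `iptables -S`, `-C`, `-N` and `-I` are standard iptables options. The sample listing and ban list embedded in it are constructed from the IPs in this thread, not captured output.

```shell
#!/bin/sh
# Added example, not SecAst or FireHOL code: verify that the SECAST iptables
# chain still exists, is still jumped to from INPUT, and still holds a DROP
# rule for every IP in a ban list; re-add whatever is missing.
# Assumptions (hypothetical): chain name SECAST with DROP rules followed by a
# final RETURN, as in the thread's listing; the ban list file has one IP per
# line in its first column (e.g. pasted 'banip list' output). IPTABLES and
# CHAIN can be overridden from the environment.

IPTABLES="${IPTABLES:-iptables}"
CHAIN="${CHAIN:-SECAST}"

# Read 'iptables -S CHAIN' output on stdin and print the source IPs that have
# a DROP rule, one per line, with the /32 suffix removed.
parse_dropped_ips() {
    awk '$1 == "-A" && $3 == "-s" && $5 == "-j" && $6 == "DROP" {
            sub(/\/32$/, "", $4); print $4 }'
}

# $1: expected IPs (newline separated), $2: IPs currently dropped in the chain.
# Prints the expected IPs that have no DROP rule, in ban-list order.
missing_ips() {
    expected=$1
    current=$2
    printf '%s\n' "$expected" | while read -r ip; do
        [ -n "$ip" ] || continue
        if ! printf '%s\n' "$current" | grep -qxF -- "$ip"; then
            printf '%s\n' "$ip"
        fi
    done
}

# $1: ban list file. Recreates the chain, the INPUT jump and any missing DROP
# rules. Rules are inserted at position 1 so they land before the RETURN.
reconcile() {
    banlist=$1
    if ! "$IPTABLES" -nL "$CHAIN" >/dev/null 2>&1; then
        "$IPTABLES" -N "$CHAIN"
        echo "created chain $CHAIN"
    fi
    if ! "$IPTABLES" -C INPUT -j "$CHAIN" >/dev/null 2>&1; then
        "$IPTABLES" -I INPUT 1 -j "$CHAIN"
        echo "restored INPUT jump to $CHAIN"
    fi
    current=$("$IPTABLES" -S "$CHAIN" | parse_dropped_ips)
    expected=$(awk 'NF { print $1 }' "$banlist")
    missing_ips "$expected" "$current" | while read -r ip; do
        "$IPTABLES" -I "$CHAIN" 1 -s "$ip" -j DROP
        echo "restored DROP for $ip"
    done
}

# Constructed sample data (not real output): a chain that kept only three of
# the six IPs from the thread's 'banip list', as might happen after a reload.
SAMPLE_LISTING='-N SECAST
-A SECAST -s 1.2.3.4/32 -j DROP
-A SECAST -s 69.30.245.18/32 -j DROP
-A SECAST -s 212.83.130.10/32 -j DROP
-A SECAST -j RETURN'
SAMPLE_BANLIST='163.172.121.136 2 days, 23 hours, 58 minutes, 43 seconds
212.83.134.244 2 days, 23 hours, 58 minutes, 43 seconds
212.83.130.10 2 days, 23 hours, 58 minutes, 43 seconds
195.154.38.22 2 days, 23 hours, 58 minutes, 43 seconds
69.30.245.18 2 days, 23 hours, 58 minutes, 43 seconds
1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds'

# Dry run on the constructed data: prints the IPs that would be re-added.
demo() {
    current=$(printf '%s\n' "$SAMPLE_LISTING" | parse_dropped_ips)
    expected=$(printf '%s\n' "$SAMPLE_BANLIST" | awk 'NF { print $1 }')
    missing_ips "$expected" "$current"
}

# Usage: sh secast-reconcile.sh --demo          (offline, constructed data)
#        sh secast-reconcile.sh /path/to/banlist (as root, modifies iptables)
if [ "${1:-}" = "--demo" ]; then
    demo
elif [ -n "${1:-}" ]; then
    reconcile "$1"
fi
```

The check is deliberately one-directional: it only re-adds rules that SecAst's ban list says should exist and never deletes anything, so it cannot undo a ban SecAst added in the meantime. The three stray DROP rules sitting directly in INPUT in the listing above are left alone for the same reason; whether they belong to SecAst or to an earlier manual cleanup is something to confirm against the SecAst event log before removing them.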
Although this topic is a year old, it continues to get a lot of traffic. So, I would like to reiterate a key point mentioned above (in case you missed it):
You should not block IPs at the PBX (unless this is a test/home system). Commercial environments should block attackers at the firewall. SecAst has the ability to add IPs to ACLs/lists on your router / firewall. You really should use this feature!