Forum Replies Created

Viewing 1 post (of 1 total)
  • Author
    Posts
  • teliumcustomer19
    Member
    Post count: 2

    Quote:
    I suggest you stop SecAst, delete the secast log file, and restart SecAst, then manually ban 1 IP. Either post the secast log (or send to support@autocommander.aws2.ocg.ca if you are concerned about making content public) and we can look there for further clues.

    If this is a commercial environment keep in mind that we recommend blocking attackers at the network edge (firewall) – letting SecAst add rules to your firewall.

    Your recommendation may have worked. Evidence follows…

    /etc/xdg/telium/secast.conf


    [asterisk] ;=================================================================

    ; Location of logfile containing security related messages. In versions of
    ; Asterisk prior to 10 this would normally be the primary messages file
    ; (/var/log/asterisk/messages), while in later versions of Asterisk this would
    ; be the security file (/var/log/asterisk/security)
    securitylog="/var/log/asterisk/messages"
    ;securitylog=/var/log/asterisk/security

    ; hostname or ip address of the Asterisk server. Normally this should be set
    ; to "localhost" but can be any valid IP/hostname
    hostname="localhost"

    ; Port number to connect to Asterisk Management Interface (AMI). This should
    ; match the port settings of the manager.conf file on the Asterisk server.
    ; This is normally set to 5038
    port=5038

    ; Username used for authentication to the AMI. This should match the section
    ; heading in the manager.conf file on the Asterisk server. Normally this
    ; should be set to "secast"
    username="secast"

    ; Secret used for authentication to the AMI. This should match the secret set
    ; in the section heading for the username above, in the manager.conf file on
    ; the Asterisk server. This should not be left at the default of "secast"
    secret="MySecret"

    Asterisk Console

    pluto*CLI>
    [Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
    [Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
    == Manager 'secast' logged off from 127.0.0.1
    == Manager 'secast' logged on from 127.0.0.1
    pluto*CLI>

    /var/log/secast

    root@pluto:/var/log# /usr/local/secast/secast
    secast version 1.4.7 started under PID 2502
    secast switched to daemon under PID 2503
    root@pluto:/var/log# cat /var/log/secast
    Wed Apr 19 09:44:13 2017, 00000100, I, General, SecAst version 1.4.1103 starting as daemon under process ID 2503
    Wed Apr 19 09:44:13 2017, 00001011, W, License, License file not found. Switching to Free Edition
    Wed Apr 19 09:44:13 2017, 00000122, I, General, Settings contained 0 information; 0 warning; and 0 error messages.
    Wed Apr 19 09:44:13 2017, 00000300, I, Controller, Telnet server listening on 0.0.0.0:3000
    Wed Apr 19 09:44:13 2017, 00001600, I, Controller, Pipe server listening on /run/secast.sock
    Wed Apr 19 09:44:13 2017, 00000702, E, System Command, Failed to determine if iptables chain exists. Run result 0; exitcode 1
    Wed Apr 19 09:44:13 2017, 00001302, I, Geo IP, Opened GeoIP database
    Wed Apr 19 09:44:13 2017, 00002837, I, Controller, Restoring recovering state from file created by host 'Arno-PBX' at Wed Apr 19 09:41:05 2017
    Wed Apr 19 09:44:13 2017, 00002831, I, Controller, Recovery state will be saved every 60 seconds
    Wed Apr 19 09:44:13 2017, 00001258, I, Asterisk Controller, Starting
    Wed Apr 19 09:44:18 2017, 00000801, E, Alert, Failed to send email: SecAst Starting
    Wed Apr 19 09:44:18 2017, 00000107, I, General, SecAst state changing to not protecting
    Wed Apr 19 09:44:23 2017, 00000801, E, Alert, Failed to send email: Entering Non-Protecting State
    Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '163.172.121.136' as managed
    Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.134.244' as managed
    Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.130.10' as managed
    Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '195.154.38.22' as managed
    Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '69.30.245.18' as managed
    Wed Apr 19 09:44:23 2017, 00001201, I, Asterisk Controller, Connection established to AMI
    Wed Apr 19 09:44:23 2017, 00000108, I, General, SecAst state changing to protecting
    Wed Apr 19 09:44:28 2017, 00000801, E, Alert, Failed to send email: Entering Protecting State
    Wed Apr 19 09:44:31 2017, 00000202, I, Telnet Server, Client 1: Connecting from 127.0.0.1:47346
    Wed Apr 19 09:44:45 2017, 00000204, I, Telnet Server, Client 1: Executing command [status]
    Wed Apr 19 09:45:18 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip add 1.2.3.4]
    Wed Apr 19 09:45:18 2017, 00000608, S, Security Event Queue, Banning manual IP '1.2.3.4' as managed
    Wed Apr 19 09:45:29 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip list]
    root@pluto:/var/log#

    SecAst Console

    pluto% telnet localhost 3000
    Trying ::1...
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.
    SecAst telnet interface on 'Arno-PBX'
    SecAst>status
    SecAst state: protecting
    Asterisk connection state: logged in
    Threat level: low
    IP banning enforcement: enforced
    Database status: disconnected
    Run Time: 31 seconds
    Intrusion attempts in window: 0
    Total instrusion attempts: 0
    IP's Banned: 5 addresses
    IP's Watched: 0 addresses
    Users Watched: 0 users
    SecAst>banip add 1.2.3.4
    Issued request to add IP 1.2.3.4. Check event log for errors, or use 'banip list' to confirm add
    SecAst>banip list
    163.172.121.136 2 days, 23 hours, 58 minutes, 43 seconds
    212.83.134.244 2 days, 23 hours, 58 minutes, 43 seconds
    212.83.130.10 2 days, 23 hours, 58 minutes, 43 seconds
    195.154.38.22 2 days, 23 hours, 58 minutes, 43 seconds
    69.30.245.18 2 days, 23 hours, 58 minutes, 43 seconds
    1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds
    SecAst>

    iptables entries

    root@pluto:~# iptables -nL|less
    Chain INPUT (policy DROP)
    target prot opt source destination
    SECAST all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 69.30.245.18 0.0.0.0/0
    DROP all -- 163.172.121.136 0.0.0.0/0
    DROP all -- 212.83.130.10 0.0.0.0/0
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:51413
    DROP all -f 0.0.0.0/0 0.0.0.0/0
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipcli" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip-scan" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "iWar" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipvicious" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipsak" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sundayddr" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "VaxSIPUserAgent" ALGO name bm TO 65535
    DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    in_mylan all -- 0.0.0.0/0 0.0.0.0/0
    in_internet all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 10.0.0.0/8 0.0.0.0/0
    DROP all -- 169.254.0.0/16 0.0.0.0/0
    DROP all -- 172.16.0.0/12 0.0.0.0/0
    DROP all -- 127.0.0.0/8 0.0.0.0/0
    DROP all -- 192.168.0.0/24 0.0.0.0/0
    DROP all -- 224.0.0.0/4 0.0.0.0/0
    DROP all -- 0.0.0.0/0 224.0.0.0/4
    DROP all -- 240.0.0.0/5 0.0.0.0/0
    DROP all -- 0.0.0.0/0 240.0.0.0/5
    DROP all -- 0.0.0.0/8 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/8
    DROP all -- 0.0.0.0/0 239.255.255.0/24
    DROP all -- 0.0.0.0/0 255.255.255.255
    DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 17
    DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
    ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04 limit: avg 2/sec burst 2
    DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
    all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain FORWARD (policy DROP)
    target prot opt source destination
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
    all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
    LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
    DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
    in_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
    out_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain OUTPUT (policy DROP)
    target prot opt source destination
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
    out_mylan all -- 0.0.0.0/0 0.0.0.0/0
    out_internet all -- 0.0.0.0/0 0.0.0.0/0
    DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
    ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
    LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
    DROP all -- 0.0.0.0/0 0.0.0.0/0

    Chain SECAST (1 references)
    target prot opt source destination
    DROP all -- 1.2.3.4 0.0.0.0/0
    DROP all -- 69.30.245.18 0.0.0.0/0
    DROP all -- 195.154.38.22 0.0.0.0/0
    DROP all -- 212.83.130.10 0.0.0.0/0
    DROP all -- 212.83.134.244 0.0.0.0/0
    DROP all -- 163.172.121.136 0.0.0.0/0
    RETURN all -- 0.0.0.0/0 0.0.0.0/0

    . . .

    This is a home installation.

    My intent is to let SecAst modify the firewall as necessary. I am concerned about interactions between SecAst and FireHOL. I have a lot more interaction with FireHOL than SecAst, so I’d really like a way to allow SecAst to “self heal” even if it is semi-automatic/manual. I could envision a command such as “SecAst> iptables init” with others such as “SecAst> iptables list” to show/verify what SecAst added to iptables. Or every N number of minutes (or with each new “detected” attack), have SecAst verify its installation in iptables and restore iptables as necessary from the BanIP list. Or even better, is there something I can add to FireHOL config /etc/firehol/firehol.conf which will call SecAst to re-add/verify its installation in iptables?

    I really like your phpBB installation, very effective!

    Thank you for your help. I suspect SecAst is now running properly until I accidentally break it again with FireHOL. 😳
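
The verification the post asks for can be done read-only by comparing saved `banip list` output with saved `iptables -nL` output. The following is an added example, not part of the original post and not SecAst or FireHOL code; the function names and the sample listings (documentation addresses) are constructed for illustration.

```python
import re

# Constructed samples in the shape of the `iptables -nL` and `banip list` output above.
IPTABLES_NL = """\
Chain INPUT (policy DROP)
target prot opt source destination
SECAST all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 192.0.2.10 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0

Chain SECAST (1 references)
target prot opt source destination
DROP all -- 192.0.2.10 0.0.0.0/0
DROP all -- 198.51.100.7 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0
"""
BANIP_LIST = """\
192.0.2.10 2 days, 23 hours, 58 minutes, 43 seconds
198.51.100.7 2 days, 23 hours, 58 minutes, 43 seconds
203.0.113.5 2 days, 23 hours, 59 minutes, 49 seconds
"""
ADDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d+)?$")

def parse_chains(listing):
    """Map chain name -> [(target, source)] from `iptables -nL` text."""
    chains, current = {}, None
    for line in listing.splitlines():
        header = re.match(r"Chain (\S+) \(", line)
        if header:
            current = chains.setdefault(header.group(1), [])
            continue
        fields = line.split()
        addrs = [f for f in fields if ADDR.match(f)]
        if current is not None and addrs:  # column header and blank lines have no address
            current.append((fields[0], addrs[0]))  # first address column is the source
    return chains

def audit(listing, banlist, chain="SECAST"):
    """Report drift between the ban list and what iptables actually enforces."""
    chains = parse_chains(listing)
    banned = {l.split()[0] for l in banlist.splitlines() if l.strip()}
    enforced = {src for tgt, src in chains.get(chain, []) if tgt == "DROP"}
    input_rules = chains.get("INPUT", [])
    return {
        "chain_exists": chain in chains,
        "hooked_into_input": any(tgt == chain for tgt, _ in input_rules),
        "missing": sorted(banned - enforced),      # banned but not dropped in chain
        "unexpected": sorted(enforced - banned),   # dropped in chain but not banned
        "stray_in_input": sorted(s for t, s in input_rules if t == "DROP" and s in banned),
    }
```

Run from cron or after a firewall reload, a non-empty `missing` list or `hooked_into_input` being false indicates that the ban list is no longer enforced.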
