SOLVED after reboot firewall is wide open

chris_c_ (Active Member)
Persistent robo-hack attempts from Germany and the Baltic states.

On reboot, isn't the iptables firewall supposed to automatically activate?

Code:
[2016-09-01 19:42:05] NOTICE[9284] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"111" <sip:111@(ipbx server public ipv4 address)>' failed for '217.172.189.5:5104' (callid: b9c526e62df6564ad5fd6062b9f86d7e) - No matching endpoint found
[2016-09-01 19:42:05] NOTICE[9284] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"111" <sip:111@(ipbx server public ipv4 address)>' failed for '217.172.189.5:5104' (callid: b9c526e62df6564ad5fd6062b9f86d7e) - Failed to authenticate
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:1] NoOp("SIP/(incrediblepbx ipv4)-00000055", "Received incoming SIP connection from unknown peer to 011442032390179") in new stack
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:2] Set("SIP/(incrediblepbx ipv4)-00000055", "DID=011442032390179") in new stack
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:3] Goto("SIP/(incrediblepbx ipv4)-00000055", "s,1") in new stack
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx_builtins.c: Goto (from-sip-external,s,1)
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:1] GotoIf("SIP/(incrediblepbx ipv4)-00000055", "0?checklang:noanonymous") in new stack
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx_builtins.c: Goto (from-sip-external,s,5)
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:5] Set("SIP/(incrediblepbx ipv4)-00000055", "TIMEOUT(absolute)=15") in new stack
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] func_timeout.c: Channel will hangup at 2016-09-01 19:49:12.726 EDT.
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:6] Log("SIP/(incrediblepbx ipv4)-00000055", "WARNING,"Rejecting unknown SIP connection from 178.238.230.63"") in new stack
[2016-09-01 19:48:57] WARNING[13578][C-00000074] Ext. s: "Rejecting unknown SIP connection from 178.238.230.63"
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:7] Answer("SIP/(incrediblepbx ipv4)-00000055", "") in new stack
[2016-09-01 19:48:58] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:8] Wait("SIP/(incrediblepbx ipv4)-00000055", "2") in new stack
[2016-09-01 19:49:00] VERBOSE[13578][C-00000074] file.c: <SIP/(incrediblepbx ipv4)-00000055> Playing 'ss-noservice.gsm' (language 'en')
[2016-09-01 19:49:05] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:10] PlayTones("SIP/(incrediblepbx ipv4)-00000055", "congestion") in new stack
[2016-09-01 19:49:05] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:11] Congestion("SIP/(incrediblepbx ipv4)-00000055", "5") in new stack
[2016-09-01 19:49:10] VERBOSE[13578][C-00000074] pbx.c: Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/(incrediblepbx ipv4)-00000055'
[2016-09-01 19:49:10] VERBOSE[13578][C-00000074] pbx.c: Executing [h@from-sip-external:1] Hangup("SIP/(incrediblepbx ipv4)-00000055", "") in new stack
[2016-09-01 19:49:10] VERBOSE[13578][C-00000074] pbx.c: Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/(incrediblepbx ipv4)-00000055'
[2016-09-01 19:49:29] WARNING[18658] chan_sip.c: Retransmission timeout reached on transmission 87fbf9f2d5bcdb8c52185c8737d04112 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2016-09-01 19:53:01] NOTICE[10836] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"1001" <sip:1001@(incrediblepbx ipv4)>' failed for '217.172.189.5:5082' (callid: ab6ff91911077c4520d0b8bbee7951c6) - No matching endpoint found
[2016-09-01 19:53:01] NOTICE[10836] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"1001" <sip:1001@(incrediblepbx ipv4)>' failed for '217.172.189.5:5082' (callid: ab6ff91911077c4520d0b8bbee7951c6) - Failed to authenticate
[2016-09-01 19:53:01] NOTICE[8478] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"1001" <sip:1001@(incrediblepbx ipv4)>' failed for '217.172.189.5:5082' (callid: ab6ff91911077c4520d0b8bbee7951c6) - Failed to authenticate
[2016-09-01 20:13:55] ERROR[18610] pjproject:  sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:43602 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:(incrediblepbx ipv4) SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:43602;branch=z9hG4bKcf07e88f09458acd83820582f5701c7c41d8006eeb836bcc11ab783597a3c4
Call-id: eb6e6e5e675ea0de6d016974aa3a5635
Contact: 193 <sip:193@188.214.128.126:43602>
Expires: 1800
From: 193 <sip:193@(incrediblepbx ipv4)>;tag=75d3e5b785a0bb0fd0baf219edd6edba
Max-forwards: 70
To: 193 <sip:193@(incrediblepbx ipv4)>
Authorization: Digest username="193",realm="asterisk",nonce="1472775233/b4f6659e46453eb056669eb9c79659bf",uri="sip:(incrediblepbx ipv4)",response="b7a54d87114b91c4f8064ffb048adc34",opaque="6c407cd52e80d68f",cnonce="30ca983a",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775234/db2b75368fec70c83186d9ded12d22a8",uri="sip:(incrediblepbx ipv4)",response="ae98ebe86f49092e8d837ff8c1921b88",opaque="408377f4573e99fb",cnonce="c2afdbf2",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775235/e1ef77fe5be6f8ec1dc819d706545359",uri="sip:(incrediblepbx ipv4)",response="0b7ec6d19554f0f33848e6211762a48d",opaque="2f066a46728dfed8",cnonce="64c19cb2",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775235/e1ef77fe5be6f8ec1dc819d706545359"
[2016-09-01 20:13:56] ERROR[18610] pjproject:  sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:43602 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:(incrediblepbx ipv4) SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:43602;branch=z9hG4bKcf07e88f09458acd83820582f5701c7c41d8006eeb836bcc11ab783597a3c4
Call-id: eb6e6e5e675ea0de6d016974aa3a5635
Contact: 193 <sip:193@188.214.128.126:43602>
Expires: 1800
From: 193 <sip:193@(incrediblepbx ipv4)>;tag=75d3e5b785a0bb0fd0baf219edd6edba
Max-forwards: 70
To: 193 <sip:193@(incrediblepbx ipv4)>
Authorization: Digest username="193",realm="asterisk",nonce="1472775233/b4f6659e46453eb056669eb9c79659bf",uri="sip:(incrediblepbx ipv4)",response="0c879a6ab7eacfab673328ce4141ec0c",opaque="4bbce2f02cb6d38e",cnonce="47dddf50",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775234/db2b75368fec70c83186d9ded12d22a8",uri="sip:(incrediblepbx ipv4)",response="9477c496da98b43480e3d1f5c1deec00",opaque="0cd89f765670d2a0",cnonce="2867ee16",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775235/e1ef77fe5be6f8ec1dc819d706545359",uri="sip:(incrediblepbx ipv4)",response="0b7ec6d19554f0f33848e6211762a48d",opaque="2f066a46728dfed8",cnonce="64c19cb2",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775235/e1ef77fe5be6f8ec1dc819d706545359"
[2016-09-01 20:13:57] WARNING[18658] chan_sip.c: Retransmission timeout reached on transmission 8c6edcf233b6ca114578f3fdc70a252b for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2016-09-01 20:13:58] ERROR[18610] pjproject:  sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:43602 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:(incrediblepbx ipv4) SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:43602;branch=z9hG4bKcf07e88f09458acd83820582f5701c7c41d8006eeb836bcc11ab783597a3c4
Call-id: eb6e6e5e675ea0de6d016974aa3a5635
Contact: 193 <sip:193@188.214.128.126:43602>
Expires: 1800
From: 193 <sip:193@(incrediblepbx ipv4)>;tag=75d3e5b785a0bb0fd0baf219edd6edba
Max-forwards: 70
To: 193 <sip:193@(incrediblepbx ipv4)>
Authorization: Digest username="193",realm="asterisk",nonce="1472775233/b4f6659e46453eb056669eb9c79659bf",uri="sip:(incrediblepbx ipv4)",response="0c879a6ab7eacfab673328ce4141ec0c",opaque="4bbce2f02cb6d38e",cnonce="47dddf50",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775233/b4f6659e46453eb056669eb9c79659bf",uri="sip:(incrediblepbx ipv4)",response="e2e2d894b54726650fd127f5be7fb94e",opaque="7f04076728757215",cnonce="16a478b4",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775234/db2b75368fec70c83186d9ded12d22a8",uri="sip:(incrediblepbx ipv4)",response="ae98ebe86f49092e8d837ff8c1921b88",opaque="408377f4573e99fb",cnonce="c2afdbf2",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775234/db2b75368fec70c83186d9ded12d22a8",uri="sip:(incrediblepbx ipv4)",response="31f3140264cccb2eb01d67b2d0596344",opaque="426f5c21222cf5f4",cnonce="f17e1fdb",qop=auth,nc=00000001
[2016-09-01 20:22:12] NOTICE[17339] chan_skinny.c: Starting Skinny session from 213.202.233.58
[2016-09-01 20:22:12] WARNING[17339] chan_skinny.c: Skinny packet too large (542393675 bytes), max length(2000 bytes)
[2016-09-01 20:22:12] NOTICE[17339] chan_skinny.c: Skinny Session returned: Success
[2016-09-01 20:22:12] NOTICE[17339] chan_skinny.c: Ending Skinny session from unknown at 213.202.233.58

wardmundy (Nerd Uno)
Which platform and what does /etc/init.d/rc.local look like? iptables-restart should be last in the boot sequence.

simplydrew (Member)
Should automatically activate, yes. Although it doesn't fix your problem at hand, it's just a force of habit for me to pull the ranges for countries that I would never have any intention of interfacing with (knowing that all my origination and termination IPs for my providers are stateside) and either block them at my hardware firewall level (in the case of a physical PBX deployment) or block the whole /8s in iptables for a cloud instance.

Might be something you want to look into if you don't have out-of-country connection needs.

chris_c_ (Active Member)
CentOS 7
Code:
$ cat /etc/rc.d/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# that this script will be executed during boot.

touch /var/lock/subsys/local
sleep 5
/usr/local/sbin/gui-fix
sleep 5
/usr/local/sbin/iptables-restart
/usr/sbin/faxgetty -D ttyIAX0
/usr/sbin/faxgetty -D ttyIAX1
/usr/sbin/faxgetty -D ttyIAX2
/usr/sbin/faxgetty -D ttyIAX3
exit 0
EDIT: Confirmed bug.
Upon reboot, persistent attacks continue from hst-188-214-128-126.balticservers.eu of Lithuania, owned by Cherry Servers of London, UK.
Firewall is obviously down.

Code:
[2016-09-02 12:20:26] NOTICE[2874] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"205" <sip:205@incrediblepbx ip>' failed for '188.214.128.126:42266' (callid: 40cb997db24806754ad0079c36bda8f1) - Failed to authenticate
[2016-09-02 12:20:26] NOTICE[2874] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"205" <sip:205@incrediblepbx ip>' failed for '188.214.128.126:42266' (callid: 40cb997db24806754ad0079c36bda8f1) - Failed to authenticate
[2016-09-02 12:20:26] ERROR[2873] pjproject:    sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:42266 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:incrediblepbx ip SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:42266;branch=z9hG4bK67079cb0ab19304dd62c6d5ad45915c1f0a6b469ee0c1ce5bf92da4f9cb6d0
Call-id: 40cb997db24806754ad0079c36bda8f1
Contact: 205 <sip:205@188.214.128.126:42266>
Expires: 1800
From: 205 <sip:205@incrediblepbx ip>;tag=093096423d25fc755b72e7a8c2a4b62e
Max-forwards: 70
To: 205 <sip:205@incrediblepbx ip>
Authorization: Digest username="205",realm="asterisk",nonce="1472833224/ba110f3061f3d7a597f779ec04785637",uri="sip:incrediblepbx ip",response="cf6bc95609c3603161a8101dbd49e67f",opaque="0dd6a07c205895a9",cnonce="47dddf50",qop=auth,nc=00000001
Authorization: Digest username="205",realm="asterisk",nonce="1472833226/44ccbda33cdb01cf79202dbe8c2639a7",uri="sip:incrediblepbx ip",response="448c0aa942ec121bc16539e9caf9d09a",opaque="75346791753efcec",cnonce="64c19cb2",qop=auth,nc=00000001
Authorization: Digest username="205",realm="asterisk",nonce="1472833226/44ccbda33cdb01cf79202dbe8c2639a7"
[2016-09-02 12:20:27] ERROR[2873] pjproject:    sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:42266 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:incrediblepbx ip SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:42266;branch=z9hG4bK67079cb0ab19304dd62c6d5ad45915c1f0a6b469ee0c1ce5bf92da4f9cb6d0
Call-id: 40cb997db24806754ad0079c36bda8f1
Contact: 205 <sip:205@188.214.128.126:42266>
Expires: 1800
From: 205 <sip:205@incrediblepbx ip>;tag=093096423d25fc755b72e7a8c2a4b62e
Max-forwards: 70
To: 205 <sip:205@incrediblepbx ip>
Authorization: Digest username="205",realm="asterisk",nonce="1472833224/ba110f3061f3d7a597f779ec04785637",uri="sip:incrediblepbx ip",response="cf6bc95609c3603161a8101dbd49e67f",opaque="0dd6a07c205895a9",cnonce="47dddf50",qop=auth,nc=00000001
Authorization: Digest username="205",realm="asterisk",nonce="1472833226/44ccbda33cdb01cf79202dbe8c2639a7",uri="sip:incrediblepbx ip",response="448c0aa942ec121bc16539e9caf9d09a",opaque="75346791753efcec",cnonce="64c19cb2",qop=auth,nc=00000001
Authorization: Digest username="205",realm="asterisk",nonce="1472833226/44ccbda33cdb01cf79202dbe8c2639a7"
[2016-09-02 12:20:29] ERROR[2873] pjproject:    sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:42266 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:incrediblepbx ip SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:42266;branch=z9hG4bK67079cb0ab19304dd62c6d5ad45915c1f0a6b469ee0c1ce5bf92da4f9cb6d0
Call-id: 40cb997db24806754ad0079c36bda8f1
Contact: 205 <sip:205@188.214.128.126:42266>
Expires: 1800
From: 205 <sip:205@incrediblepbx ip>;tag=093096423d25fc755b72e7a8c2a4b62e
Max-forwards: 70
To: 205 <sip:205@incrediblepbx ip>
Authorization: Digest username="205",realm="asterisk",nonce="1472833224/ba110f3061f3d7a597f779ec04785637",uri="sip:incrediblepbx ip",response="cf6bc95609c3603161a8101dbd49e67f",opaque="0dd6a07c205895a9",cnonce="47dddf50",qop=auth,nc=00000001
Authorization: Digest username="205",realm="asterisk",nonce="1472833224/ba110f3061f3d7a597f779ec04785637",uri="sip:incrediblepbx ip",response="9db1e0144c3e3095a5e38c7e39321b28",opaque="0d725b4070fa004d",cnonce="30ca983a",qop=auth,nc=00000001
[2016-09-02 12:25:20] NOTICE[2874] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"301" <sip:301@incrediblepbx ip>' failed for '217.172.189.5:5099' (callid: cb441b3d97f06521375fb5afb5bd5ca5) - No matching endpoint found
[2016-09-02 12:25:20] NOTICE[2874] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"301" <sip:301@incrediblepbx ip>' failed for '217.172.189.5:5099' (callid: cb441b3d97f06521375fb5afb5bd5ca5) - Failed to authenticate
[2016-09-02 12:25:50] NOTICE[2874] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"1014" <sip:1014@incrediblepbx ip>' failed for '217.172.189.5:5091' (callid: e4fb3dc54f00b9c270627b0b7cf89b7d) - No matching endpoint found

wardmundy (Nerd Uno)
@chris_c_: What do you see if you run iptables-restart manually? What does iptables -nL show after running it? Is this your CentOS 7, 32-bit server??

chris_c_ (Active Member)
@wardmundy
CentOS 7 32-bit.

When you run iptables-restart manually, the persistent attacks are blocked and stop.
Code:
~$ iptables-restart
Redirecting to /bin/systemctl restart  iptables.service
Redirecting to /bin/systemctl restart  iptables.service
No IPtables problems found.
IPtables now running.
Redirecting to /bin/systemctl restart  fail2ban.service
NOTE: the installer has placed 2 DIFFERENT copies of iptables-restart on the system.
Code:
/root/iptables-restart
/usr/local/sbin/iptables-restart
The one in /usr/local/sbin contains additional lines of code.

iptables -nL is nearly empty until you manually run iptables-restart; then it's full of rules allowing some SIP providers.

wardmundy (Nerd Uno)
It looks like the one you just ran is in /usr/local/sbin, which would be the one that's run by rc.local. I think I would increase the sleep 5 numbers in rc.local to 30 just to see if that fixes the problem. Then watch the CLI during a reboot. Sounds like your network is not yet online when iptables-restart is run.

chris_c_ (Active Member)
@wardmundy The one in /usr/local/sbin already does a sleep 10.
Code:
~# cat /usr/local/sbin/iptables-restart
#!/bin/bash
TEST=`service iptables restart | grep fail`
if [[ -z $TEST ]]; then
    service iptables restart
    echo "No IPtables problems found."
    echo "IPtables now running."
else
    iptables-restore /etc/iptables/rules.v4 2>/tmp/errorfile
    TEST=`cat /tmp/errorfile`
    while [[ "$TEST" == *Error* ]]; do
        LINENUM=`cat /tmp/errorfile | cut -f 2 -d ":" | tail -2 | head -n 1 | tr -d ' '`
        FQDN=`cat /tmp/errorfile | cut -f 1 -d "'" | head -n 1 | cut -f 4 -d " "`
        echo " "
        echo "******** 10-SECOND WARNING ALERT ***********"
        echo "IPtables FQDN problem on line: $LINENUM"
        echo "The unresolvable FQDN is $FQDN."
        echo "This rule will be temporarily disabled to allow IPtables to start."
        echo "Check and correct line $LINENUM in /etc/iptables/rules.v4."
        echo "******** 10-SECOND WARNING ALERT ***********"
        echo " "
        sed -i "$LINENUM s:^:#***:" /etc/iptables/rules.v4
        sleep 10
        iptables-restore /etc/iptables/rules.v4 2>/tmp/errorfile
        TEST=`cat /tmp/errorfile`
    done
    service iptables restart
    sed -i 's|#\*\*\*||' /etc/iptables/rules.v4
    echo "IPtables problems noted above were temporarily fixed."
    echo "Fix the problems identified in /etc/iptables/rules.v4"
    echo "IPtables now running without the offending rules(s)."
fi
service fail2ban restart
It's a KVM VPS which gets a static IP via DHCP, a common setup.

chris_c_ (Active Member)
@wardmundy
Even 30 seconds fails to activate iptables. The iptables service is running, but the SIP provider rules are not loaded.
See below for some log items.
Robo attack from server loft9484.serverprofi24.com, managed by PlusServer.SE AS of Sweden, located at hosteurope.de in Frankfurt, Germany.
Code:
[2016-09-02 14:40:19] NOTICE[2853] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"admin" <sip:admin@incrediblepbx ip4>' failed for '217.172.189.5:5076' (callid: 853d31e57c0ef0fc437d4a7ca8a2971d) - Failed to authenticate
[2016-09-02 14:40:46] NOTICE[2853] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"111" <sip:111@incrediblepbx ip4>' failed for '217.172.189.5:5093' (callid: d564e2ec462f194f8ef1e2ac0da959f0) - No matching endpoint found

wardmundy (Nerd Uno)
Sorry. I was referring to the rc.local file. That's the one where you need to adjust the timing, not the iptables-restart file.

As I told you before, you're using an unsupported OS on a KVM. In the past year, yours is the first reported IPtables problem. And this problem would show up on everyone's status dashboard.

By the way, do you have FQDNs in your IPtables WhiteList??

jerrm (Guru)
@wardmundy
Even 30 seconds fails to activate iptables. The iptables service is running, but the SIP provider rules are not loaded.
See below for some log items.
Robo attack from server loft9484.serverprofi24.com, managed by PlusServer.SE AS of Sweden, located at hosteurope.de in Frankfurt, Germany.
Code:
[2016-09-02 14:40:19] NOTICE[2853] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"admin" <sip:admin@incrediblepbx ip4>' failed for '217.172.189.5:5076' (callid: 853d31e57c0ef0fc437d4a7ca8a2971d) - Failed to authenticate
[2016-09-02 14:40:46] NOTICE[2853] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"111" <sip:111@incrediblepbx ip4>' failed for '217.172.189.5:5093' (callid: d564e2ec462f194f8ef1e2ac0da959f0) - No matching endpoint found
Is rc.local enabled? It is not by default on CentOS 7, and I don't see it being enabled in the main install script.

Even if rc.local is not enabled, rules should load before rc.local would normally process (and before the interfaces are brought up), but if there is an error in the rules file they won't load at all.

Post /etc/sysconfig/iptables with as little sanitization as possible.
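Following on from the FQDN question and the point that one bad line keeps the whole rules file from loading, here is an added pre-flight check for an iptables-save style file such as /etc/sysconfig/iptables. It is example code, not from the thread or from Incredible PBX; the hostname pbx.example.invalid and the sample rules it writes are constructed.

```shell
#!/bin/sh
# check-iptables-rules.sh (added example; not code from the thread or from Incredible PBX).
# Pre-flight check for an iptables-save style file such as /etc/sysconfig/iptables:
# every -s/-d argument that is a hostname rather than an IPv4 address or CIDR must be
# resolved by iptables-restore, and one unresolvable name rejects the whole file, so a
# boot-time load that runs before DNS is reachable leaves the box with no rules at all.

# Return 0 if $1 is an IPv4 address or CIDR (a.b.c.d or a.b.c.d/n), else 1.
# Subshell body: IFS and the variables stay local to the check.
is_ipv4_or_cidr() (
    case $1 in
        */*) ip=${1%/*}; mask=${1#*/} ;;
        *)   ip=$1; mask=32 ;;
    esac
    case $mask in ''|*[!0-9]*) exit 1 ;; esac
    [ "$mask" -le 32 ] || exit 1
    IFS=.
    set -- $ip
    [ $# -eq 4 ] || exit 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) exit 1 ;; esac
        [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# Print "LINE:ARGUMENT" for each -s/-d argument in FILE ($1) that is not an IPv4
# address or CIDR, i.e. a name iptables-restore would have to resolve at load time.
find_hostname_rules() {
    file=$1 n=0
    while IFS= read -r line; do
        n=$((n + 1))
        # Skip blanks, comments, table headers (*filter), chain policies (:INPUT) and COMMIT.
        case $line in ''|'#'*|':'*|'*'*|COMMIT) continue ;; esac
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -s|--source|--src|-d|--destination|--dst)
                    shift
                    [ $# -gt 0 ] || break
                    if [ "$1" = "!" ]; then   # "-s ! host" negation form
                        shift
                        [ $# -gt 0 ] || break
                    fi
                    is_ipv4_or_cidr "$1" || printf '%d:%s\n' "$n" "$1" ;;
            esac
            shift
        done
    done < "$file"
    return 0
}

# Return 0 when FILE ($1) has no hostname-based rules and can be restored before DNS is up.
rules_file_safe_for_boot() {
    [ -z "$(find_hostname_rules "$1")" ]
}

# Print the filter table's INPUT chain policy from an iptables-save dump ($1).
# After a failed restore the live dump (iptables-save) shows ACCEPT here instead of DROP.
filter_input_policy() {
    awk '/^\*/ { table = substr($1, 2) }
         table == "filter" && $1 == ":INPUT" { print $2; exit }' "$1"
}

# Write a constructed sample modelled on the thread's whitelist and print its path.
make_sample_rules() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s 64.2.142.215/32 -p udp -m multiport --dports 5060:5069,4569 -j ACCEPT
# // New entry for pbx.example.invalid-ssh.iptables (a hostname, not an address)
-A INPUT -s pbx.example.invalid -j ACCEPT
-A INPUT -p tcp -m tcp -s pbx.example.invalid --dport 9001 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
-A INPUT ! -s 10.0.0.0/8 -p udp -m udp --dport 5060 -j DROP
COMMIT
EOF
    printf '%s\n' "$f"
}

# Demo on the constructed sample; point the functions at /etc/sysconfig/iptables for real use.
sample=$(make_sample_rules)
printf 'filter INPUT policy: %s\n' "$(filter_input_policy "$sample")"
if rules_file_safe_for_boot "$sample"; then
    echo "No hostname-based rules: safe to restore before the network is up."
else
    echo "Hostname-based rules (line:argument); use IP addresses or load these after DNS is up:"
    find_hostname_rules "$sample"
fi
rm -f "$sample"
```

Running the same functions over the live `iptables-save` output after a reboot shows at a glance whether the INPUT policy is still DROP or the load silently failed.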

wardmundy (Nerd Uno)
To restate my previous question, what does the CLI show during the boot process? I think we've already established that IPtables works fine if you manually run iptables-restart.

chris_c_ (Active Member)
@wardmundy The craziest part is, why on earth isn't fail2ban auto-blocking the robo-hack IP address?? After 1000 failed login attempts in 2 hours from the same hacker server in Lithuania, it really should just block that IP.

wardmundy (Nerd Uno)
iptables-restart starts both IPtables and Fail2Ban.

chris_c_ (Active Member)
Post /etc/sysconfig/iptables with as little sanitization as possible.
Part 1 of 2.
Code:
~$ cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Mar  2 10:36:08 2012
*nat
:PREROUTING ACCEPT [7:608]
:POSTROUTING ACCEPT [36:2319]
:OUTPUT ACCEPT [36:2319]
COMMIT
# Completed on Fri Mar  2 10:36:08 2012
# Generated by iptables-save v1.4.7 on Fri Mar  2 10:36:08 2012
*mangle
:PREROUTING ACCEPT [1103:1400664]
:INPUT ACCEPT [1102:1400632]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [656:59330]
:POSTROUTING ACCEPT [656:59330]
COMMIT
# Completed on Fri Mar  2 10:36:08 2012
# Generated by iptables-save v1.3.5 on Tue Apr  1 11:35:49 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 9999:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32976 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9022 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 83 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
# Opening up unlimited SIP access can be very dangerous
# Commented next entry locks SIP down to Trusted Providers
#-A INPUT -p udp -m udp --dport 5050:5082 -j ACCEPT
# Here's the Incredible PBX list of SIP Trusted Providers
-A INPUT -s 64.2.142.215/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.216/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.9/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.17/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.18/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.29/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.87/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.106/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.107/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.109/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.111/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.187/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.188/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.189/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.190/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.214/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.26/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 199.101.184.146/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 174.34.146.162/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 173.208.83.50/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 74.54.54.178/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 209.62.1.2/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 67.215.241.250/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 74.63.41.218/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 69.147.236.82/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 68.233.226.97/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 67.205.74.184/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 67.205.74.187/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 174.137.63.206/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 174.137.63.202/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 5.77.36.136/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 204.11.192.32/30 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 204.155.28.10/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.136.174.24/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.136.174.24/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.34.181.47/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 69.90.174.98/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 85.17.186.7/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
-A INPUT -s 81.23.228.129/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
-A INPUT -s 67.228.182.2/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
-A INPUT -s 64.251.23.244/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 85.17.148.32/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 63.211.239.14/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 63.247.78.218/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 8.3.252.23/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 8.14.120.23/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 8.17.37.23/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 66.54.140.46/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 66.54.140.47/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
# and a few more...
-A INPUT -s 64.62.236.143/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 24.211.64.206/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 199.30.56.194/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 209.216.15.70/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 209.216.2.211/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 184.154.97.11/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 81.23.228.150/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 81.23.228.150/32 -p tcp -m tcp --dport 5060:5069 -j ACCEPT
-A INPUT -s 65.254.44.194/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 74.81.71.18/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 50.22.101.14/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 67.212.84.21/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 176.9.39.206/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 72.9.149.25/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 50.22.102.242/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 98.254.157.185/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 178.63.143.236/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 98.254.157.185/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 64.2.142.26/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
# End of Trusted Provider Section

chris_c_ (Active Member)
Part 2 of 2.
Code:
# // New entry for (myfqdn)-ssh.iptables
-A INPUT -s (myfqdn) -j ACCEPT
# // End entry for (myfqdn)-ssh.iptables
# // New entry for (myfqdn).iptables
-A INPUT -p tcp -m tcp -s (myfqdn) --dport 9001 -j ACCEPT
# // End entry for (myfqdn).iptables
# Kitchen Sink entries below give full access to all server ports
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT
# The 172 subnet leaves a security hole on Amazon EC2 so it's disabled
#-A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
# next 3 entries are your server, user, and public IP addresses
# this is a snapshot of where you were when you installed Incredible PBX
# It assures that you can log back in from there once we lock down IPtables
# NO RESTRICTIONS are placed on these 3 addresses or private LAN subnets!
# The IP addresses are your server, user, and public addresses respectively
-A INPUT -s (myserveripv4) -j ACCEPT
-A INPUT -s (myclientipv4) -j ACCEPT
-A INPUT -s (myserveripv4) -j ACCEPT
# your own additions go above here
COMMIT
# Generated by iptables-save v1.3.5 on Tue Apr  1 11:35:49 2014
Side Note: "(myfqdn)" is the FQDN from the machine this install was backed up from. That should cause no problem because the FQDN hostname is still valid, but it's NOT the hostname of this VPS server. Probably a bug, however, that needs fixing in incrediblebackup and restore: it should be sed'ed and replaced with the currently detected FQDN hostname.

dicko (Still learning but earning)
@chris_c_

There is NEVER (EVER!!!) a good reason to rely on DHCP to be authoritative for your PBX's IP address. ALWAYS (I MEAN ALWAYS) use a static IP within your underlying network, and ALWAYS use a hardwired DNS server, probably 127.0.0.1 if you have dnsmasq running and properly configured, with 8.8.8.8 added as a backup. If you do it that way, then Asterisk and your network will recover as soon as your up-line network also recovers.

chris_c_ (Active Member)
Even if rc.local is not enabled, rules should load before rc.local would normally process (and before the interfaces are brought up), but if there is an error in the rules file they won't load at all.
I agree. IPTables is a service. It's meant to start up all by itself and load the rules from /etc/sysconfig/iptables all by itself, with zero dependence on further scripting commands from rc.local.