SOLVED after reboot firewall is wide open

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
Persistent robo-hack attempts from Germany and the Baltic states.

On reboot, isn't the iptables firewall supposed to activate automatically?

Code:
[2016-09-01 19:42:05] NOTICE[9284] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"111" <sip:111@(ipbx server public ipv4 address)>' failed for '217.172.189.5:5104' (callid: b9c526e62df6564ad5fd6062b9f86d7e) - No matching endpoint found
[2016-09-01 19:42:05] NOTICE[9284] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"111" <sip:111@(ipbx server public ipv4 address)>' failed for '217.172.189.5:5104' (callid: b9c526e62df6564ad5fd6062b9f86d7e) - Failed to authenticate
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [011442032390179@from-sip-external:1] NoOp("SIP/(incrediblepbx ipv4)-00000055", "Received incoming SIP connection from unknown peer to 011442032390179") in new stack
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [011442032390179@from-sip-external:2] Set("SIP/(incrediblepbx ipv4)-00000055", "DID=011442032390179") in new stack
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [011442032390179@from-sip-external:3] Goto("SIP/(incrediblepbx ipv4)-00000055", "s,1") in new stack
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx_builtins.c: Goto (from-sip-external,s,1)
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:1] GotoIf("SIP/(incrediblepbx ipv4)-00000055", "0?checklang:noanonymous") in new stack
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx_builtins.c: Goto (from-sip-external,s,5)
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:5] Set("SIP/(incrediblepbx ipv4)-00000055", "TIMEOUT(absolute)=15") in new stack
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] func_timeout.c: Channel will hangup at 2016-09-01 19:49:12.726 EDT.
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:6] Log("SIP/(incrediblepbx ipv4)-00000055", "WARNING,"Rejecting unknown SIP connection from 178.238.230.63"") in new stack
[2016-09-01 19:48:57] WARNING[13578][C-00000074] Ext. s: "Rejecting unknown SIP connection from 178.238.230.63"
[2016-09-01 19:48:57] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:7] Answer("SIP/(incrediblepbx ipv4)-00000055", "") in new stack
[2016-09-01 19:48:58] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:8] Wait("SIP/(incrediblepbx ipv4)-00000055", "2") in new stack
[2016-09-01 19:49:00] VERBOSE[13578][C-00000074] file.c: <SIP/(incrediblepbx ipv4)-00000055> Playing 'ss-noservice.gsm' (language 'en')
[2016-09-01 19:49:05] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:10] PlayTones("SIP/(incrediblepbx ipv4)-00000055", "congestion") in new stack
[2016-09-01 19:49:05] VERBOSE[13578][C-00000074] pbx.c: Executing [s@from-sip-external:11] Congestion("SIP/(incrediblepbx ipv4)-00000055", "5") in new stack
[2016-09-01 19:49:10] VERBOSE[13578][C-00000074] pbx.c: Spawn extension (from-sip-external, s, 11) exited non-zero on 'SIP/(incrediblepbx ipv4)-00000055'
[2016-09-01 19:49:10] VERBOSE[13578][C-00000074] pbx.c: Executing [h@from-sip-external:1] Hangup("SIP/(incrediblepbx ipv4)-00000055", "") in new stack
[2016-09-01 19:49:10] VERBOSE[13578][C-00000074] pbx.c: Spawn extension (from-sip-external, h, 1) exited non-zero on 'SIP/(incrediblepbx ipv4)-00000055'
[2016-09-01 19:49:29] WARNING[18658] chan_sip.c: Retransmission timeout reached on transmission 87fbf9f2d5bcdb8c52185c8737d04112 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2016-09-01 19:53:01] NOTICE[10836] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"1001" <sip:1001@(incrediblepbx ipv4)>' failed for '217.172.189.5:5082' (callid: ab6ff91911077c4520d0b8bbee7951c6) - No matching endpoint found
[2016-09-01 19:53:01] NOTICE[10836] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"1001" <sip:1001@(incrediblepbx ipv4)>' failed for '217.172.189.5:5082' (callid: ab6ff91911077c4520d0b8bbee7951c6) - Failed to authenticate
[2016-09-01 19:53:01] NOTICE[8478] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"1001" <sip:1001@(incrediblepbx ipv4)>' failed for '217.172.189.5:5082' (callid: ab6ff91911077c4520d0b8bbee7951c6) - Failed to authenticate
[2016-09-01 20:13:55] ERROR[18610] pjproject:  sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:43602 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:(incrediblepbx ipv4) SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:43602;branch=z9hG4bKcf07e88f09458acd83820582f5701c7c41d8006eeb836bcc11ab783597a3c4
Call-id: eb6e6e5e675ea0de6d016974aa3a5635
Contact: 193 <sip:[email protected]:43602>
Expires: 1800
From: 193 <sip:193@(incrediblepbx ipv4)>;tag=75d3e5b785a0bb0fd0baf219edd6edba
Max-forwards: 70
To: 193 <sip:193@(incrediblepbx ipv4)>
Authorization: Digest username="193",realm="asterisk",nonce="1472775233/b4f6659e46453eb056669eb9c79659bf",uri="sip:(incrediblepbx ipv4)",response="b7a54d87114b91c4f8064ffb048adc34",opaque="6c407cd52e80d68f",cnonce="30ca983a",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775234/db2b75368fec70c83186d9ded12d22a8",uri="sip:(incrediblepbx ipv4)",response="ae98ebe86f49092e8d837ff8c1921b88",opaque="408377f4573e99fb",cnonce="c2afdbf2",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775235/e1ef77fe5be6f8ec1dc819d706545359",uri="sip:(incrediblepbx ipv4)",response="0b7ec6d19554f0f33848e6211762a48d",opaque="2f066a46728dfed8",cnonce="64c19cb2",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775235/e1ef77fe5be6f8ec1dc819d706545359"
[2016-09-01 20:13:56] ERROR[18610] pjproject:  sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:43602 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:(incrediblepbx ipv4) SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:43602;branch=z9hG4bKcf07e88f09458acd83820582f5701c7c41d8006eeb836bcc11ab783597a3c4
Call-id: eb6e6e5e675ea0de6d016974aa3a5635
Contact: 193 <sip:[email protected]:43602>
Expires: 1800
From: 193 <sip:193@(incrediblepbx ipv4)>;tag=75d3e5b785a0bb0fd0baf219edd6edba
Max-forwards: 70
To: 193 <sip:193@(incrediblepbx ipv4)>
Authorization: Digest username="193",realm="asterisk",nonce="1472775233/b4f6659e46453eb056669eb9c79659bf",uri="sip:(incrediblepbx ipv4)",response="0c879a6ab7eacfab673328ce4141ec0c",opaque="4bbce2f02cb6d38e",cnonce="47dddf50",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775234/db2b75368fec70c83186d9ded12d22a8",uri="sip:(incrediblepbx ipv4)",response="9477c496da98b43480e3d1f5c1deec00",opaque="0cd89f765670d2a0",cnonce="2867ee16",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775235/e1ef77fe5be6f8ec1dc819d706545359",uri="sip:(incrediblepbx ipv4)",response="0b7ec6d19554f0f33848e6211762a48d",opaque="2f066a46728dfed8",cnonce="64c19cb2",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775235/e1ef77fe5be6f8ec1dc819d706545359"
[2016-09-01 20:13:57] WARNING[18658] chan_sip.c: Retransmission timeout reached on transmission 8c6edcf233b6ca114578f3fdc70a252b for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2016-09-01 20:13:58] ERROR[18610] pjproject:  sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:43602 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:(incrediblepbx ipv4) SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:43602;branch=z9hG4bKcf07e88f09458acd83820582f5701c7c41d8006eeb836bcc11ab783597a3c4
Call-id: eb6e6e5e675ea0de6d016974aa3a5635
Contact: 193 <sip:[email protected]:43602>
Expires: 1800
From: 193 <sip:193@(incrediblepbx ipv4)>;tag=75d3e5b785a0bb0fd0baf219edd6edba
Max-forwards: 70
To: 193 <sip:193@(incrediblepbx ipv4)>
Authorization: Digest username="193",realm="asterisk",nonce="1472775233/b4f6659e46453eb056669eb9c79659bf",uri="sip:(incrediblepbx ipv4)",response="0c879a6ab7eacfab673328ce4141ec0c",opaque="4bbce2f02cb6d38e",cnonce="47dddf50",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775233/b4f6659e46453eb056669eb9c79659bf",uri="sip:(incrediblepbx ipv4)",response="e2e2d894b54726650fd127f5be7fb94e",opaque="7f04076728757215",cnonce="16a478b4",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775234/db2b75368fec70c83186d9ded12d22a8",uri="sip:(incrediblepbx ipv4)",response="ae98ebe86f49092e8d837ff8c1921b88",opaque="408377f4573e99fb",cnonce="c2afdbf2",qop=auth,nc=00000001
Authorization: Digest username="193",realm="asterisk",nonce="1472775234/db2b75368fec70c83186d9ded12d22a8",uri="sip:(incrediblepbx ipv4)",response="31f3140264cccb2eb01d67b2d0596344",opaque="426f5c21222cf5f4",cnonce="f17e1fdb",qop=auth,nc=00000001
[2016-09-01 20:22:12] NOTICE[17339] chan_skinny.c: Starting Skinny session from 213.202.233.58
[2016-09-01 20:22:12] WARNING[17339] chan_skinny.c: Skinny packet too large (542393675 bytes), max length(2000 bytes)
[2016-09-01 20:22:12] NOTICE[17339] chan_skinny.c: Skinny Session returned: Success
[2016-09-01 20:22:12] NOTICE[17339] chan_skinny.c: Ending Skinny session from unknown at 213.202.233.58
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Which platform and what does /etc/init.d/rc.local look like? iptables-restart should be last in the boot sequence.
 

simplydrew

Member
Joined
Feb 19, 2012
Messages
92
Reaction score
4
Should automatically activate, yes. Although it doesn't fix your problem at hand, it's just a force of habit for me to pull the ranges for countries that I would never have any intention of interfacing with (knowing that all my origination and termination IPs for my providers are stateside) and either block them at my hardware firewall level (in the case of a physical PBX deployment), or block the whole /8's in iptables for a cloud instance.

Might be something you want to look into, if you don't have out of country connection needs.
 

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
CentOS 7
Code:
$ cat /etc/rc.d/rc.local
#!/bin/bash
# THIS FILE IS ADDED FOR COMPATIBILITY PURPOSES
#
# It is highly advisable to create own systemd services or udev rules
# to run scripts during boot instead of using this file.
#
# In contrast to previous versions due to parallel execution during boot
# this script will NOT be run after all other services.
#
# Please note that you must run 'chmod +x /etc/rc.d/rc.local' to ensure
# that this script will be executed during boot.

touch /var/lock/subsys/local
sleep 5
/usr/local/sbin/gui-fix
sleep 5
/usr/local/sbin/iptables-restart
/usr/sbin/faxgetty -D ttyIAX0
/usr/sbin/faxgetty -D ttyIAX1
/usr/sbin/faxgetty -D ttyIAX2
/usr/sbin/faxgetty -D ttyIAX3
exit 0

EDIT: Confirmed bug.
Upon reboot, persistent attacks continue, from hst-188-214-128-126.balticservers.eu of Lithuania, owned by Cherry Servers of London UK.
Firewall is obviously down.

Code:
[2016-09-02 12:20:26] NOTICE[2874] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"205" <sip:205@incrediblepbx ip>' failed for '188.214.128.126:42266' (callid: 40cb997db24806754ad0079c36bda8f1) - Failed to authenticate
[2016-09-02 12:20:26] NOTICE[2874] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"205" <sip:205@incrediblepbx ip>' failed for '188.214.128.126:42266' (callid: 40cb997db24806754ad0079c36bda8f1) - Failed to authenticate
[2016-09-02 12:20:26] ERROR[2873] pjproject:    sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:42266 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:incrediblepbx ip SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:42266;branch=z9hG4bK67079cb0ab19304dd62c6d5ad45915c1f0a6b469ee0c1ce5bf92da4f9cb6d0
Call-id: 40cb997db24806754ad0079c36bda8f1
Contact: 205 <sip:[email protected]:42266>
Expires: 1800
From: 205 <sip:205@incrediblepbx ip>;tag=093096423d25fc755b72e7a8c2a4b62e
Max-forwards: 70
To: 205 <sip:205@incrediblepbx ip>
Authorization: Digest username="205",realm="asterisk",nonce="1472833224/ba110f3061f3d7a597f779ec04785637",uri="sip:incrediblepbx ip",response="cf6bc95609c3603161a8101dbd49e67f",opaque="0dd6a07c205895a9",cnonce="47dddf50",qop=auth,nc=00000001
Authorization: Digest username="205",realm="asterisk",nonce="1472833226/44ccbda33cdb01cf79202dbe8c2639a7",uri="sip:incrediblepbx ip",response="448c0aa942ec121bc16539e9caf9d09a",opaque="75346791753efcec",cnonce="64c19cb2",qop=auth,nc=00000001
Authorization: Digest username="205",realm="asterisk",nonce="1472833226/44ccbda33cdb01cf79202dbe8c2639a7"
[2016-09-02 12:20:27] ERROR[2873] pjproject:    sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:42266 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:incrediblepbx ip SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:42266;branch=z9hG4bK67079cb0ab19304dd62c6d5ad45915c1f0a6b469ee0c1ce5bf92da4f9cb6d0
Call-id: 40cb997db24806754ad0079c36bda8f1
Contact: 205 <sip:[email protected]:42266>
Expires: 1800
From: 205 <sip:205@incrediblepbx ip>;tag=093096423d25fc755b72e7a8c2a4b62e
Max-forwards: 70
To: 205 <sip:205@incrediblepbx ip>
Authorization: Digest username="205",realm="asterisk",nonce="1472833224/ba110f3061f3d7a597f779ec04785637",uri="sip:incrediblepbx ip",response="cf6bc95609c3603161a8101dbd49e67f",opaque="0dd6a07c205895a9",cnonce="47dddf50",qop=auth,nc=00000001
Authorization: Digest username="205",realm="asterisk",nonce="1472833226/44ccbda33cdb01cf79202dbe8c2639a7",uri="sip:incrediblepbx ip",response="448c0aa942ec121bc16539e9caf9d09a",opaque="75346791753efcec",cnonce="64c19cb2",qop=auth,nc=00000001
Authorization: Digest username="205",realm="asterisk",nonce="1472833226/44ccbda33cdb01cf79202dbe8c2639a7"
[2016-09-02 12:20:29] ERROR[2873] pjproject:    sip_transport. Error processing 4000 bytes packet from UDP 188.214.128.126:42266 : PJSIP syntax error exception when parsing 'C' header on line 25 col 2:
REGISTER sip:incrediblepbx ip SIP/2.0
Via: SIP/2.0/UDP 188.214.128.126:42266;branch=z9hG4bK67079cb0ab19304dd62c6d5ad45915c1f0a6b469ee0c1ce5bf92da4f9cb6d0
Call-id: 40cb997db24806754ad0079c36bda8f1
Contact: 205 <sip:[email protected]:42266>
Expires: 1800
From: 205 <sip:205@incrediblepbx ip>;tag=093096423d25fc755b72e7a8c2a4b62e
Max-forwards: 70
To: 205 <sip:205@incrediblepbx ip>
Authorization: Digest username="205",realm="asterisk",nonce="1472833224/ba110f3061f3d7a597f779ec04785637",uri="sip:incrediblepbx ip",response="cf6bc95609c3603161a8101dbd49e67f",opaque="0dd6a07c205895a9",cnonce="47dddf50",qop=auth,nc=00000001
Authorization: Digest username="205",realm="asterisk",nonce="1472833224/ba110f3061f3d7a597f779ec04785637",uri="sip:incrediblepbx ip",response="9db1e0144c3e3095a5e38c7e39321b28",opaque="0d725b4070fa004d",cnonce="30ca983a",qop=auth,nc=00000001
[2016-09-02 12:25:20] NOTICE[2874] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"301" <sip:301@incrediblepbx ip>' failed for '217.172.189.5:5099' (callid: cb441b3d97f06521375fb5afb5bd5ca5) - No matching endpoint found
[2016-09-02 12:25:20] NOTICE[2874] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"301" <sip:301@incrediblepbx ip>' failed for '217.172.189.5:5099' (callid: cb441b3d97f06521375fb5afb5bd5ca5) - Failed to authenticate
[2016-09-02 12:25:50] NOTICE[2874] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"1014" <sip:1014@incrediblepbx ip>' failed for '217.172.189.5:5091' (callid: e4fb3dc54f00b9c270627b0b7cf89b7d) - No matching endpoint found
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
@chris_c_: What do you see if you run iptables-restart manually? What does iptables -nL show after running it? Is this your CentOS 7, 32-bit server??
 

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
@wardmundy
CentOS 7 32-bit.

When you run iptables-restart manually, the persistent attacks are blocked and stop.
Code:
~$ iptables-restart
Redirecting to /bin/systemctl restart  iptables.service
Redirecting to /bin/systemctl restart  iptables.service
No IPtables problems found.
IPtables now running.
Redirecting to /bin/systemctl restart  fail2ban.service

NOTE the installer has placed 2 DIFFERENT copies of iptables-restart on the system.
Code:
/root/iptables-restart
/usr/local/sbin/iptables-restart
The one in /usr/local/sbin contains additional lines of code.

iptables -nL is nearly empty, until you manually run iptables-restart, then it's full of rules allowing some sip providers.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
It looks like the one you just ran is in /usr/local/sbin which would be the one that's run by rc.local. I think I would increase the sleep 5 numbers in rc.local to 30 just to see if that fixes the problem. Then watch the CLI during a reboot. Sounds like your network is not yet online when iptables-restart is run.
 

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
@wardmundy The one in /usr/local/sbin already does a sleep 10
Code:
~# cat /usr/local/sbin/iptables-restart
#!/bin/bash
# Try a normal service restart first; its output contains "fail" when a rule will not load.
TEST=$(service iptables restart | grep fail)
if [[ -z $TEST ]]; then
    service iptables restart
    echo "No IPtables problems found."
    echo "IPtables now running."
else
    # Load the rules file directly to capture iptables-restore's error text, then
    # comment out each offending line (an unresolvable FQDN) until the file loads.
    iptables-restore /etc/iptables/rules.v4 2>/tmp/errorfile
    TEST=$(cat /tmp/errorfile)
    while [[ "$TEST" == *Error* ]]; do
        # Line number comes from "Error occurred at line: N"; the FQDN from the quoted host name.
        LINENUM=$(cut -f 2 -d ":" /tmp/errorfile | tail -2 | head -n 1 | tr -d ' ')
        FQDN=$(cut -f 1 -d "'" /tmp/errorfile | head -n 1 | cut -f 4 -d " ")
        echo " "
        echo "******** 10-SECOND WARNING ALERT ***********"
        echo "IPtables FQDN problem on line: $LINENUM"
        echo "The unresolvable FQDN is $FQDN."
        echo "This rule will be temporarily disabled to allow IPtables to start."
        echo "Check and correct line $LINENUM in /etc/iptables/rules.v4."
        echo "******** 10-SECOND WARNING ALERT ***********"
        echo " "
        # Prefix the bad line with a marker comment so it can be restored afterwards.
        sed -i "$LINENUM s:^:#***:" /etc/iptables/rules.v4
        sleep 10
        iptables-restore /etc/iptables/rules.v4 2>/tmp/errorfile
        TEST=$(cat /tmp/errorfile)
    done
    service iptables restart
    # Remove the markers again so the disabled rules are visible for manual repair.
    sed -i 's|#\*\*\*||' /etc/iptables/rules.v4
    echo "IPtables problems noted above were temporarily fixed."
    echo "Fix the problems identified in /etc/iptables/rules.v4"
    echo "IPtables now running without the offending rule(s)."
fi
service fail2ban restart
It's a kvm vps which gets a static IP via DHCP, a common setup.
 

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
@wardmundy
Even 30 seconds fails to activate iptables. The iptables service is running but the sip provider rules are not loaded.
See below for some log items.
Robo attack from server loft9484.serverprofi24.com managed by PlusServer.SE AS of Sweden, located at hosteurope.de in Frankfurt, Germany.
Code:
[2016-09-02 14:40:19] NOTICE[2853] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"admin" <sip:admin@incrediblepbx ip4>' failed for '217.172.189.5:5076' (callid: 853d31e57c0ef0fc437d4a7ca8a2971d) - Failed to authenticate
[2016-09-02 14:40:46] NOTICE[2853] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"111" <sip:111@incrediblepbx ip4>' failed for '217.172.189.5:5093' (callid: d564e2ec462f194f8ef1e2ac0da959f0) - No matching endpoint found
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
Sorry. I was referring to the rc.local file. That's the one where you need to adjust the timing, not the iptables-restart file.

As I told you before, you're using an unsupported OS on a KVM. In the past year, yours is the first reported IPtables problem. And this problem would show up on everyone's status dashboard.

By the way, do you have FQDNs in your IPtables WhiteList??
 

hecatae

resident hecatae
Joined
Feb 7, 2014
Messages
760
Reaction score
199
@chris_c_ please name the hosted provider, I had the same issue with cloud@cost's base centos7 vm
 

jerrm

Guru
Joined
Sep 23, 2015
Messages
838
Reaction score
405
chris_c_ said:
@wardmundy
Even 30 seconds fails to activate iptables. The iptables service is running but the sip provider rules are not loaded.
See below for some log items.
Robo attack from server loft9484.serverprofi24.com managed by PlusServer.SE AS of Sweden, located at hosteurope.de in Frankfurt, Germany.
Code:
[2016-09-02 14:40:19] NOTICE[2853] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"admin" <sip:admin@incrediblepbx ip4>' failed for '217.172.189.5:5076' (callid: 853d31e57c0ef0fc437d4a7ca8a2971d) - Failed to authenticate
[2016-09-02 14:40:46] NOTICE[2853] res_pjsip/pjsip_distributor.c: Request 'INVITE' from '"111" <sip:111@incrediblepbx ip4>' failed for '217.172.189.5:5093' (callid: d564e2ec462f194f8ef1e2ac0da959f0) - No matching endpoint found
Is rc.local enabled? It is not by default on CentOS7 and I don't see it being enabled in the main install script.

Even if rc.local is not enabled, rules should load before rc.local would normally process (and before the interfaces are brought up), but if there is an error in the rules file they won't load at all.

Post /etc/sysconfig/iptables with as little sanitization as possible.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
To restate my previous question, what does the CLI show during the boot process? I think we've already established that IPtables works fine if you manually run iptables-restart.
 

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
@wardmundy The craziest part is, why on earth isn't fail2ban auto-blocking the robo-hack IP address?? After 1000 failed login attempts in 2 hours from the same hacker server in Lithuania, it really should just block that IP.
 

wardmundy

Nerd Uno
Joined
Oct 12, 2007
Messages
19,168
Reaction score
5,199
iptables-restart starts both IPtables and Fail2Ban.
 

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
jerrm said:
Post /etc/sysconfig/iptables with as little sanitization as possible.

Part 1 of 2.
Code:
~$ cat /etc/sysconfig/iptables
# Generated by iptables-save v1.4.7 on Fri Mar  2 10:36:08 2012
*nat
:PREROUTING ACCEPT [7:608]
:POSTROUTING ACCEPT [36:2319]
:OUTPUT ACCEPT [36:2319]
COMMIT
# Completed on Fri Mar  2 10:36:08 2012
# Generated by iptables-save v1.4.7 on Fri Mar  2 10:36:08 2012
*mangle
:PREROUTING ACCEPT [1103:1400664]
:INPUT ACCEPT [1102:1400632]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [656:59330]
:POSTROUTING ACCEPT [656:59330]
COMMIT
# Completed on Fri Mar  2 10:36:08 2012
# Generated by iptables-save v1.3.5 on Tue Apr  1 11:35:49 2014
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --tcp-flags ACK ACK -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -m state --state RELATED -j ACCEPT
-A INPUT -p udp -m udp --sport 53 --dport 9999:65535 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 0 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 3 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 4 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 11 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 12 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 113 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT
-A INPUT -p udp -m udp --dport 4569 -j ACCEPT
-A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 32976 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 4445 -j ACCEPT
-A INPUT -p udp -m udp --dport 123 -j ACCEPT
-A INPUT -p udp -m udp --dport 69 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 9022 -j ACCEPT
-A INPUT -p udp -m udp --dport 5353 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 21 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 83 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 5038 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 9001 -j ACCEPT
#-A INPUT -p tcp -m tcp --dport 9080 -j ACCEPT
# Opening up unlimited SIP access can be very dangerous
# Commented next entry locks SIP down to Trusted Providers
#-A INPUT -p udp -m udp --dport 5050:5082 -j ACCEPT
# Here's the Incredible PBX list of SIP Trusted Providers
-A INPUT -s 64.2.142.215/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.216/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.9/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.17/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.18/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.29/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.87/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.106/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.107/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.109/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.111/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.187/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.188/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.189/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.190/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.214/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.2.142.26/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 199.101.184.146/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 174.34.146.162/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 173.208.83.50/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 74.54.54.178/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 209.62.1.2/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 67.215.241.250/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 74.63.41.218/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 69.147.236.82/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 68.233.226.97/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 67.205.74.184/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 67.205.74.187/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 174.137.63.206/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 174.137.63.202/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 5.77.36.136/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 204.11.192.32/30 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 204.155.28.10/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.136.174.24/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.136.174.24/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 64.34.181.47/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 69.90.174.98/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 85.17.186.7/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
-A INPUT -s 81.23.228.129/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
-A INPUT -s 67.228.182.2/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069 -j ACCEPT
-A INPUT -s 64.251.23.244/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 85.17.148.32/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 63.211.239.14/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 63.247.78.218/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 8.3.252.23/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 8.14.120.23/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 8.17.37.23/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 66.54.140.46/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
-A INPUT -s 66.54.140.47/32 -p udp -m multiport --dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569 -j ACCEPT
# and a few more...
-A INPUT -s 64.62.236.143/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 24.211.64.206/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 199.30.56.194/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 209.216.15.70/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 209.216.2.211/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 184.154.97.11/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 81.23.228.150/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 81.23.228.150/32 -p tcp -m tcp --dport 5060:5069 -j ACCEPT
-A INPUT -s 65.254.44.194/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 74.81.71.18/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 50.22.101.14/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 67.212.84.21/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 176.9.39.206/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 72.9.149.25/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 50.22.102.242/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 98.254.157.185/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 178.63.143.236/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 98.254.157.185/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
-A INPUT -s 64.2.142.26/32 -p udp -m udp --dport 5060:5069 -j ACCEPT
# End of Trusted Provider Section
 

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
Part 2 of 2.
Code:
# // New entry for (myfqdn)-ssh.iptables
-A INPUT -s (myfqdn) -j ACCEPT
# // End entry for (myfqdn)-ssh.iptables
# // New entry for (myfqdn).iptables
-A INPUT -p tcp -m tcp -s (myfqdn) --dport 9001 -j ACCEPT
# // End entry for (myfqdn).iptables
# Kitchen Sink entries below give full access to all server ports
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 127.0.0.0/8 -j ACCEPT
# The 172 subnet leaves a security hole on Amazon EC2 so it's disabled
#-A INPUT -s 172.16.0.0/12 -j ACCEPT
-A INPUT -s 192.168.0.0/16 -j ACCEPT
# next 3 entries are your server, user, and public IP addresses
# this is a snapshot of where you were when you installed Incredible PBX
# It assures that you can log back in from there once we lock down IPtables
# NO RESTRICTIONS are placed on these 3 addresses or private LAN subnets!
# The IP addresses are your server, user, and public addresses respectively
-A INPUT -s (myserveripv4) -j ACCEPT
-A INPUT -s (myclientipv4) -j ACCEPT
-A INPUT -s (myserveripv4) -j ACCEPT
# your own additions go above here
COMMIT
# Generated by iptables-save v1.3.5 on Tue Apr  1 11:35:49 2014

Side Note: "(myfqdn)" is the fqdn from the machine this install was backed up from. That should cause no problem because the fqdn hostname is still valid but it's NOT the hostname of this vps server. Probably a bug however that needs fixing in the incrediblebackup and restore, it should be sed'ed and replaced with the currently detected fqdn hostname.
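jerrm's point above (an error anywhere in the rules file and nothing loads) and wardmundy's question about FQDNs in the whitelist can both be checked before rebooting. The linter below is an added example, not code from this thread or from Incredible PBX; it assumes the file is in the iptables-save format posted above and reuses the thread's own `(myfqdn)` placeholder in a constructed sample.

```python
"""Pre-flight lint for an iptables-save rules file such as /etc/sysconfig/iptables.

Added example, not code from the thread or from Incredible PBX. It flags the
conditions this thread turns on: a -s/-d value written as a hostname, which
iptables-restore must resolve through DNS (not yet available when the rules
load at boot), a table with no COMMIT, and a filter INPUT chain whose default
policy is ACCEPT. A rule iptables-restore cannot parse aborts its whole table
before COMMIT, so the kernel keeps the empty accept-everything state it booted
with, which matches the nearly empty `iptables -nL` reported in the thread.
"""
import ipaddress
import shlex

# Constructed sample modelled on the rules file posted in the thread; "(myfqdn)"
# is the thread's own placeholder for a hostname-based whitelist entry.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED -j ACCEPT
-A INPUT -s 64.2.142.215/32 -p udp -m multiport --dports 5060,5061,4569 -j ACCEPT
# // New entry for (myfqdn)-ssh.iptables
-A INPUT -s (myfqdn) -j ACCEPT
-A INPUT -p tcp -m tcp -s (myfqdn) --dport 9001 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
-A INPUT -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# Rule options whose argument is an address; a hostname here needs DNS at load time.
ADDRESS_OPTS = ("-s", "--source", "--src", "-d", "--destination", "--dst")


def is_literal_address(value):
    """True if value is an IP address or CIDR block, i.e. loadable without DNS."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False


def lint_rules(text):
    """Return [(line_no, problem), ...] for rules text in iptables-save format."""
    problems = []
    table = None        # name of the table currently being read
    committed = True    # has the current table reached its COMMIT line?
    seen = {}           # (table, rule text) -> first line number, for duplicates
    last = 0
    for last, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):                      # new table, e.g. *filter
            if table is not None and not committed:
                problems.append((last, "table %s has no COMMIT" % table))
            table, committed, seen = line[1:], False, {}
            continue
        if line == "COMMIT":
            committed = True
            continue
        if line.startswith(":"):                      # chain declaration with policy
            parts = line[1:].split()
            if len(parts) >= 2 and table == "filter" and parts[0] == "INPUT" and parts[1] == "ACCEPT":
                problems.append((last, "filter INPUT default policy is ACCEPT"))
            continue
        try:
            args = shlex.split(line)
        except ValueError:
            problems.append((last, "rule could not be tokenised"))
            continue
        for i, tok in enumerate(args):
            if tok in ADDRESS_OPTS and i + 1 < len(args):
                value = args[i + 1]
                if value == "!" and i + 2 < len(args):   # old-style "-s ! host" negation
                    value = args[i + 2]
                if not is_literal_address(value):
                    problems.append((last, "%s %s needs a DNS lookup at load time" % (tok, value)))
        key = (table, line)
        if key in seen:
            problems.append((last, "duplicate of line %d" % seen[key]))
        else:
            seen[key] = last
    if table is not None and not committed:              # file ended mid-table
        problems.append((last, "table %s has no COMMIT" % table))
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for line_no, problem in lint_rules(text):
        print("line %d: %s" % (line_no, problem))
```

Run it as `python lint_rules.py /etc/sysconfig/iptables`; any hostname it reports is a rule that only loads once DNS answers, so it belongs in a post-network script rather than the boot-time rules file.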
 

dicko

Still learning but earning
Joined
Oct 30, 2015
Messages
1,607
Reaction score
826
@chris_c_

There is NEVER (EVER !!!) a good reason to rely on DHCP to be authoritative of your PBX' ip address, ALWAYS (I MEAN ALWAYS) use a static IP, within your underlying network, ALWAYS use a hardwired DNS server, probably 127.0.0.1 if you have dnsmasq running and properly configured, add 8.8.8.8 as a backup, if you do it that way, then asterisk and your network will recover as soon as your up-line network also recovers.
 

chris_c_

Active Member
Joined
Aug 19, 2010
Messages
509
Reaction score
67
jerrm said:
Even if rc.local is not enabled, rules should load before rc.local would normally process (and before the interfaces are brought up), but if there is an error in the rules file they won't load at all.
I agree. IPTables is a service. It's meant to start up all by itself, and load the rules from /etc/sysconfig/iptables all by itself, with zero dependence on further scripting commands from rc.local.
 
