I went out of town and came back to complaints that phone quality was bad. Turns out fail2ban-server was using 100%+ of the CPU. Further investigation shows that I'm getting SSH login attempts from Pakistan, etc., and tests from remote hosts indicate my ports are open. (Fortunately, I have very strong passwords, and there's no indication they've gotten in so far.)
I am looking through iptables and cannot figure out why I'm open to the public. I'm continuing to scramble and work through the issue now but figured I'd post here for some quick help in case anyone else is a pro at this and can immediately spot what I'm missing:
Code:
root@ord:/var/log $ iptables -nvL
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 fail2ban-BadBots tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
2 144 fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 100 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7 678 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x10/0x10
261 35222 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
1 71 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state RELATED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:9999:65535
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 0
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 3
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 4
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 11
0 0 ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 icmp type 12
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:113
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:1723
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:4569
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpts:10000:20000
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:32976
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:4445
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:123
1 70 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:69
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9022
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp dpt:5353
0 0 ACCEPT udp -- * * 64.2.142.215 0.0.0.0/0 multiport dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569
0 0 ACCEPT udp -- * * 64.2.142.216 0.0.0.0/0 multiport dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569
0 0 ACCEPT udp -- * * 64.2.142.9 0.0.0.0/0 multiport dports 5060,5061,5062,5063,5064,5065,5066,5067,5068,5069,4569
[contents omitted due to 10000-character limit on PIAF forums, but it's mostly the stock secure-iptables stuff for VoIP providers and a few of the IPs that I've manually added via ./add-fqdn or ./add-ip]
0 0 ACCEPT udp -- * * 184.72.223.118 0.0.0.0/0 udp dpts:5060:5069
0 0 ACCEPT tcp -- * * 184.72.223.118 0.0.0.0/0 tcp dpts:5060:5069
0 0 ACCEPT udp -- * * 162.243.57.52 0.0.0.0/0 udp dpts:5060:5069
0 0 ACCEPT tcp -- * * 162.243.57.52 0.0.0.0/0 tcp dpts:5060:5069
0 0 ACCEPT all -- * * 107.77.209.52 0.0.0.0/0
0 0 ACCEPT all -- * * 107.77.217.65 0.0.0.0/0
0 0 ACCEPT all -- * * 70.195.86.221 0.0.0.0/0
0 0 ACCEPT all -- * * 206.174.28.123 0.0.0.0/0
0 0 ACCEPT all -- * * 47.214.21.226 0.0.0.0/0
0 0 ACCEPT udp -- * * 85.17.87.148 0.0.0.0/0 udp dpts:5060:5069
0 0 ACCEPT tcp -- * * 85.17.87.148 0.0.0.0/0 tcp dpts:5060:5069
0 0 ACCEPT all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 ACCEPT all -- * * 127.0.0.0/8 0.0.0.0/0
0 0 ACCEPT all -- * * 192.168.0.0/16 0.0.0.0/0
0 0 ACCEPT all -- * * 67.202.98.137 0.0.0.0/0
0 0 ACCEPT all -- * * 47.214.21.226 0.0.0.0/0
0 0 ACCEPT all -- * * 67.202.98.137 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1194
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
0 0 ACCEPT all -- tun+ eth0 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
0 0 ACCEPT all -- eth0 tun+ 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy ACCEPT 88 packets, 5406 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-BadBots (1 references)
pkts bytes target prot opt in out source destination
0 0 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
2 144 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
Any help is appreciated. The tun+ interface is because I'm running OpenVPN.
The IP trying to log in is 116.31.116.15.
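A small audit script for this kind of ruleset, added here as an example and not part of the original post or of the PIAF tooling. It parses the flattened `iptables -nvL` layout shown above and reports the rules a reviewer would look at first: the stateless `tcp flags:0x10/0x10` accept (it admits any ACK-bearing TCP packet from anywhere without a conntrack check), the `udp spt:53` accept (keyed on a sender-chosen source port), blanket `ACCEPT all` entries for single hosts and private ranges on every interface, a FORWARD policy of ACCEPT, and a fail2ban chain that holds only RETURN (so nothing is actually banned). The embedded dump is a constructed subset of the post's ruleset; the tag names and heuristics are the script's own assumptions, and a finding is a prompt to check the rule, not proof that it is the cause of the open ports.

```python
"""Audit a saved `iptables -nvL` dump for overly broad INPUT rules."""
import re

# Constructed subset of the ruleset shown in the post (not the full dump).
SAMPLE_DUMP = """\
Chain INPUT (policy DROP 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 fail2ban-BadBots tcp -- * * 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
2 144 fail2ban-SSH tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:22
2 100 ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0
7 678 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp flags:0x10/0x10
261 35222 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 state ESTABLISHED
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 udp spt:53 dpts:9999:65535
0 0 ACCEPT tcp -- * * 0.0.0.0/0 0.0.0.0/0 tcp dpt:9022
0 0 ACCEPT all -- * * 47.214.21.226 0.0.0.0/0
0 0 ACCEPT all -- * * 10.0.0.0/8 0.0.0.0/0
0 0 ACCEPT tcp -- eth0 * 0.0.0.0/0 0.0.0.0/0 state NEW tcp dpt:1194
0 0 ACCEPT all -- tun+ * 0.0.0.0/0 0.0.0.0/0
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain fail2ban-SSH (1 references)
pkts bytes target prot opt in out source destination
2 144 RETURN all -- * * 0.0.0.0/0 0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \((?:policy (\S+))?")
PRIVATE = {"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"}
ANY = "0.0.0.0/0"


def parse_dump(text):
    """Return {chain: {"policy": str|None, "rules": [dict, ...]}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line.strip())
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "rules": []}
            continue
        f = line.split()
        # Skip blank lines, the column header, and anything before a chain.
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue
        chains[current]["rules"].append({
            "target": f[2], "prot": f[3], "in": f[5], "out": f[6],
            "src": f[7], "dst": f[8], "match": " ".join(f[9:]),
        })
    return chains


def audit(chains):
    """Return (tag, message) findings a reviewer would raise; tags are this script's own."""
    out = []
    inp = chains.get("INPUT", {"policy": None, "rules": []})
    if inp["policy"] != "DROP":
        out.append(("input-policy", f"INPUT policy is {inp['policy']}, not DROP"))
    for r in inp["rules"]:
        if r["target"] != "ACCEPT":
            continue
        world = r["src"] == ANY
        bare = r["prot"] == "all" and not r["match"]        # no protocol/port/state match at all
        stateless = "state" not in r["match"] and "ctstate" not in r["match"]
        if world and bare and r["in"] == "*":
            out.append(("open-world", "ACCEPT everything from anywhere: the DROP policy never applies"))
        elif world and "flags:" in r["match"] and stateless and "dpt" not in r["match"]:
            out.append(("stateless-flags", f"'{r['match']}' admits any TCP packet carrying those flags "
                        "from anywhere without a conntrack check; ACK probes pass"))
        elif world and stateless and re.search(r"\bspt:", r["match"]):
            out.append(("source-port-trust", f"'{r['match']}' trusts a sender-chosen source port; "
                        "unsolicited UDP to the listed ports is accepted"))
        elif bare and r["in"] == "*" and r["src"] in PRIVATE:
            out.append(("spoofable-private", f"ACCEPT all from {r['src']} on every interface: "
                        "a private source arriving on the public interface is a spoofable match"))
        elif bare and r["in"] == "*" and not world:
            out.append(("host-trust", f"ACCEPT all ports from {r['src']}: whole-host trust, not per-service"))
    fwd = chains.get("FORWARD")
    if fwd and fwd["policy"] == "ACCEPT":
        out.append(("forward-policy", "FORWARD policy ACCEPT: forwards anything if ip_forward is on"))
    for name, chain in chains.items():
        if name.startswith("fail2ban-") and not any(r["target"] in ("DROP", "REJECT") for r in chain["rules"]):
            out.append(("no-bans", f"{name} holds only RETURN: no address is banned right now"))
    return out


if __name__ == "__main__":
    for tag, msg in audit(parse_dump(SAMPLE_DUMP)):
        print(f"[{tag}] {msg}")
```

To run it against a live box, replace `SAMPLE_DUMP` with the text of `iptables -nvL` saved to a file. Interface-bound accepts (`lo`, `tun+`) and rules carrying a `state`/`ctstate` match are deliberately left alone, since those are the shape a stateful ruleset is supposed to have.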