Hello, since I'm new here, thanks for a great product.
I'm not sure where the problem lies, so I have posted this in the various forums. I recently changed my SIP trunk provider, from a very secure, locked-down one to a less secure one. I say this because the old one locked out other countries while the new one allows registration from other countries.
It may be an Asterisk setting, an iptables issue or even a fail2ban setting, so please bear with me. My questions are these (see the logs below):
- It appears someone is attempting to access my system, is this true?
- If so, I am behind a public dynamic IP. Rebooting my router has no effect, so how does he find me every time?
- How does he get past the iptables? Did I set them wrong?
- Is there an Asterisk setting I could use to stop this?
- Is there a FreePBX setting to stop this?
- Could this be a virus / malware on the exchange doing this?
- I thought my iptables "DROP all" first would fix this; is fail2ban allowing him through (see the last block)?
Products in use:
Asterisk 11.18.0
FreePBX 12.0.76 - fail2ban installed, iptables installed
Raspbx on a raspberrypi
iptables settings (iptables-save output):
[code]# Generated by iptables-save v1.4.21 on Sun Sep 13 05:50:38 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -s 0.0.0.0/32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
[0:0] -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state$
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PS$
[0:0] -A INPUT -s 105.233.8.144/32 -j DROP
[0:0] -A INPUT -s 91.236.75.157/32 -j DROP
[0:0] -A INPUT -s 192.168.1.0/24 -j ACCEPT
[0:0] -A INPUT -m state --state INVALID -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 3306 -j DROP
[0:0] -A INPUT -s 41.183.0.0/24 -j ACCEPT
[0:0] -A INPUT -s 199.102.239.170/32 -j ACCEPT
[0:0] -A INPUT -m state --state INVALID -j DROP
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 127.0.0.1/32 -j ACCEPT
[0:0] -A INPUT -s 192.168.1.0/24 -j ACCEPT
[/code]
Asterisk log I'm concerned about:
[code]
[2015-09-13 16:35:52] NOTICE[1460] chan_sip.c: Registration from '"710" <sip:710@105.233.8.144:5060>' failed for '91.236.75.157:5085' - Wrong password
[2015-09-13 16:36:02] NOTICE[1460] chan_sip.c: Registration from '"8300" <sip:8300@105.233.8.144:5060>' failed for '91.236.75.157:5076' - Wrong password
[2015-09-13 16:36:37] NOTICE[1460] chan_sip.c: Registration from '"4300" <sip:4300@105.233.8.144:5060>' failed for '91.236.75.157:5081' - Wrong password
chan_sip.c:4086 retrans_pkt: Timeout on 3b4ed86543a1d9c8519a9f8c82259629 on non-critical invite transaction.
[/code]
iptables -L output:
[code]Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-asterisk tcp -- anywhere anywhere tcp dpt:sip
fail2ban-asterisk udp -- anywhere anywhere udp dpt:sip
fail2ban-asterisk tcp -- anywhere anywhere tcp dpt:sip-tls
fail2ban-ssh tcp -- anywhere anywhere multiport dports ssh
DROP all -- default anywhere
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP tcp -- anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP tcp -- anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP all -- 105.233.8.144 anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
DROP all -- anywhere anywhere state INVALID
DROP tcp -- anywhere anywhere tcp dpt:mysql
ACCEPT all -- 41.183.0.0/24 anywhere
ACCEPT all -- 199.102.239.170 anywhere
DROP all -- anywhere anywhere state INVALID
ACCEPT all -- anywhere anywhere
ACCEPT all -- localhost anywhere
ACCEPT all -- 192.168.1.0/24 anywhere
ACCEPT all -- 41.183.0.0/24 anywhere
ACCEPT all -- 199.102.239.170 anywhere
Chain FORWARD (policy ACCEPT)
target prot opt source destination
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
Chain fail2ban-asterisk (3 references)
target prot opt source destination
DROP all -- 91.236.75.157 anywhere
RETURN all -- anywhere anywhere
Chain fail2ban-ssh (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere
[/code]
Any help on this would be great. Thanks.
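Added example (not part of the original post or of FreePBX/fail2ban): a small parser for the chan_sip "Registration from ... failed" lines quoted above, grouping failures by source IP and reporting whether a source would trip a fail2ban-style maxretry/findtime rule. The sample log is constructed from the three lines in the post, and the maxretry/findtime thresholds are illustrative assumptions, not FreePBX defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the failure lines quoted in the post plus one unrelated
# line, to show that only registration failures are counted.
SAMPLE_LOG = """\
[2015-09-13 16:35:52] NOTICE[1460] chan_sip.c: Registration from '"710" <sip:710@105.233.8.144:5060>' failed for '91.236.75.157:5085' - Wrong password
[2015-09-13 16:36:02] NOTICE[1460] chan_sip.c: Registration from '"8300" <sip:8300@105.233.8.144:5060>' failed for '91.236.75.157:5076' - Wrong password
[2015-09-13 16:36:37] NOTICE[1460] chan_sip.c: Registration from '"4300" <sip:4300@105.233.8.144:5060>' failed for '91.236.75.157:5081' - Wrong password
chan_sip.c:4086 retrans_pkt: Timeout on 3b4ed86543a1d9c8519a9f8c82259629 on non-critical invite transaction.
"""

# Timestamp, the From header as logged, the peer's source IP:port, the reason.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'(?P<from>[^']*)' failed for '(?P<src>[^:']+):(?P<port>\d+)' - (?P<reason>.*)$"
)
EXT_RE = re.compile(r"sip:(?P<ext>[^@]+)@")  # extension the peer claimed


def parse_failed_registration(line):
    """Return the fields of a chan_sip failed-registration line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ext = EXT_RE.search(m.group("from"))
    return {
        "time": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "extension": ext.group("ext") if ext else None,
        "source": m.group("src"),
        "reason": m.group("reason"),
    }


def summarize_failures(log_text, maxretry=3, findtime=600):
    """Group failures by source IP; flag a source when at least `maxretry`
    failures fall inside any `findtime`-second window (assumed thresholds)."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_failed_registration(line)
        if rec:
            by_src[rec["source"]].append(rec)
    report = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["time"])
        tripped = any(  # sliding window over consecutive attempts
            (recs[i + maxretry - 1]["time"] - recs[i]["time"]).total_seconds() <= findtime
            for i in range(len(recs) - maxretry + 1)
        )
        report[src] = {
            "attempts": len(recs),
            "extensions": sorted({r["extension"] for r in recs}),
            "window_seconds": (recs[-1]["time"] - recs[0]["time"]).total_seconds(),
            "would_ban": tripped,
        }
    return report
```

Run it over the full `/var/log/asterisk/full` to see which sources are cycling through extension numbers, which is what the fail2ban-asterisk chain above is reacting to.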