iptables+fireHOL not blocking IP's

Installing SecAst, prerequisites, basic configuration, and troubleshooting performance and technical issues. As well, upgrades to SecAst and any underlying software.
CraigA
Posts: 1
Joined: Wed Apr 19, 2017 7:22 am

iptables+fireHOL not blocking IP's

Post by CraigA » Wed Apr 19, 2017 7:56 am

Ubuntu 16.04 LTS x64
Asterisk 11.25.1 LTS
Secast-1.4.7-x86_64-ub16
FireHOL 2.0.3 Home Page: http://firehol.org

Problem 1:
"IP's manually banned aren't setting iptables entries"

from /var/log/secast

Wed Apr 19 00:00:07 2017, 00000204, I, Telnet Server, Client 7: Executing command [banip add 195.154.38.22]
Wed Apr 19 00:00:07 2017, 00000608, S, Security Event Queue, Banning manual IP '195.154.38.22' as managed
Wed Apr 19 00:00:07 2017, 00000707, E, System Command, Failed to find rules for iptables chain.  Run result 0; exitcode 1
Wed Apr 19 00:00:07 2017, 00000710, E, System Command, Failed to add rule to iptables chain.  Run result 0; exitcode 1



Problem 2:
"attacks aren't being detected"

On the Asterisk console:

[Apr 19 00:16:26] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"104"<sip:104@50.47.128.250>' failed for '163.172.121.136:1331' - Wrong password
[Apr 19 00:17:10] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"108"<sip:108@50.47.128.250>' failed for '163.172.121.136:1343' - Wrong password
[Apr 19 00:17:29] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"110"<sip:110@50.47.128.250>' failed for '163.172.121.136:1347' - Wrong password
[Apr 19 00:18:22] NOTICE[23258]: chan_sip.c:28390 handle_request_register: Registration from '"106"<sip:106@50.47.128.250>' failed for '163.172.121.136:1337' - Wrong password


in /var/log/asterisk/messages

[Apr 19 00:16:26] NOTICE[23258] chan_sip.c: Registration from '"104"<sip:104@50.47.128.250>' failed for '163.172.121.136:1331' - Wrong password
[Apr 19 00:16:26] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586186-906350",Severity="Error",Service="SIP",EventVersion="2",AccountID="104",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1331",Challenge="6635aaf4",ReceivedChallenge="6635aaf4",ReceivedHash="7e1c6cf66d26143aaf2fe34b13b2d7cf"
[Apr 19 00:17:10] SECURITY[23243] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1492586230-312224",Severity="Informational",Service="SIP",EventVersion="1",AccountID="108",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1343",Challenge="60b81fa1"
[Apr 19 00:17:10] NOTICE[23258] chan_sip.c: Registration from '"108"<sip:108@50.47.128.250>' failed for '163.172.121.136:1343' - Wrong password
[Apr 19 00:17:10] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586230-463449",Severity="Error",Service="SIP",EventVersion="2",AccountID="108",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1343",Challenge="60b81fa1",ReceivedChallenge="60b81fa1",ReceivedHash="4dc53d20eaa6dd25c508ba7b79a4570a"
[Apr 19 00:17:29] SECURITY[23243] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1492586249-415321",Severity="Informational",Service="SIP",EventVersion="1",AccountID="110",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1347",Challenge="01bb4376"
[Apr 19 00:17:29] NOTICE[23258] chan_sip.c: Registration from '"110"<sip:110@50.47.128.250>' failed for '163.172.121.136:1347' - Wrong password
[Apr 19 00:17:29] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586249-562681",Severity="Error",Service="SIP",EventVersion="2",AccountID="110",SessionID="0x7fde68043828",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1347",Challenge="01bb4376",ReceivedChallenge="01bb4376",ReceivedHash="54b8e6ac114d6bddaf083230e11a35fc"
[Apr 19 00:18:21] SECURITY[23243] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1492586301-854490",Severity="Informational",Service="SIP",EventVersion="1",AccountID="106",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1337",Challenge="7e9808a1"
[Apr 19 00:18:22] NOTICE[23258] chan_sip.c: Registration from '"106"<sip:106@50.47.128.250>' failed for '163.172.121.136:1337' - Wrong password
[Apr 19 00:18:22] SECURITY[23243] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1492586302-7541",Severity="Error",Service="SIP",EventVersion="2",AccountID="106",SessionID="0x7fde68010ce8",LocalAddress="IPV4/UDP/50.47.128.250/5060",RemoteAddress="IPV4/UDP/163.172.121.136/1337",Challenge="7e9808a1",ReceivedChallenge="7e9808a1",ReceivedHash="490071a90f52500759e89e1392e177f9"



Some relevant /etc/xdg/telium/secast.conf snippets

[banip]  ;==================================================================
; This stanza refers to how SecAst will block/allow IP addresses, as well
; as how it tracks blocked IP addresses.

; Flush any pre-existing  IP's found in fireall's SecAst list on program
; start.  Any pre-existing IP's found will not be automatically removed
; after timeout period (they can be manually controlled only)
; Valid values: Yes/True/1 / No/False/0
flushonstart=0

; Flush any pre-existing  IP's found in firewalls' SecAst list on program
; exit
; Valid values: Yes/True/1 / No/False/0
flushonexit=0

; Perform internal tracking as if an IP were banned by firewall, but do not
; actually add detected intrusion IP's to firewall.  Affecting messages will be
; prefixed with [TESTMODE] in the event log.  This may cause some additional
; warnings to appear in the log file but they can be safely ignored.
; Valid values: Yes/True/1 No/False/0
testmode=false

; Number of hours for which an IP will be banned.  Minimum is 1 hour,
; maximum is 168 hours (i.e. 1 week).  Warning: if you firewall is slowing
; down network traffic because the SecAst list is too large, reduce the
; duration.
; Valid range: 1 to 168 hours (i.e. 1 hour to 7 days)
duration=72

; Should IP addresses already found blocked in firewall's SecAst list be
; treated as managed (i.e. automatically delete after duration)
;   Valid values include Yes/True/1 / No/False/0
manageexisting=true

; Should IP addresses manually added be treated as managed
; (i.e. automatically delete after duration)
;   Valid values include Yes/True/1 / No/False/0
managemanual=true

; Should firewall actions use iptables.  If set to false, then SecAst will
; rely only on the external program listed below.  If the externalprogam is blank,
; then no ip firewalling will take place
;   Valid values include Yes/True/1 / No/False/0
useiptables=true

; Whether or not to save banip data to the SQL database.
;   Valid values include Yes/True/1 / No/False/0
;   If left blank will default to false
savetodb=   

; Number of days of banip data to retain.  Data beyond this number
; of days will be purged on a daily basis.  This value is measured in days.  If
; set to 0 then data will be retained indefinately (i.e. never purge).         
;   Valid range: 0, 1 to 1095 (i.e. indefinite, or 1 day to 3 years)
;   If left blank will default to 30
dbretentiondays=20


[network]  ;==================================================================

;Address to listen on for management interface
;  LocalHostIPv4        The IPv4 localhost address. Equivalent to
;                       QHostAddress("127.0.0.1").
;  LocalHostIPv6        The IPv6 localhost address. Equivalent to
;                       QHostAddress("::1").
;  AnyIPv4              The IPv4 any-address. Equivalent to
;                       QHostAddress("0.0.0.0"). A socket bound with this
;                       address will listen only on IPv4 interaces.
;  AnyIPv6              The IPv6 any-address. Equivalent to QHostAddress("::").
;                       A socket bound with this address will listen only on
;                       IPv6 interaces.
;  Any                  The dual stack any-address. A socket bound with this
;                       address will listen on both IPv4 and IPv6 interfaces.
;  1.2.3.4              The specific IPv4 address
;  1111:2222:3333:4444:5555:6666:7777:8888      The specific IPv6 address
managementaddress=anyipv4

;Port to listen on for management interface. 
;   Set to 0 to use a random port
managementport=3000

; Subnets considered trusted.  If more than one network is required then
; seperate them with pipes (|).  Networks must be in the form: X.X.X.X/B
; For example, 1.2.3.4/24 means subnet 1.2.3.4 with 24 bit mask, also known
; as 255.255.255.0 bitmask
trustednetworks=10.0.0.0/24 | 192.168.90.0/24

[credentials]  ;=================================================================
; This stanza refers to detection attempts to gain access to the Asterisk system
; resources using invalid credentials

; Maximum number of seconds between intrusion attempts (use of resources with
; invalid credentials), to be considered part of a single attack window.  (If
; intrusions are spaced beyond this interval, then they are considered to be in
; seperate attack windows).  Extend this number if you find attackers are
; spreading their attempts over hours or days.
;   Valid range: 1-604800 (i.e. 1 second to 1 week)
;   Default: 60
maxintrusioninterval=3500

; Maximum number of intrusion attempts within a single attack window before banning
; the source IP.  Set this number as low as possible without frustrating valid
; users.
;   Valid range: 1 to 100
;   Default: 3
maxintrusions=1



Secast Console:
All banned IPs entered manually with "banip add nnn.nnn.nnn.nnn"

SecAst>status
  SecAst state: protecting
  Asterisk connection state: logged in
  Threat level: low
  IP banning enforcement: enforced
  Database status: disconnected
  Run Time: 2 hours, 36 minutes, 11 seconds
  Intrusion attempts in window: 0
  Total instrusion attempts: 0
  IP's Banned: 4 addresses
  IP's Watched: 0 addresses
  Users Watched: 0 users
SecAst>banip list
  163.172.121.136                                   2 days, 23 hours, 11 minutes, 58 seconds
  212.83.134.244                                    2 days, 23 hours, 14 minutes, 8 seconds
  212.83.130.10                                     2 days, 23 hours, 20 minutes, 42 seconds
  195.154.38.22                                     2 days, 23 hours, 21 minutes, 6 seconds



iptables content, in case it's relevant to SecAst operation

Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:51413
DROP       all  -f  0.0.0.0/0            0.0.0.0/0           
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1024
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sipcli" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sip-scan" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "iWar" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sipvicious" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sipsak" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sundayddr" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "VaxSIPUserAgent" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "friendly-scanner" ALGO name bm TO 65535
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
in_mylan   all  --  0.0.0.0/0            0.0.0.0/0           
in_internet  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  10.0.0.0/8           0.0.0.0/0           
DROP       all  --  169.254.0.0/16       0.0.0.0/0           
DROP       all  --  172.16.0.0/12        0.0.0.0/0           
DROP       all  --  127.0.0.0/8          0.0.0.0/0           
DROP       all  --  192.168.0.0/24       0.0.0.0/0           
DROP       all  --  224.0.0.0/4          0.0.0.0/0           
DROP       all  --  0.0.0.0/0            224.0.0.0/4         
DROP       all  --  240.0.0.0/5          0.0.0.0/0           
DROP       all  --  0.0.0.0/0            240.0.0.0/5         
DROP       all  --  0.0.0.0/8            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/8           
DROP       all  --  0.0.0.0/0            239.255.255.0/24   
DROP       all  --  0.0.0.0/0            255.255.255.255     
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 17
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 13
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04 limit: avg 2/sec burst 2
DROP       all  --  0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
           all  --  0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
           all  --  0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
in_lan2internet  all  --  0.0.0.0/0            0.0.0.0/0           
out_lan2internet  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
out_mylan  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain in_internet (1 references)
target     prot opt source               destination         
pr_internet_fragments  all  -f  0.0.0.0/0            0.0.0.0/0           
pr_internet_nosyn  tcp  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW tcp flags:!0x17/0x02
pr_internet_icmpflood  icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8
pr_internet_synflood  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x17/0x02
pr_internet_malxmas  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x3F
pr_internet_malnull  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x00
pr_internet_malbad  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x03/0x03
pr_internet_malbad  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x06/0x06
pr_internet_malbad  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x37
pr_internet_malbad  tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x3F/0x29
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            ctstate INVALID
pr_internet_allflood  all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW
in_internet_ping_s1  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_dns_s2  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_sip_s3  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_rtp_s4  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_smtp_s5  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_imaps_s6  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_pop3s_s7  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_http_s8  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_https_s9  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_ssh_s10  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_ident_s11  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_all_c12  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_ftp_c13  all  --  0.0.0.0/0            0.0.0.0/0           
in_internet_irc_c14  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-internet:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain in_internet_all_c12 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED

Chain in_internet_dns_s2 (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:53 ctstate NEW,ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:53 ctstate NEW,ESTABLISHED

Chain in_internet_ftp_c13 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:21 dpts:32768:60999 ctstate ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED helper match "ftp"

Chain in_internet_http_s8 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:80 ctstate NEW,ESTABLISHED

Chain in_internet_https_s9 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:443 ctstate NEW,ESTABLISHED

Chain in_internet_ident_s11 (1 references)
target     prot opt source               destination         
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:113 ctstate NEW,ESTABLISHED reject-with tcp-reset

Chain in_internet_imaps_s6 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:993 ctstate NEW,ESTABLISHED

Chain in_internet_irc_c14 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:6667 dpts:32768:60999 ctstate ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED helper match "irc"

Chain in_internet_ping_s1 (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            ctstate NEW,ESTABLISHED icmptype 8

Chain in_internet_pop3s_s7 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:995 ctstate NEW,ESTABLISHED

Chain in_internet_rtp_s4 (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp dpts:10000:20000 ctstate NEW,ESTABLISHED

Chain in_internet_sip_s3 (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:5060 dpt:5060 ctstate NEW,ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:1024:65535 dpt:5060 ctstate NEW,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED helper match "sip"

Chain in_internet_smtp_s5 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:25 ctstate NEW,ESTABLISHED

Chain in_internet_ssh_s10 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:22 ctstate NEW,ESTABLISHED

Chain in_lan2internet (1 references)
target     prot opt source               destination         
in_lan2internet_all_s1  all  --  0.0.0.0/0            0.0.0.0/0           
in_lan2internet_ftp_s2  all  --  0.0.0.0/0            0.0.0.0/0           
in_lan2internet_irc_s3  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-lan2internet:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain in_lan2internet_all_s1 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW,ESTABLISHED

Chain in_lan2internet_ftp_s2 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:21 ctstate NEW,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED helper match "ftp"

Chain in_lan2internet_irc_s3 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:1024:65535 dpt:6667 ctstate NEW,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED helper match "irc"

Chain in_mylan (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain out_internet (1 references)
target     prot opt source               destination         
out_internet_ping_s1  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_dns_s2  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_sip_s3  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_rtp_s4  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_smtp_s5  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_imaps_s6  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_pop3s_s7  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_http_s8  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_https_s9  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_ssh_s10  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_ident_s11  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_all_c12  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_ftp_c13  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet_irc_c14  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-internet:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain out_internet_all_c12 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate NEW,ESTABLISHED

Chain out_internet_dns_s2 (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:53 ctstate ESTABLISHED
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:53 ctstate ESTABLISHED

Chain out_internet_ftp_c13 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:32768:60999 dpt:21 ctstate NEW,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED helper match "ftp"

Chain out_internet_http_s8 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:80 dpts:1024:65535 ctstate ESTABLISHED

Chain out_internet_https_s9 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:443 dpts:1024:65535 ctstate ESTABLISHED

Chain out_internet_ident_s11 (1 references)
target     prot opt source               destination         
REJECT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:113 dpts:1024:65535 ctstate ESTABLISHED reject-with tcp-reset

Chain out_internet_imaps_s6 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:993 dpts:1024:65535 ctstate ESTABLISHED

Chain out_internet_irc_c14 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spts:32768:60999 dpt:6667 ctstate NEW,ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED helper match "irc"

Chain out_internet_ping_s1 (1 references)
target     prot opt source               destination         
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED icmptype 0

Chain out_internet_pop3s_s7 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:995 dpts:1024:65535 ctstate ESTABLISHED

Chain out_internet_rtp_s4 (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spts:10000:20000 ctstate ESTABLISHED

Chain out_internet_sip_s3 (1 references)
target     prot opt source               destination         
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:5060 dpt:5060 ctstate ESTABLISHED
ACCEPT     udp  --  0.0.0.0/0            0.0.0.0/0            udp spt:5060 dpts:1024:65535 ctstate ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED helper match "sip"

Chain out_internet_smtp_s5 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:25 dpts:1024:65535 ctstate ESTABLISHED

Chain out_internet_ssh_s10 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:22 dpts:1024:65535 ctstate ESTABLISHED

Chain out_lan2internet (1 references)
target     prot opt source               destination         
out_lan2internet_all_s1  all  --  0.0.0.0/0            0.0.0.0/0           
out_lan2internet_ftp_s2  all  --  0.0.0.0/0            0.0.0.0/0           
out_lan2internet_irc_s3  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-lan2internet:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain out_lan2internet_all_s1 (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate ESTABLISHED

Chain out_lan2internet_ftp_s2 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:21 dpts:1024:65535 ctstate ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED helper match "ftp"

Chain out_lan2internet_irc_s3 (1 references)
target     prot opt source               destination         
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp spt:6667 dpts:1024:65535 ctstate ESTABLISHED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED,ESTABLISHED helper match "irc"

Chain out_mylan (1 references)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           

Chain pr_internet_allflood (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 60/sec burst 10
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "ALL_FLOOD:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain pr_internet_fragments (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PACKET_FRAGMENTS:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain pr_internet_icmpflood (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 50
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "ICMP_FLOOD:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain pr_internet_malbad (4 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED_BAD:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain pr_internet_malnull (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED_NULL:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain pr_internet_malxmas (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "MALFORMED_XMAS:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain pr_internet_nosyn (1 references)
target     prot opt source               destination         
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "NEW_TCP_w/o_SYN:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain pr_internet_synflood (1 references)
target     prot opt source               destination         
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 100/sec burst 50
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "SYN_FLOOD:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0 
Telium Support
Posts: 162
Joined: Sun Nov 27, 2016 3:27 pm

Re: iptables+fireHOL not blocking IP's

Postby Telium Support » Wed Apr 19, 2017 2:38 pm

Problem 1: iptables rules not being created

When SecAst starts it creates a SECAST chain linked into your iptables' INPUT chain like this:


Chain INPUT (policy ACCEPT)
target     prot opt source               destination         
SECAST     all  --  anywhere             anywhere 


And the SECAST chain is where dropping of attackers' IP's occurs. I see from your iptables list that the above rule is missing - and that's why you are not able to block attacker IP's. So the question is why is the SECAST chain rule being refused/lost. Are you updating/flushing your iptables rules (eg: regenerating using FireHOL) after SecAst starts? Is there an error in the SecAst log upon service start indicating any iptables related errors?

Problem 2: Attackers not detected

You did not include the [asterisk] stanza of your secast.conf, so ensure the securityevents key is blank (use the AMI), or points to a valid /var/log/asterisk/messages file. That's usually the cause.

I suggest you stop SecAst, delete the secast log file, and restart Secast, then manually ban 1 IP. Either post the secast log (or send to support@telium.ca if you are concerned about making content public) and we can look there for further clues.

If this is a commercial environment keep in mind that we recommend blocking attackers at the network edge (firewall) - letting SecAst add rules to your firewall.
CraigA
Posts: 1
Joined: Wed Apr 19, 2017 7:22 am

Re: iptables+fireHOL not blocking IP's

Postby CraigA » Wed Apr 19, 2017 5:42 pm

Telium Support wrote:
I suggest you stop SecAst, delete the secast log file, and restart Secast, then manually ban 1 IP. Either post the secast log (or send to support@telium.ca if you are concerned about making content public) and we can look there for further clues.

If this is a commercial environment keep in mind that we recommend blocking attackers at the network edge (firewall) - letting SecAst add rules to your firewall.


Your recommendation may have worked. Evidence follows...

/etc/xdg/telium/secast.conf


[asterisk]  ;=================================================================

; Location of logfile containing security related messages. In versions of
; Asterisk prior to 10 this would normally be the primary messages file
; (/var/log/asterisk/messages), while in later versions of Asterisk this would
; be the security file (/var/log/asterisk/security)
securitylog="/var/log/asterisk/messages"
;securitylog=/var/log/asterisk/security

; hostname or ip address of the Asterisk server.  Normally this should be set
; to "localhost" but can be any valid IP/hostname
hostname="localhost"

; Port number to connect to Asterisk Management Interface (AMI).  This should
; match the port settings of the manager.conf file on the Asterisk server.
; This is normally set to 5038
port=5038

; Username used for authentication to the AMI.  This should match the section
; heading in the manager.conf file on the Asterisk server.  Normally this
; should be set to "secast"
username="secast"

; Secret used for authentication to the AMI.  This should match the secret set
; in the section heading for the username above, in the manager.conf file on
; the Asterisk server.  This should not be left at the default of "secast"
secret="MySecret"


Asterisk Console


pluto*CLI>
[Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
[Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
  == Manager 'secast' logged off from 127.0.0.1
  == Manager 'secast' logged on from 127.0.0.1
pluto*CLI>


/var/log/secast


root@pluto:/var/log# /usr/local/secast/secast     
secast version 1.4.7 started under PID 2502
secast switched to daemon under PID 2503
root@pluto:/var/log# cat /var/log/secast
Wed Apr 19 09:44:13 2017, 00000100, I, General, SecAst version 1.4.1103 starting as daemon under process ID 2503
Wed Apr 19 09:44:13 2017, 00001011, W, License, License file not found.  Switching to Free Edition
Wed Apr 19 09:44:13 2017, 00000122, I, General, Settings contained 0 information; 0 warning; and 0 error messages.
Wed Apr 19 09:44:13 2017, 00000300, I, Controller, Telnet server listening on 0.0.0.0:3000
Wed Apr 19 09:44:13 2017, 00001600, I, Controller, Pipe server listening on /run/secast.sock
Wed Apr 19 09:44:13 2017, 00000702, E, System Command, Failed to determine if iptables chain exists.  Run result 0; exitcode 1
Wed Apr 19 09:44:13 2017, 00001302, I, Geo IP, Opened GeoIP database
Wed Apr 19 09:44:13 2017, 00002837, I, Controller, Restoring recovering state from file created by host 'Arno-PBX' at Wed Apr 19 09:41:05 2017
Wed Apr 19 09:44:13 2017, 00002831, I, Controller, Recovery state will be saved every 60 seconds
Wed Apr 19 09:44:13 2017, 00001258, I, Asterisk Controller, Starting
Wed Apr 19 09:44:18 2017, 00000801, E, Alert, Failed to send email: SecAst Starting
Wed Apr 19 09:44:18 2017, 00000107, I, General, SecAst state changing to not protecting
Wed Apr 19 09:44:23 2017, 00000801, E, Alert, Failed to send email: Entering Non-Protecting State
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '163.172.121.136' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.134.244' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.130.10' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '195.154.38.22' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '69.30.245.18' as managed
Wed Apr 19 09:44:23 2017, 00001201, I, Asterisk Controller, Connection established to AMI
Wed Apr 19 09:44:23 2017, 00000108, I, General, SecAst state changing to protecting
Wed Apr 19 09:44:28 2017, 00000801, E, Alert, Failed to send email: Entering Protecting State
Wed Apr 19 09:44:31 2017, 00000202, I, Telnet Server, Client 1: Connecting from 127.0.0.1:47346
Wed Apr 19 09:44:45 2017, 00000204, I, Telnet Server, Client 1: Executing command [status]
Wed Apr 19 09:45:18 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip add 1.2.3.4]
Wed Apr 19 09:45:18 2017, 00000608, S, Security Event Queue, Banning manual IP '1.2.3.4' as managed
Wed Apr 19 09:45:29 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip list]
root@pluto:/var/log#


SecAst Console


pluto% telnet localhost 3000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SecAst telnet interface on 'Arno-PBX'
SecAst>status
  SecAst state: protecting
  Asterisk connection state: logged in
  Threat level: low
  IP banning enforcement: enforced
  Database status: disconnected
  Run Time: 31 seconds
  Intrusion attempts in window: 0
  Total instrusion attempts: 0
  IP's Banned: 5 addresses
  IP's Watched: 0 addresses
  Users Watched: 0 users
SecAst>banip add 1.2.3.4
  Issued request to add IP 1.2.3.4.  Check event log for errors, or use 'banip list' to confirm add
SecAst>banip list
  163.172.121.136                                   2 days, 23 hours, 58 minutes, 43 seconds
  212.83.134.244                                    2 days, 23 hours, 58 minutes, 43 seconds
  212.83.130.10                                     2 days, 23 hours, 58 minutes, 43 seconds
  195.154.38.22                                     2 days, 23 hours, 58 minutes, 43 seconds
  69.30.245.18                                      2 days, 23 hours, 58 minutes, 43 seconds
  1.2.3.4                                           2 days, 23 hours, 59 minutes, 49 seconds
SecAst>


iptables entries


root@pluto:~# iptables -nL|less
Chain INPUT (policy DROP)
target     prot opt source               destination         
SECAST     all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  69.30.245.18         0.0.0.0/0           
DROP       all  --  163.172.121.136      0.0.0.0/0           
DROP       all  --  212.83.130.10        0.0.0.0/0           
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:51413
DROP       all  -f  0.0.0.0/0            0.0.0.0/0           
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1024
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sipcli" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sip-scan" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "iWar" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sipvicious" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sipsak" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "sundayddr" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "VaxSIPUserAgent" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match  "friendly-scanner" ALGO name bm TO 65535
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
in_mylan   all  --  0.0.0.0/0            0.0.0.0/0           
in_internet  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  10.0.0.0/8           0.0.0.0/0           
DROP       all  --  169.254.0.0/16       0.0.0.0/0           
DROP       all  --  172.16.0.0/12        0.0.0.0/0           
DROP       all  --  127.0.0.0/8          0.0.0.0/0           
DROP       all  --  192.168.0.0/24       0.0.0.0/0           
DROP       all  --  224.0.0.0/4          0.0.0.0/0           
DROP       all  --  0.0.0.0/0            224.0.0.0/4         
DROP       all  --  240.0.0.0/5          0.0.0.0/0           
DROP       all  --  0.0.0.0/0            240.0.0.0/5         
DROP       all  --  0.0.0.0/8            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/8           
DROP       all  --  0.0.0.0/0            239.255.255.0/24   
DROP       all  --  0.0.0.0/0            255.255.255.255     
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 17
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 13
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04 limit: avg 2/sec burst 2
DROP       all  --  0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
           all  --  0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain FORWARD (policy DROP)
target     prot opt source               destination         
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
           all  --  0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
in_lan2internet  all  --  0.0.0.0/0            0.0.0.0/0           
out_lan2internet  all  --  0.0.0.0/0            0.0.0.0/0           
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0           
out_mylan  all  --  0.0.0.0/0            0.0.0.0/0           
out_internet  all  --  0.0.0.0/0            0.0.0.0/0           
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0           

Chain SECAST (1 references)
target     prot opt source               destination         
DROP       all  --  1.2.3.4              0.0.0.0/0           
DROP       all  --  69.30.245.18         0.0.0.0/0           
DROP       all  --  195.154.38.22        0.0.0.0/0           
DROP       all  --  212.83.130.10        0.0.0.0/0           
DROP       all  --  212.83.134.244       0.0.0.0/0           
DROP       all  --  163.172.121.136      0.0.0.0/0           
RETURN     all  --  0.0.0.0/0            0.0.0.0/0           

  . . .



This is a home installation.

My intent is to let SecAst modify the firewall as necessary. I am concerned about interactions between SecAst and FireHOL. I have a lot more interaction with FireHOL than SecAst, so I'd really like a way to allow SecAst to "self heal" even if it is semi-automatic/manual. I could envision a command such as "SecAst> iptables init" with others such as "SecAst> iptables list" to show/verify what SecAst added to iptables. Or every N minutes (or with each new "detected" attack), have SecAst verify its installation in iptables and restore iptables as necessary from the BanIP list. Or even better, is there something I can add to the FireHOL config /etc/firehol/firehol.conf which will call SecAst to re-add/verify its installation in iptables?

I really like your phpBB installation, very effective!

Thank you for your help. I suspect SecAst is now running properly until I accidentally break it again with FireHOL. :oops:
Telium Support
Posts: 162
Joined: Sun Nov 27, 2016 3:27 pm

Re: iptables+fireHOL not blocking IP's

Postby Telium Support » Thu Apr 20, 2017 3:11 pm

Glad you are up and running. If you need SecAst to recreate its iptables rules just restart the SecAst service (it will restore all banned IP since it keeps those in a recovery file). We'll have to think about how/if SecAst should monitor the iptables. It's unusual for the iptables rules to be lost (so SecAst shouldn't have to check that) - but it's on our discussion list.

In regards to downloading, what error exactly are you experiencing? (Corrupt download, or download won't start, etc). Downloading by browser is often unreliable for large files, but FTP normally works perfectly. We just tried FTP (pull) and the file downloaded perfectly (no corruption, etc). We also tried downloading with Firefox version 53 (32 bit) and browser download worked fine 2 of 3 times (one time download was corrupt so it would not untar). Similarly downloading by Chrome worked 3 of 4 times. You can see why we offer FTP...browsers aren't great for this kind of thing. (Since this is a different topic feel free to email support@telium.ca if you have more details on file transfer issue)
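CraigA asks above for a way to verify and restore SecAst's iptables hook after FireHOL regenerates the rules, and Telium Support answers that restarting the SecAst service rebuilds the SECAST chain and re-adds the banned IPs from the recovery file. The script below is an added example written for this thread; it is not SecAst's or FireHOL's own code. It assumes a systemd unit named `secast` (the thread only shows the binary at /usr/local/secast/secast, so the unit name is an assumption) and that `iptables` and `systemctl` are on PATH. It parses `iptables -S` output (the rule-as-command form, which is easier to match reliably than `iptables -nL`), restarts the service only when the `-j SECAST` jump is missing from INPUT, and lists the addresses the SECAST chain drops so they can be compared with `banip list`. The sample rule listings are constructed to mirror the states shown earlier in the thread.

```shell
#!/bin/sh
# Added example (not SecAst's or FireHOL's own code). Verifies that the
# SECAST chain is still hooked into INPUT and, if the hook is gone, restarts
# SecAst so it re-creates the chain and restores the banned IPs from its
# recovery file. The systemd unit name "secast" is an assumption.

# secast_hook_present RULES
#   RULES is the text of `iptables -S INPUT` (one rule per line, -P/-A form).
#   Returns 0 when a jump to the SECAST chain is present, 1 otherwise.
secast_hook_present() {
    printf '%s\n' "$1" | grep -q -- '^-A INPUT .*-j SECAST$'
}

# secast_chain_bans RULES
#   RULES is the text of `iptables -S SECAST`. Prints the source addresses
#   the chain currently drops, one per line, for comparison with the
#   output of `banip list` on the SecAst console.
secast_chain_bans() {
    printf '%s\n' "$1" | sed -n 's|^-A SECAST -s \([0-9./]*\) -j DROP$|\1|p'
}

# heal_secast
#   Live check, to be run as root (for example from cron every few minutes,
#   or after a manual FireHOL reload). Restarts SecAst only when the INPUT
#   hook is missing, so a healthy system is left untouched.
heal_secast() {
    rules=$(iptables -S INPUT 2>/dev/null) || {
        echo "iptables -S INPUT failed (not root, or iptables missing?)" >&2
        return 2
    }
    if secast_hook_present "$rules"; then
        echo "SECAST hook present in INPUT"
        return 0
    fi
    echo "SECAST hook missing from INPUT; restarting secast to rebuild it" >&2
    systemctl restart secast
}

# Constructed sample of `iptables -S INPUT` with the hook missing, the state
# in the original post after FireHOL had regenerated the rules.
SAMPLE_INPUT_MISSING='-P INPUT DROP
-A INPUT -s 69.30.245.18/32 -j DROP
-A INPUT -p tcp -m tcp --dport 51413 -j ACCEPT'

# Constructed sample with the hook present, as after a SecAst restart.
SAMPLE_INPUT_OK='-P INPUT DROP
-A INPUT -j SECAST
-A INPUT -s 69.30.245.18/32 -j DROP'

# Constructed sample of `iptables -S SECAST`, two bans plus the RETURN.
SAMPLE_SECAST='-N SECAST
-A SECAST -s 1.2.3.4/32 -j DROP
-A SECAST -s 69.30.245.18/32 -j DROP
-A SECAST -j RETURN'

# Only perform the live check when invoked directly as secast-heal.sh by root;
# when sourced or run under another name the functions are merely defined.
if [ "${0##*/}" = "secast-heal.sh" ] && [ "$(id -u)" = 0 ]; then
    heal_secast
fi
```

Save it as secast-heal.sh and add a root cron entry such as `*/5 * * * * /usr/local/sbin/secast-heal.sh` (path is your choice). The restart path relies on exactly what Telium Support describes: SecAst rebuilds the chain and the per-IP DROP rules from its recovery file, so nothing in the script has to know the ban list itself.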
Telium Support
Posts: 162
Joined: Sun Nov 27, 2016 3:27 pm

Re: iptables+fireHOL not blocking IP's

Postby Telium Support » Wed Feb 28, 2018 2:48 am

Although this topic is a year old, it continues to get a lot of traffic. So, I would like to reiterate a key point mentioned above (in case you missed it):

You should not block IP's at the PBX. (Unless this is test/home system). Commercial environments should block attackers at the firewall. SecAst has the ability to add IP's to ACL's/lists on your router / firewall. You really should use this feature!