Firewall Blacklist/Whitelist

Hi

I would be happy to run a timed shell script on my public PBX's to report hacks.

Joe
 
The problem is that almost a third of the hack attempts on our servers have been from within the U.S. These presumably are bots running on compromised Windows machines... of which there seem to be millions. :crazy:
 
Wouldn't it make sense to just allow only the IP address/networks of the phones and trunks that are registered with PiaF? Reject everything else.
 
If you don't want SIP URI support, absolutely!

I remember discussing a while back about security for SIP URLs and wasn't the train of thought along the line that if the SIP user/extension was not an Asterisk extension then it would be banned or dropped?
 
The problem is that almost a third of the hack attempts on our servers have been from within the U.S. These presumably are bots running on compromised Windows machines... of which there seem to be millions.

So restricting access to the USA would reduce attacks by two thirds, and presumably by a greater proportion in other countries. Seems like a good result to me, and if the instructions posted earlier work, a quick win.

Joe
 
I was thinking of a whitelist as opposed to a blacklist.

Why not both?

A (small, manually created) whitelist for your providers and any known remote extensions plus a larger (centralized?) blacklist to lock out the hackers.

Any IPs that show up in the whitelist would override those in the blacklist, at least partially eliminating the DOS possibility.
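The ordering this post describes (whitelist entries override blacklist entries) maps directly onto how a firewall chain is evaluated: top to bottom, first match wins. The bash script below is an added example, not code from the thread or from PBX in a Flash. It evaluates an address against a whitelist and then a blacklist in that order and prints the equivalent iptables chain, so a provider or remote extension inside a coarse blacklisted netblock still gets through. The CIDR lists and addresses (RFC 5737 documentation ranges) are constructed for the example, the chain name SIP_GUARD is arbitrary, and DEFAULT_POLICY is an assumed knob for the "reject everything else" variant.

```bash
#!/bin/bash
# Added example (not from the thread): whitelist-then-blacklist evaluation for
# SIP sources. A firewall chain is evaluated top to bottom and the first match
# wins, so putting the whitelist ACCEPTs before the blacklist DROPs means a
# provider or remote extension stays reachable even if a coarse blacklist
# netblock happens to cover it. Addresses below are RFC 5737 documentation
# ranges, constructed for the example; the chain name SIP_GUARD is arbitrary.

# Policy applied to addresses matched by neither list. Use DROP for a
# phones-and-trunks-only box, ACCEPT if you want to keep SIP URI access.
DEFAULT_POLICY=ACCEPT

# Convert dotted-quad IPv4 to an integer (no leading zeros in octets).
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Succeed if address $1 lies inside CIDR block $2 (a.b.c.d/n).
in_cidr() {
    local net="${2%/*}" bits="${2#*/}" mask
    mask=$(( bits == 0 ? 0 : (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF ))
    [ $(( $(ip_to_int "$1") & mask )) -eq $(( $(ip_to_int "$net") & mask )) ]
}

# Print the first CIDR in file $2 that contains address $1; fail if none.
# Blank lines and lines starting with # are skipped.
match_list() {
    local cidr
    while read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        if in_cidr "$1" "$cidr"; then echo "$cidr"; return 0; fi
    done < "$2"
    return 1
}

# Verdict for address $1 given whitelist file $2 and blacklist file $3,
# in the same order the generated chain applies them.
verdict() {
    if match_list "$1" "$2" > /dev/null; then echo ACCEPT
    elif match_list "$1" "$3" > /dev/null; then echo DROP
    else echo "$DEFAULT_POLICY"
    fi
}

# Print the iptables commands for the equivalent chain on the SIP port
# (whitelist file $1, blacklist file $2). Add a TCP rule too if you use SIP/TCP.
emit_rules() {
    local cidr
    echo "iptables -N SIP_GUARD"
    while read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        echo "iptables -A SIP_GUARD -s $cidr -j ACCEPT"
    done < "$1"
    while read -r cidr; do
        case "$cidr" in ''|'#'*) continue ;; esac
        echo "iptables -A SIP_GUARD -s $cidr -j DROP"
    done < "$2"
    echo "iptables -A SIP_GUARD -j $DEFAULT_POLICY"
    echo "iptables -I INPUT -p udp --dport 5060 -j SIP_GUARD"
}

# Stand-alone demo with constructed lists: a remote phone and a provider on
# the whitelist, and a blacklist /18 that happens to swallow the phone's address.
wl=$(mktemp); bl=$(mktemp)
printf '# remote extension\n192.0.2.10/32\n# SIP provider\n198.51.100.0/24\n' > "$wl"
printf '192.0.0.0/18\n' > "$bl"
for ip in 192.0.2.10 192.0.2.11 198.51.100.77 203.0.113.5; do
    printf '%-15s %s\n' "$ip" "$(verdict "$ip" "$wl" "$bl")"
done
emit_rules "$wl" "$bl"
rm -f "$wl" "$bl"
```

Because the whitelist rules are appended first, 192.0.2.10 is accepted even though 192.0.0.0/18 is on the blacklist, while its neighbour 192.0.2.11 is dropped; that is the "whitelist overrides blacklist" behaviour that limits the damage a bad blacklist entry can do.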
 
I am having trouble getting the script to run. I saved the script with email changes to a file called attack.sh. I run bash hack.sh and get the following:
hack.sh: line 2: /failed / { print 1010; exit }: No such file or directory
hack.sh: line: [: =: unary operator expected

Any suggestions?

Thanks,

Jeff
 
jrglass, try quoting $failed like so. That happens if there aren't any failed attempts, I believe, making the value empty.

#!/bin/bash
# awk prints 1010 on the first "failed " line in the log and stops
found=`awk '/failed / { print 1010; exit }' /var/log/asterisk/full`
# quote $found so the test still works when there are no failures (empty value)
if [ "$found" = "1010" ]; then
  grep "failed " /var/log/asterisk/full | mail -s "PBX Failures logged" [email protected]
fi
 
Thanks, That got rid of the errors except for

hack.sh: line 2: /failed / { print 1010; exit }: No such file or directory

r
Jeff
 
One of the issues I've been trying to wrap my head around is why?

The only reason I can see to poke holes in the firewall for sip traffic is from remote extensions. Limiting access has already been addressed.

For SIP urls and enum access I use a third party. In my case I moved to sip2sip. You can do aliases for your account number. Enum lookup for my main number returns the sip/[email protected] url. There is no direct access from outside.

So why :banghead: ? Is there something I'm not getting?
 
JR,

Try this code, but I don't understand what you are looking for, as /failed / will appear in the log for many reasons, such as

"TRUNK Dial failed due to CHANUNAVAIL (hangupcause: 0)"

Code:
#!/bin/bash
cd /var/log/asterisk
 
found = `cat full | awk '/failed / {print "1010"; exit}'`
 
if [ "$found" = "1010" ]; then
grep "failed " full | mail -s "PBX Failures logged" [email protected]
fi

Phonebuff
 
The only reason I can see to poke holes in the firewall for sip traffic is from remote extensions. Limiting access has already been addressed.

...

So why ? Is there something I'm not getting?

Hi,

As the phrase goes, "there is more than one way to skin a cat", and this is another innovative way to do it.

Not everyone has the luxury of doing what you are doing, or indeed finds it desirable.

My preference is to have the server intrinsically secure rather than simply rely on external firewalls, and I applaud the efforts made here.

I do have concerns about the execution at the moment that I am sure will be addressed - e.g. one of the netblocks took out 16382 IP addresses, which included my IP. The IP belonging to this forum got caught as well in another large netblock, so get the source data less broad-brush and more granular, and we have the beginnings of a very good solution.

Joe
 
JR,

Try this code, but I don't understand what you are looking for, as /failed / will appear in the log for many reasons, such as

"TRUNK Dial failed due to CHANUNAVAIL (hangupcause: 0)"

Code:
#!/bin/bash
cd /var/log/asterisk
 
found = `cat full | awk '/failed / {print "1010"; exit}'`
 
if [ "$found" = "1010" ]; then
grep "failed " full | mail -s "PBX Failures logged" [email protected]
fi
Phonebuff

It admittedly picks up some other (non-threatening) failures, but those are easy to pick out, and this runs almost instantly.
 
Fix Typo

The example code above will fail because of the space after found. Try this one:

#!/bin/bash
cd /var/log/asterisk

found=`cat full | awk '/failed / {print "1010"; exit}'`

if [ "$found" = "1010" ]; then
grep "failed " full | mail -s HackAttempts [email protected]
fi
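Phonebuff's point above (a plain grep for "failed " also matches trunk dial failures) suggests keying the scan on the chan_sip registration-failure message instead and counting attempts per source address, which is what you would feed into a blacklist. The script below is an added example, not code posted in the thread. The log lines embedded in it are constructed to match the Asterisk 1.6/1.8 chan_sip format (Registration from '...' failed for '<ip>' - <reason>), and the threshold of 3 is an arbitrary choice.

```bash
#!/bin/bash
# Added example (not from the thread): scan an Asterisk full log for failed SIP
# registrations, count them per source IP, and report addresses that reach a
# threshold. Unlike a plain grep for "failed ", this ignores unrelated lines such
# as "TRUNK Dial failed due to CHANUNAVAIL".

# Write constructed sample log lines (Asterisk 1.6/1.8 chan_sip format) to $1.
sample_log() {
    cat > "$1" <<'EOF'
[2011-01-15 10:12:33] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '192.0.2.10' - Wrong password
[2011-01-15 10:12:34] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '192.0.2.10' - No matching peer found
[2011-01-15 10:12:35] NOTICE[1234] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.10>' failed for '192.0.2.10' - No matching peer found
[2011-01-15 10:13:01] VERBOSE[1234] pbx.c:     -- TRUNK Dial failed due to CHANUNAVAIL (hangupcause: 0)
[2011-01-15 10:14:02] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '198.51.100.7:5060' - Wrong password
EOF
}

# Print "<ip> <reason>" for every failed registration in log file $1.
# Asterisk 1.8 appends ":port" to the address; it is stripped here.
failed_registrations() {
    grep 'Registration from .* failed for' "$1" \
        | sed -E "s/.* failed for '([0-9.]+)(:[0-9]+)?' - (.*)$/\1 \3/"
}

# Print "<count> <ip>" for every source with at least $2 failures (default 3),
# most active first.
attackers() {
    local threshold="${2:-3}"
    failed_registrations "$1" \
        | awk -v t="$threshold" '{ n[$1]++ } END { for (ip in n) if (n[ip] >= t) print n[ip], ip }' \
        | sort -rn
}

# Stand-alone demo: build the sample log, print the report, clean up.
# In production point this at /var/log/asterisk/full and pipe the output to
# mail, e.g.  attackers /var/log/asterisk/full 5 | mail -s "SIP brute force" admin
log=$(mktemp)
sample_log "$log"
echo "Failed registrations:"
failed_registrations "$log"
echo "Sources with >= 3 failures:"
attackers "$log" 3
rm -f "$log"
```

On the constructed log the dial-failure line is ignored, 192.0.2.10 is reported with 3 attempts across three different extension names (the usual enumeration pattern), and the single wrong-password from 198.51.100.7 stays below the threshold, which is what you want if that address is a legitimate remote phone with a typo in its secret.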
 
A number of new updates were posted today.

Running /root/firewall-check.php will bring you current.
 
One of my concerns is if this blacklist gets abused and someone intentionally blacklists sites that shouldn't be blacklisted. This could result in a denial of service non-attack...
 
