in reply to: iptables+fireHOL not blocking IP's #6703

Quote:
    I suggest you stop SecAst, delete the secast log file, and restart SecAst, then manually ban 1 IP. Either post the secast log (or send to support@telium.io if you are concerned about making content public) and we can look there for further clues. If this is a commercial environment keep in mind that we recommend blocking attackers at the network edge (firewall), letting SecAst add rules to your firewall.

Your recommendation may have worked. Evidence follows...

/etc/xdg/telium/secast.conf
 
 
[asterisk]
;=================================================================
; Location of logfile containing security related messages. In versions of
; Asterisk prior to 10 this would normally be the primary messages file
; (/var/log/asterisk/messages), while in later versions of Asterisk this would
; be the security file (/var/log/asterisk/security)
securitylog="/var/log/asterisk/messages"
;securitylog=/var/log/asterisk/security

; hostname or ip address of the Asterisk server. Normally this should be set
; to "localhost" but can be any valid IP/hostname
hostname="localhost"

; Port number to connect to Asterisk Management Interface (AMI). This should
; match the port settings of the manager.conf file on the Asterisk server.
; This is normally set to 5038
port=5038

; Username used for authentication to the AMI. This should match the section
; heading in the manager.conf file on the Asterisk server. Normally this
; should be set to "secast"
username="secast"

; Secret used for authentication to the AMI. This should match the secret set
; in the section heading for the username above, in the manager.conf file on
; the Asterisk server. This should not be left at the default of "secast"
secret="MySecret"

Asterisk Console
 
 pluto*CLI>
 [Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
 [Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
== Manager 'secast' logged off from 127.0.0.1
== Manager 'secast' logged on from 127.0.0.1
pluto*CLI>

/var/log/secast
 
 root@pluto:/var/log# /usr/local/secast/secast
 secast version 1.4.7 started under PID 2502
 secast switched to daemon under PID 2503
 root@pluto:/var/log# cat /var/log/secast
 Wed Apr 19 09:44:13 2017, 00000100, I, General, SecAst version 1.4.1103 starting as daemon under process ID 2503
 Wed Apr 19 09:44:13 2017, 00001011, W, License, License file not found. Switching to Free Edition
 Wed Apr 19 09:44:13 2017, 00000122, I, General, Settings contained 0 information; 0 warning; and 0 error messages.
 Wed Apr 19 09:44:13 2017, 00000300, I, Controller, Telnet server listening on 0.0.0.0:3000
 Wed Apr 19 09:44:13 2017, 00001600, I, Controller, Pipe server listening on /run/secast.sock
 Wed Apr 19 09:44:13 2017, 00000702, E, System Command, Failed to determine if iptables chain exists. Run result 0; exitcode 1
 Wed Apr 19 09:44:13 2017, 00001302, I, Geo IP, Opened GeoIP database
Wed Apr 19 09:44:13 2017, 00002837, I, Controller, Restoring recovering state from file created by host 'Arno-PBX' at Wed Apr 19 09:41:05 2017
 Wed Apr 19 09:44:13 2017, 00002831, I, Controller, Recovery state will be saved every 60 seconds
 Wed Apr 19 09:44:13 2017, 00001258, I, Asterisk Controller, Starting
 Wed Apr 19 09:44:18 2017, 00000801, E, Alert, Failed to send email: SecAst Starting
 Wed Apr 19 09:44:18 2017, 00000107, I, General, SecAst state changing to not protecting
 Wed Apr 19 09:44:23 2017, 00000801, E, Alert, Failed to send email: Entering Non-Protecting State
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '163.172.121.136' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.134.244' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.130.10' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '195.154.38.22' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '69.30.245.18' as managed
 Wed Apr 19 09:44:23 2017, 00001201, I, Asterisk Controller, Connection established to AMI
 Wed Apr 19 09:44:23 2017, 00000108, I, General, SecAst state changing to protecting
 Wed Apr 19 09:44:28 2017, 00000801, E, Alert, Failed to send email: Entering Protecting State
 Wed Apr 19 09:44:31 2017, 00000202, I, Telnet Server, Client 1: Connecting from 127.0.0.1:47346
 Wed Apr 19 09:44:45 2017, 00000204, I, Telnet Server, Client 1: Executing command [status]
 Wed Apr 19 09:45:18 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip add 1.2.3.4]
Wed Apr 19 09:45:18 2017, 00000608, S, Security Event Queue, Banning manual IP '1.2.3.4' as managed
Wed Apr 19 09:45:29 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip list]
root@pluto:/var/log#

SecAst Console
 
 pluto% telnet localhost 3000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SecAst telnet interface on 'Arno-PBX'
 SecAst>status
 SecAst state: protecting
 Asterisk connection state: logged in
 Threat level: low
 IP banning enforcement: enforced
 Database status: disconnected
 Run Time: 31 seconds
 Intrusion attempts in window: 0
 Total instrusion attempts: 0
 IP’s Banned: 5 addresses
 IP’s Watched: 0 addresses
 Users Watched: 0 users
 SecAst>banip add 1.2.3.4
Issued request to add IP 1.2.3.4. Check event log for errors, or use 'banip list' to confirm add
 SecAst>banip list
 163.172.121.136 2 days, 23 hours, 58 minutes, 43 seconds
 212.83.134.244 2 days, 23 hours, 58 minutes, 43 seconds
 212.83.130.10 2 days, 23 hours, 58 minutes, 43 seconds
 195.154.38.22 2 days, 23 hours, 58 minutes, 43 seconds
 69.30.245.18 2 days, 23 hours, 58 minutes, 43 seconds
 1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds
SecAst>

iptables entries

root@pluto:~# iptables -nL|less
Chain INPUT (policy DROP)
target     prot opt source               destination
SECAST     all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  69.30.245.18         0.0.0.0/0
DROP       all  --  163.172.121.136      0.0.0.0/0
DROP       all  --  212.83.130.10        0.0.0.0/0
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:51413
DROP       all  -f  0.0.0.0/0            0.0.0.0/0
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:1024
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match "sipcli" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match "sip-scan" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match "iWar" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match "sipvicious" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match "sipsak" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match "sundayddr" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match "VaxSIPUserAgent" ALGO name bm TO 65535
DROP       udp  --  0.0.0.0/0            0.0.0.0/0            udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
in_mylan   all  --  0.0.0.0/0            0.0.0.0/0
in_internet  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  10.0.0.0/8           0.0.0.0/0
DROP       all  --  169.254.0.0/16       0.0.0.0/0
DROP       all  --  172.16.0.0/12        0.0.0.0/0
DROP       all  --  127.0.0.0/8          0.0.0.0/0
DROP       all  --  192.168.0.0/24       0.0.0.0/0
DROP       all  --  224.0.0.0/4          0.0.0.0/0
DROP       all  --  0.0.0.0/0            224.0.0.0/4
DROP       all  --  240.0.0.0/5          0.0.0.0/0
DROP       all  --  0.0.0.0/0            240.0.0.0/5
DROP       all  --  0.0.0.0/8            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/8
DROP       all  --  0.0.0.0/0            239.255.255.0/24
DROP       all  --  0.0.0.0/0            255.255.255.255
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 17
DROP       icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 13
ACCEPT     icmp --  0.0.0.0/0            0.0.0.0/0            icmptype 8 limit: avg 1/sec burst 5
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     tcp  --  0.0.0.0/0            0.0.0.0/0            tcp flags:0x04/0x04 limit: avg 2/sec burst 2
DROP       all  --  0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
           all  --  0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain FORWARD (policy DROP)
target     prot opt source               destination
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
DROP       all  --  0.0.0.0/0            0.0.0.0/0            recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
           all  --  0.0.0.0/0            0.0.0.0/0            recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG        tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
in_lan2internet  all  --  0.0.0.0/0            0.0.0.0/0
out_lan2internet  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0
out_mylan  all  --  0.0.0.0/0            0.0.0.0/0
out_internet  all  --  0.0.0.0/0            0.0.0.0/0
DROP       all  --  0.0.0.0/0            0.0.0.0/0            state INVALID
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0            ctstate RELATED
LOG        all  --  0.0.0.0/0            0.0.0.0/0            limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
DROP       all  --  0.0.0.0/0            0.0.0.0/0

Chain SECAST (1 references)
target     prot opt source               destination
DROP       all  --  1.2.3.4              0.0.0.0/0
DROP       all  --  69.30.245.18         0.0.0.0/0
DROP       all  --  195.154.38.22        0.0.0.0/0
DROP       all  --  212.83.130.10        0.0.0.0/0
DROP       all  --  212.83.134.244       0.0.0.0/0
DROP       all  --  163.172.121.136      0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0
. . .

This is a home installation. My intent is to let SecAst modify the firewall as necessary. I am concerned about interactions between SecAst and FireHOL. I have a lot more interaction with FireHOL than SecAst, so I'd really like a way to allow SecAst to "self heal" even if it is semi-automatic/manual. I could envision a command such as "SecAst> iptables init" with others such as "SecAst> iptables list" to show/verify what SecAst added to iptables. Or every N number of minutes (or with each new "detected" attack), have SecAst verify its installation in iptables and restore iptables as necessary from the BanIP list. Or even better, is there something I can add to the FireHOL config /etc/firehol/firehol.conf which will call SecAst to re-add/verify its installation in iptables?

I really like your phpBB installation, very effective! Thank you for your help. I suspect SecAst is now running properly until I accidentally break it again with FireHOL. 😳
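The "self heal" the post asks for can be approximated outside SecAst with a small script run after every FireHOL reload: it checks whether the SECAST chain still exists and is still the first jump in INPUT (the state the listing above shows), re-creates both if FireHOL flushed them, and repopulates the chain from the output of the telnet console's "banip list" command. This is an added example, not code from SecAst, Telium or FireHOL. It assumes the chain name SECAST and the INPUT hook seen in the listing, that it runs as root, that the "banip list" text is supplied on stdin (captured from a telnet session like the one above), and that iptables supports the -C rule-check option (1.4.11 and later). IPT and CHAIN are variables introduced here so the logic can be exercised against a stand-in; the sample list is copied (abridged) from the console session in the post.

```shell
#!/bin/sh
# Added example (not SecAst's or FireHOL's own code): rebuild the SECAST
# chain and its DROP rules from SecAst's "banip list" output after a FireHOL
# reload has wiped them. Assumptions not taken from the post: run as root,
# chain named SECAST hooked as rule 1 of INPUT, iptables >= 1.4.11 (-C),
# and IPT/CHAIN overridable for a dry run.

IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-SECAST}"

# Keep only the IPv4 address from lines such as
# "1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds". Prompt and banner
# lines carry no leading address and are dropped; CRs from telnet are stripped.
banip_addresses() {
    tr -d '\r' |
    sed -n 's/^\([0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\)[[:space:]].*/\1/p'
}

# Create the chain if "iptables -L" cannot find it, and hook it into INPUT if
# "iptables -C" reports the jump missing. Both probes exit non-zero when the
# object is absent, which is also what SecAst's own "chain exists" check in
# the log above relies on.
ensure_chain() {
    $IPT -n -L "$CHAIN" >/dev/null 2>&1 || $IPT -N "$CHAIN" || return 1
    $IPT -C INPUT -j "$CHAIN" >/dev/null 2>&1 || $IPT -I INPUT 1 -j "$CHAIN"
}

# Append a DROP for every banned address not already present, then the RETURN
# that lets unbanned traffic continue into FireHOL's rules.
restore_bans() {
    banip_addresses | while read -r ip; do
        $IPT -C "$CHAIN" -s "$ip" -j DROP >/dev/null 2>&1 \
            || $IPT -A "$CHAIN" -s "$ip" -j DROP
    done
    $IPT -C "$CHAIN" -j RETURN >/dev/null 2>&1 || $IPT -A "$CHAIN" -j RETURN
}

# Full pass: verify the chain, then restore the bans read from stdin.
restore_secast() {
    ensure_chain && restore_bans
}

# Stand-in for iptables modelling an empty firewall: every -L/-C probe
# reports "missing" and every change is printed instead of applied.
dryrun_iptables() {
    case " $* " in
        *" -L "*|*" -C "*) return 1 ;;
    esac
    echo "iptables $*"
}

# Constructed sample: "banip list" output copied (abridged) from the session
# above, including the prompt lines that must be ignored.
SAMPLE_BANIP_LIST='SecAst>banip list
163.172.121.136 2 days, 23 hours, 58 minutes, 43 seconds
1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds
SecAst>'

# Dry run against the sample (with IPT unset the commands hit the live firewall):
#   IPT=dryrun_iptables
#   printf '%s\n' "$SAMPLE_BANIP_LIST" | restore_secast
```

Each rule is added only when a -C probe says it is missing, so running the script repeatedly does not duplicate rules. Point it at the live firewall only on a box where FireHOL and SecAst agree that SECAST is the first rule of INPUT; if the ban list should instead come straight from the console, capture a "banip list" session over the loopback address only. The log above shows the telnet server bound to 0.0.0.0:3000, and the session shows no login step before "banip add" is accepted, so that port should not be reachable from anywhere but localhost.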