Reply To: iptables+fireHOL not blocking IP's

teliumcustomer19

Quote:
I suggest you stop SecAst, delete the secast log file, and restart Secast, then manually ban 1 IP. Either post the secast log (or send to support@telium.io if you are concerned about making content public) and we can look there for further clues.

If this is a commercial environment keep in mind that we recommend blocking attackers at the network edge (firewall) – letting SecAst add rules to your firewall.

Your recommendation may have worked. Evidence follows…

/etc/xdg/telium/secast.conf

[asterisk] ;=================================================================

; Location of logfile containing security related messages. In versions of
; Asterisk prior to 10 this would normally be the primary messages file
; (/var/log/asterisk/messages), while in later versions of Asterisk this would
; be the security file (/var/log/asterisk/security)
securitylog="/var/log/asterisk/messages"
;securitylog=/var/log/asterisk/security

; hostname or ip address of the Asterisk server. Normally this should be set
; to "localhost" but can be any valid IP/hostname
hostname="localhost"

; Port number to connect to Asterisk Management Interface (AMI). This should
; match the port settings of the manager.conf file on the Asterisk server.
; This is normally set to 5038
port=5038

; Username used for authentication to the AMI. This should match the section
; heading in the manager.conf file on the Asterisk server. Normally this
; should be set to "secast"
username="secast"

; Secret used for authentication to the AMI. This should match the secret set
; in the section heading for the username above, in the manager.conf file on
; the Asterisk server. This should not be left at the default of "secast"
secret="MySecret"

Asterisk Console

pluto*CLI>
[Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
[Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
== Manager 'secast' logged off from 127.0.0.1
== Manager 'secast' logged on from 127.0.0.1
pluto*CLI>

/var/log/secast

root@pluto:/var/log# /usr/local/secast/secast
secast version 1.4.7 started under PID 2502
secast switched to daemon under PID 2503
root@pluto:/var/log# cat /var/log/secast
Wed Apr 19 09:44:13 2017, 00000100, I, General, SecAst version 1.4.1103 starting as daemon under process ID 2503
Wed Apr 19 09:44:13 2017, 00001011, W, License, License file not found. Switching to Free Edition
Wed Apr 19 09:44:13 2017, 00000122, I, General, Settings contained 0 information; 0 warning; and 0 error messages.
Wed Apr 19 09:44:13 2017, 00000300, I, Controller, Telnet server listening on 0.0.0.0:3000
Wed Apr 19 09:44:13 2017, 00001600, I, Controller, Pipe server listening on /run/secast.sock
Wed Apr 19 09:44:13 2017, 00000702, E, System Command, Failed to determine if iptables chain exists. Run result 0; exitcode 1
Wed Apr 19 09:44:13 2017, 00001302, I, Geo IP, Opened GeoIP database
Wed Apr 19 09:44:13 2017, 00002837, I, Controller, Restoring recovering state from file created by host 'Arno-PBX' at Wed Apr 19 09:41:05 2017
Wed Apr 19 09:44:13 2017, 00002831, I, Controller, Recovery state will be saved every 60 seconds
Wed Apr 19 09:44:13 2017, 00001258, I, Asterisk Controller, Starting
Wed Apr 19 09:44:18 2017, 00000801, E, Alert, Failed to send email: SecAst Starting
Wed Apr 19 09:44:18 2017, 00000107, I, General, SecAst state changing to not protecting
Wed Apr 19 09:44:23 2017, 00000801, E, Alert, Failed to send email: Entering Non-Protecting State
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '163.172.121.136' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.134.244' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '212.83.130.10' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '195.154.38.22' as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP '69.30.245.18' as managed
Wed Apr 19 09:44:23 2017, 00001201, I, Asterisk Controller, Connection established to AMI
Wed Apr 19 09:44:23 2017, 00000108, I, General, SecAst state changing to protecting
Wed Apr 19 09:44:28 2017, 00000801, E, Alert, Failed to send email: Entering Protecting State
Wed Apr 19 09:44:31 2017, 00000202, I, Telnet Server, Client 1: Connecting from 127.0.0.1:47346
Wed Apr 19 09:44:45 2017, 00000204, I, Telnet Server, Client 1: Executing command [status]
Wed Apr 19 09:45:18 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip add 1.2.3.4]
Wed Apr 19 09:45:18 2017, 00000608, S, Security Event Queue, Banning manual IP '1.2.3.4' as managed
Wed Apr 19 09:45:29 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip list]
root@pluto:/var/log#

SecAst Console

pluto% telnet localhost 3000
Trying ::1...
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SecAst telnet interface on 'Arno-PBX'
SecAst>status
SecAst state: protecting
Asterisk connection state: logged in
Threat level: low
IP banning enforcement: enforced
Database status: disconnected
Run Time: 31 seconds
Intrusion attempts in window: 0
Total instrusion attempts: 0
IP's Banned: 5 addresses
IP's Watched: 0 addresses
Users Watched: 0 users
SecAst>banip add 1.2.3.4
Issued request to add IP 1.2.3.4. Check event log for errors, or use 'banip list' to confirm add
SecAst>banip list
163.172.121.136 2 days, 23 hours, 58 minutes, 43 seconds
212.83.134.244 2 days, 23 hours, 58 minutes, 43 seconds
212.83.130.10 2 days, 23 hours, 58 minutes, 43 seconds
195.154.38.22 2 days, 23 hours, 58 minutes, 43 seconds
69.30.245.18 2 days, 23 hours, 58 minutes, 43 seconds
1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds
SecAst>

iptables entries

root@pluto:~# iptables -nL|less
Chain INPUT (policy DROP)
target prot opt source destination
SECAST all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 69.30.245.18 0.0.0.0/0
DROP all -- 163.172.121.136 0.0.0.0/0
DROP all -- 212.83.130.10 0.0.0.0/0
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:51413
DROP all -f 0.0.0.0/0 0.0.0.0/0
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipcli" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sip-scan" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "iWar" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipvicious" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sipsak" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "sundayddr" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "VaxSIPUserAgent" ALGO name bm TO 65535
DROP udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match "friendly-scanner" ALGO name bm TO 65535
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
in_mylan all -- 0.0.0.0/0 0.0.0.0/0
in_internet all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 10.0.0.0/8 0.0.0.0/0
DROP all -- 169.254.0.0/16 0.0.0.0/0
DROP all -- 172.16.0.0/12 0.0.0.0/0
DROP all -- 127.0.0.0/8 0.0.0.0/0
DROP all -- 192.168.0.0/24 0.0.0.0/0
DROP all -- 224.0.0.0/4 0.0.0.0/0
DROP all -- 0.0.0.0/0 224.0.0.0/4
DROP all -- 240.0.0.0/5 0.0.0.0/0
DROP all -- 0.0.0.0/0 240.0.0.0/5
DROP all -- 0.0.0.0/8 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/8
DROP all -- 0.0.0.0/0 239.255.255.0/24
DROP all -- 0.0.0.0/0 255.255.255.255
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 17
DROP icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 13
ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04 limit: avg 2/sec burst 2
DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "IN-unknown:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain FORWARD (policy DROP)
target prot opt source destination
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
DROP all -- 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
all -- 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix "portscan:"
DROP tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
in_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
out_lan2internet all -- 0.0.0.0/0 0.0.0.0/0
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "PASS-unknown:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy DROP)
target prot opt source destination
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0
out_mylan all -- 0.0.0.0/0 0.0.0.0/0
out_internet all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all -- 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix "OUT-unknown:"
DROP all -- 0.0.0.0/0 0.0.0.0/0

Chain SECAST (1 references)
target prot opt source destination
DROP all -- 1.2.3.4 0.0.0.0/0
DROP all -- 69.30.245.18 0.0.0.0/0
DROP all -- 195.154.38.22 0.0.0.0/0
DROP all -- 212.83.130.10 0.0.0.0/0
DROP all -- 212.83.134.244 0.0.0.0/0
DROP all -- 163.172.121.136 0.0.0.0/0
RETURN all -- 0.0.0.0/0 0.0.0.0/0

. . .

This is a home installation.

My intent is to let SecAst modify the firewall as necessary. I am concerned about interactions between SecAst and FireHOL. I have a lot more interaction with FireHOL than SecAst, so I'd really like a way to allow SecAst to "self-heal" even if it is semi-automatic/manual. I could envision a command such as "SecAst> iptables init" with others such as "SecAst> iptables list" to show/verify what SecAst added to iptables. Or every N minutes (or with each new "detected" attack), have SecAst verify its installation in iptables and restore iptables as necessary from the BanIP list. Or even better, is there something I can add to the FireHOL config /etc/firehol/firehol.conf which will call SecAst to re-add/verify its installation in iptables?

I really like your phpBB installation, very effective!

Thank you for your help. I suspect SecAst is now running properly until I accidentally break it again with FireHOL. 😳
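The verification the post asks for (have something compare the BanIP list against what is actually in iptables and restore what a FireHOL reload wiped out), as an added example by this page's editor and not code shipped by SecAst or Telium: a POSIX shell script that parses the console's 'banip list' output and 'iptables -nL' output in the form shown above, reports bans that are missing from the SECAST chain, and prints the iptables commands that would put them back. The chain name SECAST, the DROP/RETURN rule shape and the INPUT jump are taken from the listing in this post; the sample inputs are constructed, and whether re-creating those rules by hand is an adequate substitute for restarting SecAst is an assumption the thread does not confirm.

```shell
#!/bin/sh
# Added example, not SecAst's or Telium's code: check that every IP in SecAst's
# 'banip list' is still dropped by the SECAST iptables chain after a FireHOL
# reload, and print the iptables commands that would restore what is missing.
# Assumed from the listing in the post: chain name SECAST, rules of the form
# "DROP all -- <ip> 0.0.0.0/0" ending in RETURN, and an INPUT -> SECAST jump.
# That re-creating those rules is enough to restore enforcement is an assumption.

# Constructed sample: 'banip list' output as printed by the SecAst console.
SAMPLE_BANIP='163.172.121.136 2 days, 23 hours, 58 minutes, 43 seconds
212.83.134.244 2 days, 23 hours, 58 minutes, 43 seconds
1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds'

# Constructed sample: 'iptables -nL' after a FireHOL reload that rebuilt INPUT
# without the SECAST jump and left one ban (212.83.134.244) out of the chain.
SAMPLE_IPTABLES='Chain INPUT (policy DROP)
target     prot opt source               destination
DROP       all  --  69.30.245.18         0.0.0.0/0
ACCEPT     all  --  0.0.0.0/0            0.0.0.0/0

Chain SECAST (0 references)
target     prot opt source               destination
DROP       all  --  163.172.121.136      0.0.0.0/0
DROP       all  --  1.2.3.4              0.0.0.0/0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0'

# IPs SecAst believes are banned: first column of every non-empty line.
banip_ips() {
    printf '%s\n' "$1" | awk 'NF { print $1 }'
}

# Source IPs dropped in the SECAST chain (empty if the chain does not exist).
secast_chain_ips() {
    printf '%s\n' "$1" | awk '
        /^Chain SECAST/ { inchain = 1; next }
        /^Chain /       { inchain = 0 }
        inchain && $1 == "DROP" { print $4 }'
}

# Prints 1 if INPUT jumps to SECAST (so the chain is consulted at all), else 0.
input_jumps_to_secast() {
    printf '%s\n' "$1" | awk '
        /^Chain INPUT/ { inchain = 1; next }
        /^Chain /      { inchain = 0 }
        inchain && $1 == "SECAST" { found = 1 }
        END { print found ? 1 : 0 }'
}

# Bans listed by SecAst but absent from the SECAST chain, one per line.
missing_bans() {
    _chain=$(secast_chain_ips "$2")
    for ip in $(banip_ips "$1"); do
        printf '%s\n' "$_chain" | grep -qxF "$ip" || printf '%s\n' "$ip"
    done
}

# iptables commands that would restore the missing pieces. The jump is inserted
# at position 1 because in the post's ruleset SECAST is INPUT's first rule, so
# bans are checked before FireHOL's ACCEPT rules; -I into SECAST keeps each new
# DROP ahead of the trailing RETURN.
restore_commands() {
    if ! printf '%s\n' "$2" | grep -q '^Chain SECAST'; then
        echo 'iptables -N SECAST'
        echo 'iptables -A SECAST -j RETURN'
    fi
    if [ "$(input_jumps_to_secast "$2")" -eq 0 ]; then
        echo 'iptables -I INPUT 1 -j SECAST'
    fi
    for ip in $(missing_bans "$1" "$2"); do
        echo "iptables -I SECAST -s $ip -j DROP"
    done
}

# Stand-alone run over the constructed samples. Against a live host, save the
# console's 'banip list' output to a file and call:
#   restore_commands "$(cat banip.txt)" "$(iptables -nL)"
restore_commands "$SAMPLE_BANIP" "$SAMPLE_IPTABLES"
```

The script only prints commands; review them before piping into sh, since the listing in this post also shows FireHOL's own rules for three of the same addresses directly in INPUT, and a stray RETURN before the DROPs would silently disable the chain. One more thing worth checking while looking at this ruleset: the SecAst log above reports its console "listening on 0.0.0.0:3000", and the excerpt does not show the in_mylan/in_internet chains that decide whether that port is reachable from outside the host.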