teliumcustomer19

Quote:
I suggest you stop SecAst, delete the secast log file, and restart Secast, then manually ban 1 IP. Either post the secast log (or send to support@telium.io if you are concerned about making content public) and we can look there for further clues.

If this is a commercial environment keep in mind that we recommend blocking attackers at the network edge (firewall) – letting SecAst add rules to your firewall.

Your recommendation may have worked. Evidence follows…

/etc/xdg/telium/secast.conf


[asterisk] ;=================================================================

Asterisk Console

pluto*CLI>
[Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
[Apr 19 09:40:59] ERROR[13625]: utils.c:1446 ast_careful_fwrite: fwrite() returned error: Broken pipe
== Manager ‘secast’ logged off from 127.0.0.1
== Manager ‘secast’ logged on from 127.0.0.1
pluto*CLI>

/var/log/secast

root@pluto:/var/log# /usr/local/secast/secast
secast version 1.4.7 started under PID 2502
secast switched to daemon under PID 2503
root@pluto:/var/log# cat /var/log/secast
Wed Apr 19 09:44:13 2017, 00000100, I, General, SecAst version 1.4.1103 starting as daemon under process ID 2503
Wed Apr 19 09:44:13 2017, 00001011, W, License, License file not found. Switching to Free Edition
Wed Apr 19 09:44:13 2017, 00000122, I, General, Settings contained 0 information; 0 warning; and 0 error messages.
Wed Apr 19 09:44:13 2017, 00000300, I, Controller, Telnet server listening on 0.0.0.0:3000
Wed Apr 19 09:44:13 2017, 00001600, I, Controller, Pipe server listening on /run/secast.sock
Wed Apr 19 09:44:13 2017, 00000702, E, System Command, Failed to determine if iptables chain exists. Run result 0; exitcode 1
Wed Apr 19 09:44:13 2017, 00001302, I, Geo IP, Opened GeoIP database
Wed Apr 19 09:44:13 2017, 00002837, I, Controller, Restoring recovering state from file created by host ‘Arno-PBX’ at Wed Apr 19 09:41:05 2017
Wed Apr 19 09:44:13 2017, 00002831, I, Controller, Recovery state will be saved every 60 seconds
Wed Apr 19 09:44:13 2017, 00001258, I, Asterisk Controller, Starting
Wed Apr 19 09:44:18 2017, 00000801, E, Alert, Failed to send email: SecAst Starting
Wed Apr 19 09:44:18 2017, 00000107, I, General, SecAst state changing to not protecting
Wed Apr 19 09:44:23 2017, 00000801, E, Alert, Failed to send email: Entering Non-Protecting State
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP ‘163.172.121.136’ as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP ‘212.83.134.244’ as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP ‘212.83.130.10’ as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP ‘195.154.38.22’ as managed
Wed Apr 19 09:44:23 2017, 00000608, S, Security Event Queue, Banning recovery IP ‘69.30.245.18’ as managed
Wed Apr 19 09:44:23 2017, 00001201, I, Asterisk Controller, Connection established to AMI
Wed Apr 19 09:44:23 2017, 00000108, I, General, SecAst state changing to protecting
Wed Apr 19 09:44:28 2017, 00000801, E, Alert, Failed to send email: Entering Protecting State
Wed Apr 19 09:44:31 2017, 00000202, I, Telnet Server, Client 1: Connecting from 127.0.0.1:47346
Wed Apr 19 09:44:45 2017, 00000204, I, Telnet Server, Client 1: Executing command [status]
Wed Apr 19 09:45:18 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip add 1.2.3.4]
Wed Apr 19 09:45:18 2017, 00000608, S, Security Event Queue, Banning manual IP ‘1.2.3.4’ as managed
Wed Apr 19 09:45:29 2017, 00000204, I, Telnet Server, Client 1: Executing command [banip list]
root@pluto:/var/log#

SecAst Console

pluto% telnet localhost 3000
Trying ::1…
Trying 127.0.0.1…
Connected to localhost.
Escape character is ‘^]’.
SecAst telnet interface on ‘Arno-PBX’
SecAst>status
SecAst state: protecting
Asterisk connection state: logged in
Threat level: low
IP banning enforcement: enforced
Database status: disconnected
Run Time: 31 seconds
Intrusion attempts in window: 0
Total instrusion attempts: 0
IP’s Banned: 5 addresses
IP’s Watched: 0 addresses
Users Watched: 0 users
SecAst>banip add 1.2.3.4
Issued request to add IP 1.2.3.4. Check event log for errors, or use ‘banip list’ to confirm add
SecAst>banip list
163.172.121.136 2 days, 23 hours, 58 minutes, 43 seconds
212.83.134.244 2 days, 23 hours, 58 minutes, 43 seconds
212.83.130.10 2 days, 23 hours, 58 minutes, 43 seconds
195.154.38.22 2 days, 23 hours, 58 minutes, 43 seconds
69.30.245.18 2 days, 23 hours, 58 minutes, 43 seconds
1.2.3.4 2 days, 23 hours, 59 minutes, 49 seconds
SecAst>

iptables entries

root@pluto:~# iptables -nL|less
Chain INPUT (policy DROP)
target prot opt source destination
SECAST all — 0.0.0.0/0 0.0.0.0/0
DROP all — 69.30.245.18 0.0.0.0/0
DROP all — 163.172.121.136 0.0.0.0/0
DROP all — 212.83.130.10 0.0.0.0/0
ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:51413
DROP all -f 0.0.0.0/0 0.0.0.0/0
DROP udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:1024
DROP udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match “sipcli” ALGO name bm TO 65535
DROP udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match “sip-scan” ALGO name bm TO 65535
DROP udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match “iWar” ALGO name bm TO 65535
DROP udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match “sipvicious” ALGO name bm TO 65535
DROP udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match “sipsak” ALGO name bm TO 65535
DROP udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match “sundayddr” ALGO name bm TO 65535
DROP udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match “VaxSIPUserAgent” ALGO name bm TO 65535
DROP udp — 0.0.0.0/0 0.0.0.0/0 udp dpt:5060 STRING match “friendly-scanner” ALGO name bm TO 65535
ACCEPT all — 0.0.0.0/0 0.0.0.0/0
in_mylan all — 0.0.0.0/0 0.0.0.0/0
in_internet all — 0.0.0.0/0 0.0.0.0/0
DROP all — 10.0.0.0/8 0.0.0.0/0
DROP all — 169.254.0.0/16 0.0.0.0/0
DROP all — 172.16.0.0/12 0.0.0.0/0
DROP all — 127.0.0.0/8 0.0.0.0/0
DROP all — 192.168.0.0/24 0.0.0.0/0
DROP all — 224.0.0.0/4 0.0.0.0/0
DROP all — 0.0.0.0/0 224.0.0.0/4
DROP all — 240.0.0.0/5 0.0.0.0/0
DROP all — 0.0.0.0/0 240.0.0.0/5
DROP all — 0.0.0.0/8 0.0.0.0/0
DROP all — 0.0.0.0/0 0.0.0.0/8
DROP all — 0.0.0.0/0 239.255.255.0/24
DROP all — 0.0.0.0/0 255.255.255.255
DROP icmp — 0.0.0.0/0 0.0.0.0/0 icmptype 17
DROP icmp — 0.0.0.0/0 0.0.0.0/0 icmptype 13
ACCEPT icmp — 0.0.0.0/0 0.0.0.0/0 icmptype 8 limit: avg 1/sec burst 5
DROP all — 0.0.0.0/0 0.0.0.0/0 state INVALID
ACCEPT tcp — 0.0.0.0/0 0.0.0.0/0 tcp flags:0x04/0x04 limit: avg 2/sec burst 2
DROP all — 0.0.0.0/0 0.0.0.0/0 recent: CHECK seconds: 86400 name: portscan side: source mask: 255.255.255.255
all — 0.0.0.0/0 0.0.0.0/0 recent: REMOVE name: portscan side: source mask: 255.255.255.255
LOG tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255 LOG flags 0 level 4 prefix “portscan:”
DROP tcp — 0.0.0.0/0 0.0.0.0/0 tcp dpt:139 recent: SET name: portscan side: source mask: 255.255.255.255
ACCEPT all — 0.0.0.0/0 0.0.0.0/0 ctstate RELATED
LOG all — 0.0.0.0/0 0.0.0.0/0 limit: avg 1/sec burst 5 LOG flags 0 level 4 prefix “IN-unknown:”
DROP all — 0.0.0.0/0 0.0.0.0/0

This is a home installation.

My intent is to let SecAst modify the firewall as necessary. I am concerned about interactions between SecAst and FireHOL. I have a lot more interaction with FireHOL than SecAst, so I’d really like a way to allow SecAst to “self heal” even if it is semi-automatic/manual. I could envision a command such as “SecAst> iptables init” with others such as “SecAst> iptables list” to show/verify what SecAst added to iptables. Or every N number of minutes (or with each new “detected” attack), have SecAst verify it’s installation in iptables and restore iptables as necessary from the BanIP list. Or even better, is there something I can add to FireHOL config /etc/firehol/firehol.conf which will call SecAst to re-add/verify it’s installation in iptables?

I really like your phpBB installation, very effective!

Thank you for your help. I suspect SecAst is now running properly until I accidentally break it again with FireHOL. 😳