Hi,
I am having an issue with someone accessing our server via a SIP/VOIP connection. I have changed my iptables rules to drop all UDP traffic from and to this IP address, but this traffic seems to still run through my server. These are the iptables rules that I currently have on the server.
-A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
-A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
Regards
Jennifer Botten
ETECH
On 09/26/2011 07:02 AM, Jennifer Botten wrote:
> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
This needs to be:
-A OUTPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
...if you want to drop packets initiated from your system to that ip...which doesn't make any sense if you're dropping all the incoming connection from that ip.
On why are you still getting packets from that ip... perhaps there's also TCP traffic? If you want to completely drop packets from that ip simply remove the protocol argument like this:
-A INPUT -i eth0 -s 209.61.231.42 -j DROP
HTH, Jorge
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jorge Fábregas Sent: 26 September 2011 01:09 PM To: centos@centos.org Subject: Re: [CentOS] Hacking Issue
> On 09/26/2011 07:02 AM, Jennifer Botten wrote:
> > -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
> This needs to be:
> -A OUTPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
> ...if you want to drop packets initiated from your system to that ip...which doesn't make any sense if you're dropping all the incoming connection from that ip.
> On why are you still getting packets from that ip... perhaps there's also TCP traffic? If you want to completely drop packets from that ip simply remove the protocol argument like this:
> -A INPUT -i eth0 -s 209.61.231.42 -j DROP
> HTH, Jorge
> _______________________________________________
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
Hi Jorge,
I am blocking UDP and TCP from that IP. I also have an OUTPUT rule however mine has the -o eth0 as the -i eth0 does not work.
Regards
Jennifer
On 09/26/2011 07:45 AM, Jennifer Botten wrote:
> I am blocking UDP and TCP from that IP. I also have an OUTPUT rule however mine has the -o eth0 as the -i eth0 does not work.
Yes, I had it wrong. For the OUTPUT chain you use the -o ethX. Perhaps you have an ALLOW rule for udp or some other criteria BEFORE the actual DROP? How do you determine that it is not working?
Also, please follow the common rules when posting :)
1) don't use html
2) quote properly (look at how I am replying)
Regards, Jorge
On Mon, 26 Sep 2011, Jennifer Botten wrote:
> To: centos@centos.org
> From: Jennifer Botten jennifer@etech.co.za
> Subject: [CentOS] Hacking Issue
> Hi,
> I am having an issue with someone accessing our server via a SIP/VOIP connection. I have changed my iptables rules to drop all UDP traffic from and to this IP address, but this traffic seems to still run through my server. These are the iptables rules that I currently have on the server.
> -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
You might find it helps to analyse this traffic with a network analyser, like Wireshark. That would allow you to see in almost real time what is happening on the line.
Kind Regards,
Keith Roberts
----------------------------------------------------------------- Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk
All email addresses are challenge-response protected with TMDA [http://tmda.net] -----------------------------------------------------------------
I would use an '-I' instead of '-A' if it's a case of blocking an intruder.
You can use tcpdump and 'ss -l' as well.
Check out the application logs, try to see what the intruder is up to!
On Mon, Sep 26, 2011 at 7:14 AM, Keith Roberts keith@karsites.net wrote:
> On Mon, 26 Sep 2011, Jennifer Botten wrote:
> > To: centos@centos.org
> > From: Jennifer Botten jennifer@etech.co.za
> > Subject: [CentOS] Hacking Issue
> > Hi,
> > I am having an issue with someone accessing our server via a SIP/VOIP connection. I have changed my iptables rules to drop all UDP traffic from and to this IP address, but this traffic seems to still run through my server. These are the iptables rules that I currently have on the server.
> > -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
> > -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
> You might find it helps to analyse this traffic with a network analyser, like Wireshark. That would allow you to see in almost real time what is happening on the line.
> Kind Regards,
> Keith Roberts
> Websites: http://www.karsites.net http://www.php-debuggers.net http://www.raised-from-the-dead.org.uk
> All email addresses are challenge-response protected with TMDA [http://tmda.net]
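Both Jorge's question ("perhaps you have an ALLOW rule ... BEFORE the actual DROP?") and the advice to use '-I' instead of '-A' come down to the same thing: netfilter takes the first matching rule in a chain, so a DROP appended with -A behind an ACCEPT for UDP/5060 never sees the SIP packets. The script below is an added example, not code from the thread: it walks a constructed `iptables -S INPUT` listing the way the kernel would, with a documentation-range address (192.0.2.10) standing in for the offending host, and shows the verdict before and after the DROP is moved to the top. The simulator only models the -s, -p and --dport matches used in the sample and treats a conntrack state rule as a non-match for a fresh inbound flow; the rule text itself is what you would see on the host.

```shell
#!/bin/sh
# Constructed `iptables -S INPUT` output (not from the thread): a SIP ACCEPT
# rule sits BEFORE the per-host DROP that was appended with `-A`.
RULES_APPENDED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT
-A INPUT -i eth0 -s 192.0.2.10/32 -p udp -j DROP
-A INPUT -i eth0 -s 192.0.2.10/32 -p tcp -j DROP'

# The same chain after `iptables -I INPUT 1 -i eth0 -s 192.0.2.10 -j DROP`:
# inserted at position 1 and with the protocol argument removed, as suggested.
RULES_INSERTED='-P INPUT ACCEPT
-A INPUT -i eth0 -s 192.0.2.10/32 -j DROP
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 5060 -j ACCEPT'

# first_match RULES SRC PROTO DPORT
# Walks the chain top to bottom like netfilter and prints the target of the
# first rule whose -s / -p / --dport (when present) all match the packet,
# falling back to the chain policy. Interface is assumed to be eth0, so -i
# is not checked; a --state rule is treated as "no match" for a new flow.
first_match() {
  printf '%s\n' "$1" | awk -v src="$2" -v proto="$3" -v dport="$4" '
    $1 == "-P" { policy = $3; next }
    $1 == "-A" {
      s = ""; p = ""; d = ""; stateful = 0; target = ""
      for (i = 3; i <= NF; i++) {
        if      ($i == "-s")      s = $(i + 1)
        else if ($i == "-p")      p = $(i + 1)
        else if ($i == "--dport") d = $(i + 1)
        else if ($i == "--state") stateful = 1
        else if ($i == "-j")      target = $(i + 1)
      }
      sub(/\/32$/, "", s)                 # iptables -S prints hosts as /32
      if (stateful)              next
      if (s != "" && s != src)   next
      if (p != "" && p != proto) next
      if (d != "" && d != dport) next
      print target; matched = 1; exit
    }
    END { if (!matched) print policy }'
}

# The packet the thread is about: a SIP request over UDP/5060 from the host.
verdict_appended() { first_match "$RULES_APPENDED" 192.0.2.10 udp 5060; }
verdict_inserted() { first_match "$RULES_INSERTED" 192.0.2.10 udp 5060; }

# On the real host, verify with:  iptables -L INPUT -n -v --line-numbers
# The pkts/bytes counters on the DROP line show whether it is matching at all.
echo "DROP appended after the SIP ACCEPT: $(verdict_appended)"   # ACCEPT
echo "DROP inserted at position 1:       $(verdict_inserted)"   # DROP
```

Note that Jennifer's second rule, `-A INPUT ... -d 209.61.231.42`, can never match in INPUT: the destination of an inbound packet is the server's own address, which is why Jorge points at the OUTPUT chain (with `-o eth0`) for the reverse direction.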
On 09/26/2011 01:02 PM, Jennifer Botten wrote:
> Hi,
> I am having an issue with someone accessing our server via a SIP/VOIP connection. I have changed my iptables rules to drop all UDP traffic from and to this IP address, but this traffic seems to still run through my server. These are the iptables rules that I currently have on the server.
> -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
> -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
If your SIP server needs to be accessed from any IP address, consider using fail2ban. Easy to set up, and it will block access to your SIP server after so many false attempts. I started using fail2ban to prevent failed logons from cluttering the (Asterisk) logs.
Theo
Theo Band wrote:
> On 09/26/2011 01:02 PM, Jennifer Botten wrote:
> > I am having an issue with someone accessing our server via a SIP/VOIP connection. I have changed my iptables rules to drop all UDP traffic from and to this IP address, but this traffic seems to still run through my server. These are the iptables rules that I currently have on the server.
> > -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
> > -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
> If your SIP server needs to be accessed from any IP address, consider using fail2ban. Easy to set up, and it will block access to your SIP server after so many false attempts. I started using fail2ban to prevent failed logons from cluttering the (Asterisk) logs.
Let me chime in: *yes* to fail2ban. We use it here at work, and it works, and is very good. Not too hard to configure for basic usage, either, but very extensible.
mark
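Theo's and mark's suggestion is to let fail2ban watch the Asterisk log and ban a source after "so many false attempts". The script below is an added example, not fail2ban's code and not from the thread: it re-implements the core of that decision (fail2ban's `maxretry` within `findtime` seconds, per source address) over a constructed chan_sip log excerpt, so you can see which hosts would be banned under a given setting before enabling a jail. The log lines use documentation-range addresses and the older chan_sip "Registration from ... failed for ... - Wrong password" message shape; a real jail matches more failure messages than this one regex.

```shell
#!/bin/sh
# Constructed Asterisk log excerpt (not real traffic). 192.0.2.10 hammers
# five registrations in four seconds; 198.51.100.7 fails three times but
# spread out over 45 minutes; the last line is a success and must be ignored.
sample_log() {
  cat <<'EOF'
[Sep 26 10:02:11] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '192.0.2.10:5060' - Wrong password
[Sep 26 10:02:12] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '192.0.2.10:5060' - No matching peer found
[Sep 26 10:02:13] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '192.0.2.10:5060' - Wrong password
[Sep 26 10:02:14] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '192.0.2.10:5060' - Wrong password
[Sep 26 10:02:15] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@203.0.113.5>' failed for '192.0.2.10:5060' - Wrong password
[Sep 26 10:05:40] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[Sep 26 10:45:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[Sep 26 10:50:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[Sep 26 10:06:00] VERBOSE[2231] chan_sip.c: Registered SIP '105' at 203.0.113.9:5060
EOF
}

# offenders MAXRETRY FINDTIME   (log on stdin, banned addresses on stdout)
# A source is reported once, at the moment it has MAXRETRY failures inside
# any FINDTIME-second window; this mirrors fail2ban's maxretry/findtime but
# is a simplified re-implementation, not fail2ban itself.
offenders() {
  awk -v maxretry="$1" -v findtime="$2" -v apos="'" '
    /Registration from .* failed for / {
      # "[Sep 26 10:02:11]": seconds since the start of the month; the
      # constructed log stays within one month, so rollover is not handled.
      split(substr($3, 1, length($3) - 1), hms, ":")
      now = $2 * 86400 + hms[1] * 3600 + hms[2] * 60 + hms[3]
      split($0, q, apos)               # q[4] is the "ip:port" after "failed for"
      ip = q[4]; sub(/:[0-9]+$/, "", ip)
      n[ip]++; t[ip, n[ip]] = now
      recent = 0
      for (i = 1; i <= n[ip]; i++) if (t[ip, i] > now - findtime) recent++
      if (recent >= maxretry && !(ip in banned)) { banned[ip] = 1; print ip }
    }'
}

# Stand-alone run: the defaults many jails ship with (3 failures in 10 min).
echo "would ban with maxretry=3 findtime=600:"
sample_log | offenders 3 600          # prints only 192.0.2.10
```

With `maxretry 3` and `findtime 600`, only 192.0.2.10 is reported; 198.51.100.7 never has three failures inside any ten-minute window, which is the property that keeps a legitimate user who mistypes a password once a day from being banned. In fail2ban the ban action then does what the earlier part of this thread covers by hand: it inserts a DROP rule for that source at the top of the chain.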
On Mon, Sep 26, 2011 at 10:10 AM, m.roth@5-cent.us wrote:
> Theo Band wrote:
> > On 09/26/2011 01:02 PM, Jennifer Botten wrote:
> > > I am having an issue with someone accessing our server via a SIP/VOIP connection. I have changed my iptables rules to drop all UDP traffic from and to this IP address, but this traffic seems to still run through my server. These are the iptables rules that I currently have on the server.
> > > -A INPUT -i eth0 -s 209.61.231.42 -p udp -j DROP
> > > -A INPUT -i eth0 -d 209.61.231.42 -p udp -j DROP
> > If your SIP server needs to be accessed from any IP address, consider using fail2ban. Easy to set up, and it will block access to your SIP server after so many false attempts. I started using fail2ban to prevent failed logons from cluttering the (Asterisk) logs.
> Let me chime in: *yes* to fail2ban. We use it here at work, and it works, and is very good. Not too hard to configure for basic usage, either, but very extensible.
> mark
I use CSF and LFD. Like every other firewall, the backend is always iptables, but CSF is so powerful and has a lot of irreplaceable power and functionality. It can be a bit difficult to configure the first time, but when you do, you will never look back ;)
-Micky.