Hello,
I have a problem with access attempts on my Asterisk. I use fail2ban to block IPs, and according to iptables IPs are indeed being blocked, but when I then look in the SIP log, I still see access attempts from these IPs. Then, just for fun, I blocked my own IP and tried to connect via SSH, which did not work. How do the attackers manage to get past my firewall?
What I also don't understand: why does my IP appear after the @ in both the FROM and the TO?
My iptables rules:
Chain f2b-ASTERISK (2 references)
target prot opt source destination
REJECT all -- 185.53.88.164 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 77.247.109.56 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 51.15.156.40 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 5.62.41.69 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.53.88.158 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.53.88.152 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.53.88.14 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 139.99.119.241 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Chain f2b-recidive (2 references)
target prot opt source destination
REJECT all -- 62.210.247.151 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 81.7.14.107 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 77.247.109.80 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 77.247.109.56 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 77.247.109.24 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 62.210.53.229 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 51.15.156.40 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 5.62.41.69 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 195.154.38.45 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.53.88.74 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.53.88.164 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.53.88.161 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.53.88.158 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.53.88.152 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.53.88.14 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 185.53.88.105 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 167.86.82.26 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 163.172.224.41 0.0.0.0/0 reject-with icmp-port-unreachable
REJECT all -- 147.135.39.196 0.0.0.0/0 reject-with icmp-port-unreachable
RETURN all -- 0.0.0.0/0 0.0.0.0/0
Here is the entry from the Asterisk log:
Retransmitting #4 (NAT) to 62.210.247.151:49786:
SIP/2.0 401 Unauthorized
Via: SIP/2.0/UDP 62.210.247.151:49786;branch=z9hG4bK1486429495;received=62.210.247.151;rport=49786
From: <sip:lissette@MEINEIP>;tag=1953932026
To: <sip:48413828015@MEINEIP>;tag=as0c611970
Call-ID: 1191492635-905746166-580971484
CSeq: 1 INVITE
Server: Asterisk PBX 13.1.0~dfsg-1.1ubuntu4.1
Allow: INVITE, ACK, CANCEL, OPTIONS, BYE, REFER, SUBSCRIBE, NOTIFY, INFO, PUBLISH, MESSAGE
Supported: replaces, timer
WWW-Authenticate: Digest algorithm=MD5, realm="asterisk", nonce="31e404fb"
Content-Length: 0