Where am I wrong ... Is Frater somewhere out there ??
Yes... here I am;-)
cedriclille wrote:
My goals are :
- access asterisk outside from my Lan but only from France (I modified S95asiablock with "noAsia="fr")
I created worldblock for exactly this purpose. It will do the reverse of asiablock and it will whitelist countries and block the rest
cedriclille wrote:
- try to block bruteforce Asterisk hacks with limiting connections attempts to 3/mn.
I've created stophammer for this. It will even completely block those hammering clients entirely if they keep on hammering
cedriclille wrote:
This morning I had a brute force attack from UK [213.174.xxx.xxx] ...
This will not happen then.
If you use the 'stophammer' script a few things will happen. Both the INPUT & FORWARD chain will get their tcp connections protected by syn_flood. You can manually add some other protocols/ports in rc_firewall.
A cronjob will check your log every 20 minutes and it will add IPs that persist into the syn_flood chain. These IPs will then get their packets dropped without making an entry in the log if they enter the syn_flood chain.
You can check the firewalls as they all get a symbolic link in /tmp/etc/config/
Try this:
Code:
service stophammer on
service stophammer start
service worldblock on
service worldblock start
service asiablock on
service asiablock start
Your app (asterisk, ssh or other service) still needs to drop the connection so the hacker needs to create a new connection. If your app keeps the connection open and lets it hack away, these connection limit rules will work.
You will probably have more questions, but please implement this ruleset first....
Don't forget to change the country in worldblock to 'fr' _________________ Asus RT16N + OTRW
Kingston 4GB USB-disk 128 MB swap + 1.4GB ext3 on /opt + 2 GB ext3 on /mnt
Copperjet 1616 modem in ZipB-config
Asterisk, pixelserv & Pound running on router
Another Asus RT16N as WDS-bridge
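The two halves of stophammer described in the post above (a per-minute connection limit, and a periodic job that reads the log and permanently drops the IPs that keep hammering) can be illustrated with the log-scanning half. The following is an added example and is not the stophammer script itself: the "syn_flood:" LOG prefix, the kernel-log layout and the sample lines are constructed assumptions about what a limit rule with -j LOG would write to /var/log/messages on DD-WRT.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (not from the original post). The "syn_flood:" LOG
# prefix and the DD-WRT kernel-log layout are assumptions about how a
# limit rule with -j LOG would appear in /var/log/messages.
SAMPLE_LOG = """\
Nov 21 08:01:02 router kernel: syn_flood: IN=vlan2 OUT= SRC=213.174.1.10 DST=10.0.0.1 PROTO=TCP SPT=41234 DPT=5060 SYN
Nov 21 08:01:15 router kernel: syn_flood: IN=vlan2 OUT= SRC=213.174.1.10 DST=10.0.0.1 PROTO=TCP SPT=41235 DPT=5060 SYN
Nov 21 08:01:40 router kernel: syn_flood: IN=vlan2 OUT= SRC=213.174.1.10 DST=10.0.0.1 PROTO=TCP SPT=41236 DPT=5060 SYN
Nov 21 08:01:55 router kernel: syn_flood: IN=vlan2 OUT= SRC=213.174.1.10 DST=10.0.0.1 PROTO=TCP SPT=41237 DPT=5060 SYN
Nov 21 08:05:00 router kernel: syn_flood: IN=vlan2 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=50000 DPT=22 SYN
Nov 21 08:14:00 router kernel: syn_flood: IN=vlan2 OUT= SRC=198.51.100.7 DST=10.0.0.1 PROTO=TCP SPT=50001 DPT=22 SYN
Nov 21 08:15:30 router kernel: syn_flood: IN=vlan2 OUT= SRC=203.0.113.9 DST=10.0.0.1 PROTO=TCP SPT=6000 DPT=5060 SYN
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: syn_flood: "
    r".*?SRC=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) .*?DPT=(?P<dpt>\d+)"
)


def parse_hits(log_text, year=2010):
    """Map each source IP to the timestamps of its logged SYNs.
    syslog lines carry no year, so the caller supplies one."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            hits[m["src"]].append(ts)
    return hits


def hammering_ips(log_text, limit=3, window_s=60):
    """Return the IPs that exceeded `limit` new connections inside any
    `window_s`-second window, i.e. the clients that kept hammering."""
    offenders = []
    for ip, stamps in parse_hits(log_text).items():
        stamps.sort()
        # limit+1 hits inside one window means the rate limit was exceeded
        if any((stamps[i] - stamps[i - limit]).total_seconds() <= window_s
               for i in range(limit, len(stamps))):
            offenders.append(ip)
    return sorted(offenders)


def drop_rules(ips, chain="syn_flood", already_blocked=()):
    """Rules that drop an offender at the top of the chain, ahead of the
    LOG rule, so its repeat packets no longer fill the log.
    `already_blocked` keeps a periodic (cron) run idempotent."""
    return [f"iptables -I {chain} -s {ip} -j DROP"
            for ip in ips if ip not in already_blocked]


if __name__ == "__main__":
    for rule in drop_rules(hammering_ips(SAMPLE_LOG)):
        print(rule)
```

In the constructed sample only 213.174.1.10 makes four attempts inside a minute; 198.51.100.7 tries twice nine minutes apart and stays unblocked. A real run would read the live log and pass the IPs already present in the chain as `already_blocked`.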
I wasn't able to answer the last few days, but I saw that I still have hack attempts and I want to find a good solution.
@Eko :
I can't go further because even after reinstalling Optware the Right way, I don't have any "worldblock" service when I run the command "service".
Moreover, I thought that Asterisk must be restarted after applying iptables rules with this command:
/opt/etc/init.d/S90asterisk restart.
This command was put on top of the iptables commands and saved into "FIREWALL STARTUP".
Is this the right place? What's the difference between "Firewall startup" and [normal] "startup" (are you allowed to store other things than iptables commands in "FIREWALL STARTUP")???
Thanks for your answers, you're doing a good job !!
I can't go further because even after reinstalling Optware the Right way, I don't have any "worldblock" service when I run the command "service".!!
I retested the install procedure by doing a virgin install on my WDS-bridge.
It seems there was a flaw in detecting the version of your DD-WRT.
I have corrected it and now it should be alright
I guess that's why no-one is giving feedback on my stophammer, fixtables and worldblock scripts.....
Posted: Sun Nov 21, 2010 20:51
frater wrote:
cedriclille wrote:
I can't go further because even after reinstalling Optware the Right way, I don't have any "worldblock" service when I run the command "service".!!
I retested the install procedure by doing a virgin install on my WDS-bridge.
It seems there was a flaw in detecting the version of your DD-WRT.
I have corrected it and now it should be alright
I guess that's why no-one is giving feedback on my stophammer, fixtables and worldblock scripts.....
Worldblock is impractical for the U.S users, unless you are using it for one protocol only.
Stophammer works great, but sometimes it just floods the logs with garbage.
Your new fixtables script with the INVALID state at the beginning of the INPUT chain still has me confused.. _________________ Optware, the Right Way
Asus RT-AC68U
Asus RT-N66U
Asus RT-N10
Asus RT-N12
Asus RT-N16 x5
Asus WL520gU
Engenious ECB350
Linksys WRT600Nv1.1
Linksys WRT610Nv1
Linksys E2000
Netgear WNDR3300
SonicWall NSA220W
SonicWall TZ215W
SonicWall TZ205W
SonicWall TZ105W
Your new fixtables script with the INVALID state at the beginning of the INPUT chain still has me confused..
Before traffic enters the INPUT or FORWARD chain it will have a state.
When traffic enters the INPUT chain all RELATED and ESTABLISHED connections are accepted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This leaves us with NEW and INVALID connections.
INVALID connections are connections for which netfilter couldn't establish a state (RELATED, ESTABLISHED or NEW). We drop all of those INVALID connections
-A INPUT -m state --state INVALID -j logdrop
Which leaves us with the connections that are NEW and we don't know yet what we should do with them.
These are the rest of the rules.....
If none of the explicit rules are matched it will go to the last line and get DROPped with a LOG.
-A INPUT -j logdrop
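The ordering frater describes (accept RELATED,ESTABLISHED first, drop INVALID second, then the explicit rules for NEW traffic, then an unconditional logdrop) is easy to get wrong in a hand-edited rc_firewall, for instance by putting an `-i br0 -j ACCEPT` ahead of the state checks. The following added example (not part of the fixtables script or the original post) audits an `iptables-save` dump for that layout; the two dumps are constructed, and the chain name `logdrop` and the check order are taken from the rules quoted above.

```python
import shlex

# Constructed iptables-save excerpt (not taken from the thread or from the
# fixtables script) that follows the ordering described above.
GOOD_SAVE = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:logdrop - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -m state --state INVALID -j logdrop
-A INPUT -i br0 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -j logdrop
-A logdrop -m limit --limit 1/sec -j LOG --log-prefix "DROP "
-A logdrop -j DROP
COMMIT
"""

# Constructed chain with the common mistakes: an ACCEPT ahead of the state
# checks, no INVALID rule, and no logging catch-all at the end.
BAD_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
-A INPUT -i br0 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
"""


def chain_rules(save_text, chain):
    """Return the rules appended to `chain`, in order, as token lists
    without the leading '-A <chain>'."""
    rules = []
    for line in save_text.splitlines():
        if line.startswith(f"-A {chain} "):
            rules.append(shlex.split(line)[2:])
    return rules


def _opt(tokens, flag):
    """Value following `flag`, or None when the rule does not use it."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else None


def _states(tokens):
    """Set of conntrack states a rule matches on (empty if none)."""
    value = _opt(tokens, "--state")
    return frozenset(value.split(",")) if value else frozenset()


def audit_chain(save_text, chain="INPUT", drop_targets=("DROP", "logdrop")):
    """Check that `chain` follows the accept-ESTABLISHED, drop-INVALID,
    explicit-NEW, catch-all-drop order. Returns a list of findings;
    an empty list means the chain matches that layout."""
    rules = chain_rules(save_text, chain)
    if not rules:
        return [f"{chain}: chain has no rules"]
    findings = []
    ok_first = (_states(rules[0]) == {"RELATED", "ESTABLISHED"}
                and _opt(rules[0], "-j") == "ACCEPT")
    if not ok_first:
        findings.append(f"{chain}: first rule should accept RELATED,ESTABLISHED")
    invalid_idx = next((i for i, r in enumerate(rules)
                        if _states(r) == {"INVALID"} and _opt(r, "-j") in drop_targets),
                       None)
    if invalid_idx is None:
        findings.append(f"{chain}: no rule drops INVALID packets")
    else:
        for i, r in enumerate(rules[:invalid_idx]):
            if _opt(r, "-j") == "ACCEPT" and _states(r) != {"RELATED", "ESTABLISHED"}:
                findings.append(f"{chain}: rule {i + 1} accepts traffic before "
                                f"INVALID is dropped: {' '.join(r)}")
    last = rules[-1]
    if not (len(last) == 2 and _opt(last, "-j") in drop_targets):
        findings.append(f"{chain}: last rule should be an unconditional jump to a logging drop")
    return findings


if __name__ == "__main__":
    for name, dump in (("good", GOOD_SAVE), ("bad", BAD_SAVE)):
        print(name, audit_chain(dump) or "ok")
```

On a router the input would come from `iptables-save` (or `iptables -S INPUT`); the check only looks at rule order and state matches, so a chain that relies on the INPUT policy instead of a final logdrop rule is reported as a finding rather than accepted.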
Posted: Mon Nov 22, 2010 0:53
frater wrote:
Masterman wrote:
Your new fixtables script with the INVALID state at the beginning of the INPUT chain still has me confused..
Before traffic enters the INPUT or FORWARD chain it will have a state.
When traffic enters the INPUT chain all RELATED and ESTABLISHED connections are accepted.
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
This leaves us with NEW and INVALID connections.
INVALID connections are connections for which netfilter couldn't establish a state (RELATED, ESTABLISHED or NEW). We drop all of those INVALID connections
-A INPUT -m state --state INVALID -j logdrop
Which leaves us with the connections that are NEW and we don't know yet what we should do with them.
These are the rest of the rules.....
If none of the explicit rules are matched it will go to the last line and get DROPped with a LOG.
-A INPUT -j logdrop
I now understand. Was wondering why my logs were "new" ;)
@frater : Thank you, after reinstalling Optware, I now have S95worldblock.
So I put in S95worldblock :
ISO_spam=""
ISO_ham="fr"
And in S95asiablock :
ISO_spam="af cn in pk my kh li vn kr ph"
ISO_ham="fr"
I don't really understand the difference between worldblock & asiablock. Why should I whitelist "fr" twice ???
@eko : I don't see asterisk reboot command anymore ? Do we need it or not ?
I like to whitelist one (or some) IP from Fring which allows us to use our 3G phone with asterisk (GSM providers block normal SIP protocol).
When I use the netstat (netstat -ena) command while a call is in progress I don't see any external address ...
Is there a way to see this remote IP address (of course I did turn off asiablock, worldblock and so on, and the call was established for my test;) )...
And last question (for now) : where to whitelist this address, once I got the right ip.
I don't really understand the difference between worldblock & asiablock. Why should I whitelist "fr" twice ???
You don't
The worldblock is the opposite of asiablock.
With asiablock you can accept the world, but block specific countries / regions.
With worldblock you block the world and whitelist specific countries.
But there's more to asiablock than this simple explanation. Because blocking all these Asian countries would make a list of at least 3000 rules I needed some optimization.
I'm taking several huge /8 /7 and even /6 networkblocks and I block these. Only the Chinese, Indian... so on IP's that are not in this subnet will get a special rule.
This way I'm able to bring down the amount of rules to a bit more than 300.
To make sure that at least your own country is not in these blocked IP's you should put them in hamISO.
This approach has one big downside and that's our dear old Australian and New Zealand friends. These countries were given IP-blocks within these Asian countries. A shame really, because if you whitelist these countries the amount of rules will go up sky high....
I didn't take time to optimize this.
So you will have 2 chains you can use at will.
If you drive traffic down the 'asia' chain it will only come back if the IP is not coming from Asia.
If you drive traffic down the 'world' chain it will only come back if it's from France (in your case).
In /opt/etc/asia.spam you can add some extra IP's that otherwise would not be blocked.
In /opt/etc/asia.ham you can add some extra IP's that otherwise would be blocked.
The same goes for /opt/etc/world.ham and /opt/etc/world.spam.
So you probably don't need to add France as a whitelisted country in asiablock, but you need to run the script to see this. I know that there are some US IP's within those Asian-subnets.
BTW.... The approach I took is an original idea of mine. I took this as a base of that idea http://www.cyberciti.biz/faq/block-entier-country-using-iptables/, but there's more to it. It's bringing down the amount of rules which makes it usable.
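The optimisation frater describes above (block a few huge supernets wholesale, give only the blacklisted prefixes outside them their own rule, and add explicit exceptions for whitelisted ranges that happen to live inside a blocked supernet, the Australia/New Zealand problem) is shown below as an added example. It is not the asiablock or worldblock script and does not use their data: the prefix lists, the 50% coverage threshold for promoting a /8 to a supernet, and the chain name `asia` are constructed assumptions. The chain semantics follow the post: RETURN for traffic that is allowed to "come back", DROP otherwise.

```python
import ipaddress

# Constructed prefix lists for illustration only. They are NOT real country
# allocations and are not the data asiablock/worldblock ship with.
SPAM = ["1.0.0.0/9", "1.128.0.0/10", "1.192.0.0/11", "1.224.0.0/12",
        "14.0.0.0/13", "14.192.0.0/11", "27.0.0.0/8",
        "203.0.113.0/24", "203.80.0.0/12"]
# A "ham" range that sits inside a block we are about to drop wholesale,
# and one that does not overlap anything blocked.
HAM = ["1.240.0.0/13", "203.2.0.0/16"]


def _nets(prefixes):
    return [ipaddress.ip_network(p) for p in prefixes]


def pick_supernets(spam, prefixlen=8, min_fraction=0.5):
    """Group the blacklisted prefixes by their enclosing /prefixlen block and
    return the blocks where they cover at least `min_fraction` of the
    addresses. Dropping such a block with one rule replaces many fine rules
    (the /8, /7, /6 blocks mentioned in the post)."""
    covered = {}
    for net in ipaddress.collapse_addresses(_nets(spam)):
        # a prefix already as coarse as the block counts as the block itself
        block = net.supernet(new_prefix=prefixlen) if net.prefixlen > prefixlen else net
        covered[block] = covered.get(block, 0) + net.num_addresses
    return sorted(b for b, n in covered.items() if n / b.num_addresses >= min_fraction)


def build_chain(spam, ham, chain="asia", prefixlen=8, min_fraction=0.5):
    """Rules for a chain that RETURNs traffic which is not from the
    blacklisted ranges and DROPs the rest, with the whitelist exceptions
    placed first so they win over the coarse supernet drops."""
    supernets = pick_supernets(spam, prefixlen, min_fraction)
    # blacklisted prefixes not swallowed by a supernet still need their own rule
    leftovers = [n for n in ipaddress.collapse_addresses(_nets(spam))
                 if not any(n.subnet_of(s) for s in supernets)]
    blocked = supernets + leftovers
    # whitelisted ranges only need a rule if something blocked would catch them
    exceptions = [h for h in _nets(ham) if any(h.overlaps(b) for b in blocked)]
    rules = [f"-A {chain} -s {h} -j RETURN" for h in exceptions]
    rules += [f"-A {chain} -s {b} -j DROP" for b in blocked]
    rules.append(f"-A {chain} -j RETURN")
    return rules


def naive_rule_count(spam):
    """Rule count without aggregation: one DROP per prefix plus the final RETURN."""
    return len(list(ipaddress.collapse_addresses(_nets(spam)))) + 1


if __name__ == "__main__":
    print(f"naive: {naive_rule_count(SPAM)} rules")
    for rule in build_chain(SPAM, HAM):
        print(rule)
```

With the constructed lists, 1.0.0.0/8 and 27.0.0.0/8 are promoted to supernets, the four remaining blacklisted prefixes keep individual rules, and 1.240.0.0/13 gets a RETURN exception ahead of the 1.0.0.0/8 DROP; 203.2.0.0/16 needs no rule because nothing blocked covers it. The saving on a toy list is small; on a list of several thousand country prefixes the same idea is what brings the count down to the few hundred the post mentions.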
Posted: Mon Nov 22, 2010 19:56
frater, check your PMs. I think fixtables may have a problem with my current rc_firewall. I can't reach you via Skype for some reason either..
You didn't answer : Do we still have to reload Asterisk after applying the rc_firewall rules?
No
Posted: Sat Dec 04, 2010 11:03 Post subject: Re: mobile phones
tong123 wrote:
[url]energy rubber bracelet[/url]
So this is very popular, because it was introduced to users.
So you installed asiablock and none of your websites work?
I am not sure, but does asiablock/worldblock also work for network devices other than DD-WRT??
My setup is as follows:
internet <-> dd-wrt router <-> dns323 nas
I am currently running an ftp/ssh service on the NAS with port forwarding from DD-WRT.
I want to block the world from using/abusing the ftp/ssh.
Is this possible? Do I need to install worldblock on the NAS device as well (to add the iptables configuration, ..)?
Does worldblock usually only work on the system where it is installed?
If you translate ports like 2222 to 22, you still need to use 22 in that line. 'dport' means 'destination port' and the destination is your LAN-device.