<HTML dir=ltr><HEAD>
<STYLE id=eMClientCss>BLOCKQUOTE.cite {
PADDING-LEFT: 10px; MARGIN-LEFT: 5px; BORDER-LEFT: #cccccc 1px solid; PADDING-RIGHT: 0px; MARGIN-RIGHT: 0px
}
BLOCKQUOTE.cite2 {
PADDING-TOP: 0px; PADDING-LEFT: 10px; MARGIN-LEFT: 5px; BORDER-LEFT: #cccccc 1px solid; MARGIN-TOP: 3px; PADDING-RIGHT: 0px; MARGIN-RIGHT: 0px
}
.plain PRE {
FONT-SIZE: 100%; FONT-FAMILY: monospace; FONT-WEIGHT: normal; FONT-STYLE: normal
}
.plain TT {
FONT-SIZE: 100%; FONT-FAMILY: monospace; FONT-WEIGHT: normal; FONT-STYLE: normal
}
A IMG {
BORDER-TOP: 0px; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px
}
#x359f4860ad4a48f0980a2b325f6d368f {
FONT-SIZE: 12pt; FONT-FAMILY: Tahoma
}
#x359f4860ad4a48f0980a2b325f6d368f #x80d334b291624df089839b0c6596e08e #x3c92e379d0084714848c4b5aee4a0532 {
FONT-SIZE: 12pt; FONT-FAMILY: Tahoma
}
#xd06b02c88e084ac5a4457487480c2858 {
FONT-SIZE: 12pt; FONT-FAMILY: Tahoma
}
.plain PRE {
FONT-SIZE: 12pt; FONT-FAMILY: Tahoma
}
.plain TT {
FONT-SIZE: 12pt; FONT-FAMILY: Tahoma
}
BODY {
FONT-SIZE: 12pt; FONT-FAMILY: Tahoma
}
</STYLE>
<STYLE>#x359f4860ad4a48f0980a2b325f6d368f BLOCKQUOTE.cite
{PADDING-LEFT: 10px; MARGIN-LEFT: 5px; BORDER-LEFT: #cccccc 1px solid; PADDING-RIGHT: 0px; MARGIN-RIGHT: 0px}
#x359f4860ad4a48f0980a2b325f6d368f BLOCKQUOTE.cite2
{PADDING-TOP: 0px; PADDING-LEFT: 10px; MARGIN-LEFT: 5px; BORDER-LEFT: #cccccc 1px solid; MARGIN-TOP: 3px; PADDING-RIGHT: 0px; MARGIN-RIGHT: 0px}
#x359f4860ad4a48f0980a2b325f6d368f .plain PRE, #x359f4860ad4a48f0980a2b325f6d368f .plain TT
{FONT-SIZE: 100%; FONT-FAMILY: monospace; FONT-WEIGHT: normal; FONT-STYLE: normal}
#x359f4860ad4a48f0980a2b325f6d368f A IMG
{BORDER-TOP: 0px; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px}
#x359f4860ad4a48f0980a2b325f6d368f #x3c92e379d0084714848c4b5aee4a0532, #x359f4860ad4a48f0980a2b325f6d368f .plain PRE, #x359f4860ad4a48f0980a2b325f6d368f .plain TT, #x359f4860ad4a48f0980a2b325f6d368f
{FONT-SIZE: 12pt; FONT-FAMILY: Tahoma}
#x359f4860ad4a48f0980a2b325f6d368f #x80d334b291624df089839b0c6596e08e BLOCKQUOTE.cite2
{PADDING-TOP: 0px; PADDING-LEFT: 10px; MARGIN-LEFT: 5px; BORDER-LEFT: #cccccc 1px solid; MARGIN-TOP: 3px; PADDING-RIGHT: 0px; MARGIN-RIGHT: 0px}
#x359f4860ad4a48f0980a2b325f6d368f #x80d334b291624df089839b0c6596e08e .plain PRE, #x359f4860ad4a48f0980a2b325f6d368f #x80d334b291624df089839b0c6596e08e .plain TT
{FONT-SIZE: 100%; FONT-FAMILY: monospace; FONT-WEIGHT: normal; FONT-STYLE: normal}
#x359f4860ad4a48f0980a2b325f6d368f #x80d334b291624df089839b0c6596e08e A IMG
{BORDER-TOP: 0px; BORDER-RIGHT: 0px; BORDER-BOTTOM: 0px; BORDER-LEFT: 0px}
#x359f4860ad4a48f0980a2b325f6d368f #x80d334b291624df089839b0c6596e08e, #x359f4860ad4a48f0980a2b325f6d368f #x80d334b291624df089839b0c6596e08e #x3c92e379d0084714848c4b5aee4a0532, #x359f4860ad4a48f0980a2b325f6d368f #x80d334b291624df089839b0c6596e08e .plain PRE, #x359f4860ad4a48f0980a2b325f6d368f #x80d334b291624df089839b0c6596e08e .plain TT
{FONT-SIZE: 12pt; FONT-FAMILY: Tahoma}
</STYLE>
<STYLE></STYLE>
<STYLE id=owaParaStyle type=text/css></STYLE>
</HEAD>
<BODY scroll=auto ocsi="0" fpstyle="1" class>
<DIV>thanks Julian. </DIV>
<DIV> </DIV>
<DIV>It's the ssh access that was hacked. I suddenly noticed an established ssh connection from Asia. since I disabled root login in ssh right after install, the hacker must somehow have got my login password. in a haste, I reverted the VM to a previous snapshot, so I can't analyze how hacking happened now.</DIV>
<DIV> </DIV>
<DIV>I read that sipwise article regarding security before. fail2ban was <SPAN id=xd06b02c88e084ac5a4457487480c2858>deployed</SPAN> yesterday, it'll provide some protection before I master iptables setup on spce. better than nothing at all.</DIV>
<DIV> </DIV>
<DIV>------ Original Message ------</DIV>
<DIV>From: "Julian Seifert" <<A href="mailto:js@dacor.de">js@dacor.de</A>></DIV>
<DIV>To: "Jonathan Yue" <<A href="mailto:jonathan.yue@turboitsolutions.com">jonathan.yue@turboitsolutions.com</A>>; "Raúl Alexis Betancor Santana" <<A href="mailto:rabs@dimension-virtual.com">rabs@dimension-virtual.com</A>>; "spce-user@lists.sipwise.com" <<A href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</A>></DIV>
<DIV>Sent: 2016-04-19 3:21:36 AM</DIV>
<DIV>Subject: AW: [Spce-user] iptables issue</DIV>
<DIV> </DIV>
<DIV id=x359f4860ad4a48f0980a2b325f6d368f>
<BLOCKQUOTE class=cite2 cite=07F41140D7F60847B76E3730B2ADCA69AFD9C8D7@exchange.suecdacor.local type="cite">
<DIV style="FONT-SIZE: 13px; FONT-FAMILY: Tahoma; COLOR: #000000; DIRECTION: ltr">
<DIV>Hi,</DIV>
<DIV><BR></DIV>
<DIV>you shouldn't need to apply any firewalling for internal communication.</DIV>
<DIV>Apply your firewall rules to your WANside interfaces. (see -i in iptable rules)</DIV>
<DIV>Allow everything out & allow established connections to get replies.</DIV>
<DIV>Fail2ban is a good idea.</DIV>
<DIV><BR></DIV>
<DIV>You can implement fail2ban for sip-registrations (But I think there's already</DIV>
<DIV>something like that builtin. but maybe that's pro version only, if so there is a sipwise</DIV>
<DIV>blog entry regarding the implementation of fail2ban with regards to sip I think)</DIV>
<DIV>(this is the article I was thinking of: </DIV>
<DIV><A href="https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/">https://www.sipwise.org/news/technical/securing-your-ngcp-against-sip-attacks/</A> )</DIV>
<DIV><BR></DIV>
<DIV>If your server was hacked you should analyse how that happened. </DIV>
<DIV>There might be flaws in the services you are about to open in your firewall</DIV>
<DIV>or maybe your passwords are of poor choice etc. </DIV>
<DIV><BR></DIV>
<DIV>There is plenty of documentation regarding firewalling for linux-systems.</DIV>
<DIV>A starting point can be: <A href="https://help.ubuntu.com/community/IptablesHowTo">https://help.ubuntu.com/community/IptablesHowTo</A></DIV>
<DIV>But any other current documentation works as good as this one. </DIV>
<DIV><BR></DIV>
<DIV><BR>
<DIV style="FONT-SIZE: 13px; FONT-FAMILY: Tahoma">kind regards,<BR><BR> Julian <BR>
<DIV style="FONT-SIZE: 13px; FONT-FAMILY: Tahoma"></DIV></DIV></DIV>
<DIV style="FONT-SIZE: 16px; FONT-FAMILY: Times New Roman; COLOR: #000000">
<DIV>
<HR tabIndex=-1>
</DIV>
<DIV id=divRpF649923 style="DIRECTION: ltr"><FONT color=#000000 size=2 face=Tahoma><B>Von:</B> Spce-user [<A href="mailto:spce-user-bounces@lists.sipwise.com">spce-user-bounces@lists.sipwise.com</A>]" im Auftrag von "Jonathan Yue [<A href="mailto:jonathan.yue@turboitsolutions.com">jonathan.yue@turboitsolutions.com</A>]<BR><B>Gesendet:</B> Dienstag, 19. April 2016 06:26<BR><B>An:</B> Raúl Alexis Betancor Santana; <A href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</A><BR><B>Betreff:</B> Re: [Spce-user] iptables issue<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV>
<DIV>be checking iptables log, i figured this out, adding "iptables -A INPUT -s 127.0.0.1 -d 127.0.0.1 -j ACCEPT" fixes the sip issue. </DIV>
<DIV> </DIV>
<DIV>regarding the slow output of "iptables -L", adding "iptables -A INPUT -p udp --sport 53 -j ACCEPT" fixes it. apparently iptables tries to resolve the fqdn of the ip addresses in the table, so DNS should be allowed.</DIV>
<DIV> </DIV>
<DIV>------ Original Message ------</DIV>
<DIV>From: "Raúl Alexis Betancor Santana" <<A href="mailto:rabs@dimension-virtual.com">rabs@dimension-virtual.com</A>></DIV>
<DIV>To: <A href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</A></DIV>
<DIV>Sent: 2016-04-18 2:28:57 PM</DIV>
<DIV>Subject: Re: [Spce-user] iptables issue</DIV>
<DIV> </DIV>
<DIV id=x80d334b291624df089839b0c6596e08e>
<BLOCKQUOTE class=cite2 type="cite">
<DIV style="FONT-SIZE: 12pt; FONT-FAMILY: arial,helvetica,sans-serif; COLOR: #000000">
<DIV>The proper way to setup the firewalling it's to know what you are doing.<BR></DIV>
<DIV><BR></DIV>
<DIV>First, doing a -J DROP it's a non-sense ... better to change the policy of the INPUT chain.<BR></DIV>
<DIV><BR></DIV>
<DIV>iptables -P INPUT DROP<BR></DIV>
<DIV><BR></DIV>
<DIV>Second ... you MUST know what services are working on the system, so you let them go in and out and flow to the interfaces needed<BR></DIV>
<DIV><BR></DIV>
<DIV>DNS<BR></DIV>
<DIV>SIP<BR></DIV>
<DIV>SIPs<BR></DIV>
<DIV>SIP over TCP<BR></DIV>
<DIV>XMPP<BR></DIV>
<DIV>RTPEngine ports<BR></DIV>
<DIV>Web<BR></DIV>
<DIV>WebServices<BR></DIV>
<DIV>MySQL<BR></DIV>
<DIV>...<BR></DIV>
<DIV><BR></DIV>
<DIV>By default, the services are setup to only reply local, so there is no need to been digging with the iptables to protect the system ... no more than a few rules when you want to HARD-DROP scammers.<BR></DIV>
<DIV><BR></DIV>
<DIV><BR></DIV>
<DIV>
<DIV>
<HR id=zwchr>
</DIV></DIV>
<DIV>
<BLOCKQUOTE style="FONT-SIZE: 12pt; TEXT-DECORATION: none; FONT-FAMILY: Helvetica,Arial,sans-serif; FONT-WEIGHT: normal; COLOR: #000; FONT-STYLE: normal; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid"><B>De: </B>"Jonathan Yue" <<A href="mailto:jonathan.yue@turboitsolutions.com">jonathan.yue@turboitsolutions.com</A>><BR><B>Para: </B><A href="mailto:spce-user@lists.sipwise.com">spce-user@lists.sipwise.com</A><BR><B>Enviados: </B>Lunes, 18 de Abril 2016 22:31:59<BR><B>Asunto: </B>[Spce-user] iptables issue<BR></BLOCKQUOTE></DIV>
<DIV>
<BLOCKQUOTE style="FONT-SIZE: 12pt; TEXT-DECORATION: none; FONT-FAMILY: Helvetica,Arial,sans-serif; FONT-WEIGHT: normal; COLOR: #000; FONT-STYLE: normal; PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #1010ff 2px solid">
<DIV>Hi, all,</DIV>
<DIV> </DIV>
<DIV>I customized iptables by allowing some ip addresses in INPUT chain, and put "iptables -A INPUT -j DROP" at the bottom. Aftert that, the execution of "iptables -L" is extremely slow; more importantly phones can't register. packet captures ( i can still ssh to server) show that spce doesn't respond to sip registration. I read handbook, which mentions RTPENGINE, however it's there, untouched. </DIV>
<DIV> sudo iptables -L</DIV>
<DIV>Chain INPUT (policy ACCEPT)<BR>target prot opt source destination<BR>ACCEPT all -- 77.72.169.0/24 anywhere<BR>ACCEPT all -- 46.19.208.0/22 anywhere<BR>............ ( a few line omitted )<BR>rtpengine all -- anywhere anywhere<BR>DROP all -- anywhere anywhere<BR>LOG all -- anywhere anywhere LOG level warning</DIV>
<DIV> </DIV>
<DIV>Chain FORWARD (policy ACCEPT)<BR>target prot opt source destination</DIV>
<DIV> </DIV>
<DIV>Chain OUTPUT (policy ACCEPT)<BR>target prot opt source destination</DIV>
<DIV> </DIV>
<DIV>Chain rtpengine (1 references)<BR>target prot opt source destination<BR>RTPENGINE udp -- anywhere anywhere RTPENGINE id:0<BR></DIV>
<DIV> </DIV>
<DIV>After command <SPAN id=x3c92e379d0084714848c4b5aee4a0532>"iptables -D INPUT -j DROP", issue is gone right away. I wonder what's the proper way to configure iptables on spce?</SPAN></DIV>
<DIV><SPAN></SPAN> </DIV>
<DIV><SPAN>thanks,</SPAN></DIV>
<DIV><SPAN></SPAN> </DIV>
<DIV><SPAN>J.</SPAN></DIV><BR>_______________________________________________<BR>Spce-user mailing list<BR><A href="mailto:Spce-user@lists.sipwise.com">Spce-user@lists.sipwise.com</A><BR><A href="https://lists.sipwise.com/listinfo/spce-user">https://lists.sipwise.com/listinfo/spce-user</A><BR></BLOCKQUOTE></DIV></DIV></BLOCKQUOTE></DIV></DIV></DIV></DIV></BLOCKQUOTE></DIV></BODY></HTML>