Hi,
I'm new here and a newbie when it comes to using firewalld. After setting up my first firewalld system yesterday, I came across the first issue today.
The system acts as an Asterisk host, based on openSUSE 15.0, using firewalld-0.5.4 (for now).
Since the provider doesn't support SIPS, and I have been bitten by SIP misuse before, and given that Asterisk's security mechanics aren't that shiny (with chan_sip at least), I established a couple of measures to reduce the risk of being misused:
* SIP port is relocated to a non-standard port
* complex SIP extensions and passwords
The box sits behind a router that is already dealing with other VoIP accounts. Therefore, the RTP port range is relocated as well. The firewalld setup on this box looks like this:
$ firewall-cmd --get-active-zones
public
  interfaces: eth0

$ firewall-cmd --zone=public --list-all
public (active)
  target: default
  icmp-block-inversion: no
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 15060/udp 20000-20999/udp 4559/tcp
  protocols:
  masquerade: no
  forward-ports:
  source-ports:
  icmp-blocks:
  rich rules:
Now, I noticed a "war dialer" from Moscow yesterday, who systematically scanned for weak sip accounts from extension 10 to 10000.
$ geoiplookup 46.29.160.140
GeoIP Country Edition: RU, Russian Federation
GeoIP City Edition, Rev 1: RU, 48, Moscow City, Moscow, 101752, 55.752201, 37.615601, 0, 0
GeoIP ASNum Edition: AS51659 LLC Baxet
Since I knew my setup was safe, I tried to stop that guy with firewalld, using:
$ firewall-cmd --zone=public --add-rich-rule="rule family='ipv4' source address='46.29.160.140' drop"
but this had no effect. I guess because port 15060/udp was allowed before. Is there any way to order the firewalld rules somehow?
This might be interesting to use within a fail2ban procedure later on.
While at it, what is the best practice to limit access to a port like 15060/udp to a couple of sources?
Thanks in advance, Pete
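As an added example (not from the original post), one way to handle the second question without depending on rule ordering at all: remove the zone-wide 15060/udp opening and accept the port only from named sources via rich rules, so unknown sources fall through to the zone's default target. The rich-rule syntax and firewall-cmd options are real for firewalld 0.5.x; the 203.0.113.x addresses are constructed placeholders and FIREWALL_CMD is a hypothetical dry-run hook.

```shell
#!/bin/sh
# Added example: limit a UDP port in a firewalld zone to a few source addresses.
# Instead of opening 15060/udp zone-wide and then trying to drop individual
# attackers, the port is opened only for the listed sources; everything else
# falls through to the zone's default target and is dropped without extra rules.
# FIREWALL_CMD is a hypothetical hook: set it to "echo" for a dry run.
FIREWALL_CMD="${FIREWALL_CMD:-firewall-cmd}"

# Build one firewalld rich rule accepting PORT/PROTO from a single SOURCE.
# Usage: rich_accept_rule SOURCE PORT PROTO
rich_accept_rule() {
  printf "rule family='ipv4' source address='%s' port port='%s' protocol='%s' accept" \
    "$1" "$2" "$3"
}

# Usage: restrict_port_to_sources ZONE PORT PROTO SOURCE...
# Removes the zone-wide port entry, adds one accept rich rule per source,
# then reloads so the permanent configuration becomes the runtime one.
restrict_port_to_sources() {
  zone=$1; port=$2; proto=$3; shift 3
  # Refuse to run with no sources: that would close the port to everyone.
  [ "$#" -gt 0 ] || { echo "no sources given for $port/$proto" >&2; return 1; }
  "$FIREWALL_CMD" --permanent --zone="$zone" --remove-port="$port/$proto"
  for src in "$@"; do
    "$FIREWALL_CMD" --permanent --zone="$zone" \
      --add-rich-rule="$(rich_accept_rule "$src" "$port" "$proto")"
  done
  "$FIREWALL_CMD" --reload
}

# Constructed sample call: allow SIP on 15060/udp only from two placeholder
# addresses (TEST-NET-3 range; replace with the provider's real SIP hosts).
# restrict_port_to_sources public 15060 udp 203.0.113.10 203.0.113.20
```

Note that firewalld's INPUT chain accepts packets in RELATED,ESTABLISHED conntrack state before jumping into the zone chains, so a UDP flow the kernel is already tracking can keep passing for a while after a drop rule is added; with only source-scoped accept rules in place, a new scanner never gets a tracked flow in the first place.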