I have been investigating a few instances recently where SIP UDP traffic has been somehow evading the ruleset defined in iptables, leading me to suspect that there is a hole in our rules, so I'm looking for advice on how to bolster defences on the local system. We have a firewall ahead of this server which could be improved; however, it seems important that this issue is understood before we look into additional measures, so this question is directly regarding local server defences, specifically iptables.
The SIP packets are starting to include SQL injection attempts, and I am concerned that, without being directly addressed, the application may eventually be compromised. At present the "caller" manages to establish a call which simply plays our "no service" announcement, so they are getting a SIP conversation started with the local server - not ideal!
I've copied details below with a consistent redaction scheme; however, if additional information is required please comment below and I'll put it up.
Appreciate any advice, thanks for taking a look!
ORIGIN IP: 185.107.83.35 SIP SERVER IP: 200.200.114.207
I'll start with an example of the offensive SIP packet:
INVITE sip:00*31203697460@200.200.114.207:5060;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 185.107.83.35:5060;branch=z9hG4bK-524287-1---i9aif7pifkudxkd8
Max-Forwards: 70
Contact: <sip:...hi'or...x...='x';@185.107.83.35:5060;transport=UDP>
To: <sip:00*31203697460@200.200.114.207;transport=UDP>
From: <sip:...hi'or...x...='x';@200.200.114.207;transport=UDP>;tag=gj0njz16
Call-ID: LztInRxh5KJSOAGxCOGB0T..
CSeq: 1 INVITE
Content-Type: application/sdp
User-Agent: Avaya one-X Deskphone
Allow-Events: presence, kpml, talk
Content-Length: 515
v=0
o=Avaya 0 0 IN IP4 185.107.83.35
s=Avaya
c=IN IP4 185.107.83.35
t=0 0
m=audio 8000 RTP/AVP 18 3 110 8 0 97 101
a=rtpmap:0 PCMU/8000
a=rtpmap:8 PCMA/8000
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:97 iLBC/8000
a=rtpmap:3 GSM/8000
a=rtpmap:98 AMR/8000
a=rtpmap:9 G722/8000
a=rtpmap:100 SPEEX/8000
a=rtpmap:99 AMR-WB/16000
a=rtpmap:102 SPEEX/16000
a=rtpmap:121 G7221/16000
a=fmtp:121 bitrate=24000
a=rtpmap:105 opus/48000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv
IP configuration on host:
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:11:22:33:44:7d brd ff:ff:ff:ff:ff:ff
inet 192.168.20.20/24 brd 255.255.255.255 scope global em1
inet6 aaaa::aaaa:aaaa:aaaa:aaaa/64 scope link
valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether 00:11:22:33:44:7f brd ff:ff:ff:ff:ff:ff
inet 200.200.114.207/26 brd 200.200.114.255 scope global em2
inet6 aaaa::aaaa:aaaa:aaaa:aaaa/64 scope link
valid_lft forever preferred_lft forever
4: em3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:11:22:33:44:81 brd ff:ff:ff:ff:ff:ff
5: em4: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether 00:11:22:33:44:83 brd ff:ff:ff:ff:ff:ff
Here is the output from iptables -v -n --list
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
4769K 538M ACCEPT icmp -- * * 0.0.0.0/0 0.0.0.0/0 /* 000 accept all icmp */
645M 276G ACCEPT all -- lo * 0.0.0.0/0 0.0.0.0/0 /* 001 accept all to lo interface */
11G 2946G ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 /* 002 accept related established rules */ state RELATED,ESTABLISHED
4036K 238M ACCEPT tcp -- em1 * 0.0.0.0/0 0.0.0.0/0 multiport ports 22 /* 101 accept SSH from internal interface */
36907 2036K ACCEPT all -- em1 * 192.168.4.0/24 0.0.0.0/0 /* 102 accept all traffic from site 1 LAN */
160K 6397K ACCEPT all -- em1 * 192.168.5.0/24 0.0.0.0/0 /* 103 accept all traffic from site 1 LAN */
8651K 527M ACCEPT all -- em1 * 192.168.20.0/24 0.0.0.0/0 /* 105 accept all traffic from site 2 LAN */
0 0 ACCEPT tcp -- em2 * 190.190.89.10 0.0.0.0/0 multiport ports 22 /* 106 accept SSH from WAN */
0 0 ACCEPT tcp -- em1 * 0.0.0.0/0 0.0.0.0/0 multiport ports 2812 /* 107 accept monit from LAN */
41878 19M ACCEPT udp -- em2 * 190.190.89.0/26 0.0.0.0/0 multiport ports 5060 /* 150 accept SIP from WAN */
144K 55M ACCEPT udp -- em2 * 200.200.114.192/26 0.0.0.0/0 multiport ports 5060 /* 152 accept SIP from WAN */
0 0 ACCEPT udp -- em2 * 180.180.63.32/27 0.0.0.0/0 multiport ports 5060 /* 201 accept SIP from carrier */
0 0 ACCEPT udp -- em2 * 180.180.63.32/27 0.0.0.0/0 multiport ports 8000:60000 /* 202 accept RTP from carrier */
0 0 ACCEPT udp -- em2 * 170.170.67.2 0.0.0.0/0 multiport ports 5060 /* 210 accept SIP from carrier */
0 0 ACCEPT udp -- em2 * 170.170.67.2 0.0.0.0/0 multiport ports 8000:60000 /* 211 accept RTP from carrier */
55M 8576M ACCEPT udp -- em2 * 0.0.0.0/0 0.0.0.0/0 multiport ports 16384:32768 /* 300 accept all RTP */
489K 219M REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* 999 reject all other requests */ reject-with icmp-host-prohibited
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 REJECT all -- * * 0.0.0.0/0 0.0.0.0/0 /* 998 reject all FORWARD */ reject-with icmp-host-prohibited
Chain OUTPUT (policy ACCEPT 12G packets, 3230G bytes)
pkts bytes target prot opt in out source destination
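The following is an added analysis aid, not part of the question and not output from the asker's system. It is a small first-match simulator for the INPUT chain listed above, with the rules transcribed from that listing and the packets constructed for the test. The detail it exercises is one that is easy to miss in `iptables -L` output: `multiport ports` (the `-m multiport --ports` form) matches if either the source or the destination UDP port falls in the set, while `--dports` (shown as `multiport dports`) checks the destination port only. Rule 300 (`accept all RTP`, source 0.0.0.0/0, `ports 16384:32768`) therefore also accepts any UDP datagram to port 5060 whose source port happens to lie in 16384..32768, which is exactly what a SIP packet from an unlisted origin like 185.107.83.35 needs to reach the SIP stack. The simulator also shows the second accept path already in the chain: rule 002 accepts anything conntrack has marked ESTABLISHED, and for UDP that happens as soon as traffic has been seen in both directions, so a peer the server has itself sent a UDP packet to (OUTPUT policy is ACCEPT) gets its replies in through rule 002 rather than the SIP rules. The `Rule`, `Packet`, `first_match` and `hardened` names are this example's own.

```python
"""Added example, not from the original post: first-match simulation of the
INPUT chain shown in the question.  Rule data is transcribed from the posted
`iptables -v -n --list`; packets are constructed inputs."""

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    comment: str
    target: str
    proto: str = "all"            # all | udp | tcp | icmp
    in_iface: str = "*"
    src: str = "0.0.0.0/0"
    ports: tuple = ()             # ((lo, hi), ...) port ranges
    port_mode: str = "ports"      # "ports" = src OR dst (--ports); "dports" = dst only
    state: Optional[set] = None   # conntrack states, e.g. {"RELATED", "ESTABLISHED"}


@dataclass
class Packet:
    in_iface: str
    proto: str
    src_ip: str
    sport: int = 0
    dport: int = 0
    state: str = "NEW"            # what conntrack would report for this packet


def _port_in(ranges, port):
    return any(lo <= port <= hi for lo, hi in ranges)


def matches(rule, pkt):
    """True if the packet satisfies every match of the rule (iptables AND semantics)."""
    if rule.in_iface != "*" and rule.in_iface != pkt.in_iface:
        return False
    if rule.proto != "all" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src_ip) not in ipaddress.ip_network(rule.src):
        return False
    if rule.state is not None and pkt.state not in rule.state:
        return False
    if rule.ports:
        if rule.port_mode == "dports":
            return _port_in(rule.ports, pkt.dport)
        # --ports: either direction counts; this is the hole for rule 300
        return _port_in(rule.ports, pkt.sport) or _port_in(rule.ports, pkt.dport)
    return True


def first_match(rules, pkt):
    """iptables is first-match: return (target, comment) of the winning rule."""
    for r in rules:
        if matches(r, pkt):
            return r.target, r.comment
    return "ACCEPT", "chain policy"   # the posted INPUT chain has policy ACCEPT


# Transcribed from the question's INPUT chain.  Rules that can never match a
# UDP packet arriving on em2 (SSH, LAN, monit) are omitted for brevity.
POSTED_INPUT = [
    Rule("000 accept all icmp", "ACCEPT", proto="icmp"),
    Rule("001 accept all to lo", "ACCEPT", in_iface="lo"),
    Rule("002 related/established", "ACCEPT", state={"RELATED", "ESTABLISHED"}),
    Rule("150 accept SIP from WAN", "ACCEPT", "udp", "em2", "190.190.89.0/26", ((5060, 5060),)),
    Rule("152 accept SIP from WAN", "ACCEPT", "udp", "em2", "200.200.114.192/26", ((5060, 5060),)),
    Rule("201 accept SIP from carrier", "ACCEPT", "udp", "em2", "180.180.63.32/27", ((5060, 5060),)),
    Rule("202 accept RTP from carrier", "ACCEPT", "udp", "em2", "180.180.63.32/27", ((8000, 60000),)),
    Rule("210 accept SIP from carrier", "ACCEPT", "udp", "em2", "170.170.67.2/32", ((5060, 5060),)),
    Rule("211 accept RTP from carrier", "ACCEPT", "udp", "em2", "170.170.67.2/32", ((8000, 60000),)),
    Rule("300 accept all RTP", "ACCEPT", "udp", "em2", "0.0.0.0/0", ((16384, 32768),), "ports"),
    Rule("999 reject all other", "REJECT"),
]


def hardened(rules):
    """Same chain with every multiport match rewritten as destination-port only
    (the equivalent of replacing `--ports` with `--dports`)."""
    return [Rule(r.comment, r.target, r.proto, r.in_iface, r.src, r.ports, "dports", r.state)
            for r in rules]


if __name__ == "__main__":
    # Constructed packets modelled on the posted INVITE (origin 185.107.83.35 -> :5060).
    probes = {
        "unlisted src, sport 5060":    Packet("em2", "udp", "185.107.83.35", 5060, 5060),
        "unlisted src, sport 20000":   Packet("em2", "udp", "185.107.83.35", 20000, 5060),
        "unlisted src, conntrack EST": Packet("em2", "udp", "185.107.83.35", 5060, 5060, "ESTABLISHED"),
        "unknown peer RTP to :20000":  Packet("em2", "udp", "203.0.113.9", 40000, 20000),
    }
    for name, pkt in probes.items():
        print(f"{name:28s} posted={first_match(POSTED_INPUT, pkt)}  "
              f"hardened={first_match(hardened(POSTED_INPUT), pkt)}")
```

Running it shows the unlisted origin is rejected by rule 999 when its source port is 5060, accepted by rule 300 when its source port is anywhere in 16384..32768, and accepted by rule 002 once conntrack considers the flow established, while the hardened chain still accepts inbound RTP to the 16384..32768 range from any peer. The corresponding change on the host is to make rule 300 (the 16th entry in the listed chain) a destination-port match, for example `iptables -R INPUT 16 -i em2 -p udp -m multiport --dports 16384:32768 -m comment --comment "300 accept all RTP" -j ACCEPT`; the `ports 5060` rules would benefit from the same treatment. If these rules are managed by puppetlabs/firewall, which the numbered comment style suggests, the equivalent is switching the resource's `port` parameter to `dport` so the change survives the next agent run.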