martian source


Postby richardroi » Mon Jul 23, 2012 9:00 pm

Support,

Need some info about these logs and how to correct this.

Jul 22 22:12:08 ipbx kernel: [480626.488025] martian source xxx.xxx.xxx.xxx from 192.xxx.xxx.xxx, on dev eth0
Jul 22 22:12:08 ipbx kernel: [480626.488029] ll header: 00:30:48:d7:56:0e:00:e0:4d:a5:ff:1c:08:00
Jul 22 22:12:46 ipbx kernel: [480664.904060] martian source xxx.xxx.xxx.xxx from 192.xxx.xxx.xxx, on dev eth0
Jul 22 22:12:46 ipbx kernel: [480664.904065] ll header: 00:30:48:d7:56:0e:00:e0:4d:a5:ff:1c:08:00
Jul 22 23:37:25 ipbx kernel: [485744.000015] NOHZ: local_softirq_pending 100
Jul 23 13:46:28 ipbx kernel: [536686.742715] martian source 192.xxx.xxx.xxx from xxx.xxx.xxx.xxx, on dev eth1

I have the built-in firewall activated in my box.

Thank you.
ViciBox v.5.0.2-130807 | BUILD: 130809-1410 | SVN Version: 2019 | Asterisk: 1.8.23-vici
64bit Single Server/ ISO Preload Install
Inbound/Blended
richardroi
 
Posts: 373
Joined: Mon Mar 21, 2011 7:20 pm

Re: martian source

Postby williamconley » Tue Jul 24, 2012 11:38 am

1) What log is this in?

2) Are you on a 192.x private network?

3) Is your vicidial server using two network cards to communicate (1 local 1 wide) and are the two networks somehow cross connected? (There should be no physical connection possible between local and internet networks, or bad things happen).
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20019
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Re: martian source

Postby richardroi » Wed Jul 25, 2012 7:03 pm

It is in /var/log/warn.
Yes Sir, I have 2 network cards, 1 is for local (no gateway) for agents to log on to the box, and 1 public.
Don't know what you mean by "somehow cross connected".

Thank you for your time.

Re: martian source

Postby richardroi » Wed Aug 08, 2012 7:39 pm

Anyone? These logs started when I enabled the built-in firewall. How can I stop this logging or erase it? Can I just disable the "warn"? I followed Sir William's guide using "yast firewall".
Kindly advise... Thank you

Re: martian source

Postby williamconley » Thu Aug 09, 2012 2:16 pm

are you saying you are experiencing some sort of "error" situation or just that these log entries offend you?

have you identified the machines that belong to the ip addresses in the log entries?

Re: martian source

Postby richardroi » Thu Aug 09, 2012 7:23 pm

no error, just logs "/var/log/warn" just particular IPs. Some of the IPs are not even turned on (computer is off).

Aug 9 20:49:23 ipbx kernel: [817616.370614] martian source xxx.xxx.xxx.xxx from 192.168.150.22, on dev eth0
Aug 9 20:49:23 ipbx kernel: [817616.370617] ll header: 00:30:48:d7:56:0e:00:0a:f4:2b:66:81:08:00
Aug 9 20:49:29 ipbx kernel: [817622.160912] martian source xxx.xxx.xxx.xxx from 192.168.150.54, on dev eth0
Aug 9 20:49:29 ipbx kernel: [817622.160917] ll header: 00:30:48:d7:56:0e:00:0a:f4:2b:66:81:08:00
Aug 9 20:49:29 ipbx kernel: [817622.348871] martian source xxx.xxx.xxx.xxx from 192.168.150.22, on dev eth0

eth0 is my public IP. Maybe there is something wrong with my configuration.
I need to correct this because yast firewall is a great feature, no hacker log since I enabled it.

Re: martian source

Postby williamconley » Thu Aug 09, 2012 8:37 pm

if eth0 is your local net ... is 192.168.150.22 an ip address of one of your local computers?

Re: martian source

Postby richardroi » Fri Aug 10, 2012 7:16 am

Sir eth1 is my local net, eth0 is my public, and yes 192.168.150.22 is one ip address of my local computers.

Re: martian source

Postby richardroi » Fri Aug 10, 2012 5:49 pm

maybe i can just disable this warning? kindly guide me how?
Thank you.

Re: martian source

Postby williamconley » Sat Aug 11, 2012 1:14 pm

your local computer with 192.168.150.22 is sending data to your eth1 ip address. fix that and the error will go away.

Re: martian source

Postby Leckbush » Thu Apr 18, 2019 3:21 pm

Hi, I'm having the same thing. It's appearing in my console? But for me it's like this:

martian source (Server Local IP) from (Unknown Foreign IP), on dev eth0
ll header: 00:30:48:d7:56:0e:00:e0:4d:a5:ff:1c:08:00
martian source (Server Local IP) from (Unknown Foreign IP), on dev eth0
ll header: 00:30:48:d7:56:0e:00:e0:4d:a5:ff:1c:08:00
martian source (Server Local IP) from (Unknown Foreign IP), on dev eth0
ll header: 00:30:48:d7:56:0e:00:e0:4d:a5:ff:1c:08:00


Setup: 2 NICs - One is for LAN and Second is for WAN

1st eth0 NIC set as local IP with no gateway
2nd eth1 NIC set as static public IP with ISP Gateway

Firewall(Whitelist Lockdown NO DGG)
eth1 set to External Rules: No Allowed Services, and 3 authorized IP's
eth0 set to Internal Rules: Allowed Services

Temporarily shut down the server. That thing seems to be anonymous and concerning.

What should I do? What is that?

VICIBOX 8.1.2
Server 1: ViciBox v.8.1.2 181002 | Single Machine | VERSION: 2.14-580c BUILD: 190406-1615| Asterisk 13.21.1-vici
i7-4790K - 16GB DDR3 - 1TB HDD
Leckbush
 
Posts: 126
Joined: Sat May 12, 2018 6:35 pm
Location: Philippines

Re: martian source

Postby Leckbush » Thu Apr 18, 2019 3:30 pm

Think I found the problem. The internal network has a router which is forwarding the previous server configuration thru the server. I think I made a hole in the firewall of my server? I disabled the port forward on the router in the internal network.

Should I Check the protect firewall from internal zone too, right?

Re: martian source

Postby williamconley » Thu Apr 18, 2019 3:44 pm

Leckbush wrote:Think I found the problem. The internal network has a router which is forwarding the previous server configuration thru the server. I think I made a hole in the firewall of my server? I disabled the port forward on the router in the internal network.

Should I Check the protect firewall from internal zone too, right?

No. But that internal network shouldn't have any NONinternal traffic on it.

And turn off IPv6 on all networks.

Re: martian source

Postby Leckbush » Thu Apr 18, 2019 3:47 pm

What do you mean by NON Internal Traffic?

If I turn off IPV6 on yast2 I see a post mail transport agent failed on boot? is that okay?

Re: martian source

Postby williamconley » Thu Apr 18, 2019 4:10 pm

Leckbush wrote:What do you mean by NON Internal Traffic?

If you have routed an external/public network directly to your local network by accident, that would explain a martian source hacker. Alternately, your router should intercept and block any such traffic. There are hackers that find a way past the router, and that's why we like to lock down (whitelist) servers, so such traffic attempts will fail. But local networks shouldn't have hackers on them!

Leckbush wrote:If I turn off IPV6 on yast2 I see a post mail transport agent failed on boot? is that okay?


Don't know, never had that error pop up for us. Does it stop anything from working? Does "VM to eMail" still work?

But if you don't yet have IPv6 from your ISP you have no reason to enable IPv6 at all, and there's NO need to use it on the local subnet at all.

Re: martian source

Postby Leckbush » Thu Apr 18, 2019 4:22 pm

I think the router didn't block because I forgot to turn off the Port Forward from the LAN IP of the vicibox there. But I turn it off right now. You think everything is good now?

Re: martian source

Postby williamconley » Thu Apr 18, 2019 4:31 pm

how would i know. lol. you're the one looking at the martian source errors. if they stay gone, you may have solved that problem. but i certainly am not capable of saying anything about the rest of your network based only on the fact that you used to have martian sources but no longer do. 8-)

yes, i'm a smart ass. that being said: we recommend two things:

1) All Vicidial servers should have their own public IP and NOT depend on an external firewall or router. They should have direct access to the internet and be whitelisted so the ONLY internet they have access to is the internet you've specified, nobody else.

2) Agents or other local office personnel should not be using the same IP and preferably not even the same internet service provider as the Vicidial systems to avoid a conflict (someone bingeing on Netflix at the same time someone else decides to quickly show a funny youtube video to their manager should not be able to choke the internet available to your Vicidial servers for telephone calls). Get a cheap internet service provider for that and keep those guys OFF your PBX network.

_______

Even if you don't go that far (#2), and you share bandwidth instead, removing the Vicidial server from the router which the agents use means you CAN unplug that router when there's a disturbance in your network, and Vicidial will continue to transmit calls. Agents will still be connected to the local network, and that means their agent web sessions in Vicidial and their phone calls (which all go through Vicidial) will remain uninterrupted. But that netflix/youtube/hacker crap will just suddenly lose internet because you unplugged the router. No downside. 8-)

IMHO.

Re: martian source

Postby Leckbush » Fri Apr 19, 2019 8:44 am

Okay thank you William. However where do I find the firewall log on these new vicibox? I try /var/log/(firewall) and /var/log/(messages), couldn't find any directory or file

Re: martian source

Postby williamconley » Fri Apr 19, 2019 10:32 am

journalctl |grep kernel

Re: martian source

Postby rameez.amjad4 » Mon Apr 29, 2019 6:26 pm

Hey Leckbush, I am getting the same error on my vicibox 8.1.2 installation, and when I turn off the firewall then this error is gone, and when the firewall is turned on the same martian source error on eth1, almost the same error.

My eth0 is connected to local network with a static ip 192.168.0.200 and eth1 is connected to router for internet connection using for dialing.

Please update if you have any solution to this problem?

Thanks.
rameez.amjad4
 
Posts: 91
Joined: Wed Oct 03, 2018 1:23 pm

Re: martian source

Postby Leckbush » Mon May 06, 2019 8:40 am

eth0 is connected to LAN? (Does this LAN have a router? This is where the agents are, right?)
Is your eth1 connected to the gateway of your ISP with a public address? I'm confused because you said it was connected to the router, unless this router is the gateway of your ISP.

My problem was caused by my previous setup on vicibox. The old setup had only 1 NIC port, so this was LAN (internal)/WAN (external), which was port forwarded in a router with the LAN clients. When I migrated to the newer vicibox and a dual port setup, which separates the LAN from the WAN connected to my server, this happened. I figured out that I had left open the port forward on the router of my LAN (which is where the WAN of the previous setup was going through); this port forward was directing its traffic to the local static of my IP.

So why did this happen? By default the openSUSE firewall setting is not set securely on a dual NIC port setup (LAN and WAN). You see, if you have two ports, one is connected to the LAN side, and the other is WAN (which has a static public IP from your ISP). In the openSUSE firewall there are external and internal rules. By default the external rules block all the inbound connections on your server except the whitelisted and allowed services in the external firewall rules. On the internal side of the firewall, by default this was turned off. So meaning to say, the firewall doesn't care about the internal side. I see on mine all services (SSH, WEB, SMTP, etc.) are allowed with no restrictions. For me that's where the hole/martian source is coming from: the port forward left open on the LAN, which redirects to the server's static LAN, where the firewall setting for LAN is off.

What's the solution?

But before you do this, where's the martian source hitting? Your LAN? Or your WAN?

Re: martian source

Postby Leckbush » Tue May 14, 2019 11:27 am

I'm receiving this martian packet again.
Is this normal? Seems to be its a broadcast from other block of ip.

Server IP/subnet is 192.168.1.112/24

Both block of network is secured on router. and sharing the same switch for routing.

May 14 12:24:42 vicibox81 kernel: IPv4: martian source 255.255.255.255 from 192.168.2.45, on dev eth0
May 14 12:24:42 vicibox81 kernel: ll header: 00000000: ff ff ff ff ff ff 04 d1 3a 6c 46 44 08 00 ........:lFD..

Re: martian source

Postby williamconley » Tue May 14, 2019 11:49 am

if you put two networks on the same switch, they can have interference and/or hackers who try to jump from one to the other. if one of them is public (or there is public on that switch in any way) it should never be mixed with a private network. get another switch.

Re: martian source

Postby Leckbush » Tue May 14, 2019 3:35 pm

Well they're both private network(LAN)

1st: 192.168.2.0/24 - Router (Pfsense)
2nd: 192.168.1.0/24 - Router (Branded) Where the server is.

Firewall on 1st network is secured and no inbound connection is allowed. Also sites are restricted.

Firewall on 2nd network router is secured (No port forward there)

I'm checking where this 192.168.2.45 machine is now.......

Re: martian source

Postby Leckbush » Tue May 14, 2019 3:37 pm

Find the bastard. It was my phone, which connected to the router wifi of 2nd network omg HAHAHAHA

However how does my phone have 192.168.2.0 iprange when it is connected to the 192.168.1.0 iprange, Interference?

Re: martian source

Postby williamconley » Tue May 14, 2019 3:40 pm

Leckbush wrote:Find the bastard. It was my phone, which connected to the router wifi of 2nd network omg HAHAHAHA

However how does my phone have 192.168.2.0 iprange when it is connected to the 192.168.1.0 iprange, Interference?

excellent postback! 8-)
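
Added example, not written by any poster in this thread: a Python parser for the two "martian source" log formats quoted above. It decodes each "ll header" line as a 14-byte Ethernet header (destination MAC, source MAC, EtherType) and groups source IPs by the MAC that put the frame on the wire, which is the detail that identifies the sending or forwarding device. The function names are this example's own; the sample lines are copied from the posts, with the destination masked as posted.

```python
import re
from collections import defaultdict

# Log lines copied from the posts above (destination address masked as posted).
SAMPLE_LOG = """\
Aug 9 20:49:23 ipbx kernel: [817616.370614] martian source xxx.xxx.xxx.xxx from 192.168.150.22, on dev eth0
Aug 9 20:49:23 ipbx kernel: [817616.370617] ll header: 00:30:48:d7:56:0e:00:0a:f4:2b:66:81:08:00
Aug 9 20:49:29 ipbx kernel: [817622.160912] martian source xxx.xxx.xxx.xxx from 192.168.150.54, on dev eth0
Aug 9 20:49:29 ipbx kernel: [817622.160917] ll header: 00:30:48:d7:56:0e:00:0a:f4:2b:66:81:08:00
May 14 12:24:42 vicibox81 kernel: IPv4: martian source 255.255.255.255 from 192.168.2.45, on dev eth0
May 14 12:24:42 vicibox81 kernel: ll header: 00000000: ff ff ff ff ff ff 04 d1 3a 6c 46 44 08 00 ........:lFD..
"""

MARTIAN = re.compile(r"martian source (\S+) from (\S+), on dev (\S+)")
# Older kernels print colon-separated bytes; newer ones print a hex dump
# with an 8-digit offset prefix and space-separated bytes.
LL_HEADER = re.compile(
    r"ll header: (?:[0-9a-f]{8}: )?((?:[0-9a-f]{2}[: ]){13}[0-9a-f]{2})", re.I)

def parse_ll_header(hexbytes):
    """Split a 14-byte Ethernet header into (dst MAC, src MAC, EtherType)."""
    b = re.split(r"[: ]", hexbytes.lower())
    return ":".join(b[0:6]), ":".join(b[6:12]), "0x" + b[12] + b[13]

def parse_martians(text):
    """Pair each 'martian source' line with the 'll header' line after it."""
    events, pending = [], None
    for line in text.splitlines():
        m = MARTIAN.search(line)
        if m:
            # The kernel prints the packet's destination first, then its source.
            pending = {"dst_ip": m.group(1), "src_ip": m.group(2), "dev": m.group(3)}
            events.append(pending)
            continue
        h = LL_HEADER.search(line)
        if h and pending is not None:
            dst, src, etype = parse_ll_header(h.group(1))
            pending.update(dst_mac=dst, src_mac=src, ethertype=etype)
            pending = None
    return events

def senders_by_mac(events):
    """Map (interface, source MAC) -> sorted source IPs seen from that MAC."""
    seen = defaultdict(set)
    for e in events:
        if "src_mac" in e:
            seen[(e["dev"], e["src_mac"])].add(e["src_ip"])
    return {key: sorted(ips) for key, ips in seen.items()}

if __name__ == "__main__":
    for (dev, mac), ips in senders_by_mac(parse_martians(SAMPLE_LOG)).items():
        # Several source IPs behind one MAC usually means the frames were
        # relayed by a router or similar device rather than sent by one host.
        kind = "forwarding device or multi-address host" if len(ips) > 1 else "single sender"
        print(f"{dev} {mac} -> {', '.join(ips)} ({kind})")
```

On a live system the same functions can be fed the text of `journalctl | grep kernel`; the source MAC can then be matched against the switch or DHCP lease table to find the physical device.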

