Firewall error causes system to be unreachable at 00:01 intermittently on VPS

VitalPBX Community Support General Discussion Firewall error causes system to be unreachable at 00:01 intermittently on VPS

Up
0
Down
  • Post
    • February 13, 2020 at 6:18 pm
    Up
    0
    Down
    DannyLarsen
    Participant
    none

    Version 2.4.0-5 and Version 2.4.0-3 

    I am occasionally seeing VPS servers become unreachable just after midnight. After a restart thru the VPS provider console the problem goes away. In the logs I see this just before it becomes unreachable. 

    Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: ICMP type ‘beyond-scope’ is not supported by the kernel for ipv6.
    Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: beyond-scope: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
    Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: ICMP type ‘failed-policy’ is not supported by the kernel for ipv6.
    Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: failed-policy: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
    Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: ICMP type ‘reject-route’ is not supported by the kernel for ipv6.
    Feb 13 00:01:00 ubsv1 firewalld[475]: WARNING: reject-route: INVALID_ICMPTYPE: No supported ICMP type., ignoring for run-time.
    Feb 13 00:01:01 ubsv1 systemd: Started Session 8122 of user root.
    Feb 13 00:01:01 ubsv1 systemd: Starting Session 8122 of user root.
    Feb 13 00:01:01 ubsv1 systemd: Started Session 8123 of user root.
    Feb 13 00:01:01 ubsv1 systemd: Starting Session 8123 of user root.
    Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: ‘/usr/sbin/ip6tables-restore –wait=2 -n’ failed:
    Feb 13 00:01:01 ubsv1 firewalld[475]: ERROR: ‘/usr/sbin/iptables-restore –wait=2 -n’ failed:
    Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: COMMAND_FAILED
    Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: ‘/usr/sbin/ip6tables-restore –wait=2 -n’ failed:
    Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: ‘/usr/sbin/iptables-restore –wait=2 -n’ failed:
    Feb 13 00:01:01 ubsv1 firewalld[475]: WARNING: ‘/usr/sbin/ebtables-restore –noflush’ failed:
    Feb 13 00:01:01 ubsv1 firewalld[475]: ERROR: COMMAND_FAILED
    Feb 13 00:01:05 ubsv1 asterisk: [2020-02-13 00:01:05] #033[1;31mWARNING#033[0m[3232]: #033[1;37mchan_sip.c#033[0m:#033[1;37m3832#033[0m #033[1;37m__sip_xmit#033[0m: sip_xmit of 0x7f21741039a0 (len 523) to XXXXXXX:5060 returned -1: Operation not permitted
    Feb 13 00:01:05 ubsv1 asterisk: [2020-02-13 00:01:05] #033[1;31mWARNING#033[0m[3232]: #033[1;37mchan_sip.c#033[0m:#033[1;37m3832#033[0m #033[1;37m__sip_xmit#033[0m: sip_xmit of 0x7f2174060500 (len 523) to XXXXXXX.30:5060 returned -1: Operation not permitted
    Feb 13 00:01:06 ubsv1 asterisk: [2020-02-13 00:01:06] #033[1;31mWARNING#033[0m[3232]: #033[1;37mchan_sip.c#033[0m:#033[1;37m3832#033[0m #033[1;37m__sip_xmit#033[0m: sip_xmit of 0x7f21741039a0 (len 523) to XXXXXXX:5060 returned -1: Operation not permitted
    Feb 13 00:01:06 ubsv1 asterisk: [2020-02-13 00:01:06] #033[1;31mWARNING#033[0m[3232]: #033[1;37mchan_sip.c#033[0m:#033[1;37m3832#033[0m #033[1;37m__sip_xmit#033[0m: sip_xmit of 0x7f2174060500 (len 523) to XXXXXXX:5060 returned -1: Operation not permitted

    0
Viewing 9 replies - 1 through 9 (of 9 total)
  • Replies
    • February 15, 2020 at 1:31 am
    Up
    0
    Down
    Jose Miguel Rivera
    Keymaster
    NI

    Did you try to perform a full update? and then, restart?

    0
    • February 15, 2020 at 8:30 am
    Up
    0
    Down
    giovanni.v
    Participant
    Posted by: @ing-joserivera26

    Did you try to perform a full update?

    I also seen the local firewall caused some troubles on system updates.

    Yum update from console run and retrieve all packages going to be updated but then when downloading packages stops on large files, like kernel and so on because throughput drops down to zero afre a few seconds. System logs reports something seen as SIP packet flooding.

    Disabling firewall from config ui doesn’t solve the problem because doesn’r really disable the firewall. Stopping the firewalld daemon from console let the update transaction to terminate successfully.

    Tested on 3 different fresh installs, 2 real and 1 virtual hardware, latest iso.

    0
    • February 18, 2020 at 5:23 pm
    Up
    0
    Down
    DannyLarsen
    Participant
    none

    Not sure what you are referring to as a Full Update, this server is on the latest version

    This appears to be caused when this script runs /usr/share/ombutel/scripts/build_firewall_blacklists

    Since the server becomes unreachable from anywhere but the vps console, If you do a restart it from the console it seems to solve the issue, at least for a reasonably long time.

    0
    • February 18, 2020 at 5:31 pm
    Up
    0
    Down
    Jose Miguel Rivera
    Keymaster
    NI

    @dannylarsen

    We’re improving this, we will release a patch to fix this behavior. This script you mentioned is to update the database of common VoIP attackers, in this way, your PBX is protected from those bad guys.

    0
    • February 18, 2020 at 9:49 pm
    Up
    0
    Down
    DannyLarsen
    Participant
    none

    Thank you very much !

    0
    • April 6, 2020 at 2:50 pm
    Up
    0
    Down
    DannyLarsen
    Participant
    none

    Can you tell me if this has been solved in the new release 2.4.1-3

    0
    • April 7, 2020 at 3:54 pm
    Up
    0
    Down
    DannyLarsen
    Participant
    none

    Anyone?

    0
    • April 7, 2020 at 4:17 pm
    Up
    0
    Down
    Jose Miguel Rivera
    Keymaster
    NI

    The script for updating firewall has been improve on latest versions of VitalPBX. You should try!

    0
    • April 7, 2020 at 4:40 pm
    Up
    0
    Down
    DannyLarsen
    Participant
    none

    Thank you!

    0
Viewing 9 replies - 1 through 9 (of 9 total)
  • You must be logged in to reply to this topic.