Securing FreePBX from attacks

wirestyle22

@eddiejennings said in Securing FreePBX from attacks:

@wirestyle22 Not explicitly. I assumed that was setup when you say "yes" to the Responsive Firewall setup within the FreePBX installer.

Ask @JaredBusch. It may just protect you from people attempting to directly login to the server itself. Unsure.

EddieJennings

@wirestyle22 said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

@wirestyle22 Not explicitly. I assumed that was setup when you say "yes" to the Responsive Firewall setup within the FreePBX installer.

Ask Jared. It may just protect you from people attempting to directly login to the server itself. Unsure.

Yeah. The goal of this thread is to see what others do in general to protect their FreePBX systems. And there are logs available for Fail2Ban, so I assume it is running.

JaredBusch

Your fail2ban is running. This is the responsive firewall doing its job.

It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

wirestyle22

@jaredbusch said in Securing FreePBX from attacks:

Your fail2ban is running. This is the responsive firewall doing its job.

It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

How many and over what amount of time?

EddieJennings

@jaredbusch said in Securing FreePBX from attacks:

Your fail2ban is running. This is the responsive firewall doing its job.

It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

By default pjsip was disabled (above pic was after I enabled). Was anything really gained by enabling it? I imagine the answer is "yes."

In day-to-day administration, do you usually ignore this and let Fail2Ban do its thing, or do you start adding these hosts to the Blacklist with the Firewall > Services setting?

AdamF

@eddiejennings said in Securing FreePBX from attacks:

@jaredbusch said in Securing FreePBX from attacks:

Your fail2ban is running. This is the responsive firewall doing its job.

It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

By default pjsip was disabled (above pic was after I enabled). Was anything really gained by enabling it? I imagine the answer is "yes."

In day-to-day administration, do you usually ignore this and let Fail2Ban do its thing, or do you start adding these hosts to the Blacklist with the Firewall > Services setting?

You will die tired adding IPs to blacklists. Just let the responsive firewall and Fail2Ban do its thing.

EddieJennings

@fuznutz04 said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

@jaredbusch said in Securing FreePBX from attacks:

Your fail2ban is running. This is the responsive firewall doing its job.

It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

By default pjsip was disabled (above pic was after I enabled). Was anything really gained by enabling it? I imagine the answer is "yes."

In day-to-day administration, do you usually ignore this and let Fail2Ban do its thing, or do you start adding these hosts to the Blacklist with the Firewall > Services setting?

You will die tired adding IPs to blacklists. Just let the responsive firewall and Fail2Ban do its thing.

Heh. That's what I figured. I ask, for I'm curious as to what the expected administrative behavior is.

AdamF

@eddiejennings said in Securing FreePBX from attacks:

@fuznutz04 said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

@jaredbusch said in Securing FreePBX from attacks:

Your fail2ban is running. This is the responsive firewall doing its job.

It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

By default pjsip was disabled (above pic was after I enabled). Was anything really gained by enabling it? I imagine the answer is "yes."

In day-to-day administration, do you usually ignore this and let Fail2Ban do its thing, or do you start adding these hosts to the Blacklist with the Firewall > Services setting?

You will die tired adding IPs to blacklists. Just let the responsive firewall and Fail2Ban do its thing.

Heh. That's what I figured. I ask, for I'm curious as to what the expected administrative behavior is.

For me, I do nothing in regards to the responsive firewall. It adds and removes as it needs to. If I have an IP get banned by the responsive firewall, I remove it. (This will sometimes happen, even when legitimate extensions attempt to connect) In that case, if it is a known IP, you could add them to the trusted networks.

In regards to Fail2Ban, I put my local IP in, so I am never accidentally banned, and then set the max tries REALLY low, and set the ban time to REALLY high. It does a decent job overall. If you have remote users using softphones, this is the only way I know of to really secure the PBX.

anthonyh

The only external presence our FreePBX deployment has is to our SIP trunk provider. So we do the obvious and set up the firewall policy so that only our trunk provider is allowed inbound to the PBX and only over the necessary ports.

I have been considering opening up SIP/RTP to the public as there have been instances where setting up remote phones would be beneficial, but not knowing how to mitigate potential attacks has stopped me. However, we did purchase some Yealink! phones that seem to support OpenVPN...I've been considering building an OpenVPN server for us to use in the event we need to set up a remote phone.

EddieJennings

@anthonyh The all of our users will be remote to the FreePBX system as it'll be hosted on Vultr; however, just allowing traffic from my office isn't an option, as the majority of the users will be outside of the office.

anthonyh

@eddiejennings I should have added that my post wouldn't be very helpful.

It sounds like what you need is a way to perform something like Fail2Ban on SIP authentication.

anthonyh

Perhaps you've already seen this?

https://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

JaredBusch

@anthonyh said in Securing FreePBX from attacks:

@eddiejennings I should have added that my post wouldn't be very helpful.

It sounds like what you need is a way to perform something like Fail2Ban on SIP authentication.

FreePBX already does this.

JaredBusch

From my email this morning

anthonyh

@jaredbusch Hmm. If that's the case, what's the issue here? lol

wirestyle22

@anthonyh said in Securing FreePBX from attacks:

@jaredbusch Hmm. If that's the case, what's the issue here? lol

That is his point. There is no issue.

EddieJennings

Yeah. The "issue" is me seeing the malicious traffic, and starting a discussion about what's considered best practice for securing a FreePBX server.

Dashrender

@eddiejennings said in Securing FreePBX from attacks:

Yeah. The "issue" is me seeing the malicious traffic, and starting a discussion about what's considered best practice for securing a FreePBX server.

lol not an issue, it's you learning.

anthonyh

@eddiejennings Got it. Makes perfect sense. I will go back to lurking status for now.

EddieJennings

A bit of a necropost; however, it still applies to the theme of this thread. So after 2,787 of these (mind you different callid values) in 30 seconds, I decided to poke around a bit.

[2017-09-20 14:33:10] NOTICE[7926] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"228" <sip:[email protected]>' failed for '62.210.162.82:5165' (callid: 2207667031) - Failed to authenticate

Is it odd that, running fail2ban-client status yields Number of Jail: 0 and an empty jail list?