    Securing FreePBX from attacks

    IT Discussion
    freepbx 14 freepbx security network security
    • EddieJenningsE
      EddieJennings @anthonyh
      last edited by EddieJennings

      @anthonyh All of our users will be remote to the FreePBX system as it'll be hosted on Vultr; however, just allowing traffic from my office isn't an option, as the majority of the users will be outside of the office.

      • anthonyhA
        anthonyh @EddieJennings
        last edited by

        @eddiejennings I should have added that my post wouldn't be very helpful. 😄

        It sounds like what you need is a way to perform something like Fail2Ban on SIP authentication.

        • anthonyhA
          anthonyh
          last edited by

          Perhaps you've already seen this?

          https://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

          • JaredBuschJ
            JaredBusch @anthonyh
            last edited by

            @anthonyh said in Securing FreePBX from attacks:

            @eddiejennings I should have added that my post wouldn't be very helpful. 😄

            It sounds like what you need is a way to perform something like Fail2Ban on SIP authentication.

            FreePBX already does this.

            • JaredBuschJ
              JaredBusch
              last edited by JaredBusch

              From my email this morning

              0_1504190155943_IMG_6943.PNG

              • anthonyhA
                anthonyh @JaredBusch
                last edited by

                @jaredbusch Hmm. If that's the case, what's the issue here? lol

                • wirestyle22W
                  wirestyle22 @anthonyh
                  last edited by

                  @anthonyh said in Securing FreePBX from attacks:

                  @jaredbusch Hmm. If that's the case, what's the issue here? lol

                  That is his point. There is no issue.

                  • EddieJenningsE
                    EddieJennings
                    last edited by

                    Yeah. The "issue" is me seeing the malicious traffic, and starting a discussion about what's considered best practice for securing a FreePBX server.

                    • DashrenderD
                      Dashrender @EddieJennings
                      last edited by

                      @eddiejennings said in Securing FreePBX from attacks:

                      Yeah. The "issue" is me seeing the malicious traffic, and starting a discussion about what's considered best practice for securing a FreePBX server.

                      lol not an issue, it's you learning.

                      • anthonyhA
                        anthonyh @EddieJennings
                        last edited by

                        @eddiejennings Got it. Makes perfect sense. I will go back to lurking status for now. 😄

                        • EddieJenningsE
                          EddieJennings
                          last edited by

                          A bit of a necropost; however, it still applies to the theme of this thread. So after 2,787 of these (mind you different callid values) in 30 seconds, I decided to poke around a bit.

                          [2017-09-20 14:33:10] NOTICE[7926] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"228" <sip:[email protected]>' failed for '62.210.162.82:5165' (callid: 2207667031) - Failed to authenticate

                          Is it odd that running fail2ban-client status yields Number of Jail: 0 and an empty jail list?

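As an added example (not part of the original posts, and not FreePBX or Fail2Ban code): the per-source counting that a Fail2Ban-style filter applies to the res_pjsip log line quoted above. The sample log lines are constructed, and the `maxretry` and `findtime` values are assumptions, not FreePBX defaults; only IPv4 sources are handled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Anchored at both ends; the source address is read from the final
# "failed for" clause, not from the sender-supplied From value.
FAILED_AUTH = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] "
    r"res_pjsip/pjsip_distributor\.c: Request '(?P<method>[A-Z]+)' from "
    r"'(?P<sender>.*)' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)' "
    r"\(callid: (?P<callid>[^\s')]+)\) - Failed to authenticate\s*$"
)

def find_offenders(lines, maxretry=5, findtime=timedelta(seconds=30)):
    """Return {ip: peak failure count inside one findtime window} for every
    source that reaches maxretry. Lines must be in chronological order."""
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    peaks = {}
    for line in lines:
        m = FAILED_AUTH.match(line)
        if not m:
            continue              # not an authentication failure
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:
            window.popleft()      # drop failures older than findtime
        if len(window) >= maxretry:
            peaks[m["ip"]] = max(peaks.get(m["ip"], 0), len(window))
    return peaks

def _line(ts, ip, callid):
    # Builds a constructed line in the format quoted in the post above.
    return (f"[{ts}] NOTICE[7926] res_pjsip/pjsip_distributor.c: "
            f"Request 'REGISTER' from '\"228\" <sip:228@pbx.example.invalid>' "
            f"failed for '{ip}:5165' (callid: {callid}) - Failed to authenticate")

# Constructed sample: one phone with a stale password (two failures, two
# minutes apart) and one source sending six failures in six seconds, each
# with a different callid.
SAMPLE_LOG = (
    [_line("2017-09-20 14:32:00", "198.51.100.7", "1001")]
    + [_line(f"2017-09-20 14:33:{10 + i:02d}", "203.0.113.10", 2207667031 + i)
       for i in range(6)]
    + [_line("2017-09-20 14:34:00", "198.51.100.7", "1002"),
       "[2017-09-20 14:34:05] VERBOSE[7926] constructed non-matching line"]
)

if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed authentications within 30 s")
```

Because the count is keyed on source address and time, changing the callid on every request does not reset it, while the slow retries from the misconfigured phone stay under the threshold.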
                          • EddieJenningsE
                            EddieJennings
                            last edited by

                            Problem solved with the 2k attempts not being thwarted: Configure stuff correctly (enable responsive firewall for SIP and understand that setting a service to "Internet" shouldn't be done).

                            However, the fail2ban-client status still shows the same output. I'm still curious to learn if that is "normal."

                            • DashrenderD
                              Dashrender
                              last edited by

                              The responsive firewall doesn't use Fail2Ban as far as I can tell.

                              I'm currently looking up a blocked IP as well.

                              In my case I think my phones are registering unregistering too much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

                              • scottalanmillerS
                                scottalanmiller @Dashrender
                                last edited by

                                @dashrender said in Securing FreePBX from attacks:

                                The responsive firewall doesn't use Fail2Ban as far as I can tell.

                                I'm currently looking up a blocked IP as well.

                                In my case I think my phones are registering unregistering too much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

                                It does.

                                • DashrenderD
                                  Dashrender @scottalanmiller
                                  last edited by

                                  @scottalanmiller said in Securing FreePBX from attacks:

                                  @dashrender said in Securing FreePBX from attacks:

                                  The responsive firewall doesn't use Fail2Ban as far as I can tell.

                                  I'm currently looking up a blocked IP as well.

                                  In my case I think my phones are registering unregistering too much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

                                  It does.

                                  I have IPs listed as blocked in the RF, but my fail2ban log is 100% empty.
                                  Please explain.

                                  • scottalanmillerS
                                    scottalanmiller @Dashrender
                                    last edited by

                                    @dashrender said in Securing FreePBX from attacks:

                                    @scottalanmiller said in Securing FreePBX from attacks:

                                    @dashrender said in Securing FreePBX from attacks:

                                    The responsive firewall doesn't use Fail2Ban as far as I can tell.

                                    I'm currently looking up a blocked IP as well.

                                    In my case I think my phones are registering unregistering too much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

                                    It does.

                                    I have IPs listed as blocked in the RF, but my fail2ban log is 100% empty.
                                    Please explain.

                                    What's to explain? Why do you feel that RF blocking something and Fail2Ban not logging is meaningful?

                                    • EddieJenningsE
                                      EddieJennings @scottalanmiller
                                      last edited by

                                      @scottalanmiller said in Securing FreePBX from attacks:

                                      @dashrender said in Securing FreePBX from attacks:

                                      @scottalanmiller said in Securing FreePBX from attacks:

                                      @dashrender said in Securing FreePBX from attacks:

                                      The responsive firewall doesn't use Fail2Ban as far as I can tell.

                                      I'm currently looking up a blocked IP as well.

                                      In my case I think my phones are registering unregistering too much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

                                      It does.

                                      I have IPs listed as blocked in the RF, but my fail2ban log is 100% empty.
                                      Please explain.

                                      What's to explain? Why do you feel that RF blocking something and Fail2Ban not logging is meaningful?

                                      Forgive me if I sound thick, but I'd interpret having no logs as one of three things: 1. The service's logging mechanism not turned on. 2. No activity is being seen that would generate a log. 3. The service itself isn't functioning; thus, not producing logs.

                                      If a blocked IP list in the RF = fail2ban activity, then that answers the mystery.

                                      As far as my query, I see activity in the fail2ban file when viewing Reports > Asterisk Log files in the GUI. What I'm wondering is why there are no jails listed if I run fail2ban-client status? The answer to this is probably, "Hey Eddie! Go read up on fail2ban and don't be a n00b;" however, that's my current puzzle. 🙂

                                      • scottalanmillerS
                                        scottalanmiller @EddieJennings
                                        last edited by

                                        @eddiejennings said in Securing FreePBX from attacks:

                                        @scottalanmiller said in Securing FreePBX from attacks:

                                        @dashrender said in Securing FreePBX from attacks:

                                        @scottalanmiller said in Securing FreePBX from attacks:

                                        @dashrender said in Securing FreePBX from attacks:

                                        The responsive firewall doesn't use Fail2Ban as far as I can tell.

                                        I'm currently looking up a blocked IP as well.

                                        In my case I think my phones are registering unregistering too much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

                                        It does.

                                        I have IPs listed as blocked in the RF, but my fail2ban log is 100% empty.
                                        Please explain.

                                        What's to explain? Why do you feel that RF blocking something and Fail2Ban not logging is meaningful?

                                        Forgive me if I sound thick, but I'd interpret having no logs as one of three things: 1. The service's logging mechanism not turned on. 2. No activity is being seen that would generate a log. 3. The service itself isn't functioning; thus, not producing logs.

                                        Seems a bit extreme. Given that Fail2Ban is integrated into another service and not being run on its own and that "you" did not configure it yourself so have no specific expectation of behaviour, those are some pretty wild assumptions to make for what would be totally normal behaviour by design.

                                        • EddieJenningsE
                                          EddieJennings @scottalanmiller
                                          last edited by

                                          @scottalanmiller said in Securing FreePBX from attacks:

                                          @eddiejennings said in Securing FreePBX from attacks:

                                          @scottalanmiller said in Securing FreePBX from attacks:

                                          @dashrender said in Securing FreePBX from attacks:

                                          @scottalanmiller said in Securing FreePBX from attacks:

                                          @dashrender said in Securing FreePBX from attacks:

                                          The responsive firewall doesn't use Fail2Ban as far as I can tell.

                                          I'm currently looking up a blocked IP as well.

                                          In my case I think my phones are registering unregistering too much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

                                          It does.

                                          I have IPs listed as blocked in the RF, but my fail2ban log is 100% empty.
                                          Please explain.

                                          What's to explain? Why do you feel that RF blocking something and Fail2Ban not logging is meaningful?

                                          Forgive me if I sound thick, but I'd interpret having no logs as one of three things: 1. The service's logging mechanism not turned on. 2. No activity is being seen that would generate a log. 3. The service itself isn't functioning; thus, not producing logs.

                                          Seems a bit extreme. Given that Fail2Ban is integrated into another service and not being run on its own and that "you" did not configure it yourself so have no specific expectation of behaviour, those are some pretty wild assumptions to make for what would be totally normal behaviour by design.

                                          Since, as I've learned in this thread, Fail2Ban is integrated into the Responsive Firewall it does make sense that it might not produce specific logs. However, I fail to see how my general assumption about logs is wild. It is not reasonable to ask "why?" when you look for logs and see none, given that you might not already know that no logs is normal behavior, rather than say "oh well, this thing must not produce logs."

                                          • scottalanmillerS
                                            scottalanmiller @EddieJennings
                                            last edited by

                                            @eddiejennings said in Securing FreePBX from attacks:

                                            @scottalanmiller said in Securing FreePBX from attacks:

                                            @eddiejennings said in Securing FreePBX from attacks:

                                            @scottalanmiller said in Securing FreePBX from attacks:

                                            @dashrender said in Securing FreePBX from attacks:

                                            @scottalanmiller said in Securing FreePBX from attacks:

                                            @dashrender said in Securing FreePBX from attacks:

                                            The responsive firewall doesn't use Fail2Ban as far as I can tell.

                                            I'm currently looking up a blocked IP as well.

                                            In my case I think my phones are registering unregistering too much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

                                            It does.

                                            I have IPs listed as blocked in the RF, but my fail2ban log is 100% empty.
                                            Please explain.

                                            What's to explain? Why do you feel that RF blocking something and Fail2Ban not logging is meaningful?

                                            Forgive me if I sound thick, but I'd interpret having no logs as one of three things: 1. The service's logging mechanism not turned on. 2. No activity is being seen that would generate a log. 3. The service itself isn't functioning; thus, not producing logs.

                                            Seems a bit extreme. Given that Fail2Ban is integrated into another service and not being run on its own and that "you" did not configure it yourself so have no specific expectation of behaviour, those are some pretty wild assumptions to make for what would be totally normal behaviour by design.

                                            Since, as I've learned in this thread, Fail2Ban is integrated into the Responsive Firewall it does make sense that it might not produce specific logs. However, I fail to see how my general assumption about logs is wild. It is not reasonable to ask "why?" when you look for logs and see none, given that you might not already know that no logs is normal behavior, rather than say "oh well, this thing must not produce logs."

                                            Asking why is NOT what you did. You made three extreme assumptions INSTEAD of asking why. Had you asked why, the answer might be simple - it's not supposed to log or you are looking in the wrong place. Instead, you didn't ask why but decided it must be broken and came up with three ways you felt it might be broken in. Very different things.
