Securing FreePBX from attacks

EddieJennings

@fuznutz04 said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

@jaredbusch said in Securing FreePBX from attacks:

Your fail2ban is running. This is the responsive firewall doing its job.

It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

By default pjsip was disabled (above pic was after I enabled). Was anything really gained by enabling it? I imagine the answer is "yes."

In day-to-day administration, do you usually ignore this and let Fail2Ban do its thing, or do you start adding these hosts to the Blacklist with the Firewall > Services setting?

You will die tired adding IPs to blacklists. Just let the responsive firewall and Fail2Ban do its thing.

Heh. That's what I figured. I ask, for I'm curious as to what the expected administrative behavior is.

AdamF

@eddiejennings said in Securing FreePBX from attacks:

@fuznutz04 said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

@jaredbusch said in Securing FreePBX from attacks:

Your fail2ban is running. This is the responsive firewall doing its job.

It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

By default pjsip was disabled (above pic was after I enabled). Was anything really gained by enabling it? I imagine the answer is "yes."

In day-to-day administration, do you usually ignore this and let Fail2Ban do its thing, or do you start adding these hosts to the Blacklist with the Firewall > Services setting?

You will die tired adding IPs to blacklists. Just let the responsive firewall and Fail2Ban do its thing.

Heh. That's what I figured. I ask, for I'm curious as to what the expected administrative behavior is.

For me, I do nothing in regards to the responsive firewall. It adds and removes as it needs to. If I have an IP get banned by the responsive firewall, I remove it. (This will sometimes happen, even when legitimate extensions attempt to connect) In that case, if it is a known IP, you could add them to the trusted networks.

In regards to Fail2Ban, I put my local IP in, so I am never accidentally banned, and then set the max tries REALLY low, and set the ban time to REALLY high. It does a decent job overall. If you have remote users using softphones, this is the only way I know of to really secure the PBX.

anthonyh

The only external presence our FreePBX deployment has is to our SIP trunk provider. So we do the obvious and set up the firewall policy so that only our trunk provider is allowed inbound to the PBX and only over the necessary ports.

I have been considering opening up SIP/RTP to the public as there have been instances where setting up remote phones would be beneficial, but not knowing how to mitigate potential attacks has stopped me. However, we did purchase some Yealink! phones that seem to support OpenVPN...I've been considering building an OpenVPN server for us to use in the event we need to set up a remote phone.

EddieJennings

@anthonyh The all of our users will be remote to the FreePBX system as it'll be hosted on Vultr; however, just allowing traffic from my office isn't an option, as the majority of the users will be outside of the office.

anthonyh

@eddiejennings I should have added that my post wouldn't be very helpful.

It sounds like what you need is a way to perform something like Fail2Ban on SIP authentication.

anthonyh

Perhaps you've already seen this?

https://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

JaredBusch

@anthonyh said in Securing FreePBX from attacks:

@eddiejennings I should have added that my post wouldn't be very helpful.

It sounds like what you need is a way to perform something like Fail2Ban on SIP authentication.

FreePBX already does this.

JaredBusch

From my email this morning

anthonyh

@jaredbusch Hmm. If that's the case, what's the issue here? lol

wirestyle22

@anthonyh said in Securing FreePBX from attacks:

@jaredbusch Hmm. If that's the case, what's the issue here? lol

That is his point. There is no issue.

EddieJennings

Yeah. The "issue" is me seeing the malicious traffic, and starting a discussion about what's considered best practice for securing a FreePBX server.

Dashrender

@eddiejennings said in Securing FreePBX from attacks:

Yeah. The "issue" is me seeing the malicious traffic, and starting a discussion about what's considered best practice for securing a FreePBX server.

lol not an issue, it's you learning.

anthonyh

@eddiejennings Got it. Makes perfect sense. I will go back to lurking status for now.

EddieJennings

A bit of a necropost; however, it still applies to the theme of this thread. So after 2,787 of these (mind you different callid values) in 30 seconds, I decided to poke around a bit.

[2017-09-20 14:33:10] NOTICE[7926] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"228" <sip:[email protected]>' failed for '62.210.162.82:5165' (callid: 2207667031) - Failed to authenticate

Is it odd that, running fail2ban-client status yields Number of Jail: 0 and an empty jail list?

EddieJennings

Problem solved with the 2k attempts not being thrawted: Configure stuff correctly (enable responsive firewall for SIP and understand that setting a service to "Internet" shouldn't be done).

However, the fail2ban-client status still shows the same output. I'm still curious to learn if that is "normal."

Dashrender

The responsive firewall doesn't use Fail2Ban as far as I can tell.

I'm currently looking up a blocked IP as well.

In my case I think my phones are registering unregistering to much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

scottalanmiller

@dashrender said in Securing FreePBX from attacks:

The responsive firewall doesn't use Fail2Ban as far as I can tell.

I'm currently looking up a blocked IP as well.

In my case I think my phones are registering unregistering to much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

It does.

Dashrender

@scottalanmiller said in Securing FreePBX from attacks:

@dashrender said in Securing FreePBX from attacks:

The responsive firewall doesn't use Fail2Ban as far as I can tell.

I'm currently looking up a blocked IP as well.

In my case I think my phones are registering unregistering to much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

It does.

I have IPs listed as blocked in the RF, but my fail2ban log is 100% empty.
Please explain.

scottalanmiller

@dashrender said in Securing FreePBX from attacks:

@scottalanmiller said in Securing FreePBX from attacks:

@dashrender said in Securing FreePBX from attacks:

The responsive firewall doesn't use Fail2Ban as far as I can tell.

I'm currently looking up a blocked IP as well.

In my case I think my phones are registering unregistering to much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

It does.

I have IPs listed as blocked in the RF, but my fail2ban log is 100% empty.
Please explain.

What's to explain? Why do you feel that RF blocking something and Fail2Ban not logging is meaningful?

EddieJennings

@scottalanmiller said in Securing FreePBX from attacks:

@dashrender said in Securing FreePBX from attacks:

@scottalanmiller said in Securing FreePBX from attacks:

@dashrender said in Securing FreePBX from attacks:

The responsive firewall doesn't use Fail2Ban as far as I can tell.

I'm currently looking up a blocked IP as well.

In my case I think my phones are registering unregistering to much.. and it's causing the IP to be banned by the RF.... now to find out why the phones are doing that.

It does.

I have IPs listed as blocked in the RF, but my fail2ban log is 100% empty.
Please explain.

What's to explain? Why do you feel that RF blocking something and Fail2Ban not logging is meaningful?

Forgive me if I sound thick, but I'd interpret having no logs as one of three things: 1. The service's logging mechanism not turned on. 2. No activity is being seen that would generate a log. 3. The service itself isn't functioning; thus, not producing logs.

If a blocked IP list in the RF = fail2ban activity, then that answers the mystery.

As far as my query, I see activity in the fail2ban file when viewing Reports > Asterisk Log files in the GUI. What I'm wondering is why there are no jails listed if I run fail2ban-client status? The answer to this is probably, "Hey Eddie! Go read up on fail2ban and don't be a n00b;" however, that's my current puzzle.