    Securing FreePBX from attacks

    IT Discussion
    freepbx 14 freepbx security network security
      EddieJennings

      I was going to add this to my thread about FreePBX CPU load, as this might be related, but then I'm reminded of the times I'm admonished by Jared for not making new threads. 😛

      I decided to look at my full Asterisk Log File (from the GUI) and expand it to 100,000 lines. All of the results are variants of this:

      [2017-08-30 17:41:15] NOTICE[18406] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"530" <sip:[email protected]>' failed for '62.210.167.181:5068' (callid: 790905902) - No matching endpoint found

      [2017-08-30 17:41:15] NOTICE[18406] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"530" <sip:[email protected]>' failed for '62.210.167.181:5068' (callid: 790905902) - Failed to authenticate

      Clearly this isn't legit traffic, as none of my test endpoints are on a network that would have addresses allocated by RIPE. Despite following the wizard when I installed, I notice that pjsip isn't enabled within the Responsive Firewall. I've since enabled it.
      0_1504115931956_a02a6052-843c-4c73-a467-e5b380dff83e-image.png

      I'm curious to know what you folks do to protect your FreePBX systems from traffic such as this.

        wirestyle22 @EddieJennings

        @eddiejennings Did you set up fail2ban?

          EddieJennings @wirestyle22

          @wirestyle22 Not explicitly. I assumed that was set up when you say "yes" to the Responsive Firewall setup within the FreePBX installer.

            wirestyle22 @EddieJennings

            @eddiejennings said in Securing FreePBX from attacks:

            @wirestyle22 Not explicitly. I assumed that was set up when you say "yes" to the Responsive Firewall setup within the FreePBX installer.

            Ask @JaredBusch. It may just protect you from people attempting to directly login to the server itself. Unsure.

              EddieJennings @wirestyle22

              @wirestyle22 said in Securing FreePBX from attacks:

              @eddiejennings said in Securing FreePBX from attacks:

              @wirestyle22 Not explicitly. I assumed that was set up when you say "yes" to the Responsive Firewall setup within the FreePBX installer.

              Ask Jared. It may just protect you from people attempting to directly login to the server itself. Unsure.

              Yeah. The goal of this thread is to see what others do in general to protect their FreePBX systems. And there are logs available for Fail2Ban, so I assume it is running.

                JaredBusch

                Your fail2ban is running. This is the responsive firewall doing its job.

                It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

                  wirestyle22 @JaredBusch

                  @jaredbusch said in Securing FreePBX from attacks:

                  Your fail2ban is running. This is the responsive firewall doing its job.

                  It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

                  How many and over what amount of time?

                    EddieJennings @JaredBusch

                    @jaredbusch said in Securing FreePBX from attacks:

                    Your fail2ban is running. This is the responsive firewall doing its job.

                    It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

                    By default pjsip was disabled (above pic was after I enabled). Was anything really gained by enabling it? I imagine the answer is "yes."

                    In day-to-day administration, do you usually ignore this and let Fail2Ban do its thing, or do you start adding these hosts to the Blacklist with the Firewall > Services setting?

                      AdamF @EddieJennings

                      @eddiejennings said in Securing FreePBX from attacks:

                      @jaredbusch said in Securing FreePBX from attacks:

                      Your fail2ban is running. This is the responsive firewall doing its job.

                      It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

                      By default pjsip was disabled (above pic was after I enabled). Was anything really gained by enabling it? I imagine the answer is "yes."

                      In day-to-day administration, do you usually ignore this and let Fail2Ban do its thing, or do you start adding these hosts to the Blacklist with the Firewall > Services setting?

                      You will die tired adding IPs to blacklists. Just let the responsive firewall and Fail2Ban do its thing.

                        EddieJennings @AdamF

                        @fuznutz04 said in Securing FreePBX from attacks:

                        @eddiejennings said in Securing FreePBX from attacks:

                        @jaredbusch said in Securing FreePBX from attacks:

                        Your fail2ban is running. This is the responsive firewall doing its job.

                        It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

                        By default pjsip was disabled (above pic was after I enabled). Was anything really gained by enabling it? I imagine the answer is "yes."

                        In day-to-day administration, do you usually ignore this and let Fail2Ban do its thing, or do you start adding these hosts to the Blacklist with the Firewall > Services setting?

                        You will die tired adding IPs to blacklists. Just let the responsive firewall and Fail2Ban do its thing.

                        Heh. That's what I figured. I ask, for I'm curious as to what the expected administrative behavior is.

                          AdamF @EddieJennings

                          @eddiejennings said in Securing FreePBX from attacks:

                          @fuznutz04 said in Securing FreePBX from attacks:

                          @eddiejennings said in Securing FreePBX from attacks:

                          @jaredbusch said in Securing FreePBX from attacks:

                          Your fail2ban is running. This is the responsive firewall doing its job.

                          It takes multiple attempts in order to block. Most bot designers know this and don't attack many times.

                          By default pjsip was disabled (above pic was after I enabled). Was anything really gained by enabling it? I imagine the answer is "yes."

                          In day-to-day administration, do you usually ignore this and let Fail2Ban do its thing, or do you start adding these hosts to the Blacklist with the Firewall > Services setting?

                          You will die tired adding IPs to blacklists. Just let the responsive firewall and Fail2Ban do its thing.

                          Heh. That's what I figured. I ask, for I'm curious as to what the expected administrative behavior is.

                          For me, I do nothing in regards to the responsive firewall. It adds and removes as it needs to. If I have an IP get banned by the responsive firewall, I remove it. (This will sometimes happen, even when legitimate extensions attempt to connect.) In that case, if it is a known IP, you could add them to the trusted networks.

                          In regards to Fail2Ban, I put my local IP in, so I am never accidentally banned, and then set the max tries REALLY low, and set the ban time to REALLY high. It does a decent job overall. If you have remote users using softphones, this is the only way I know of to really secure the PBX.

                          1 Reply Last reply Reply Quote 0
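Added example, not written by any poster in this thread: a small Python replay of Fail2Ban-style threshold logic over log lines in the `res_pjsip` format quoted in the first post, showing how the max-tries setting, the counting window and an ignore list decide who gets banned. `maxretry`, `findtime` and `ignoreip` are Fail2Ban's own option names; the function name, the sample log lines and the documentation-range IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the res_pjsip NOTICE format quoted in the first post (IPv4 sources only).
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] "
    r"res_pjsip/pjsip_distributor\.c: Request '\w+' from '.*?' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' \(callid: [^)]*\) - "
    r"(?P<reason>No matching endpoint found|Failed to authenticate)"
)

def find_bans(lines, maxretry, findtime_s, ignore=()):
    """Return {ip: ban time} for sources reaching maxretry failures within findtime_s."""
    window = timedelta(seconds=findtime_s)
    recent = defaultdict(deque)   # per-source failure timestamps still inside the window
    bans = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["ip"] in ignore or m["ip"] in bans:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            bans[m["ip"]] = ts
    return bans

def _line(ts, ip, reason="Failed to authenticate"):
    """Build one constructed log line in the same layout as the thread's sample."""
    return (f"[{ts}] NOTICE[18406] res_pjsip/pjsip_distributor.c: Request 'REGISTER' "
            f"from '\"530\" <sip:530@pbx.example.invalid>' failed for '{ip}:5068' "
            f"(callid: 1) - {reason}")

# Constructed sample: a five-request burst, a source sending one request per hour,
# and an office phone with a wrong password (the address an admin would ignore).
SAMPLE = (
    [_line(f"2017-08-30 17:41:{s:02d}", "198.51.100.7") for s in range(15, 20)]
    + [_line(f"2017-08-30 {h:02d}:00:00", "203.0.113.9", "No matching endpoint found")
       for h in range(18, 22)]
    + [_line(f"2017-08-30 22:00:{s:02d}", "192.0.2.10") for s in range(6)]
)
```

With `maxretry=5` and a 600-second window only the burst source is banned (and the office phone too, unless it is on the ignore list); the hourly source is caught only once the window is widened, for example `maxretry=2` with `findtime_s=86400`.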
                            anthonyh

                            The only external presence our FreePBX deployment has is to our SIP trunk provider. So we do the obvious and set up the firewall policy so that only our trunk provider is allowed inbound to the PBX and only over the necessary ports.

                            I have been considering opening up SIP/RTP to the public as there have been instances where setting up remote phones would be beneficial, but not knowing how to mitigate potential attacks has stopped me. However, we did purchase some Yealink! phones that seem to support OpenVPN...I've been considering building an OpenVPN server for us to use in the event we need to set up a remote phone.

                              EddieJennings @anthonyh

                              @anthonyh All of our users will be remote to the FreePBX system as it'll be hosted on Vultr; however, just allowing traffic from my office isn't an option, as the majority of the users will be outside of the office.

                                anthonyh @EddieJennings

                                @eddiejennings I should have added that my post wouldn't be very helpful. 😄

                                It sounds like what you need is a way to perform something like Fail2Ban on SIP authentication.

                                  anthonyh

                                  Perhaps you've already seen this?

                                  https://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

                                    JaredBusch @anthonyh

                                    @anthonyh said in Securing FreePBX from attacks:

                                    @eddiejennings I should have added that my post wouldn't be very helpful. 😄

                                    It sounds like what you need is a way to perform something like Fail2Ban on SIP authentication.

                                    FreePBX already does this.

                                      JaredBusch

                                      From my email this morning

                                      0_1504190155943_IMG_6943.PNG

                                        anthonyh @JaredBusch

                                        @jaredbusch Hmm. If that's the case, what's the issue here? lol

                                          wirestyle22 @anthonyh

                                          @anthonyh said in Securing FreePBX from attacks:

                                          @jaredbusch Hmm. If that's the case, what's the issue here? lol

                                          That is his point. There is no issue.

                                            EddieJennings

                                            Yeah. The "issue" is me seeing the malicious traffic, and starting a discussion about what's considered best practice for securing a FreePBX server.
