Securing FreePBX from attacks
-
@scottalanmiller said in Securing FreePBX from attacks:
@eddiejennings said in Securing FreePBX from attacks:
Current task is now figuring what "invalid data" is being sent by my external test users to cause the firewall to think they're attackers.
UDP?
In @Dashrender's case he has Yealink desk phones as the only thing on site and the site is getting blacklisted by the responsive firewall. As soon as he white lists the IP, the phones register.
-
@jaredbusch said in Securing FreePBX from attacks:
@scottalanmiller said in Securing FreePBX from attacks:
@eddiejennings said in Securing FreePBX from attacks:
Current task is now figuring what "invalid data" is being sent by my external test users to cause the firewall to think they're attackers.
UDP?
In @Dashrender's case he has Yealink desk phones as the only thing on site and the site is getting blacklisted by the responsive firewall. As soon as he white lists the IP, the phones register.
Oh, the RP not the outside edge firewall. Odd, okay.
-
@scottalanmiller said in Securing FreePBX from attacks:
@jaredbusch said in Securing FreePBX from attacks:
@scottalanmiller said in Securing FreePBX from attacks:
@eddiejennings said in Securing FreePBX from attacks:
Current task is now figuring what "invalid data" is being sent by my external test users to cause the firewall to think they're attackers.
UDP?
In @Dashrender's case he has Yealink desk phones as the only thing on site and the site is getting blacklisted by the responsive firewall. As soon as he white lists the IP, the phones register.
Oh, the RP not the outside edge firewall. Odd, okay.
Yeah. Forgive my lack of clarity.
-
Other oddity. Both redacted IP addresses are the same.
-
@eddiejennings said in Securing FreePBX from attacks:
Other oddity. Both redacted IP addresses are the same.
Open another tab in chrome or whatever browser and type
What is my IP to confirm the expected IP. -
@dashrender said in Securing FreePBX from attacks:
@eddiejennings said in Securing FreePBX from attacks:
Other oddity. Both redacted IP addresses are the same.
Open another tab in chrome or whatever browser and type
What is my IP to confirm the expected IP.Heh. Yes, I've confirmed the IP of the client machine mentioned is the IP I'm using, which is the IP that's assigned to the Trusted zone.
-
@eddiejennings said in Securing FreePBX from attacks:
Other oddity. Both redacted IP addresses are the same.
I think I had this happen when I set up mine. Everything seemed to work fine, but the error message was still there. I can't remember if it was a simple reboot that fixed it, a firmware upgrade, or what.
-
As a test, I added one of my remote end user's IP addresses to the System Admin > Intrusion Detection Whitelist to see if that would prevent them from being blocked by the Responsive Firewall. Alas, I return from lunch and they're once again blocked. Since I'm still in a testing mode, I'm thinking of blowing away this PBX, rebuilding, and seeing if the problem replicates.
-
@eddiejennings said in Securing FreePBX from attacks:
As a test, I added one of my remote end user's IP addresses to the System Admin > Intrusion Detection Whitelist to see if that would prevent them from being blocked by the Responsive Firewall. Alas, I return from lunch and they're once again blocked. Since I'm still in a testing mode, I'm thinking of blowing away this PBX, rebuilding, and seeing if the problem replicates.
I'm curious to find out - since I'm having the same issue!
-
New PBX is now installed, configured, and updated. Let's see what happens.
-
Might be time to play with the built-in OpenVPN server. I have RF enabled on my remote FreePBX with 90% of endpoints being Yealink and have not had any issues.
-
I wonder what Eddie and I are doing differently than JB that's causing our issues?
-
Assuming you have reinstalled and the problem exists, open a support case with Sangoma. The cost is minimal compared to the time you are spending.
-
Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.
-
@eddiejennings said in Securing FreePBX from attacks:
Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.
Only your soft phones are doing this?
-
@dashrender said in Securing FreePBX from attacks:
@eddiejennings said in Securing FreePBX from attacks:
Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.
Only your soft phones are doing this?
@EddieJennings this.. Do you not have a deskphone at one of these locations causing the same problem?
-
@jaredbusch said in Securing FreePBX from attacks:
@dashrender said in Securing FreePBX from attacks:
@eddiejennings said in Securing FreePBX from attacks:
Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.
Only your soft phones are doing this?
@EddieJennings this.. Do you not have a deskphone at one of these locations causing the same problem?
Both softphones and deskphones are causing my issue.
-
At the moment, that appears to be the case: Yealink phone users are unaffected. However, there's one user I'm watching before I can verify that to be 100% true.
-
Ok, it appears that my two external Yealink phone users' phones are staying registered. I'm going to install Linphone at home and see if I can replicate this problem.
-
@eddiejennings said in Securing FreePBX from attacks:
Ok, it appears that my two external Yealink phone users' phones are staying registered. I'm going to install Linphone at home and see if I can replicate this problem.
Are those Yealink phones only in locations that are specifically listed a trusted sites?
In my case, I never added their IP as a trusted site and they worked fine for over 2 weeks. Then one day, they started being blocked. The day they started being blocked was the first time they tried using UCP from that location.
Adding the IP to the Trusted Sites list did provide a work-a-round, but really, they shouldn't have been getting blocked for any reason I can tell.