I’m running a Raspberry Pi 2 with Asterisk Version: 11.22.0 FreePBX 13.0.123.
After being hacked twice previously, mainly due to poor setup and security measures, I thought I had resolved the issues, but though it hasn’t happened again I am a bit worried about recent emails I’m receiving about Asterisk attacks; I was previously getting multiple SSH attacks. I now use a hashed SSH password, increased ban times, decreased find times and max retry, and have changed the SSH port.
Despite this I am now getting warnings repeatedly from the same IP address about Asterisk attacks like this:
Hi,
The IP 209.126.97.240 has just been banned by Fail2Ban after
20 attempts against Asterisk.
Regards,
Fail2Ban
What worries me is the 20 attempts part, which I was pretty sure was covered by my settings in fail2ban, but obviously not. The emails were being sent every 80 mins (sometimes less), let’s say on average 4800 seconds; the ban times I use in my jail.conf are set to several days.
I don’t want to ban IPs permanently but want to increase the ban time for Asterisk and SIP attacks in line with what I believe I have set for SSH, but can’t seem to find where I can make changes.
First of all, is your PBX behind a firewall, and why do you allow unrestricted access over SSH?
It’s much better not to have the SSH and HTTP ports open to the internet at all, but to use a VPN for remote access.
Any remote phones? Use VPN for those as well.
If you need ports opened, then restrict access only to known IP addresses (whitelist).
If your PBX is not behind a firewall, use the FreePBX firewall module.
There is a firewall on the gateway activated; there is no remote activity. I just use FreePBX to monitor incoming calls on sipgate numbers I have for various reasons - there are no outgoing routes (since the previous troubles).
As far as I know I don’t have any open ports. If it were not for these emails I would not have any connectivity with it.
There is no firewall on the Raspberry Pi version of FreePBX - only fail2ban, which is active with the settings mentioned above.
Scan your public IP for open doors. If fail2ban reports that a public IP attacks your PBX, that means they can see you, so there is a hole in the gateway’s firewall. A customer was using the provider’s router: TCP ports all closed, but UDP open. Use iptables on the Raspberry to block anything unwanted.
Check your ports with nmap; anything else is not reliable.
I have installed and run nmap and scanned the server from a Windows PC from within the network, and the results are that it found 5 TCP ports open: 53, 80, 139, 445, 9001.
Is this what I should be scanning, or should I be scanning the gateway?
You must have a port forwarded to your Asterisk box from the router to allow you to connect to it via SSH. As mentioned by others, either use a VPN to connect to your LAN and then SSH to the local address, or limit incoming connections on the port forwarding rule to known addresses (if you don’t have static IPs for your phone, house, etc., though, this is mostly unworkable).
As a side note, you can often just allow the whole network of a DHCP-provided device at “home” for connections through your firewall, rather than just a host; this is due to the way DHCP is done by the big guys. So look for the CIDR or NetRange in the return from
whois (the current ip address)
That device will always be awarded an address within that range. A caveat is that some cable companies will send back a /12 or something from whois; generally a /16 netmask will cover that for the likes of Comcast etc. Softphones on cellular networks, not so much.
Another forum member was kind enough to check my public IP with an nmap scan and it came back as follows:
Starting Nmap 6.01 ( http://nmap.org ) at 2016-06-02 15:22 CDT
Nmap scan report for 31.185.203.35
Host is up.
All 1000 scanned ports on 31.185.203.35 are filtered
Nmap done: 1 IP address (1 host up) scanned in 203.22 seconds
1000 ports down, 64535 to go. If you don’t specify which ports to scan, nmap scans the first 1000. That’s OK for most cases when you are searching for http, https, ssh, telnet or smtp ports, but remember Asterisk by default uses 5060, 10000-20000 and 4569. Also you need to check for UDP ports, not TCP.
Further, most decent iptables/firewalls will notice a blunt nmap scan and block it quickly; more sophisticated VoIP-specific probes would more likely be successful in identifying your system’s existence.
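Added example, not posted by anyone in this thread: a fail2ban jail.local fragment showing where the Asterisk ban time and retry count actually live, since a per-jail setting overrides whatever [DEFAULT] says (which is why a jail.conf ban time of days can coexist with an email reporting 20 attempts). It assumes stock fail2ban 0.9 jail names ([sshd], [asterisk]), the standard Asterisk log path and the port list from the reply above; the RasPBX image may name its jails differently, so confirm with `fail2ban-client status` before copying the section names.

```ini
# /etc/fail2ban/jail.local (assumed location) - local overrides are read
# after jail.conf, so jail.conf itself never needs editing.
[DEFAULT]
# Constructed baseline values: one-day ban, attempts counted over 10 minutes.
bantime  = 86400
findtime = 600
maxretry = 5
# Mail on ban with whois and log lines (action_mwl is a stock fail2ban action).
destemail = admin@example.com
sender    = fail2ban@example.com
action    = %(action_mwl)s

[sshd]
enabled  = true
# Non-default SSH port mentioned in the thread; the actual number is assumed.
port     = 2222
maxretry = 3

[asterisk]
enabled  = true
logpath  = /var/log/asterisk/messages
# SIP signalling, IAX2 and the RTP range listed in the thread. The attacks
# arrive over UDP, so use an all-ports ban rather than a TCP multiport rule.
port      = 5060,4569,10000:20000
banaction = iptables-allports
# Per-jail values override [DEFAULT]; a per-jail maxretry is what produces
# "after 20 attempts" even when the default is lower. Three-day ban as the
# original poster intended, counting attempts over one hour.
bantime  = 259200
findtime = 3600
maxretry = 3
```

After editing, `fail2ban-client reload` applies the change and `fail2ban-client status asterisk` shows the live ban list, which is a quicker check than waiting for the next email.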