Asterisk attack question

I’m running a Raspberry Pi 2 with Asterisk Version 11.22.0, FreePBX 13.0.123.

After being hacked twice previously, mainly due to poor setup and security measures, I thought I had resolved the issues. Though it hasn’t happened again, I am a bit worried about recent emails I’m receiving about Asterisk attacks; I was previously getting multiple SSH attacks. I now use a hashed SSH password, increased ban times, decreased find times and max retry, and have changed the SSH port.
Despite this I am now getting warnings repeatedly from the same IP address about Asterisk attacks like this:
Hi,
The IP 209.126.97.240 has just been banned by Fail2Ban after
20 attempts against Asterisk.
Regards,
Fail2Ban

What worries me is the “20 attempts” part, which I was pretty sure was covered by my settings in fail2ban, but obviously not. The emails were being sent every 80 mins (sometimes less), let’s say on average every 4800 seconds; the ban times I use in my jail.conf are set to several days.
I don’t want to ban IPs permanently, but I want to increase the ban time for Asterisk and SIP attacks in line with what I believe I have set for SSH, and can’t seem to find where I can make changes.

Can someone out there help me with this please?
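One way to check the symptom described above (the same IP re-banned roughly every 80 minutes although jail.conf says days) is to read the re-ban intervals straight out of the fail2ban log. This is an added example, not part of the thread; the log lines below are constructed in fail2ban’s 0.9-style format, and the jail name asterisk-iptables is assumed.

```python
import re
from datetime import datetime

# fail2ban 0.9-style action log line; the sample lines below are constructed.
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ fail2ban\.actions\s*\[\d+\]: "
    r"\w+\s+\[(?P<jail>[^\]]+)\] (?P<event>Ban|Unban) (?P<ip>\S+)$"
)

SAMPLE_LOG = """\
2016-06-01 10:00:00,101 fail2ban.actions [812]: NOTICE [ssh-iptables] Ban 198.51.100.7
2016-06-01 10:05:12,410 fail2ban.actions [812]: NOTICE [asterisk-iptables] Ban 209.126.97.240
2016-06-01 10:15:12,733 fail2ban.actions [812]: NOTICE [asterisk-iptables] Unban 209.126.97.240
2016-06-01 11:25:40,002 fail2ban.actions [812]: NOTICE [asterisk-iptables] Ban 209.126.97.240
2016-06-01 11:35:40,331 fail2ban.actions [812]: NOTICE [asterisk-iptables] Unban 209.126.97.240
2016-06-01 12:45:03,118 fail2ban.actions [812]: NOTICE [asterisk-iptables] Ban 209.126.97.240
"""

def parse_bans(log_text):
    """Return (jail, ip, timestamp) for every Ban line; Unban lines are skipped."""
    bans = []
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m and m.group("event") == "Ban":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            bans.append((m.group("jail"), m.group("ip"), ts))
    return bans

def effective_bantimes(log_text):
    """Shortest gap in seconds between consecutive bans of the same IP, per (jail, ip).

    A gap far below the bantime you configured means that jail is reading a
    different bantime (e.g. a default section) than the one you edited."""
    last_seen, shortest = {}, {}
    for jail, ip, ts in sorted(parse_bans(log_text), key=lambda b: b[2]):
        key = (jail, ip)
        if key in last_seen:
            gap = int((ts - last_seen[key]).total_seconds())
            shortest[key] = min(shortest.get(key, gap), gap)
        last_seen[key] = ts
    return shortest

def jails_below_expected(log_text, expected_bantime_s):
    """Names of jails whose observed re-ban interval is shorter than expected_bantime_s."""
    return sorted({jail for (jail, _ip), gap in effective_bantimes(log_text).items()
                   if gap < expected_bantime_s})
```

Run it against the real /var/log/fail2ban.log and compare the reported jails with the sections in jail.local to see which one is actually governing the Asterisk bans.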

First of all, is your PBX behind a firewall and why do you allow unrestricted access over ssh?
It’s much better not to have SSH and HTTP ports open to the internet at all, but to use a VPN for remote access.
Any remote phones? Use a VPN for those as well.
If you need ports opened, then restrict access only to known IP addresses (whitelist).

If your PBX is not behind a firewall, use the FreePBX firewall module.

Good luck.

Hi avayax,

There is a firewall on the gateway, activated; there is no remote activity. I just use the FreePBX to monitor incoming calls on sipgate numbers I have for various reasons - there are no outgoing routes (since previous troubles).
As far as I know I don’t have any open ports. If it were not for these emails I would not have any connectivity with it.
There is no firewall on the Raspberry Pi version of FreePBX - only fail2ban, which is active with the settings mentioned above.

Scan your public IP for open doors. If fail2ban reports that a public IP attacks your PBX, that means they can see you, so there is a hole in the gateway’s firewall. A customer was using the provider’s router: TCP ports all closed but UDP opened. Use iptables on the Raspberry to block anything unwanted.

If there are no ports open on your firewall, then it’s a mystery to me how you could be subject to ssh attacks from public addresses.

I’ve scanned my IP address with ShieldsUP and it shows nothing open. I’ve looked into using iptables before, but it looks way beyond my scope.

My guess is that port 5060 is wide open for the SIP trunks. Double check the firewall settings.

Check your ports with nmap; anything else is not reliable.

astbox:
Check your ports with nmap; anything else is not reliable.

I have installed and run nmap and scanned the server from a Windows PC from within the network, and the results are that it found 5 TCP ports open: 53, 80, 139, 445, 9001.
Is this what I should be scanning, or should I be scanning the gateway?

The public IP that the gateway has. Checking internally doesn’t have anything to do with attacks that you get from the internet.

If I have to scan the public IP from outside, I’ll have to wait till tomorrow when I’m at work.

You must have a port forwarded to your Asterisk box from the router to allow you to connect to it via SSH. As mentioned by others, either use a VPN to connect to your LAN and then SSH to the local address, or limit incoming connections on the port forwarding rule to known addresses (if you don’t have static IPs for your phone, house, etc., though, this is mostly unworkable).

As a side note, you can often just allow the whole network of a DHCP-provided device at “home” for connections through your firewall, rather than just a host; this is due to the way DHCP is done by the big guys. So look for the CIDR or NetRange in the return from

whois (the current ip address)

That device will always be awarded an address within that range. A caveat is that some cable companies will send back a /12 or something from whois; generally a /16 netmask will cover that for the likes of Comcast etc. Softphones on cellular networks, not so much :wink:

Previously I posted in

Allowing is just the reverse of denying, and IWFM :slight_smile:


Sorry for the late reply.

Another forum member was kind enough to check my public IP with an nmap scan, and it came back as follows:

Starting Nmap 6.01 ( http://nmap.org ) at 2016-06-02 15:22 CDT
Nmap scan report for 31.185.203.35
Host is up.
All 1000 scanned ports on 31.185.203.35 are filtered

Nmap done: 1 IP address (1 host up) scanned in 203.22 seconds

It looks like no ports are open.

1000 ports down, 64535 to go. If you don’t specify which ports to scan, nmap scans the first 1000. That’s OK for most cases when you are searching to find HTTP, HTTPS, SSH, Telnet or SMTP ports, but remember Asterisk by default uses 5060, 10000-20000 and 4569. Also you need to check for UDP ports, not TCP.


Almost; all scanning methods are covered here:

https://nmap.org/book

For the “standard ports” outside the “privileged” range:

https://nmap.org/book/nmap-services.html

Further, most decent iptables/firewalls will notice a blunt nmap scan and block it quickly; more sophisticated VoIP-specific probes would more likely be successful in identifying your system’s existence.
