Firewall not detecting/blocking bad users

VoIPTek · October 24, 2016, 11:01pm

Hello All,

I installed the new firewall and enabled it. During that time I saw that a million attempts to login as asterisk were being made from another country (see below), should the firewall not be tracking those login attempts and rejecting the IP?


[2016-10-24 18:52:56] NOTICE[13034]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:52:56] NOTICE[13034]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:52:58] NOTICE[13043]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:52:58] NOTICE[13043]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:52:59] NOTICE[13055]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:52:59] NOTICE[13055]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:53:00] NOTICE[13057]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:53:00] NOTICE[13057]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:53:02] NOTICE[13076]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:53:02] NOTICE[13076]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:53:03] NOTICE[13105]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:53:03] NOTICE[13105]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:53:05] NOTICE[13118]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:53:05] NOTICE[13118]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:53:06] NOTICE[13120]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:53:06] NOTICE[13120]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:53:07] NOTICE[13122]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:53:07] NOTICE[13122]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:53:09] NOTICE[13123]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:53:09] NOTICE[13123]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:53:10] NOTICE[13124]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:53:10] NOTICE[13124]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:53:12] NOTICE[13125]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'
[2016-10-24 18:53:12] NOTICE[13125]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'asterisk'
[2016-10-24 18:53:13] NOTICE[13126]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'asterisk'

Thanks!

dicko · October 24, 2016, 11:30pm

Quick fix, have your firewall block inbound connections on tcp 5038,

tonyclewis · October 24, 2016, 11:31pm

Do you have that port opened?

xrobau · October 24, 2016, 11:32pm

At a guess you have your interface zone set to ‘trusted’. There’s a big error in dashboard, and it should be complaining loudly that this is wrong.

By default, this is blocked. There is, in fact, no way to ALLOW remote access to AMI as part of firewall, you’d need to manually create a port to let it through (because it’s such a terrible idea to expose this, I make it extremely hard for someone to accidentally do it)

VoIPTek · October 24, 2016, 11:52pm

Responses:

I did an iptables-save | grep 5038 and there are no policies enabling that service.

I did not add anything to the firewall in respect to additional services ( custom/services )

The server is assigned an external IP, the interface eth0 is in interfaces as trusted.
I noticed that even though technically I have a /32 (1 IP) it’s assigning it a /24 for the interface.
I can restrict it in networks, but not in the interface.
I removed the “trusted” network with the /24 and added in the ip as a /32 ( not thinking this will break anything ).

One question is if the external IP is trusted, when looking at the services tab if I leave it with internal, will that service (lets say web management) be available from the trusted + internal or do I have to select in the services tab, external & internal?
( just want to make sure)

I do see this in the dashboard:
A network interface that is assigned to the ‘Trusted’ zone has been detected. This is a misconfiguration. To ensure your system is protected from attacks, please change the default zone of interface ‘eth0’.

xrobau · October 25, 2016, 12:00am

The help text explains it. Let me paste it here. If the wording is unclear, please suggest any changes.

VoIPTek · October 25, 2016, 12:48am

Thanks Rob, I believe I understand this, but want to be sure, so what I did is uninstalled the firewall ( so it doesn’t maintain any settings if I disable, then enable ) and reinstalled it.

I did everything default, I then added in sip trunks IP’s, client IP’s and of course my office IP’s.
I do have responsive firewall enabled.

Having said that my fun hacker friends NOT! are shown below and it keeps happening without getting rejected.

Did I miss something?


[2016-10-24 20:38:26] NOTICE[2462]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'administrator'
[2016-10-24 20:38:26] NOTICE[2462]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'administrator'
[2016-10-24 20:38:27] NOTICE[2463]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'administrator'
[2016-10-24 20:38:27] NOTICE[2463]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'administrator'
[2016-10-24 20:38:29] NOTICE[2464]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'administrator'
[2016-10-24 20:38:29] NOTICE[2464]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'administrator'
[2016-10-24 20:38:30] NOTICE[2466]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'administrator'
[2016-10-24 20:38:30] NOTICE[2466]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'administrator'
[2016-10-24 20:38:32] NOTICE[2484]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'administrator'
[2016-10-24 20:38:32] NOTICE[2484]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'administrator'
[2016-10-24 20:38:33] NOTICE[2485]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'administrator'
[2016-10-24 20:38:33] NOTICE[2485]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'administrator'
[2016-10-24 20:38:35] NOTICE[2486]: manager.c:2640 authenticate: 195.154.172.203 tried to authenticate with nonexistent user 'administrator'
[2016-10-24 20:38:35] NOTICE[2486]: manager.c:2677 authenticate: 195.154.172.203 failed to authenticate as 'administrator'

lgaetz · October 25, 2016, 1:10am

Okay.

Unnecessary, Firewall is smart enough to know your trunking hosts (@xrobau will correct this if I’m wrong)

Okay.

If you’ve white listed all your clients, this step is not necessary.

The most important part, you don’t indicate what you’ve set the interface to, is it still set to the default ‘Trusted’ zone?

VoIPTek · October 25, 2016, 1:18am

The interface is set to the external IP of eth0 and is trusted ( happens automagically )

I enabled responsive to be safe while adding everything in to be explicit, and while we can say the firewall understands if we are opening communications to a trunk so it’s ok to accept traffic from it, I would still be safe and add it in ( no harm done per say ).

I now disabled responsive because yes, I should be good with my “trusted” interfaces.

Still not blocking the bad guys and I can get to the web interface from other external networks.

lgaetz · October 25, 2016, 1:23am

Then you did not understand Rob’s note above, read it again.

VoIPTek · October 25, 2016, 1:38am

OK, I’m off here, but I think I see what you are saying, the eth0 which is auto configured as trusted should not be trusted.

I set this to external and our hacker friends are no longer reaching the box, is this the proper setting?

I do see the wording and the confusion on my part.

VoIPTek · October 25, 2016, 1:53am

Rob,

I’m not sure I would say the wording is bad, but because the interface is built for me per say, it kind of feels like you shouldn’t touch it, but I do get it, @lgaetz had to hit me over the head with a club a couple of times

I do have one suggestion, not in the wording, that may require more thinking than I’m capable of but if possible to add a comment value for each network, this way we can easily identify “New York Office” associated with IP x.x.x.x

I know you worked a lot on this, and its an awesome tool!
Thank you!

xrobau · October 25, 2016, 5:01am

There’s actually an open feature request for this - http://issues.freepbx.org/browse/FREEPBX-10757- that I haven’t got around to. I’m vainly hoping that someone will one day send me a pull request for it 8)