Adaptive firewall and security issue

I have a hosted PBX. It's a brand new install and running FreePBX Distro 14 with all module updates and yum updates installed. I have no SIP trunks and no extensions. The firewall is enabled, my interface is set to “internet”. In the firewall the only IP whitelisted is the one for my connection (/32). When I enable the responsive firewall (chan_sip and pjsip), I immediately see attempts to make calls; if I turn off responsive they stop. If I leave it enabled there are several call attempts per second and nothing is getting banned? I have the intrusion detection set pretty strict with

BAN time 3600
max retry 3
find time 300

I am concerned that if I add sip trunks or extensions they will be able to make active calls. Right now without any trunks I see the call fail (congestion).

sample CDR (My IP address removed on links)

Call Date Recording System CallerID Outbound CallerID DID App Destination Disposition Duration Userfield Account CDR Table CDR Graph
Fri, 24 Jan 2020 1:18 1579846722.858 250250 Congestion s [from-sip-external] ANSWERED 00:12
Fri, 24 Jan 2020 1:18 1579846713.857 738001 Congestion s [from-sip-external] ANSWERED 00:12
Fri, 24 Jan 2020 1:18 1579846709.856 250250 Congestion s [from-sip-external] ANSWERED 00:12
Fri, 24 Jan 2020 1:18 1579846706.855 250250 Congestion s [from-sip-external] ANSWERED 00:12
Fri, 24 Jan 2020 1:18 1579846706.854 250250 Congestion s [from-sip-external] ANSWERED 00:12

sample call events

Date Caller Dialed Duration Play Details
Fri, Jan 24, 2020 1:19 AM 250250 6673101148483829010 13 - show
Fri, Jan 24, 2020 1:19 AM 738002 011441923937034 13 - show
Fri, Jan 24, 2020 1:19 AM 250250 907201148122518017 13 -

Call Detail for 1st call

log file
[2020-01-24 01:44:03] VERBOSE[28007][C-00000476] pbx.c: Executing [s@from-sip-external:6] Set(“PJSIP/anonymous-00000476”, “receveip=pjsip,remote_addr”) in new stack
[2020-01-24 01:44:03] VERBOSE[28007][C-00000476] pbx.c: Executing [s@from-sip-external:7] Log(“PJSIP/anonymous-00000476”, "WARNING,“Rejecting unknown SIP connection from 134.119.221.174:51503"”) in new stack
[2020-01-24 01:44:03] WARNING[28007][C-00000476] Ext. s: “Rejecting unknown SIP connection from 134.119.221.174:51503”
[2020-01-24 01:44:03] VERBOSE[28007][C-00000476] pbx.c: Executing [s@from-sip-external:8] Answer(“PJSIP/anonymous-00000476”, “”) in new stack
[2020-01-24 01:44:04] VERBOSE[28007][C-00000476] pbx.c: Executing [s@from-sip-external:9] Wait(“PJSIP/anonymous-00000476”, “2”) in new stack
[2020-01-24 01:44:04] VERBOSE[27952][C-00000475] pbx.c: Spawn extension (from-sip-external, s, 12) exited non-zero on ‘PJSIP/anonymous-00000475’
[2020-01-24 01:44:04] VERBOSE[27952][C-00000475] pbx.c: Executing [h@from-sip-external:1] Hangup(“PJSIP/anonymous-00000475”, “”) in new stack
[2020-01-24 01:44:04] VERBOSE[27952][C-00000475] pbx.c: Spawn extension (from-sip-external, h, 1) exited non-zero on ‘PJSIP/anonymous-00000475’
[2020-01-24 01:44:06] VERBOSE[28007][C-00000476] pbx.c: Executing [s@from-sip-external:10] Playback(“PJSIP/anonymous-00000476”, “ss-noservice”) in new stack
[2020-01-24 01:44:06] VERBOSE[28007][C-00000476] file.c: <PJSIP/anonymous-00000476> Playing ‘ss-noservice.ulaw’ (language ‘en’)
[2020-01-24 01:44:08] VERBOSE[9894] pbx_variables.c: Setting global variable ‘SIPDOMAIN’ to ‘xx.xx.xx.xx’
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx.c: Executing [3248601148221530435@from-sip-external:1] NoOp(“PJSIP/anonymous-00000477”, “Received incoming SIP connection from unknown peer to 3248601148221530435”) in new stack
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx.c: Executing [3248601148221530435@from-sip-external:2] Set(“PJSIP/anonymous-00000477”, “DID=3248601148221530435”) in new stack
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx.c: Executing [3248601148221530435@from-sip-external:3] Goto(“PJSIP/anonymous-00000477”, “s,1”) in new stack
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx_builtins.c: Goto (from-sip-external,s,1)
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx.c: Executing [s@from-sip-external:1] GotoIf(“PJSIP/anonymous-00000477”, “1?setlanguage:checkanon”) in new stack
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx_builtins.c: Goto (from-sip-external,s,2)
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx.c: Executing [s@from-sip-external:2] Set(“PJSIP/anonymous-00000477”, “CHANNEL(language)=en”) in new stack
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx.c: Executing [s@from-sip-external:3] GotoIf(“PJSIP/anonymous-00000477”, “1?noanonymous”) in new stack
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx_builtins.c: Goto (from-sip-external,s,5)
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx.c: Executing [s@from-sip-external:5] Set(“PJSIP/anonymous-00000477”, “TIMEOUT(absolute)=15”) in new stack
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] func_timeout.c: Channel will hangup at 2020-01-24 01:44:23.712 EST.
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx.c: Executing [s@from-sip-external:6] Set(“PJSIP/anonymous-00000477”, “receveip=pjsip,remote_addr”) in new stack
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx.c: Executing [s@from-sip-external:7] Log(“PJSIP/anonymous-00000477”, "WARNING,“Rejecting unknown SIP connection from 134.119.217.190:59510"”) in new stack
[2020-01-24 01:44:08] WARNING[28008][C-00000477] Ext. s: “Rejecting unknown SIP connection from 134.119.217.190:59510”
[2020-01-24 01:44:08] VERBOSE[28008][C-00000477] pbx.c: Executing [s@from-sip-external:8] Answer(“PJSIP/anonymous-00000477”, “”) in new stack
[2020-01-24 01:44:09] VERBOSE[28008][C-00000477] pbx.c: Executing [s@from-sip-external:9] Wait(“PJSIP/anonymous-00000477”, “2”) in new stack
[2020-01-24 01:44:11] VERBOSE[28007][C-00000476] pbx.c: Executing [s@from-sip-external:11] PlayTones(“PJSIP/anonymous-00000476”, “congestion”) in new stack
[2020-01-24 01:44:11] VERBOSE[28007][C-00000476] pbx.c: Executing [s@from-sip-external:12] Congestion(“PJSIP/anonymous-00000476”, “5”) in new stack
[2020-01-24 01:44:11] VERBOSE[28008][C-00000477] pbx.c: Executing [s@from-sip-external:10] Playback(“PJSIP/anonymous-00000477”, “ss-noservice”) in new stack
[2020-01-24 01:44:11] VERBOSE[28008][C-00000477] file.c: <PJSIP/anonymous-00000477> Playing ‘ss-noservice.ulaw’ (language ‘en’)

What can I do to make this more secure??? What did I miss? I took the Asterisk advanced administration class at Sangoma and they said, sure, use responsive, no problem? This looks like a problem to me.

If you know the IP addresses, add them to iptables with DROP, or add the same addresses to the router with a route to null0 (ip route <address> <subnet mask> null0).

iptables -A INPUT -s 185.63.252.0/19 -p TCP -j DROP

Change TCP to UDP, or add your SIP providers to a “permit” chain and deny all other UDP or TCP from anyone else.

The log lines indicate incoming calls, not intrusion attempts, so there is nothing to ban. Think of them as someone ringing the doorbell as opposed to someone trying to pick the door lock. You can eliminate them by disabling SIP guests per @kierknoby’s suggestion.

@vasmanrossano, once you’re running the FreePBX firewall, adding iptables rules is not as simple as you make it out to be. There is a supported way to do this, but manually maintaining a blacklist of SIP offenders will wear you out before them.
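To make the "doorbell, not lock-picking" distinction concrete, here is an added example (my own code, not from this thread, FreePBX or fail2ban). It reads Asterisk full-log lines, separates the “Rejecting unknown SIP connection” dialplan warnings (guest calls) from PJSIP “No matching endpoint found” request failures (what an auth-oriented jail counts), and applies a sliding window with the settings quoted in the question (maxretry 3, findtime 300). The sample log lines are constructed with documentation IPs, and the two regexes are simplified stand-ins, not the real fail2ban asterisk filter.

```python
"""Classify Asterisk log lines the way a fail2ban-style jail would see them.

Added example, not code from the thread or from the FreePBX project. It shows
why guest-call rejections from [from-sip-external] never trip a ban keyed on
authentication failures: the jail simply does not count them.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample, modelled on the Asterisk full log quoted in the thread.
# IPs, PIDs and call-ids are made up (documentation ranges), not the thread's.
SAMPLE_LOG = """\
[2020-01-24 01:44:03] WARNING[28007][C-00000476] Ext. s: "Rejecting unknown SIP connection from 203.0.113.10:51503"
[2020-01-24 01:44:08] WARNING[28008][C-00000477] Ext. s: "Rejecting unknown SIP connection from 203.0.113.11:59510"
[2020-01-24 01:44:09] WARNING[28008][C-00000478] Ext. s: "Rejecting unknown SIP connection from 203.0.113.10:51504"
[2020-01-24 01:44:10] NOTICE[28009] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1001" <sip:1001@pbx>' failed for '198.51.100.7:5060' (callid: abc1) - No matching endpoint found
[2020-01-24 01:44:12] NOTICE[28009] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1001" <sip:1001@pbx>' failed for '198.51.100.7:5060' (callid: abc2) - No matching endpoint found
[2020-01-24 01:44:15] NOTICE[28009] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1001" <sip:1001@pbx>' failed for '198.51.100.7:5060' (callid: abc3) - No matching endpoint found
"""

TS_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")
# Dialplan warning emitted by from-sip-external when allowguest is on: a guest call.
GUEST_RE = re.compile(r"Rejecting unknown SIP connection from (\d+\.\d+\.\d+\.\d+):\d+")
# PJSIP request with no matching endpoint: the kind of line an auth jail counts.
# Simplified stand-in for the real fail2ban filter (assumption, see lead-in).
AUTHFAIL_RE = re.compile(r"failed for '(\d+\.\d+\.\d+\.\d+):\d+'.*No matching endpoint found")


def parse_log(text):
    """Return a list of (timestamp, kind, source_ip) for recognised lines."""
    events = []
    for line in text.splitlines():
        m_ts = TS_RE.match(line)
        if not m_ts:
            continue
        ts = datetime.strptime(m_ts.group(1), "%Y-%m-%d %H:%M:%S")
        m = GUEST_RE.search(line)
        if m:
            events.append((ts, "guest_call", m.group(1)))
            continue
        m = AUTHFAIL_RE.search(line)
        if m:
            events.append((ts, "auth_fail", m.group(1)))
    return events


def would_ban(events, maxretry=3, findtime=300):
    """IPs that reach maxretry auth failures inside any findtime-second window."""
    windows = defaultdict(deque)
    banned = set()
    for ts, kind, ip in sorted(events):
        if kind != "auth_fail":
            continue  # guest calls are never counted, exactly like the jail
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= maxretry:
            banned.add(ip)
    return banned


def summarize(text, maxretry=3, findtime=300):
    """Guest-call counts per source IP next to the IPs a jail would ban."""
    events = parse_log(text)
    guest = defaultdict(int)
    for _, kind, ip in events:
        if kind == "guest_call":
            guest[ip] += 1
    return {
        "guest_calls_by_ip": dict(guest),
        "banned": would_ban(events, maxretry, findtime),
    }


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    print("guest calls per IP:", report["guest_calls_by_ip"])
    print("would be banned   :", report["banned"])
```

Run against the sample, the two guest-call sources show up in the counts but only the IP with three endpoint failures inside five minutes lands in the ban set; disabling SIP guests (allowguest) removes the first category entirely rather than trying to ban it.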

My anonymous was off but the allow guest was on. I believe turning off the guest fixed it. THANKS! No new call attempts in 40 minutes now.


Don't want to block the IPs manually, I can see they are constantly changing (probably to avoid being blacklisted). Also, I can't add or whitelist IPs as I plan to use adaptive mode to support thousands of phones all over the place. I need something to be more automatic. I also think I may have to enable VPN type connections for phones (using Sangoma S505, but as of now even with “zero touch” I haven't been able to get the phones to connect at all).

I still have an issue with many, many calls even though I have no trunks enabled and no extensions configured? How do I prevent this?

Call Date Recording System CallerID Outbound CallerID DID App Destination Disposition Duration Userfield Account CDR Table CDR Graph
Fri, 7 Feb 2020 16:23 1581110638.2218 8604282812 SayAlpha s [from-trunk] ANSWERED 00:11
Fri, 7 Feb 2020 16:10 1581109817.2217 5168562024 Playback s [from-trunk] ANSWERED 00:04
Fri, 7 Feb 2020 14:46 1581104795.2216 5165595655 Playback s [from-trunk] ANSWERED 00:03
Fri, 7 Feb 2020 12:54 1581098097.2215 3148538445 Playback s [from-trunk] ANSWERED 00:07
Fri, 7 Feb 2020 11:19 1581092343.2214 5168562026 Playback s [from-trunk] ANSWERED 00:04
Fri, 7 Feb 2020 10:41 1581090064.2213 9179620566 Playback s [from-trunk] ANSWERED 00:04
Thu, 6 Feb 2020 17:41 1581028888.2212 5165595655 SayAlpha s [from-trunk] ANSWERED 00:10
Thu, 6 Feb 2020 16:21 1581024095.2211 7184006731 Wait s [from-trunk] ANSWERED 00:01
Thu, 6 Feb 2020 16:15 1581023723.2210 7188437996 SayAlpha s [from-trunk] ANSWERED 00:10
Thu, 6 Feb 2020 13:59 1581015551.2209 4145513002 SayAlpha s [from-trunk] ANSWERED 00:11
Thu, 6 Feb 2020 13:35 1581014154.2208 9179620566 Playback s [from-trunk] ANSWERED 00:03
Thu, 6 Feb 2020 13:31 1581013914.2207 3148538445 SayAlpha s [from-trunk] ANSWERED 00:11
Thu, 6 Feb 2020 13:31 1581013902.2206 7609934102 Hangup s [from-trunk] ANSWERED 00:16
Thu, 6 Feb 2020 13:31 1581013876.2205 6313187934 Playback s [from-trunk] ANSWERED 00:04
Thu, 6 Feb 2020 12:24 1581009873.2204 7183382386 SayAlpha s [from-trunk] ANSWERED 00:11
Thu, 6 Feb 2020 11:59 1581008381.2203 5165145822 Playback s [from-trunk] ANSWERED 00:06
Thu, 6 Feb 2020 11:59 1581008365.2202 5165145822 SayAlpha s [from-trunk] ANSWERED 00:10
Thu, 6 Feb 2020 10:35 1581003307.2201 9292990256 Playback s [from-trunk] ANSWERED 00:05
Thu, 6 Feb 2020 10:15 1581002112.2200 5168656659 SayAlpha s [from-trunk] ANSWERED 00:10
Wed, 5 Feb 2020 18:17 1580944669.2199 9198136074 Playback s [from-trunk] ANSWERED 00:04
Wed, 5 Feb 2020 17:37 1580942242.2198 2524682469 SayAlpha s [from-trunk] ANSWERED 00:10
Wed, 5 Feb 2020 15:55 1580936159.2197 7183134608 SayAlpha s [from-trunk] ANSWERED 00:11
Wed, 5 Feb 2020 15:28 1580934494.2196 2403976498 SayAlpha s [from-trunk] ANSWERED 00:11
Wed, 5 Feb 2020 15:12 1580933571.2195 9148296137 SayAlpha s [from-trunk] ANSWERED 00:11
Wed, 5 Feb 2020 13:18 1580926685.2194 9842062002 SayAlpha s [from-trunk] ANSWERED 00:10
Wed, 5 Feb 2020 13:06 1580926007.2193 9842061963 SayAlpha s [from-trunk] ANSWERED 00:10
Wed, 5 Feb 2020 11:55 1580921722.2192 2403976498 SayAlpha s [from-trunk] ANSWERED 00:12
Wed, 5 Feb 2020 11:33 1580920399.2191 5168562024 Playback s [from-trunk] ANSWERED 00:03
Wed, 5 Feb 2020 11:20 1580919636.2190 5169165113 SayAlpha s [from-trunk] ANSWERED 00:09
Wed, 5 Feb 2020 10:36 1580916987.2189 5189523385 SayAlpha s [from-trunk] ANSWERED 00:11

Post the Asterisk log covering the time period of one of these calls. (Paste it at pastebin.freepbx.org and post the link here.)

detail for a call: https://pastebin.freepbx.org/view/b11537ee
asterisk logfile for call: https://pastebin.freepbx.org/view/1b19c382

That IP does belong to Telnyx; they believe that the 718338 number is yours and when it is called (probably by spam robots) they send you the call.

AFAICT your system is fine.

Well, interesting fact though. There was no trunk set up at Telnyx to talk to this PBX and at Telnyx I have NO numbers assigned to this PBX? I configured the trunk on the PBX side but did not set it up on the Telnyx side.

This should be pretty easy to find. First, make sure what number is being called. It’s probably 7183383529, but if that number is hard-coded into your configuration e.g. in a register string or contact user, use sip debug or otherwise find out what’s in the To header of the INVITE.

Next, if the number being called is not in any of your Telnyx accounts, contact their support and explain the situation.

If the number is yours, the Telnyx portal should show you how it is being routed. If it appears to be correctly routed to another PBX, perhaps your firewall, SBC or other networking gear is misconfigured.

BTW, when I call 7183383529, the call is not answered but the ringback tone has a strange irregular cadence, as if the call is being presented to multiple systems, all of which are rejecting or failing to handle the call.
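Since the advice above hinges on reading the To header of the INVITE (via sip debug or pjsip set logger on) rather than trusting the dialplan's DID, here is an added example of doing that check offline. It is my own code, not from the thread, Telnyx or FreePBX: it parses a captured INVITE, handles the compact header forms (t:, f:), pulls the user part of the To and From URIs and the Request-URI, and compares the To user against the DIDs you actually own. The INVITE, addresses and numbers below are constructed placeholders.

```python
"""Pull the dialled number out of a SIP INVITE's To header.

Added example, not from the thread. Parses a captured INVITE (constructed
here) and reports whether the number the carrier is delivering to is one of
the DIDs assigned to this PBX.
"""
import re

# Constructed INVITE shaped like the text `pjsip set logger on` prints.
# All addresses and numbers are placeholders, not values from the thread.
SAMPLE_INVITE = (
    "INVITE sip:5551234567@203.0.113.5:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.20:5060;branch=z9hG4bK-example\r\n"
    'From: "Caller" <sip:5559876543@192.0.2.20>;tag=abc\r\n'
    "t: <sip:5551234567@203.0.113.5>\r\n"        # compact form of To:
    "Call-ID: example-call-id@192.0.2.20\r\n"
    "CSeq: 1 INVITE\r\n"
    "Contact: <sip:5559876543@192.0.2.20:5060>\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# RFC 3261 compact header names that carriers sometimes use.
COMPACT = {"t": "to", "f": "from", "v": "via", "i": "call-id", "m": "contact"}
REQUEST_LINE_RE = re.compile(r"^([A-Z]+)\s+(\S+)\s+SIP/2\.0$")
HEADER_RE = re.compile(r"^([^:\s]+)\s*:\s*(.*)$")
# User part of a sip:/sips: URI, with or without angle brackets or URI params.
URI_USER_RE = re.compile(r"sips?:([^@>;]*)@")


def parse_headers(raw):
    """Return (method, request_uri, headers) with header names lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = REQUEST_LINE_RE.match(lines[0])
    if not m:
        raise ValueError("not a SIP request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        h = HEADER_RE.match(line)
        if not h:
            continue
        name = h.group(1).lower()
        name = COMPACT.get(name, name)
        headers.setdefault(name, h.group(2).strip())  # keep first occurrence
    return m.group(1), m.group(2), headers


def uri_user(value):
    """User part of the first sip/sips URI in a header value, or None."""
    m = URI_USER_RE.search(value)
    return m.group(1) if m else None


def digits(number):
    """Normalise a number for comparison: strip '+', spaces, dashes, etc."""
    return re.sub(r"\D", "", number or "")


def classify_invite(raw, owned_dids):
    """Report which number the INVITE targets and whether this PBX owns it."""
    method, request_uri, headers = parse_headers(raw)
    to_user = uri_user(headers.get("to", ""))
    owned = {digits(d) for d in owned_dids}
    return {
        "method": method,
        "request_uri_user": uri_user(request_uri),
        "to_user": to_user,
        "from_user": uri_user(headers.get("from", "")),
        "owned": digits(to_user) in owned,
    }


if __name__ == "__main__":
    # Placeholder DID list; replace with the numbers in your carrier portal.
    print(classify_invite(SAMPLE_INVITE, {"555-123-4567"}))
```

If the To user is not in your carrier account, that is the evidence to hand to their support; if it is, follow the routing for that number in the portal as suggested above.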

