Anyone experiencing massive attack?

vaibhav · July 2, 2020, 1:58pm

I have received over 100 fail2ban emails in the last 2 hours, almost all reporting attempts in 2-digit. Is it just me or anyone else is also experiencing this?

BlazeStudios · July 2, 2020, 3:01pm

Just you so far

vaibhav · July 2, 2020, 3:52pm

I’m getting 2 types of email
Sub: [Fail2Ban] SIP: banned xx.xx.xx.xx on {hostname}
[Fail2Ban] recidive: banned xx.xx.xx.xx on {hostname}

A large number of them… is there anything I should be worried about?

Thanks

billsimon · July 2, 2020, 3:59pm

recidive tells you when an IP has been repeatedly banned and now is in the long-term jail. The SIP bans are shorter term. Should you be worried? that’s up to you If you don’t need that external traffic pestering your server, perhaps you could set up some firewall rules.

vaibhav · July 2, 2020, 4:13pm

Thanks @billsimon

Long-term jail is good!!

We have remote workers so the only way for me to setup firewall rules is to first have a VPN in place. A VPN would actually work like a firewall.

Are there any workarounds to avoid spam traffic?

billsimon · July 2, 2020, 4:20pm

Sure… use only TLS for your remotes and block plain SIP. Scanners don’t usually bother with TLS. Or change to an unusual port. (recommended on this forum often)

vaibhav · July 2, 2020, 4:34pm

Both suggestions sounds good, will get this done!!

vaibhav · July 3, 2020, 6:01am

I changed SIP port.
Did “Apply” in freepbx,
Did “fwconsole restart” in terminal
Still getting insane fail2ban email.
Is there something I missed?

Stewart1 · July 3, 2020, 6:07am

Are you certain that most of the fail2ban notices relate to SIP (it also monitors SSH, web, etc.)?

When you changed the SIP port (if you did it properly), all your extensions should have stopped working. To get them going again, you would have to forward the new port through your firewall, and reconfigure each extension to use the new port.

For pjsip, the port is called Port to Listen On; for chan_sip it’s called Bind Port.

vaibhav · July 3, 2020, 6:34am

Yes. See attached. https://nimb.ws/xh48H7

Yes, the extensions stoped working. I changed the configuration of a few extensions to connect to the new SIP port. Extensions connected fine. I did a few extn-to-extn test calls, all worked fine. But within minutes I started seeing Fail2Ban emails again. I waited for 30 min. Emails continued. That’s when I concluded that changing SIP port did not do anything good for me.

I use PJSIP.
I changed the port here → FreePBX Web GUI > Settings > Asterisk SIP Settings > SIP Settings (chan_pjsip) > Port to Listen On.

Did “Apply” in freepbx,
Did “fwconsole restart” in terminal

I think I did it right.

vaibhav · July 3, 2020, 6:37am

oh! wait, I only changed pjsip & not chansip.

vaibhav · July 3, 2020, 6:52am

Changed ports in chan_sip & chan_jpsip.
Waiting for fail2ban emails… to not come :))

vaibhav · July 3, 2020, 7:00am

fail2ban emails still coming. It did not help, what could I be doing wrong?

franckdanard · July 3, 2020, 8:26am

Hi.

If you want to use some remote extensions, the best way should be to connect the extensions through a VPN of course.
Next, configure some rules in your firewall to accept only trusted hosts, IP address and drop the others.
I did it for many years, that works fine.
Sometimes it’s not easy to know what are trusted host / ip address but you can add one any time you want.

Otherwise, you could use a SBC in front of your system.

system · August 3, 2020, 8:26am

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.