Authenticate from unknown address

I’m in the learning process of getting a better handle on what is a security hack vs. what the PBX should be doing.

I get the following failed to authenticate from IP 108.171.240.58. Am I reading it right that someone from that IP is trying to log in as admin?

I guess the big question is what do I do with this information?

[2013-11-05 14:25:01] NOTICE[4191]: acl.c:748 ast_apply_acl: Manager User ACL: Rejecting '108.171.240.58' due to a failure to pass ACL '(BASELINE)'
[2013-11-05 14:25:01] NOTICE[4191]: manager.c:2584 authenticate: 108.171.240.58 failed to pass IP ACL as 'admin'
[2013-11-05 14:25:01] NOTICE[4191]: manager.c:2618 authenticate: 108.171.240.58 failed to authenticate as 'admin'

A second note: the more I think of this, I think it is some kind of password/username issue maybe, but not sure. I typically see IP 127.0.0.1.

Now this as well,

[2013-11-05 15:04:01] NOTICE[1885][C-000033c5]: chan_sip.c:25282 handle_request_invite: Failed to authenticate device 1000;tag=c58ca315
[2013-11-05 15:05:00] NOTICE[4359]: manager.c:2581 authenticate: 108.171.240.58 tried to authenticate with nonexistent user 'hudpro'
[2013-11-05 15:05:00] NOTICE[4359]: manager.c:2618 authenticate: 108.171.240.58 failed to authenticate as 'hudpro'

I assume this is something coming from the PBX? When I see this username it reminds me of the old HUD server we ran 5 years ago on the old Trixbox PBX.

You need an effective firewall. Both you and LINDELLENGINEERING (108.171.240.58/29) are victims of not being “well prepared” virgins.

Fail2ban and a well constructed underlying set of iptables rules will so protect you. Only allow trusted hosts into your machine.

dicko
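As an added example (not from this thread and not fail2ban's own asterisk filter), the Python below applies the kind of rule dicko recommends to the log lines quoted above: it pulls the source address out of the Asterisk manager.c/acl.c failure lines and flags an IP once it has hit a retry count inside a time window, which is what a fail2ban jail does before handing the address to iptables. The regexes are written against the line shapes quoted in this thread and are an assumption for other Asterisk versions; note that the chan_sip "Failed to authenticate device" line carries no address, so an IP-based rule has nothing to act on there.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# Asterisk NOTICE line, as quoted in the thread: [ts] NOTICE[pid][call-id?]: file.c:NNN func: message
LOG_LINE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\](?:\[[^\]]+\])?: \S+ \w+: (?P<msg>.*)$")
# Message forms from the thread that carry a source address (manager.c and acl.c).
FAIL_PATTERNS = [
    re.compile(rf"^(?P<ip>{IP}) (?:failed to authenticate as|tried to authenticate with nonexistent user|failed to pass IP ACL as) '"),
    re.compile(rf"^Manager User ACL: Rejecting '(?P<ip>{IP})' due to a failure to pass ACL"),
]

def parse_failure(line):
    """Return (timestamp, ip) for an auth-failure line that names a source IP, else None."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    for pat in FAIL_PATTERNS:
        f = pat.match(m["msg"])
        if f:
            return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), f["ip"]
    # The chan_sip "Failed to authenticate device ..." line has no address, so it yields nothing to ban on.
    return None

def offenders(lines, maxretry=3, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: IPs with at least maxretry failures inside one findtime window."""
    by_ip = defaultdict(list)
    for line in lines:
        hit = parse_failure(line)
        if hit:
            by_ip[hit[1]].append(hit[0])
    banned = {}
    for ip, stamps in by_ip.items():
        stamps.sort()  # log order is not guaranteed to be chronological
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= findtime:
                banned[ip] = len(stamps)  # total failures seen from this address
                break
    return banned

# Constructed sample: the six lines quoted in the thread, one per list entry.
SAMPLE = [
    "[2013-11-05 14:25:01] NOTICE[4191]: acl.c:748 ast_apply_acl: Manager User ACL: Rejecting '108.171.240.58' due to a failure to pass ACL '(BASELINE)'",
    "[2013-11-05 14:25:01] NOTICE[4191]: manager.c:2584 authenticate: 108.171.240.58 failed to pass IP ACL as 'admin'",
    "[2013-11-05 14:25:01] NOTICE[4191]: manager.c:2618 authenticate: 108.171.240.58 failed to authenticate as 'admin'",
    "[2013-11-05 15:04:01] NOTICE[1885][C-000033c5]: chan_sip.c:25282 handle_request_invite: Failed to authenticate device 1000;tag=c58ca315",
    "[2013-11-05 15:05:00] NOTICE[4359]: manager.c:2581 authenticate: 108.171.240.58 tried to authenticate with nonexistent user 'hudpro'",
    "[2013-11-05 15:05:00] NOTICE[4359]: manager.c:2618 authenticate: 108.171.240.58 failed to authenticate as 'hudpro'",
]
```

Running `offenders(SAMPLE)` on these lines returns `{'108.171.240.58': 5}`: three hits inside one second at 14:25:01 already clear the default threshold, while the chan_sip line is skipped.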

Sorry, I’m not a network security expert but I’m trying to learn here.

I’ve been looking at this

http://www.coochey.net/?p=61

but I admit it’s like voodoo magic to me.

I just don’t recall this issue from Trixbox, I guess I was just stuck with my head in the sand for 5 years and got lucky!

This was another thread I was trying to work through:

http://www.freepbx.org/forum/distro-discussion-help/hacking-important-but-fail2ban-doesnt-act-failed-to-authenticate-device

No voodoo or luck involved, the knuckledraggers are out there and they are a lot cleverer than you.

There are many, many posts on how to secure VoIP services in general and Asterisk in particular. Choose your recipe, but be aware that there are many areas to cover; the first one is to make sure your Asterisk is up to date and patched.

My preference is to use CSF as a firewall, a properly configured Fail2Ban as an IDS that works well with CSF and rkhunter to protect your ass when you blew the other two :wink: