Basic security

Running FreePBX v2.7.0.5, Asterisk 1.5.

Have configured a static IP behind Linksys WRT45G router, enabled port forwarding for both HTTP and UDP to allow for both remote SIP extensions and admin tasks. Router’s firewall is enabled.

I have used FreePBX web tool to review Asterisk Logfile and see no calls to numbers that I don’t recognize. Nevertheless, reading about extension hijacking and other security issues has me concerned. I have as yet found no concise, clear description of how to secure FreePBX web GUI, etc., by changing password, etc.

Can anyone comment about the easiest, most straightforward way to ensure system security?

Thanks,
Tom Nall
Illinois

…from holiday, so apologies for the late response.

I’m going to try fail2ban first as although it may be old it is tried and tested. If it fails (no pun intended) to deliver the goods, then I’ll look into APF with the BFD module.

SSH is masqueraded on our PBXs with a non-standard port forwarded to port 22, however, I’ve not had any success using this method for SIP 5060. One of the major problems is some of the external devices cannot change the port they connect on, such as BRIA iPhone clients, so we have to keep the external port at 5060. If fail2ban blacklists any brute-force attacks then this shouldn’t be too much of an issue.

Thanks again guys

Wil

Fail2ban working ok. Only question is behavior with remote extensions; will check this evening.
Thanks,
Tom Nall
Crystal Lake, IL.

Look into port forwarding through SSH (you are using SSH right?!), then you can close that port in your router. Not only can we forward HTTP from our Asterisk system to our local computer, but we can also forward to other computers/phones/equipment on the remote network, and any port. On our systems that do not have remote extensions or trunks, the only port we have open is for SSH. Just make sure you tighten up security with SSH. Use public/private keys. Only allow login with keys, etc. Also, as you stated, make sure you have very strong passwords for remote extensions. I would also recommend setting up Fail2Ban (perhaps BFD, but I have no experience with it…yet) for SSH and Asterisk.

Just my $.02

In my opinion fail2ban is a bit long in the tooth.

The BFD ‘brute force detection’ module for APF firewall is easier to install and configure. The APF firewall is also the simplest iptables based stateful firewall.

www.engineertim.com has a great blog with sample bfd scripts.

Somewhere on the web Kerry Garrison wrote step by step APF install guide that works great.

…quick response guys, much appreciated :slight_smile:

I’ll be implementing fail2ban shortly. I’ve read very good things about it.

Cheers!

Wil

You may also want to look into installing Fail2Ban which will scan your Asterisk logs for any potential brute force attacks on your extensions and ban any attackers. You can read more about implementing Fail2Ban with Asterisk here:
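As an added illustration (not from the original post and not fail2ban's own code), this is the kind of check fail2ban performs on an Asterisk log: count failed SIP registrations per source address inside a time window and flag addresses that exceed a retry threshold, mirroring fail2ban's maxretry/findtime options. The log lines are constructed samples in the chan_sip "Registration from ... failed for" format, and the threshold values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the style of chan_sip failed-registration notices:
# one client mistypes a password twice, one address hammers several extensions.
SAMPLE_LOG = """\
[Sep  9 10:12:31] NOTICE[2314] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '203.0.113.25' - Wrong password
[Sep  9 10:12:32] NOTICE[2314] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '192.0.2.44' - Wrong password
[Sep  9 10:12:32] NOTICE[2314] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '192.0.2.44' - Wrong password
[Sep  9 10:12:33] NOTICE[2314] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '192.0.2.44' - No matching peer found
[Sep  9 10:12:34] NOTICE[2314] chan_sip.c: Registration from '"102" <sip:102@198.51.100.7>' failed for '192.0.2.44' - No matching peer found
[Sep  9 10:12:35] NOTICE[2314] chan_sip.c: Registration from '"103" <sip:103@198.51.100.7>' failed for '192.0.2.44:5060' - No matching peer found
[Sep  9 10:40:02] NOTICE[2314] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '203.0.113.25' - Wrong password
"""

# Source address may carry a ':port' suffix in newer Asterisk builds; it is stripped.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.*)$"
)

def parse_failures(log_text, year=2010):
    """Yield (timestamp, source_ip, reason) for each failed-registration notice."""
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if not m:
            continue
        # Asterisk 1.x stamps carry no year; an assumed year makes them comparable.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["reason"]

def find_offenders(log_text, maxretry=3, findtime_s=600):
    """Return {ip: total_failures} for addresses with >= maxretry failures within findtime_s seconds."""
    per_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(log_text):
        per_ip[ip].append(ts)
    offenders = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):       # sliding window over sorted timestamps
            while (stamps[end] - stamps[start]).total_seconds() > findtime_s:
                start += 1
            if end - start + 1 >= maxretry:
                offenders[ip] = len(stamps)
                break
    return offenders

if __name__ == "__main__":
    for ip, count in find_offenders(SAMPLE_LOG).items():
        print(f"ban candidate {ip}: {count} failed registrations")
```

Two wrong passwords half an hour apart from the same client stay below the threshold, while the address that fails across five extensions in four seconds is flagged.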

Hi Tom

I too am getting these messages in my daily logwatch reports. Did you ever find out what they mean?

Kind regards

Wil

Hi Wil,

I never did find out what this exactly means, but then neither of our 3 systems has been hacked - no hackers have established extensions and hijacked service.

Shortly after this post (9/9/10) we instituted strong extension and main (GUI) passwords. I recommend using random.org to generate at least 12 character alphanumeric strings for your passwords.

Best regards,
Tom

Inspecting Asterisk file /var/mail/root I find instances of:
--------------------- httpd Begin ------------------------

Requests with error response codes
401 Unauthorized
/admin/config.php: 10 Time(s)
404 Not Found
/favicon.ico: 8 Time(s)
http://216.245.205.74/judge.php: 5 Time(s)
http://proxyjudge1.proxyfire.net/fastenv: 1 Time(s)

Does this mean I am being probed, but Asterisk is defeating these probes?
Thanks,
Tom Nall
Illinois