Best way to block malicious IP Host when using Firewall Module?

adolfoc · March 2, 2016, 4:12pm

Background:

I’m using FreePBX 13, and I have the firewall module installed.
I have FreePBX in a hosted VMS environment.
I have the Responsive Firewall disabled, and have whitelisted the IPs where my phones and SIP trunks are located.
Filter Type is set to reject.

I also have the Intrusion Detection module running with a max retry of 1, find time of 600, and ban time of 86400.

However in watching the asterisk console in realtime, I see several attempts from IPs (“Friendly scanners”) trying to make SIP connections. Fail2ban IDS does not seem to ban these IPs, nor does the Firewall block attacker or Rate Limited Host.

Question:
Since I’m running both Intrusion Detection and the Firewall… what is the best way to block a known offending IP Host?

Can I insert an iptables entry “iptables -A INPUT -s [badhostIP] -j DROP” ?
Does putting the host in the Firewall Blacklist Zone work, even though I’m not using a responsive firewall?
(or is the Blacklist Zone ignored unless you use a responsive firewall?)
Should I change my Firewall filter type to DROP instead of REJECT?

adolfoc · March 9, 2016, 6:14pm

So for example, I’m getting hit right now from a couple of IPs… but the FreePBX IDS and the Firewall aren’t blocking these IPs… they are blocking others… but not these:

[2016-03-09 12:01:51] NOTICE[2423] chan_sip.c: Registration from '"41" <sip:41@MYPBXIP:5060>' failed for '190.75.143.13:5075' - Wrong password
[2016-03-09 12:02:18] VERBOSE[1817] asterisk.c: -- Remote UNIX connection
[2016-03-09 12:02:19] WARNING[2423] chan_sip.c: Retransmission timeout reached on transmission 3270dc4e5a3c56cd4045ce1f6f62ae26@[::1]:5060 for seqno 102 (Critical Request) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
[2016-03-09 12:02:20] WARNING[2423] chan_sip.c: Retransmission timeout reached on transmission 5a67b65121d63657760d17f33bc17e43@[::1]:5060 for seqno 102 (Critical Request) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2016-03-09 12:02:25] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:222@MYPBXIP:5060>' failed for '190.75.143.13:5078' - Wrong password
[2016-03-09 12:02:29] NOTICE[2423] chan_sip.c: Registration from '"343434" <sip:343434@MYPBXIP:5060>' failed for '190.75.143.13:5066' - Wrong password
[2016-03-09 12:02:37] NOTICE[2423] chan_sip.c: Registration from '"444555" <sip:444555@MYPBXIP:5060>' failed for '190.75.143.13:5069' - Wrong password
[2016-03-09 12:02:39] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:8006@MYPBXIP:5060>' failed for '190.75.143.13:5071' - Wrong password
[2016-03-09 12:03:17] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:222@MYPBXIP:5060>' failed for '190.75.143.13:5068' - Wrong password
[2016-03-09 12:03:35] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:8006@MYPBXIP:5060>' failed for '190.75.143.13:5075' - Wrong password
[2016-03-09 12:03:45] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:222@MYPBXIP:5060>' failed for '190.75.143.13:5066' - Wrong password
[2016-03-09 12:03:48] NOTICE[2423] chan_sip.c: Registration from '"3388" <sip:3388@MYPBXIP:5060>' failed for '190.75.143.13:5064' - Wrong password
[2016-03-09 12:04:13] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:222@MYPBXIP:5060>' failed for '190.75.143.13:5063' - Wrong password
[2016-03-09 12:04:19] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:222@MYPBXIP:5060>' failed for '190.75.143.13:5071' - Wrong password
[2016-03-09 12:04:35] NOTICE[2423] chan_sip.c: Registration from '"9922" <sip:9922@MYPBXIP:5060>' failed for '190.75.143.13:5066' - Wrong password
[2016-03-09 12:04:45] VERBOSE[3033][C-00000000] pbx.c: -- Executing [9900972595183134@from-trunk:2] Log("SIP/MYPBXIP-00000000", "WARNING,Friendly Scanner from 89.163.242.32") in new stack
[2016-03-09 12:04:45] WARNING[3033][C-00000000] Ext. 9900972595183134: Friendly Scanner from 89.163.242.32
[2016-03-09 12:04:54] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:8006@MYPBXIP:5060>' failed for '190.75.143.13:5088' - Wrong password
[2016-03-09 12:05:10] NOTICE[2423] chan_sip.c: Registration from '"444555" <sip:444555@MYPBXIP:5060>' failed for '190.75.143.13:5079' - Wrong password
[2016-03-09 12:05:17] WARNING[2423] chan_sip.c: Retransmission timeout reached on transmission 4fc05a33f7498cceb2d136b51acd82f1 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 32000ms with no response
[2016-03-09 12:05:27] NOTICE[2423] chan_sip.c: Registration from '"343434" <sip:343434@MYPBXIP:5060>' failed for '190.75.143.13:5081' - Wrong password
[2016-03-09 12:05:41] NOTICE[2423] chan_sip.c: Registration from '"3388" <sip:3388@MYPBXIP:5060>' failed for '190.75.143.13:5067' - Wrong password
[2016-03-09 12:05:47] VERBOSE[3125][C-00000001] pbx.c: -- Executing [200011972598727607@from-trunk:2] Log("SIP/MYPBXIP-00000001", "WARNING,Friendly Scanner from 89.163.242.74") in new stack
[2016-03-09 12:05:47] WARNING[3125][C-00000001] Ext. 200011972598727607: Friendly Scanner from 89.163.242.74
[2016-03-09 12:06:18] NOTICE[2423] chan_sip.c: Registration from '"3388" <sip:3388@MYPBXIP:5060>' failed for '190.75.143.13:5077' - Wrong password
[2016-03-09 12:06:19] WARNING[2423] chan_sip.c: Retransmission timeout reached on transmission 369e23e5460b8265286e3d663e058e55 for seqno 1 (Critical Response) -- See https://wiki.asterisk.org/wiki/display/AST/SIP+Retransmissions
Packet timed out after 31999ms with no response
[2016-03-09 12:06:46] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:8006@MYPBXIP:5060>' failed for '190.75.143.13:5080' - Wrong password
[2016-03-09 12:06:55] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:8006@MYPBXIP:5060>' failed for '190.75.143.13:5085' - Wrong password
[2016-03-09 12:07:03] NOTICE[2423] chan_sip.c: Registration from '"3388" <sip:3388@MYPBXIP:5060>' failed for '190.75.143.13:5073' - Wrong password
[2016-03-09 12:07:21] NOTICE[2423] chan_sip.c: Registration from '"9922" <sip:9922@MYPBXIP:5060>' failed for '190.75.143.13:5067' - Wrong password
[2016-03-09 12:07:50] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:8006@MYPBXIP:5060>' failed for '190.75.143.13:5086' - Wrong password
[2016-03-09 12:07:53] NOTICE[2423] chan_sip.c: Registration from '"9922" <sip:9922@MYPBXIP:5060>' failed for '190.75.143.13:5082' - Wrong password
[2016-03-09 12:08:04] NOTICE[2423] chan_sip.c: Registration from '"9922" <sip:9922@MYPBXIP:5060>' failed for '190.75.143.13:5061' - Wrong password
[2016-03-09 12:08:23] NOTICE[2423] chan_sip.c: Registration from '"3388" <sip:3388@MYPBXIP:5060>' failed for '190.75.143.13:5064' - Wrong password
[2016-03-09 12:08:40] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:222@MYPBXIP:5060>' failed for '190.75.143.13:5070' - Wrong password
[2016-03-09 12:09:05] NOTICE[2423] chan_sip.c: Registration from '"222" <sip:222@MYPBXIP:5060>' failed for '190.75.143.13:5068' - Wrong password
[2016-03-09 12:09:10] NOTICE[2423] chan_sip.c: Registration from '"8006" <sip:8006@MYPBXIP:5060>' failed for '190.75.143.13:5071' - Wrong password
[2016-03-09 12:09:55] NOTICE[2423] chan_sip.c: Registration from '"444555" <sip:444555@MYPBXIP:5060>' failed for '190.75.143.13:5078' - Wrong password

adolfoc · March 9, 2016, 8:33pm

So the firewall finally blocked these IPs… but it’s been 2.5 hours since.
Is there a threshold that I can set to be more aggressive?

adolfoc · October 5, 2017, 4:26pm

It’s been a while… and sorry to bring up something that probably comes up very often…
Several of my PBXes have been blocking IPs from familiar actors. One IP in particular I’ve been getting almost daily fail2ban alerts for over 2 months. So fail2ban is working… but I’m afraid of the potential exposure or load on the PBXes. I had one PBX put under a DDoS attack a few months ago (thousands of different IP addresses making several different attempts) and it overloaded fail2ban and eventually I just had to shutdown the PBX for a while.

What is the best way to permanently ban a list some IP addresses?

Has anyone used blocklists like abuseipdb.com and voipbl.org with FreePBX?

lgaetz · October 5, 2017, 4:51pm

Blacklist is available in Firewall:
https://wiki.freepbx.org/display/FPG/Firewall+Blacklist

Repeated fail2ban interceptions indicates a firewall misconfig (or extremely strict fail2ban settings). Are you sure you have your Firewall configured correctly?

adolfoc · October 5, 2017, 5:00pm

I have the Intrusion Detection (fail2ban) module running with a max retry of 1, find time of 600, and ban time of 86400.

For the System Firewall, Responsive Firewall is turned off, and I have all my known hosts in Trusted Zones.

Can I use the Firewall Blacklist when Responsive Firewall is off?
I thought the System Firewall should deny by default unless Responsive Firewall is turned on?

lgaetz · October 5, 2017, 5:02pm

Yes.

It does, further evidence your Firewall is mis-configured. What zone do you have your interface(s) in?

adolfoc · October 5, 2017, 5:03pm

Only one eth0 interface in Internet (Default Firewall) zone.