CDR question

Hello all,

I just canged from trixbox to FreePBX and I have noticed something odd in my CDR. I do not have an extension 1000 nor have I setup any external SIP users so I’m a little confused by this. I did change all of my passwords when I rebuilt my server, including the account name and password for my VoIP provider. Here is what I am seeing:

5/22/2012 2:33 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000057 Answer 0 0 ANSWERED 3 1337671981 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000055 Answer 0 0 ANSWERED 3 1337671980 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000056 Answer 0 0 ANSWERED 3 1337671980 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000053 Answer 0 0 ANSWERED 3 1337671979 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000054 Answer 0 0 ANSWERED 3 1337671979 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000052 Answer 0 0 ANSWERED 3 1337671978 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000050 Answer 0 0 ANSWERED 3 1337671977 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000051 Answer 1 0 ANSWERED 3 1337671977 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-0000004e Answer 0 0 ANSWERED 3 1337671976 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-0000004f Answer 1 1 ANSWERED 3 1337671976 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-0000004c Answer 0 0 ANSWERED 3 1337671975 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-0000004d Answer 1 1 ANSWERED 3 1337671975 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-0000004a Answer 0 0 ANSWERED 3 1337671974 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-0000004b Answer 1 1 ANSWERED 3 1337671974 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000048 Answer 0 0 ANSWERED 3 1337671973 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000049 Answer 1 1 ANSWERED 3 1337671973 5/22/2012 2:32 1000 <1000> 1000 s from-sip-external SIP/MyPublicIP-00000046 Answer 0 0 ANSWERED 3 1337671972
calldate clid src dst dcontext channel dstchannel lastapp lastdata duration billsec disposition amaflags accountcode uniqueid userfield
... it goes for about 50 lines.

So far it has happened at the same time every morning. I have reset my SIP account information again to see if it stops but I have not seen any coorsponding entries in the CDR’s at my VoIP provider. Any ideas?

Thanks,

Tom

Looks like someone is trying to flood you.

Use and install fail2ban

If you want to be affirmative its a flood, pull out some SIP debug messages and post it here perhaps.

Thanks for the reply! Could you point me to instructions for using fail2ban with FreePBX. Also, do you know if it conflicts with Advanced Policy Firewall & Brute Force Detection?

You don’t want to run both. Personally I think BFD is better.

Make sure that you are hitting your rules in BFD. The messages have changed in recent Asterisk so if you are using the old Engineer Tim rules you need to update.

Scott

Thanks for the reply Scott! I am using the old Engineer Tim rules. Do you know if there is a FAQ or step-by-step with current information?

Tom

No, I have not had a chance. Its well documented if you take a stab at it we can all chip in and help.

I appreciate the offer! Here is what I have in bfd.conf:

#!/bin/bash

BFD 1.5 [email protected]

Copyright © 1999-2012, R-fx Networks [email protected]

Copyright © 2012, Ryan MacDonald [email protected]

This program may be freely redistributed under the terms of the GNU GPL

NOTE: This file should be edited with word/line wrapping off,

if your using pico please start it with the -w switch.

(e.g: pico -w filename)

how many failure events must an address have before being blocked?

you can override this on a per rule basis in /usr/local/bfd/rules/

TRIG=“5”

send email alerts for all events [0 = off; 1 = on]

EMAIL_ALERTS=“1”

local user or email address alerts are sent to (separate multiple with comma)

EMAIL_ADDRESS="[email protected]"

subject of email alerts

EMAIL_SUBJECT=“Brute Force Warning for $HOSTNAME”

executable command to block attacking hosts

BAN_COMMAND="/etc/apf/apf -d $ATTACK_HOST {bfd.$MOD}"

You should not need to edit any options below this line

installation path

INSTALL_PATH="/usr/local/bfd"

rule files path

RULES_PATH="$INSTALL_PATH/rules"

track log script path

TLOG_PATH="$INSTALL_PATH/tlog"

syslog kernel log path

KERNEL_LOG_PATH="/var/log/messages"

syslog auth log path

AUTH_LOG_PATH="/var/log/secure"

bfd application log path

BFD_LOG_PATH="/var/log/bfd_log"

log all events to syslog [0 = off; 1 = on]

OUTPUT_SYSLOG=“1”

log file path for syslog logging

OUTPUT_SYSLOG_FILE="$KERNEL_LOG_PATH"

template of the email message body

EMAIL_TEMPLATE="$INSTALL_PATH/alert.bfd"

contains list of files to search for addresses that are excluded from bans

IGNORE_HOST_FILES="$INSTALL_PATH/exclude.files"

grab the local time zone

TIME_ZONE=date +"%z"

grab the local unix time

TIME_UNIX=date +"%s"

lock file path

LOCK_FILE="$INSTALL_PATH/lock.utime"

lock file timeout

LOCK_FILE_TIMEOUT=“300”

And here are the PBX rules:
asterisk_badauth

failed logins from a single address before ban

uncomment to override conf.bfd trig value

TRIG=“10”

file must exist for rule to be active

REQ="/usr/sbin/asterisk"

if [ -f “$REQ” ]; then
LP="/var/log/asterisk/full"
TLOG_TF=“asterisk"
TMP=”/usr/local/bfd/tmp"

## ASTERISK BADAUTH
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF |grep "Wrong password" /var/log/asterisk/full | awk '{NF=NF-3} { print $NF}'| tr -d '\'\' `

fi

asterisk_iax

failed logins from a single address before ban

uncomment to override conf.bfd trig value

TRIG=“10”

file must exist for rule to be active

REQ="/usr/sbin/asterisk"

if [ -f “$REQ” ]; then
LP="/var/log/asterisk/full"
TLOG_TF=“asterisk.iax"
TMP=”/usr/local/bfd/tmp"

## ASTERISK: IAX2 auth failed
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "failed MD5 authentication" | grep chan_iax2 | awk '{NF=NF-8} {print $NF}'`

fi

asterisk_nopeer

failed logins from a single address before ban

uncomment to override conf.bfd trig value

TRIG=“10”

file must exist for rule to be active

REQ="/usr/sbin/asterisk"

if [ -f “$REQ” ]; then
LP="/var/log/asterisk/full"
TLOG_TF=“asterisk_nopeer"
TMP=”/usr/local/bfd/tmp"

## ASTERISK NOPEER
ARG_VAL=`$TLOG_PATH $LP $TLOG_TF | grep -i "No matching peer found" | grep chan_sip | awk '{NF=NF-5} {print $NF}'| tr -d '\'\'`

fi

Here is a snippet of my log:

[2012-05-25 08:01:22] VERBOSE[-1] netsock2.c: == Using SIP RTP TOS bits 184
[2012-05-25 08:01:22] VERBOSE[-1] netsock2.c: == Using SIP RTP CoS mark 5
[2012-05-25 08:01:22] VERBOSE[-1] pbx.c: – Executing [972595637212@from-sip-external:1] NoOp(“SIP/MyPublicIP-00000073”, “Received incoming SIP connection from unknown peer to 972595637212”) in new stack
[2012-05-25 08:01:22] VERBOSE[-1] pbx.c: – Executing [972595637212@from-sip-external:2] Set(“SIP/MyPublicIP-00000073”, “DID=972595637212”) in new stack
[2012-05-25 08:01:22] VERBOSE[-1] pbx.c: – Executing [972595637212@from-sip-external:3] Goto(“SIP/MyPublicIP-00000073”, “s,1”) in new stack
[2012-05-25 08:01:22] VERBOSE[-1] pbx.c: – Goto (from-sip-external,s,1)
[2012-05-25 08:01:22] VERBOSE[-1] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/MyPublicIP-00000073”, “0?checklang:noanonymous”) in new stack
[2012-05-25 08:01:22] VERBOSE[-1] pbx.c: – Goto (from-sip-external,s,5)
[2012-05-25 08:01:22] VERBOSE[-1] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/MyPublicIP-00000073”, “TIMEOUT(absolute)=15”) in new stack
[2012-05-25 08:01:22] VERBOSE[-1] func_timeout.c: Channel will hangup at 2012-05-25 08:01:37.631 CDT.
[2012-05-25 08:01:22] VERBOSE[-1] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/MyPublicIP-00000073”, “”) in new stack
[2012-05-25 08:01:23] VERBOSE[-1] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on ‘SIP/MyPublicIP-00000073’
[2012-05-25 08:01:23] VERBOSE[-1] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/MyPublicIP-00000073”, “”) in new stack
[2012-05-25 08:01:23] VERBOSE[-1] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/MyPublicIP-00000073’
[2012-05-25 08:01:24] VERBOSE[-1] netsock2.c: == Using SIP RTP TOS bits 184
[2012-05-25 08:01:24] VERBOSE[-1] netsock2.c: == Using SIP RTP CoS mark 5
[2012-05-25 08:01:24] VERBOSE[-1] pbx.c: – Executing [011972595637212@from-sip-external:1] NoOp(“SIP/MyPublicIP-00000074”, “Received incoming SIP connection from unknown peer to 011972595637212”) in new stack
[2012-05-25 08:01:24] VERBOSE[-1] pbx.c: – Executing [011972595637212@from-sip-external:2] Set(“SIP/MyPublicIP-00000074”, “DID=011972595637212”) in new stack
[2012-05-25 08:01:24] VERBOSE[-1] pbx.c: – Executing [011972595637212@from-sip-external:3] Goto(“SIP/MyPublicIP-00000074”, “s,1”) in new stack
[2012-05-25 08:01:24] VERBOSE[-1] pbx.c: – Goto (from-sip-external,s,1)
[2012-05-25 08:01:24] VERBOSE[-1] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/MyPublicIP-00000074”, “0?checklang:noanonymous”) in new stack
[2012-05-25 08:01:24] VERBOSE[-1] pbx.c: – Goto (from-sip-external,s,5)
[2012-05-25 08:01:24] VERBOSE[-1] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/MyPublicIP-00000074”, “TIMEOUT(absolute)=15”) in new stack
[2012-05-25 08:01:24] VERBOSE[-1] func_timeout.c: Channel will hangup at 2012-05-25 08:01:39.741 CDT.
[2012-05-25 08:01:24] VERBOSE[-1] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/MyPublicIP-00000074”, “”) in new stack
[2012-05-25 08:01:25] VERBOSE[-1] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on ‘SIP/MyPublicIP-00000074’
[2012-05-25 08:01:25] VERBOSE[-1] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/MyPublicIP-00000074”, “”) in new stack
[2012-05-25 08:01:25] VERBOSE[-1] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/MyPublicIP-00000074’
[2012-05-25 08:01:26] VERBOSE[-1] netsock2.c: == Using SIP RTP TOS bits 184
[2012-05-25 08:01:26] VERBOSE[-1] netsock2.c: == Using SIP RTP CoS mark 5
[2012-05-25 08:01:26] VERBOSE[-1] pbx.c: – Executing [9011972595637212@from-sip-external:1] NoOp(“SIP/MyPublicIP-00000075”, “Received incoming SIP connection from unknown peer to 9011972595637212”) in new stack
[2012-05-25 08:01:26] VERBOSE[-1] pbx.c: – Executing [9011972595637212@from-sip-external:2] Set(“SIP/MyPublicIP-00000075”, “DID=9011972595637212”) in new stack
[2012-05-25 08:01:26] VERBOSE[-1] pbx.c: – Executing [9011972595637212@from-sip-external:3] Goto(“SIP/MyPublicIP-00000075”, “s,1”) in new stack
[2012-05-25 08:01:26] VERBOSE[-1] pbx.c: – Goto (from-sip-external,s,1)
[2012-05-25 08:01:26] VERBOSE[-1] pbx.c: – Executing [s@from-sip-external:1] GotoIf(“SIP/MyPublicIP-00000075”, “0?checklang:noanonymous”) in new stack
[2012-05-25 08:01:26] VERBOSE[-1] pbx.c: – Goto (from-sip-external,s,5)
[2012-05-25 08:01:26] VERBOSE[-1] pbx.c: – Executing [s@from-sip-external:5] Set(“SIP/MyPublicIP-00000075”, “TIMEOUT(absolute)=15”) in new stack
[2012-05-25 08:01:26] VERBOSE[-1] func_timeout.c: Channel will hangup at 2012-05-25 08:01:41.950 CDT.
[2012-05-25 08:01:26] VERBOSE[-1] pbx.c: – Executing [s@from-sip-external:6] Answer(“SIP/MyPublicIP-00000075”, “”) in new stack
[2012-05-25 08:01:27] VERBOSE[-1] pbx.c: == Spawn extension (from-sip-external, s, 6) exited non-zero on ‘SIP/MyPublicIP-00000075’
[2012-05-25 08:01:27] VERBOSE[-1] pbx.c: – Executing [h@from-sip-external:1] Hangup(“SIP/MyPublicIP-00000075”, “”) in new stack
[2012-05-25 08:01:27] VERBOSE[-1] pbx.c: == Spawn extension (from-sip-external, h, 1) exited non-zero on ‘SIP/MyPublicIP-00000075’

I just noticed that fail2ban is installed, is that a default for the FreePBX distro? Would “yum remove fail2ban” work to uninstall it?

I did a little research and removed fail2ban.

For anyone else that is wondering I got this reply from Ryan M. from R-FXNetworks. I believe that he write Brute Force Detection.

“Public release of BFD has asterisk rules included now, so you should be good to go.”

So after further research it seems that FreePBX did have intrusion detection installed by default that can be accessed by going to Admin -> System Admin -> Intrusion Detection and it looks like it was setup to use Fail2Ban. That, of course, doesn’t work for me as I uninstalled Fail2Ban. So now I’m just going to hope BFD takes care of it.

Thanks,

Tom

How is BFD installed? I installed a fresh copy of AsteriskONE 2.0.2 32-bit and I don’t have the System Admin submenu (Indicated in the previous post) under the Admin menu. Seems that I need to install an extra module.

Not sure what AsteriskONE is. Are you speaking of Asterisk now?

Only the FreePBX Distro includes the sysadmin module. It’s not BFD it’s Fail2ban , same concept.