So I check the Asterisk logs and this error message keeps coming. Sometimes it lasts for 5 mins, sometimes it's 1 min. It does this several times a day. Check out the image below. The number after NOTICE outlined in the red box always seems to change, and the second item outlined in red changes as well. Does anyone know where this is coming from and how to stop it? The second IP address changes after my PBX IP. Is someone trying to access or DDoS the system? Thanks in advance!
You need to disable guest and anonymous connections and provide a functional firewall
but do you recognize any reason to accept connections from your elided 162 ip network, if not
iptables -i eth1 -A INPUT -s 18.104.22.168/8 -j DROP
would block that guy.
Looks like a hack attempt to me. Someone is trying to register their SIP device with your FreePBX by guessing the password. Make sure your passwords are strong, consider whether you want to allow random IPs to register their SIP devices, consider IP whitelisting or using a VPN. If possible, block IPs that fail to authenticate 5 times in a row. It’s best to stop this activity so they don’t eventually guess the right password.
If you’re using a recent version (which you failed to mention), the firewalls built into FreePBX would also help stop this type of activity.
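A small defender-side check in the spirit of the "block IPs that fail to authenticate 5 times" advice above, added here as an example and not code from the thread: it parses Asterisk chan_sip registration-failure NOTICE lines (the message format is assumed to match Asterisk 11's chan_sip output, since the screenshot's exact text is not on the page), counts failures per source IP over constructed sample lines, and builds the kind of single-host DROP rule suggested earlier. Fail2Ban does the same job automatically when it is running.

```python
import re
from collections import Counter

# Assumed chan_sip failure line (Asterisk 11 style), e.g.:
# [ts] NOTICE[2045] chan_sip.c: Registration from '"1001" <sip:1001@host>'
#   failed for '198.51.100.7:5060' - Wrong password
FAIL_RE = re.compile(
    r"NOTICE\[\d+\] chan_sip\.c: Registration from '(?P<user>[^']*)' "
    r"failed for '(?P<ip>\d+\.\d+\.\d+\.\d+):\d+' - (?P<reason>.+)$"
)

def sample_line(secs, user, ip, reason):
    """Build one constructed log line (documentation-range addresses)."""
    return (f"[2018-03-14 10:22:{secs:02d}] NOTICE[2045] chan_sip.c: Registration from "
            f"'\"{user}\" <sip:{user}@203.0.113.5>' failed for '{ip}:5060' - {reason}")

# Constructed sample: one host hammering extension 1001, one host probing
# a non-existent peer twice, and one unrelated successful registration.
SAMPLE_LOG = "\n".join(
    [sample_line(s, "1001", "198.51.100.7", "Wrong password") for s in range(10, 16)]
    + [sample_line(20, "admin", "203.0.113.9", "No matching peer found"),
       sample_line(21, "admin", "203.0.113.9", "No matching peer found"),
       "[2018-03-14 10:22:30] VERBOSE[2045] chan_sip.c: Registered SIP '1001' at 192.0.2.10:5060"]
)

def failures_by_ip(log_text):
    """Count registration failures per source IP; non-matching lines are ignored."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts

def offenders(log_text, threshold=5):
    """IPs with at least `threshold` failures in the extract, sorted for stable output."""
    return sorted(ip for ip, n in failures_by_ip(log_text).items() if n >= threshold)

def drop_rules(ips):
    """Single-host DROP rules (a /32, not a /8, so only the offending host is blocked)."""
    return [f"iptables -A INPUT -s {ip}/32 -j DROP" for ip in ips]

if __name__ == "__main__":
    for rule in drop_rules(offenders(SAMPLE_LOG)):
        print(rule)
```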
Thanks everyone for your responses. So I agree it seems like a hacking attempt to me. “Allow Anonymous Inbound SIP Calls” is set to No. Under Chan SIP settings “Default Context” is left blank. “Allow SIP Guests” is set to No. Still getting the hack attempts on a regular basis. This is a VPBX hosted from cyberlynk. On the dashboard it shows the firewall is on and has a green check mark. Currently on Asterisk Version 11.25.1, and FreePBX 22.214.171.124. Should either of these be updated? I’m kind of new to this. Only had this system for about a month and working out the kinks.
If you have phones in the wild (changing IPs, such as softphones on laptops) you need to have SIP open to the Internet - if you only have onsite phones, you can block SIP being forwarded to the PBX and the hacking attempts will stop.
Also, make sure that Fail2Ban is working - from the CLI, “iptables -L -v” will show you if Fail2Ban is working - if it’s not, troubleshoot that also.
Finally, if you are using SIP trunking, do not assume that you have to have SIP open on the firewall. SIP Trunks that register do NOT need SIP forwarded to the PBX to work - the act of sending the registration opens the Firewall to the ITSP.
If you are using SIP trunks with IP-Authentication (They just send the traffic to your IP without registration) you still don’t have to open SIP to the world - find out where your ITSP will be sending traffic from (their IP Addresses) and ONLY open the firewall to those ports.
Make sure your responsive firewall is on. Make sure Fail2Ban is Croce and working. I would change all ports to an obscure port, along with the other recommendations.
Wouldn’t I want responsive firewall off? I did have it on before when I was getting the “Notices”. I thought the responsive firewall allowed limited registration attempts from addresses that would otherwise be blocked. I also changed the bind port to something not standard. So far this seems to be helping. I’m getting a lot fewer hacking attempts now.
I know the developers praise their responsive firewall, but I personally don’t use it; it’s off on my FreePBX. I just don’t forward ANY ports on our WAN firewall because we don’t have external IP phones that need to connect. If you have external phones, you either have to use a VPN or SSH tunnel to bypass the WAN firewall, or forward the ports and use the FreePBX responsive firewall to protect those open ports.
I also don’t use the built-in firewall, instead preferring to use SonicWALLs in front of all the assets we manage.
I think they have done some very nice work with the built-in firewall and I would use it if I didn’t already have SonicWALLs in place and my staff trained on setting them up to have any PBXs behind them.
Only enable Responsive if you need it. The ONLY use case for Responsive is for accepting registrations from remote clients where you can’t white list their host IP/FQDN in advance.