CLI Repeat Repeat Repeat


(Edrick Smith) #1

[2018-06-12 19:12:33] WARNING[8116]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[17553]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[4843]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[28905]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[12778]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[12778]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[14920]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[20950]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[1662]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[20810]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[24033]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[5178]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[30275]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[14604]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[30275]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[4721]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[18980]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[11250]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[7316]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[7316]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[8116]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[17553]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[4843]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[28905]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[12778]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[14530]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[14920]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[20950]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[1662]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[20810]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[24033]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[5178]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs
[2018-06-12 19:12:33] WARNING[14604]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs

This just floods the Asterisk CLI. What can I do to stop it?


(Edrick Smith) #2

So being that it’s related to external traffic trying to hammer the FreePBX box, what is the best way to set up some type of rule that would block access after a few failed attempts at registering an extension? The box needs to be port forwarded for chan_sip and pj_sip for remote devices that are at a site with dynamic IP addresses and soft phones through iOS.


(Dave Burgess) #3

Do you have “anonymous” access turned on? Hopefully not.

Turn on the Integrated Firewall and set up your internal and public zones. If you do not have phones calling in from the Internet, turn off ports 5060 and 5160 in the “public” zone and only allow access to these ports from your internal network and your ITSP.


(Edrick Smith) #4

The firewalls have been properly configured, anonymous access is not turned on. It’s all properly configured; we do have a remote extension and a soft phone on cell phones. I’m getting so annoyed; all three FreePBX boxes have this and it just freaking crams the CLI so I can’t do any work on monitoring. Thousands of entries. What is allowing FreePBX to continuously allow these boxes to get hammered? I enabled all the firewall and responsive firewall settings I could find.


#5

I would expect Fail2ban (if installed and properly configured) to take care of this, unless the attackers are somehow sourcing the attempts from a huge number of different IP addresses (big botnet). Is it running? Are addresses getting banned? Do you see further requests from addresses listed as banned?

Is it feasible to change pjsip bind port from 5060 to a randomly chosen value? (This would require changing each extension to register to the new port number.)


(Edrick Smith) #6

[root@freepbx ~]# service fail2ban status
Systemd shim for fail2ban running ‘/usr/sbin/systemctl status fail2ban’
● fail2ban.service - Fail2Ban Service
Loaded: loaded (/usr/lib/systemd/system/fail2ban.service; disabled; vendor preset: disabled)
Active: active (running) since Mon 2018-06-18 13:23:03 EDT; 3 days ago
Main PID: 1856 (fail2ban-server)
CGroup: /system.slice/fail2ban.service
├─1856 /usr/bin/python /usr/bin/fail2ban-server -b -s /var/run/fail2ban/fail2ban.sock -p /var/run/fail2ban/fail2ban.pid -x
└─1860 /usr/libexec/gam_server

Jun 18 13:23:02 freepbx.sangoma.local systemd[1]: Starting Fail2Ban Service…
Jun 18 13:23:03 freepbx.sangoma.local fail2ban-client[1852]: 2018-06-18 13:23:03,028 fail2ban.server [1854]: INFO Starting Fail2ban v0.8.14
Jun 18 13:23:03 freepbx.sangoma.local fail2ban-client[1852]: 2018-06-18 13:23:03,028 fail2ban.server [1854]: INFO Starting in daemon mode
Jun 18 13:23:03 freepbx.sangoma.local systemd[1]: Started Fail2Ban Service.
[root@freepbx ~]#


#7

Fail2ban cannot catch anonymous connections; there won’t be any log entry to get the IP address. Make sure you have regexes to catch pjsip as well as chan_sip.

https://issues.freepbx.org/plugins/servlet/mobile#issue/FREEPBX-11575


(Edrick Smith) #8

So what’s allowing these anonymous connections? I don’t have it enabled for SIP. What do I do to stop the machines from being hammered by endless requests like this?


#9

Sorry, I can’t help there; the link I posted shows it still unresolved for your system. I don’t have pjsip open on 5060, and

[2018-06-12 19:12:33] WARNING[8116]: res_pjsip_registrar.c:963 registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs

does not have an IP address (<HOST> in fail2ban speak) to ban in it.
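
Added example (not part of any post in this thread, and not fail2ban's or FreePBX's own code): why the warning quoted above gives a fail2ban jail nothing to act on. The failregex, the IPv4-only stand-in for `<HOST>`, and the second log line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Simplified stand-in for fail2ban's <HOST> tag: IPv4 only (assumption for this example).
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Hypothetical failregex for this example, not fail2ban's shipped Asterisk filter.
FAILREGEX = [r"Request '\w+' from '[^']*' failed for '<HOST>:\d+'"]
COMPILED = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]

# The warning from the thread, verbatim: it names the endpoint but no source address.
PAGE_LINE = ("[2018-06-12 19:12:33] WARNING[8116]: res_pjsip_registrar.c:963 "
             "registrar_on_rx_request: Endpoint ‘anonymous’ has no configured AORs")

# Constructed line that does carry a source address (documentation range 198.51.100.0/24).
CONSTRUCTED_LINE = ("[2018-06-12 19:12:34] NOTICE[8116]: res_pjsip/pjsip_distributor.c:1 "
                    "log_failed_request: Request 'REGISTER' from '<sip:100@198.51.100.7>' "
                    "failed for '198.51.100.7:5071' - No matching endpoint found")


def extract_host(line):
    """Return the address a jail could ban for this line, or None if there is none."""
    for rx in COMPILED:
        m = rx.search(line)
        if m:
            return m.group("host")
    return None


def triage(lines, maxretry=3):
    """Split a log into addresses that reach maxretry and lines with nothing to ban."""
    hits = Counter()
    no_host = 0
    for line in lines:
        host = extract_host(line)
        if host:
            hits[host] += 1
        else:
            no_host += 1
    banned = sorted(h for h, n in hits.items() if n >= maxretry)
    return banned, no_host


if __name__ == "__main__":
    # 33 copies of the thread's warning plus 3 constructed failures from one address.
    sample = [PAGE_LINE] * 33 + [CONSTRUCTED_LINE] * 3
    print(triage(sample))
```

The count of lines without an address is the part of the flood that log-based banning cannot reduce, whatever `maxretry` is set to.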


(Edrick Smith) #10

So this seems to be a big security issue, is it not? Something that FreePBX engineers should resolve? Who’s to blame here? There’s quite a few users who have 5060 open to the outside world so their systems function properly.


#11

No blame likely, but I have always been a proponent of never using 5000-5199 for any SIP connections; that’s where they all come from, less so when not the “well known ports” 5060, 5061, 5160 et al., but ‘they’ do scan these ports regularly, and yes, I’ve watched it for years. It’s trivial to enforce, but you might need a firewall translation rule or two for those ISPs who refuse to allow anything but 5060.

It’s the same reason that no sane admin still uses 22 for ssh.


(Edrick Smith) #12

At least with ssh and other protocols you can enable something that locks out brute force attempts. Whereas there’s nothing here to stop someone from hammering the PJSIP, as fail2ban is failing to ban.


#13

You can do that, but then you are just another rabbit, and the foxes are really quite clever: they ‘profile’ briefly in a “drive by”; if a pattern is discerned, they will hand off your IP to ‘secondary inspection’, so 22, 5060, 80, 443, 2002, 5038, 3306, even if they are not open, is a fingerprint that can send your IP to the clever Palestinian who specializes in Asterisk systems. Just because I am paranoid, it doesn’t mean they are not “out to get me”.

JM2CWAE