I have compiled a list of IPs from where I am getting continuous INVITE or REGISTER requests on my FreePBX host.
I suspect these are either SIP bots or some kind of SIP attack.
I have converted these individual IPs to subnets with a /16 IP range.
I have made an alias in pfSense and blocked all incoming UDP IPv4 connections in the WAN firewall.
Please let me know if any of these subnets are ISPs in your country…
Also, as a side note, I am using port 5160 instead of 5060.
whois -h whois.cymru.com ' -v 128.90.0.0/16'
AS | IP | BGP Prefix | CC | Registry | Allocated | AS Name
22363 | 128.90.0.0 | 128.90.0.0/24 | US | arin | 1987-12-03 | PHMGMT-AS1, US
You can use the ASN to check for other like-minded intrusions.
I will question where you got your arbitrary n.n.0.0/16 subnet from; almost all these n.n.0.0 are subnetted at a more granular level. For more info: https://www.team-cymru.com/ip-asn-mapping
It will reveal the subnet in which that host exists, but if you simply stop listening for connections to UDP/5060, all this crap will mostly no longer be a problem.
Why in 2023 is anyone still stuck with messing with UDP/5060 filters?
(Is your SSH service still on TCP/22? In both cases you are a sitting duck waiting to be shot.)
I am assuming that because if you were not listening to UDP/5060 you would not get any of those connections to filter; if you are, then you will need to be unnecessarily busy ;-) Does that make sense?
It would take a few more minutes to have your extensions not use 5060. That is all, then no more of that crap. Do you not understand how it works?
What if I want to filter connection to any port from those IPs given that they clearly originate malicious traffic and it takes me all of 30 seconds to make that happen?
In lieu of opening the port, have you tried Responsive Firewall? If that doesn’t work (please explain), open the random port only to the mobile carrier’s AS, rather than looking for addresses to block.
The responsive firewall is on but to me that’s still an open port. Yea it closes off for a specific connection if the connection ends up being illegitimate but the port is still open and accepting traffic and responding to requests coming in on that port for however brief a time period.
Changing from 5060 won’t make this magically go away; that’s far from a silver bullet.
Nor is a VPN; unless there is brute-force protection behind it, it will suffer the same brute-force attacks.
The responsive firewall is a critical component. We have one site with Fail2Ban email notifications and we get far, far more emails than we see responsive firewall blocks. This is concerning, and I’ve not had the energy or money to pay for support to figure out/explain what’s going on.
Not a silver bullet, but a recommended prophylactic against blunt force attacks.
Not using UDP/5060 will appear almost like magic in reducing these connections. Have you ever tried to do that?
Using a less travelled transport than UDP/5060 will always be a better choice for anyone.
F2B only looks at the log file it is told to; in your case you will see the floods of connections to port 5060 in that log file. Change the transport and do a before/after comparison; you will be surprised.
I can count on zero fingers the number of SIP exploits I have seen on Asterisk/FreePBX. In fact if you set up FreePBX in a default configuration it already has a sensible dial plan that prevents external SIP from calling out using your trunks, and it generates long SIP extension passwords. The best way to avoid SIP mishaps is to not change the defaults unless you know what you are doing. The SIP bots are just noise.
It’s all the other services that make up a FreePBX server that actually worry me.
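Added example, not part of any post in this thread: the Team Cymru lookup quoted earlier returns the BGP prefix and ASN each address is actually announced in, so this Python script parses that verbose output, groups offending IPs by announced prefix, and reports how many extra addresses a blanket /16 would cover. Apart from the 128.90.0.0 row quoted above, the sample rows and the names `parse_cymru` and `block_plan` are constructed for illustration.

```python
import ipaddress

# Constructed sample of `whois -h whois.cymru.com ' -v <ip>'` output. The first
# data row is the one quoted in the thread; the others use documentation
# address ranges and ASNs and are not real lookup results.
SAMPLE = """\
AS    | IP            | BGP Prefix       | CC | Registry | Allocated  | AS Name
22363 | 128.90.0.0    | 128.90.0.0/24    | US | arin     | 1987-12-03 | PHMGMT-AS1, US
64496 | 198.51.100.17 | 198.51.100.0/25  | ZZ | arin     | 2010-01-01 | EXAMPLE-A, ZZ
64496 | 198.51.100.90 | 198.51.100.0/25  | ZZ | arin     | 2010-01-01 | EXAMPLE-A, ZZ
64497 | 203.0.113.200 | 203.0.113.128/25 | ZZ | apnic    | 2011-01-01 | EXAMPLE-B, ZZ
NA    | 192.0.2.5     | NA               |    | other    |            | NA
"""

def parse_cymru(text):
    """Yield (asn, ip, prefix, as_name) per data row; prefix is None if unrouted."""
    for line in text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 7 or cols[0] == "AS":
            continue  # blank line, header, or malformed row
        try:
            ip = ipaddress.ip_address(cols[1])
        except ValueError:
            continue
        try:
            prefix = ipaddress.ip_network(cols[2])
        except ValueError:
            prefix = None  # "NA": no covering BGP announcement
        if prefix is not None and ip not in prefix:
            prefix = None  # do not trust a row whose IP is outside its prefix
        yield cols[0], ip, prefix, cols[6]

def block_plan(text):
    """Group offending IPs by announced prefix and size the /16 alternative."""
    plan, unrouted = {}, []
    for asn, ip, prefix, name in parse_cymru(text):
        if prefix is None:
            unrouted.append(str(ip))
            continue
        entry = plan.setdefault(str(prefix), {"asn": asn, "as_name": name, "hits": []})
        entry["hits"].append(str(ip))
        slash16 = ipaddress.ip_network(f"{ip}/16", strict=False)
        entry["extra_if_slash16"] = slash16.num_addresses - prefix.num_addresses
    return plan, unrouted

if __name__ == "__main__":
    plan, unrouted = block_plan(SAMPLE)
    for prefix, e in plan.items():
        print(prefix, f"AS{e['asn']}", e["hits"], "extra via /16:", e["extra_if_slash16"])
    print("no announced prefix:", unrouted)
```

The keys of `plan` are the CIDR entries to put in a firewall alias; the `extra_if_slash16` figure is the number of unrelated addresses that the rounded-up /16 would also block.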