Firewall Update?

I run several PBXs and a few weeks ago I started seeing a lot of fail2ban messages from one system.
Today, after last night's updates, I noticed a few more detecting attacks at a high rate.
I have blocked some countries using the Advanced Custom Rules for the Firewall. This has worked great for several years now.

Looking at a system that deflects attackers, here is the top of IPTABLES:

Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 10050:10051
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6000:65000
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set block src
fail2ban-PBX-GUI all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-apache-auth all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-FTP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-api tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-recidive all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
fpbxfirewall all -- 0.0.0.0/0 0.0.0.0/0

On the system that allows the hackers through, here is the IPTABLES top:

Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-recidive all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-api tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-BadBots tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 80,443
fail2ban-FTP tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 21
fail2ban-apache-auth all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fail2ban-PBX-GUI all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SIP all -- 0.0.0.0/0 0.0.0.0/0
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set block src
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6000:65000
fpbxfirewall all -- 0.0.0.0/0 0.0.0.0/0

The IPTABLE Rule I use is here:

-I INPUT -m set --match-set block src -j DROP
and you can see it is moved below the GUI, SSH, auth, FTP, API and SIP. Not blocking like before, making the advanced feature useless for protecting your system.

The systems are all set to auto-update and seem to be at the same revision level.
Linux 3.10.0-1127.19.1.el7.x86_64 #1 SMP Tue Aug 25 17:23:54 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
FreePBX 15.0.37
System Firewall 15.0.43 Stable Sangoma Technologies Corporation [AGPLv3+] Enabled and up to date
System Admin 15.0.29.21 Stable Sangoma Technologies Corporation [Commercial] Enabled
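
Added example (not part of the original post, and not FreePBX code): a shell check that reads `iptables -L INPUT -n` output and reports whether the `match-set block` DROP rule sits before or after the first jump into a `fail2ban-*` or `fpbxfirewall` chain, which is the ordering change the post describes. The function name and the two sample listings are constructed for illustration, abbreviated from the listings above.

```shell
#!/bin/sh
# check_set_drop_order SETNAME   (hypothetical helper, added example)
# Reads `iptables -L INPUT -n` style text on stdin and prints one of:
#   before-chains   set DROP precedes every fail2ban-*/fpbxfirewall jump
#   after:<chain>   set DROP comes after a jump to <chain>
#   missing         no DROP rule for that set in the listing
# Exit status: 0 = before-chains, 1 = after, 2 = missing.
check_set_drop_order() {
    awk -v setname="$1" '
        # Skip the chain banner, the column header and blank lines.
        /^Chain / || /^target / || NF == 0 { next }
        {
            pos++
            # Remember the first jump into a fail2ban or FreePBX chain.
            if (!jump && ($1 ~ /^fail2ban-/ || $1 == "fpbxfirewall")) {
                jump = pos; chain = $1
            }
            # Remember the first DROP that matches sources against the set.
            if (!drop && $1 == "DROP" &&
                index($0, "match-set " setname " src")) {
                drop = pos
            }
        }
        END {
            if (!drop)               { print "missing"; exit 2 }
            if (jump && jump < drop) { print "after:" chain; exit 1 }
            print "before-chains"
        }'
}

# Constructed sample input, abbreviated from the two listings in the post.
GOOD_LISTING='Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 6000:65000
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set block src
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
fpbxfirewall all -- 0.0.0.0/0 0.0.0.0/0'

MOVED_LISTING='Chain INPUT (policy ACCEPT)
target prot opt source destination
fail2ban-recidive all -- 0.0.0.0/0 0.0.0.0/0
fail2ban-SSH tcp -- 0.0.0.0/0 0.0.0.0/0 multiport dports 22
DROP all -- 0.0.0.0/0 0.0.0.0/0 match-set block src
fpbxfirewall all -- 0.0.0.0/0 0.0.0.0/0'

printf '%s\n' "$GOOD_LISTING"  | check_set_drop_order block
printf '%s\n' "$MOVED_LISTING" | check_set_drop_order block || true
```

On a live system the same function can be fed from `iptables -L INPUT -n | check_set_drop_order block`, for example from a cron job that runs after module updates.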
