FreePBX break-in

Hi All, we've had a situation where our FreePBX has been compromised and some t**t used our system to make a few phone calls. Since then we've changed all passwords, SSH connections are only available from the local network, etc.

The PBX is behind the pfSense firewall, it's up to date and all seems to be fine, except for some entries in the secure log of CentOS.

[2014-12-14 19:58:39] SECURITY[20265] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1418587119-143878",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:[email protected]..",SessionID="0x164a4178",LocalAddress="IPV4/UDP/81.../5060",RemoteAddress="IPV4/UDP/69.30.254.10/5078",Challenge="5d55d1cf"
[2014-12-14 19:58:39] NOTICE[20298][C-00000257] chan_sip.c: Failed to authenticate device 209sip:[email protected];tag=78344e98
[2014-12-14 19:58:39] NOTICE[20298][C-00000257] chan_sip.c: Failed to authenticate device 209sip:[email protected];tag=78344e98
[2014-12-14 19:58:39] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418587119-411500",Severity="Error",Service="SIP",EventVersion="2",AccountID="900972595144330",SessionID="0x164a4178",LocalAddress="IPV4/UDP/81...*/5060",RemoteAddress="IPV4/UDP/69.30.254.10/5078",Challenge="5d55d1cf",ReceivedChallenge="5d55d1cf",ReceivedHash="340659fe23f13581d2e5e4bac7dc301c"

This clearly doesn't look right, and it looks like someone is still trying to do bad things to my system/bank account.
The AccountID is a premium phone number.
Device 209 does not exist on our network, yet for some reason it's trying to authenticate.

What else can we do?
Any help much appreciated.

I suggest, in no particular order:

Add appropriate rules for UDP/5060 on your firewall to only allow "known hosts"
Set up Fail2ban to catch such attacks
Don't use UDP/5060, to avoid 99.99% or more of those attacks

Shudders. I… agree with Dick[o] :stuck_out_tongue: Seriously though, he's right.

We have our PBX hosted on a popular cloud provider, and jerks from all over the world try to break into our server. Fail2Ban + iptables are your friends.

You could also try blocking certain regions’ IP addresses with the list at http://www.nirsoft.net/countryip/
I recommend blocking France, Israel, Palestine Territory, and China for starters if you don’t have a need to connect with those countries.

It might sound counter-intuitive, but you should consider blacklisting your bindport for the whole of the network on which you have your cloud instance; they are almost certainly also hosting those very same "jerks" from the countries you note (they are not stupid, and GeoIP is largely irrelevant in these days of cloud servers), and they will always look for the lowest-hanging fruit first (I would) :wink:

As I have elsewhere suggested, just not using 5060 for your bindport is probably the best prophylactic though.

In case you ask: it is very unlikely there would be a legitimate connection to your SIP server from that network unless you have more than one instance, including your own machine. If you do have multiple instances, then pinhole the other machine in iptables if you have "tie-lines" between them, but not your own machine.
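To make the advice in this thread concrete, here is an added example (not code from the original posters, FreePBX or Asterisk) that parses res_security_log lines of the kind pasted in the first post and applies the three ideas discussed above as one decision per source address: pinholed "known hosts" (tie-line peers) are always accepted, the hosting provider's own network is dropped outright, and everything else is judged fail2ban-style (N failures from one address inside a time window leads to a ban). It also lists attempts against AccountIDs that are not configured extensions, which is the "device 209 does not exist" symptom. All log lines, addresses (documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24), extension numbers and thresholds are constructed for the example and are not from the thread.

```python
"""Parse Asterisk res_security_log events and decide per-source action.

Added example, not from the thread. Everything below (log lines, addresses,
extension list, thresholds) is constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log excerpt in the same layout as the lines posted above.
# 192.0.2.5 is the PBX, 198.51.100.0/24 stands in for the hosting provider's
# range, 203.0.113.7 is a tie-line peer, the rest are strangers.
SAMPLE_LOG = """\
[2014-12-14 18:00:00] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418580000-100000",Severity="Error",Service="SIP",EventVersion="2",AccountID="209",SessionID="0x164a4000",LocalAddress="IPV4/UDP/192.0.2.5/5060",RemoteAddress="IPV4/UDP/203.0.113.44/5078"
[2014-12-14 19:58:39] SECURITY[20265] res_security_log.c: SecurityEvent="ChallengeSent",EventTV="1418587119-143878",Severity="Informational",Service="SIP",EventVersion="1",AccountID="sip:209@192.0.2.5",SessionID="0x164a4178",LocalAddress="IPV4/UDP/192.0.2.5/5060",RemoteAddress="IPV4/UDP/198.51.100.10/5078"
[2014-12-14 19:58:39] NOTICE[20298][C-00000257] chan_sip.c: Failed to authenticate device 209sip:209@192.0.2.5;tag=78344e98
[2014-12-14 19:58:39] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418587119-411500",Severity="Error",Service="SIP",EventVersion="2",AccountID="900123456789",SessionID="0x164a4178",LocalAddress="IPV4/UDP/192.0.2.5/5060",RemoteAddress="IPV4/UDP/198.51.100.10/5078"
[2014-12-14 19:58:39] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418587119-500000",Severity="Error",Service="SIP",EventVersion="2",AccountID="209",SessionID="0x164a4200",LocalAddress="IPV4/UDP/192.0.2.5/5060",RemoteAddress="IPV4/UDP/203.0.113.44/5078"
[2014-12-14 19:58:41] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418587121-100000",Severity="Error",Service="SIP",EventVersion="2",AccountID="209",SessionID="0x164a4201",LocalAddress="IPV4/UDP/192.0.2.5/5060",RemoteAddress="IPV4/UDP/203.0.113.44/5078"
[2014-12-14 19:58:44] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418587124-100000",Severity="Error",Service="SIP",EventVersion="2",AccountID="209",SessionID="0x164a4202",LocalAddress="IPV4/UDP/192.0.2.5/5060",RemoteAddress="IPV4/UDP/203.0.113.44/5078"
[2014-12-14 19:59:02] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418587142-100000",Severity="Error",Service="SIP",EventVersion="2",AccountID="201",SessionID="0x164a4300",LocalAddress="IPV4/UDP/192.0.2.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2014-12-14 19:59:10] SECURITY[20265] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1418587150-100000",Severity="Error",Service="SIP",EventVersion="2",AccountID="202",SessionID="0x164a4400",LocalAddress="IPV4/UDP/192.0.2.5/5060",RemoteAddress="IPV4/UDP/203.0.113.99/5062"
"""

# Hypothetical policy inputs; adjust to your own site.
KNOWN_HOSTS = {"203.0.113.7"}                                   # pinholed peers (tie-lines, remote phones)
BLOCKED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]     # the hosting provider's own range
VALID_EXTENSIONS = {"201", "202", "203"}                        # extensions that actually exist
MAXRETRY = 3                                                    # failures allowed inside FINDTIME
FINDTIME = timedelta(seconds=600)
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed", "FailedACL"}

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] res_security_log\.c: (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')


def normalize_account(raw):
    """'sip:209@host' and '209' both become '209' (ChallengeSent logs the full URI)."""
    return re.sub(r"^sip:", "", raw).split("@")[0]


def parse_security_log(text):
    """Return one dict per res_security_log line; chan_sip NOTICE lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(FIELD_RE.findall(m.group("body")))
        # RemoteAddress has the form IPV4/UDP/203.0.113.44/5078
        _family, transport, ip, port = fields["RemoteAddress"].split("/")
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
            "event": fields["SecurityEvent"],
            "account": normalize_account(fields.get("AccountID", "")),
            "remote_ip": ip,
            "remote_port": int(port),
            "transport": transport,
        })
    return events


def classify_sources(events):
    """Map each remote IP to 'allow' (known host), 'drop' (blocked network),
    'ban' (MAXRETRY failures inside FINDTIME) or 'watch' (seen, below threshold).
    Order matters in the same way as iptables rule order: pinholes first, then
    the network block, then the rate-based ban."""
    verdict = {}
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["remote_ip"]
        if ip in KNOWN_HOSTS:
            verdict[ip] = "allow"
            continue
        if any(ipaddress.ip_address(ip) in net for net in BLOCKED_NETWORKS):
            verdict[ip] = "drop"
            continue
        verdict.setdefault(ip, "watch")
        if ev["event"] not in FAILURE_EVENTS:
            continue
        window = recent[ip]
        window.append(ev["ts"])
        while window and ev["ts"] - window[0] > FINDTIME:   # expire old failures
            window.popleft()
        if len(window) >= MAXRETRY:
            verdict[ip] = "ban"
    return verdict


def unknown_account_attempts(events):
    """(account, ip) pairs where an auth attempt named an AccountID that is not a
    configured extension, e.g. '209' when only 201-203 exist."""
    return sorted({(ev["account"], ev["remote_ip"]) for ev in events
                   if ev["event"] in FAILURE_EVENTS | {"ChallengeSent"}
                   and ev["account"] not in VALID_EXTENSIONS})


if __name__ == "__main__":
    evs = parse_security_log(SAMPLE_LOG)
    for ip, action in sorted(classify_sources(evs).items()):
        print(f"{ip:16} {action}")
    for account, ip in unknown_account_attempts(evs):
        print(f"unknown account {account!r} tried from {ip}")
```

The sliding window is the same idea as Fail2ban's `maxretry`/`findtime` jail settings, and Fail2ban's stock `asterisk` filter already matches these `SecurityEvent=` lines, so in production you would point that jail at the Asterisk log rather than run this script; `KNOWN_HOSTS` and `BLOCKED_NETWORKS` correspond to an ACCEPT for the pinholed peer placed before a DROP for the provider's range on the SIP bind port in iptables or pfSense. Note that the old 18:00:00 failure from 203.0.113.44 falls out of the window and does not count; the three attempts within five seconds are what earn the ban.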