FreePBX Hacked

Hi all, I see in the CDR report a lot of calls being made to s [from-sip-external]

I have no clue how someone got into the system. GUI is only accessible locally. And only ports 5060 and 10000-20000 are open.

I know there have been discussions about leaving 10000-20000 closed.

We do not have any users remotely. Which ports can I close? And how do I password protect this better? Any passwords other than the GUI that I need to change?

10000-20000 UDP are for RTP traffic, there is no chance they are the source of your problems. If you have UDP/5060 (or TCP for that matter) open to the world then you WILL be probed. If you haven’t taken precautions to protect yourself against those probes, the most effective method is to not use 5060 for SIP signaling; there will be very few knuckledraggers out there probing for SIP registrations on, for example, port udp/45367. Otherwise follow all the normal recipes for not accepting anonymous calls and restricting at your firewall the networks that are allowed through, both with firewall rules and dynamic intrusion detection like fail2ban, which has specific rules for asterisk.

There is also a big difference between being hacked and being probed.

The calls are a nuisance but if you have strong secrets they aren’t going to get anywhere.

I doubt your system has been compromised in any way.

If you don’t have any remote users why do you have port 5060/UDP and 10000-20000/UDP open to the World?

SIP trunk?

Does your provider allow you to register?

The firewall should be smart enough to pinhole inbound traffic that you register to. That’s how Vonage works.

Here is what a successful ban looks like:

Hi,

The IP 185.7.215.194 has just been banned by Fail2Ban after
8 attempts against SIP.

Here are more information about 185.7.215.194:

[Querying whois.arin.net]
[Redirected to whois.ripe.net:43]
[Querying whois.ripe.net]
[whois.ripe.net]
% This is the RIPE Database query service.
% The objects are in RPSL format.
%
% The RIPE Database is subject to Terms and Conditions.
% See http://www.ripe.net/db/support/db-terms-conditions.pdf
% Note: this output has been filtered.
% To receive output for a database update, use the “-B” flag.
% Information related to ‘185.7.214.0 - 185.7.215.255’
% Abuse contact for ‘185.7.214.0 - 185.7.215.255’ is ‘[email protected]

inetnum: 185.7.214.0 - 185.7.215.255
netname: QUALIT-INFRA
descr: QUAL.IT S.A.S.
country: FR
admin-c: QLIT-RIPE
tech-c: QLIT-RIPE
status: ASSIGNED PA
mnt-by: QUALIT-MNT
source: RIPE # Filtered

role: QUAL.IT ROLE
address: 870, Rue Denis Papin 54710 LUDRES
admin-c: RC14021-RIPE
tech-c: RC14021-RIPE
nic-hdl: QLIT-RIPE
mnt-by: QUALIT-MNT
source: RIPE # Filtered

% Information related to ‘185.7.212.0/22AS199308’

route: 185.7.212.0/22
descr: QUAL.IT S.A.S.
origin: AS199308
mnt-by: QUALIT-MNT
source: RIPE # Filtered

% This query was served by the RIPE Database Query Service version 1.71 (WHOIS2)

Regards,
Fail2Ban
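As an added example (not code from the thread or from fail2ban itself), here is the core of what the fail2ban asterisk rule mentioned above does with Asterisk's security log: count failed SIP authentication events per remote address and report the addresses that reach maxretry, which was 8 in the notification above. The log lines are constructed in the res_security_log format using the banned address from the notification plus documentation addresses; the regex is modelled on fail2ban's filter but is not a copy, and the findtime window is left out.

```python
import re
from collections import defaultdict

# Regex modelled on the pattern fail2ban's bundled asterisk filter uses for
# Asterisk's security event log; the field names are Asterisk's own.
FAILED_AUTH = re.compile(
    r'SecurityEvent="(?P<event>FailedACL|InvalidAccountID|'
    r'ChallengeResponseFailed|InvalidPassword)"'
    r'.*?Service="SIP".*?RemoteAddress="IPV[46]/(?:UDP|TCP|WS)/(?P<host>[^/"]+)/\d+"'
)

def failed_sip_auth_counts(lines):
    """Count failed SIP auth events per remote address (no findtime window here)."""
    counts = defaultdict(int)
    for line in lines:
        m = FAILED_AUTH.search(line)
        if m:
            counts[m.group("host")] += 1
    return dict(counts)

def hosts_to_ban(lines, maxretry=8):
    """Addresses that reached maxretry; 8 matches the notification in the thread."""
    return sorted(h for h, n in failed_sip_auth_counts(lines).items() if n >= maxretry)

def _event(host, event="InvalidAccountID", account="100"):
    # Constructed security-log line in Asterisk's res_security_log format.
    return (f'[2023-05-01 10:00:01] SECURITY[2001] res_security_log.c: '
            f'SecurityEvent="{event}",EventTV="2023-05-01T10:00:01.000+0000",'
            f'Severity="Error",Service="SIP",EventVersion="2",AccountID="{account}",'
            f'SessionID="0x7f",LocalAddress="IPV4/UDP/10.0.0.5/5060",'
            f'RemoteAddress="IPV4/UDP/{host}/5062"')

# Constructed sample: a scanner walking extension numbers, a user mistyping a
# secret twice, and one successful auth (not a failure, so never matched).
SAMPLE_LOG = (
    [_event("185.7.215.194", account=str(100 + i)) for i in range(8)]
    + [_event("192.0.2.10", "InvalidPassword", "2001")] * 2
    + [_event("198.51.100.7", "SuccessfulAuth", "2002")]
)

if __name__ == "__main__":
    print(failed_sip_auth_counts(SAMPLE_LOG))
    print("ban:", hosts_to_ban(SAMPLE_LOG))
```

The two legitimate-looking failures from 192.0.2.10 stay below the threshold, which is why maxretry matters as much as the regex when tuning the jail.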

Automated blocking of the Probers - Here is the voip-info link to it:

http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

It’s built in and turned on in the FreePBX Distro - It will solve MANY problems.

Greg

It’s under SIP Settings - turn it off.