Hi Andrew… I know it expires in 17 days. Let’s Encrypt auto renewed it this month, so why am I getting these error messages? 17 days is too early to renew it anyway
because when I first looked a week or so ago it was just past when it renewed. This has been running for months and then things just seem to fall apart.
By part of the payload I mean as part of the distribution. I believe the cert is good for 60 days or 30, I forget, but it’s supposed to autorenew.
What distribution? You have to configure Let’s Encrypt in Certificate Manager. This is a free FreePBX module which has nothing to do with distributions. The certificates are good for 90 days and they auto renew around 30 (or less).
From what I am seeing in your screenshots, your certificate did not auto renew and will cease to function in 17 days.
I am not sure where you think it auto renewed. I don’t see that anywhere.
Since you posted your system information in the original post, I went ahead and had our mirror server (this is done before Let’s Encrypt attempts) try to talk to your server, which it was unable to do. This is why the renewals are failing.
Can I just give Kudos to @tm1000 here - it was his idea to make Certman complain loudly if the certificate renewals failed. This is one of the (many!) times it has helped people realise their certificates are going to expire BEFORE they actually expire and break everything.
It was also his idea to check from the mirror servers, so we could give better diagnostics than LetsEncrypt does, too.
The client machine you are using to manage this server (96.64.64.18/32) is not a member of the Trusted zone. It is highly recommended to add this client to your Trusted Zone to avoid accidental lockouts.
Firewall Rules corrupted! Restarting in 5 seconds
More information available in /tmp/firewall.log
Broadcast message from [email protected] (Tue Dec 12 05:50:36 2017):
Firewall service now starting.
==========
I looked in /tmp/firewall.log and didn’t see anything unusual. I have to leave for work. Please let me know if you want me to capture anything tonight.
Hi,
Change your Admin HTTP port to 80 & HTTPS to 443. Along with that, make sure the firewall is deactivated. The issue will be fixed & then you can revert the changes as per your needs.
Hi there… OK, I haven’t done anything different. As shown in the screenshots, the cert manager says it is satisfied, and looking at the firewall there are entries in it that were put in when I installed it. Why would this stop working?
Turning off the firewall leaves one vulnerable. You’re talking about reverting a change. I have no idea what change(s) you’re talking about. I didn’t make any recent changes.
It may seem obvious to you guys but not to me, not at this time.
Certificate Manager is only telling you that the FreePBX firewall is correctly configured to allow the connection inbound. This does not take into account your router/wireless access point/I don’t know what.
I have put extra effort into this in trying to get mirror1.freepbx.org to talk to your server directly to get the token and my connection is refused.
You should do what we have stated. Turn off the firewall and then attempt to update the certificate. I am not proposing turning it off altogether. Turn. It. Off. For now. To test. The whole “I haven’t done anything different”: I understand why you are saying this, but we have not accused you once of doing anything different. We are walking through a normal troubleshooting process and you have to cooperate with us instead of arguing about how you didn’t change anything.
There’s only so much I can do without having access to your server and I have exhausted all of those routes.
Hi Andrew… OK, that makes more sense. The only firewall is the Linux firewall. I’ll try and get some time to work on this in the next day or so and see what happens.
I’m not trying to argue, just you need a little more words than being really terse.
I disabled the firewall, went into the cert manager and updated the cert manually.
Valid Until
2018-03-17 (89 days)
And then turned it back on (firewall)
So that worked, thanks, but why, if the rules were set correctly, didn’t it work? This is running on a vultr.com instance. The only firewall is the Linux firewall. If you’d like to get access to my server, please message me privately and we can arrange to get access so you can take a look.