FreePBX security concern

I just opened my firewall for a VoIP test and saw many log entries like the ones shown below:

[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [0019146423112952@from-sip-external:1] NoOp("PJSIP/anonymous-00000164", "Received incoming SIP connection from unknown peer to 0019146423112952") in new stack
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [0019146423112952@from-sip-external:2] Set("PJSIP/anonymous-00000164", "DID=0019146423112952") in new stack
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [0019146423112952@from-sip-external:3] Goto("PJSIP/anonymous-00000164", "s,1") in new stack
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx_builtins.c: Goto (from-sip-external,s,1)
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [s@from-sip-external:1] GotoIf("PJSIP/anonymous-00000164", "1?setlanguage:checkanon") in new stack
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx_builtins.c: Goto (from-sip-external,s,2)
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [s@from-sip-external:2] Set("PJSIP/anonymous-00000164", "CHANNEL(language)=en") in new stack
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [s@from-sip-external:3] GotoIf("PJSIP/anonymous-00000164", "1?noanonymous") in new stack
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx_builtins.c: Goto (from-sip-external,s,5)
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [s@from-sip-external:5] Set("PJSIP/anonymous-00000164", "TIMEOUT(absolute)=15") in new stack
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] func_timeout.c: Channel will hangup at 2020-07-23 23:11:31.040 CST.
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [s@from-sip-external:6] Set("PJSIP/anonymous-00000164", "receveip=pjsip,remote_addr") in new stack
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [s@from-sip-external:7] Log("PJSIP/anonymous-00000164", "WARNING,"Rejecting unknown SIP connection from 156.96.117.183:58154"") in new stack
[2020-07-23 23:11:16] WARNING[12793][C-0000015d] Ext. s: "Rejecting unknown SIP connection from 156.96.117.183:58154"
[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [s@from-sip-external:8] Answer("PJSIP/anonymous-00000164", "") in new stack

I have several questions:

  1. Did 156.96.117.183 try to connect to my FreePBX, but FreePBX did not serve this IP address?
  2. I have several subnets defined in Local Networks under the General SIP Settings tab. Every SIP client on a local network can use an outbound route to reach a remote SIP device, and any other client not listed in a local network will be rejected by FreePBX. Is this right?
  3. A SIP device must be registered in the Extensions module before it is served by FreePBX. Any SIP device not registered to FreePBX will not be served, even if it is on a local network. Is this right?
  4. What about the "anonymous" that appears in the log? I do not see any information in the FreePBX wiki. Will FreePBX serve anonymous SIP clients?

Sorry, I am just a FreePBX newbie who is trying to figure out these important security issues. Any help would be appreciated.

Thanks,

As long as you are listening on UDP/5060, these will never stop unless you have an upstream firewall protecting you.

It amazes me how fast hackers start pounding 5060 as soon as it’s open. The FreePBX firewall and fail2ban are your friends. I always change fail2ban (Admin > System Admin > Intrusion Detection) Ban Time to 2592000 (30 days) and Find Time to 86400 (24 hours). That seems to slow attacks and has caused no issues with users. (Admins with fat fingers sometimes need to be manually unbanned.)

Actually, some are pounding it even before it is open. (Next time you build a machine anywhere, first install sngrep, then fire that up and start your stopwatch. Having absorbed that info, then build the machine appropriately.)

There is no really valid reason to ever listen on UDP/5060. (Avoid 5000-5099 also; they sometimes go there too, and once in a while TCP on the same ports. I have never yet even seen one against TLS/5061 apart from PEBKAC; not only would it likely be futile, it would also seriously incriminate the perp.)

I don’t understand why FreePBX answers those calls. It is not a local network device, not a registered SIP device and not from a known SIP trunk. I have seen a lot of cases where local trunks are used by unauthorized external devices. How can I prevent that from happening?

Generally, unless you have set your machine to accept anonymous or guest calls (a mistake), Asterisk will drop those calls. You can stop 99.999% of them by not listening on UDP/5060; until you do that, your doorbell will continue to ring.

Hi, dicko

I think you are right. Asterisk SIP Settings > General SIP Settings > 'Allow Anonymous Inbound SIP Calls' and 'Allow SIP Guests': after setting these 2 options to 'No', I never see any reject logs now. I do not know why I changed it. Those who do not want to accept anonymous access should set these 2 options to 'No'.

Thanks for your help,
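
The following is an added example, not part of any post in this thread and not FreePBX or fail2ban code: a small tally of the "Rejecting unknown SIP connection" warnings shown in the first post, grouped by source IP over the 86400-second Find Time quoted above. The threshold, the function names and the sample lines (documentation IP ranges) are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Match only the WARNING line; the VERBOSE "Executing ... Log(...)" line
# carries the same text and would double-count each attempt.
REJECT_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] WARNING\[\d+\]\[C-[0-9a-f]+\] '
    r'Ext\. s: "Rejecting unknown SIP connection from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+"')

FIND_TIME = timedelta(seconds=86400)  # Find Time value quoted in the thread
THRESHOLD = 3                         # assumption: not a value from the thread

def rejected_attempts(lines):
    """Yield (timestamp, source_ip) for each rejected anonymous SIP attempt."""
    for line in lines:
        m = REJECT_RE.match(line.strip())
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]

def noisy_sources(lines, find_time=FIND_TIME, threshold=THRESHOLD):
    """Return {ip: most attempts inside any find_time window} for every
    source IP that reaches the threshold."""
    seen = defaultdict(list)
    for ts, ip in rejected_attempts(lines):
        seen[ip].append(ts)
    result = {}
    for ip, stamps in seen.items():
        stamps.sort()
        best, start = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it spans <= find_time.
            while ts - stamps[start] > find_time:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            result[ip] = best
    return result

# Constructed sample in the log format shown in the thread (not real traffic).
SAMPLE = '''[2020-07-23 23:11:16] VERBOSE[12793][C-0000015d] pbx.c: Executing [s@from-sip-external:7] Log("PJSIP/anonymous-00000164", "WARNING,"Rejecting unknown SIP connection from 192.0.2.10:58154"") in new stack
[2020-07-23 23:11:16] WARNING[12793][C-0000015d] Ext. s: "Rejecting unknown SIP connection from 192.0.2.10:58154"
[2020-07-23 23:40:02] WARNING[12801][C-0000015e] Ext. s: "Rejecting unknown SIP connection from 192.0.2.10:40112"
[2020-07-24 01:05:47] WARNING[12840][C-0000015f] Ext. s: "Rejecting unknown SIP connection from 192.0.2.10:51990"
[2020-07-24 02:00:00] WARNING[12850][C-00000160] Ext. s: "Rejecting unknown SIP connection from 198.51.100.7:5071"
[2020-07-26 09:00:00] WARNING[12900][C-00000161] Ext. s: "Rejecting unknown SIP connection from 192.0.2.10:33333"
'''

if __name__ == "__main__":
    for ip, count in noisy_sources(SAMPLE.splitlines()).items():
        print(f"{ip}: {count} rejected anonymous attempts within the find time")
```

Once 'Allow Anonymous Inbound SIP Calls' and 'Allow SIP Guests' are set to 'No' as described in the thread, these warnings stop being logged, so a tally like this only reflects the period while anonymous calls were still reaching the dialplan.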
