Grep the external IP address of connected devices


(Moussa) #1

I am trying to get the external IP address of the connected devices. I did:
grep 'Added contact' /var/log/asterisk/full* | grep -E -o '([0-9]{1,3}[\.]){3}[0-9]{1,3}' but it gives me both the internal and external IPs. Also, this does not seem to get all the connected devices.

VERBOSE[13539] res_pjsip_registrar.c: Added contact 'sip:203@342.413.532.345:48721;transport=TLS;rinstance=70df52f927ca6728;x-ast-orig-host=192.168.1.213:35279' to AOR '203' with expiration of 60 seconds
  • Any idea how to get the external IP only?
  • Are there other keywords / files to look at?

#2

What are you trying to do? If you have one week of logs (the default), then any devices that have remained registered for more than a week won’t show up.

Possibly, you want
asterisk -rx 'pjsip show contacts' | grep -E -o '([0-9]{1,3}[\.]){3}[0-9]{1,3}'
or
asterisk -rx 'pjsip show aors' | grep -E -o '([0-9]{1,3}[\.]){3}[0-9]{1,3}'


(Moussa) #3

Thanks @Stewart1. Your suggestion works.

In the past I had issues securing my server, so with the help of people here I built a script that alerts me when there is an unauthorized access/attempt on my FreePBX. I would like to take it one step further by including any unauthorized registration (attempt) to an extension from an IP not part of my trusted IP list.

#!/bin/bash
email="myemail@gmail.com"
# trusted addresses (IP1 / IP2 are placeholders to replace)
myips=( "IP1"  "IP2" "::1")
mkdir -p /tmp/acceessmonitor

# access monitoring: authorized, denied and failed
# top 20 client addresses seen by the web server
readarray -t accessip < <(sudo cat /var/log/httpd/access_log | awk '{print $1}' | sort -n | uniq | sort -nr | head -20)
# client addresses denied by Apache (strip the trailing ":port]" from the client field)
readarray -t deniedip < <(sudo cat /var/log/httpd/error_log | grep denied | cut -f 10 -d ' ' | sed 's/.\{7\}$//' | sort | uniq | sort -nr)
# SSH failed password attempts
readarray -t failedpasswordip < <(sudo cat /var/log/secure | grep "Failed password" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort | uniq)
# PAM authentication failures (rhost=... field)
readarray -t failedauthip < <(sudo cat /var/log/secure | grep "authentication failures" | cut -f 16 -d ' ' | cut -f 2 -d = | sort | uniq)

# remove the trusted addresses from the access and denied lists (comm needs sorted input)
readarray -t uniqueaccessip < <( \
    comm -23 \
        <(printf '%s\n' "${accessip[@]}" | sort) \
        <(printf '%s\n' "${myips[@]}" | sort) \
    | grep . \
)

readarray -t uniquedeniedip < <( \
    comm -23 \
        <(printf '%s\n' "${deniedip[@]}" | sort) \
        <(printf '%s\n' "${myips[@]}" | sort) \
    | grep . \
)

# start each report file empty so results of a previous run do not linger
: > /tmp/acceessmonitor/uniqueaccessip.txt
: > /tmp/acceessmonitor/uniquedeniedip.txt
: > /tmp/acceessmonitor/failedpasswordip.txt
: > /tmp/acceessmonitor/failedauthip.txt

if [ ${#uniqueaccessip[@]} -gt 0 ]; then
    echo "Unknown access from: ${uniqueaccessip[*]}" > /tmp/acceessmonitor/uniqueaccessip.txt
fi

if [ ${#uniquedeniedip[@]} -gt 0 ]; then
    echo "Denied access from: ${uniquedeniedip[*]}" > /tmp/acceessmonitor/uniquedeniedip.txt
fi

if [ ${#failedpasswordip[@]} -gt 0 ]; then
    echo "Failed password attempt from: ${failedpasswordip[*]}" > /tmp/acceessmonitor/failedpasswordip.txt
fi

if [ ${#failedauthip[@]} -gt 0 ]; then
    echo "Failed authentication attempt from: ${failedauthip[*]}" > /tmp/acceessmonitor/failedauthip.txt
fi

cat /tmp/acceessmonitor/uniqueaccessip.txt  /tmp/acceessmonitor/uniquedeniedip.txt  /tmp/acceessmonitor/failedpasswordip.txt  /tmp/acceessmonitor/failedauthip.txt > /tmp/acceessmonitor/accessmonit$
# compare with the previous run (both inputs sorted, as comm requires) and mail only when something new appeared
touch /tmp/acceessmonitor/accessmonitor2.txt
A=$(comm -23 <(sort /tmp/acceessmonitor/accessmonitor1.txt) <(sort /tmp/acceessmonitor/accessmonitor2.txt) | wc -l)
B=$(comm -23 <(sort /tmp/acceessmonitor/accessmonitor1.txt) <(sort /tmp/acceessmonitor/accessmonitor2.txt))
cp /tmp/acceessmonitor/accessmonitor1.txt /tmp/acceessmonitor/accessmonitor2.txt
if [ "$A" -gt 0 ]; then
    (
    echo "Subject: [FREEPBX]: ACCESS ALERT"
    echo                      # blank line separates the headers from the body
    printf '%s\n' "$B"
    ) | /usr/sbin/sendmail "${email}"
fi
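An added example (not code from the thread) for the registration check discussed above: it pulls the external address out of "Added contact" lines while ignoring the x-ast-orig-host private address that the plain dotted-quad grep also matched, and lists registrations whose address is not on a trusted list. The sample log lines and addresses are constructed.

```shell
#!/bin/bash
# Added example (not from the thread): list pjsip registrations whose
# external address is outside a trusted list. The host right after
# "sip:<user>@" is the address the REGISTER arrived from; the
# x-ast-orig-host parameter is the phone's own private address, which is
# why a plain grep for dotted quads returns both.

# Constructed sample log lines using documentation-range addresses.
sample_log=$(cat <<'EOF'
VERBOSE[13539] res_pjsip_registrar.c: Added contact 'sip:203@203.0.113.45:48721;transport=TLS;rinstance=70df52f927ca6728;x-ast-orig-host=192.168.1.213:35279' to AOR '203' with expiration of 60 seconds
VERBOSE[13540] res_pjsip_registrar.c: Added contact 'sip:204@198.51.100.7:5060;x-ast-orig-host=10.0.0.5:5060' to AOR '204' with expiration of 120 seconds
VERBOSE[13541] res_pjsip_registrar.c: Added contact 'sip:205@[2001:db8::10]:5061;transport=TLS' to AOR '205' with expiration of 60 seconds
EOF
)

# Print "<user> <external-host>" for every "Added contact" line on stdin.
external_contacts() {
    local line rest host
    while IFS= read -r line; do
        case $line in *"Added contact 'sip:"*) ;; *) continue ;; esac
        rest=${line#*"Added contact 'sip:"}   # user@host:port;params' to AOR ...
        rest=${rest%%\'*}                      # keep only the contact URI
        host=${rest#*@}                        # drop the user part
        case $host in
            \[*) host=${host%%]*}; host=${host#\[} ;;   # bracketed IPv6 literal
            *)   host=${host%%[;:]*} ;;                 # cut at the port or first parameter
        esac
        printf '%s %s\n' "${rest%%@*}" "$host"
    done
}

# Same, but only for hosts not listed in the arguments (the trusted list).
untrusted_registrations() {
    external_contacts | while read -r user host; do
        case " $* " in
            *" $host "*) ;;                              # trusted address: ignore
            *) printf '%s %s\n' "$user" "$host" ;;
        esac
    done
}

# Against the real log: grep 'Added contact' /var/log/asterisk/full* | untrusted_registrations IP1 IP2 ::1
printf '%s\n' "$sample_log" | untrusted_registrations 203.0.113.45 ::1
```

The filename prefix that grep adds when given several files is ignored by the parser, so the command in the last comment works unchanged on rotated logs.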

(Itzik) #4

If you have a list of trusted IPs or FQDNs, why not whitelist them in your network, or Sangoma firewall?

If you need to keep your PBX exposed for some reason, I’d suggest using a random port for SIP and restricting access based on GeoIP; you can also install apiban to prevent bad actors from even attempting to register.

However, I do agree with the idea of getting failed registration alerts, that way if there’s something bad happening, or a user has trouble, you’ll know it right away.


(Dave Burgess) #5

On the APIBAN front - there was a really good set of posts about using apiban on the firewall/frontend for working with this.


(Moussa) #6

I agree with you. I blocked everything except the trusted IPs in both FreePBX and my cloud provider firewalls. I am also using fail2ban, VPN, HTTPS, HTTP to HTTPS redirect, and long strong passwords. Fortunately, the script did not fire since then. But we are humans and mistakes happens, this is another layer of defense / alerting in case something fails or someone find an unpatched security hole.