We have several installs from distro that we have recently updated the OS through Module Admin (great feature!). Subsequent to those updates (version 14.0.3.13) Fail2Ban is being kept quite busy, just as we are, blacklisting the “mostly” Eastern Block countries IP blocks.
Three questions:
What got updated in the OS updates that caused a new flag to be raised to the hacker community?
Fail2Ban is not responding as quickly as the settings. We set it at 5 attempts and lockout of 172800 seconds (2 days) yet we get Fail2Ban notices on the same IP 12 hours apart after 15 attempts, not five and not 2 days later. Why?
There was work being done on the firewall module in FreePBX to auto-blacklist attackers IP’s. What happened to that project?
Appreciate any insights.
Side note: when we blacklist the attacking IP blocks they go away (firewall is doing a great job), but it is time consuming and after the fact.
The rise in hacking attempts is probably a coincidence. The impending US election is making everyone that wants to screw with us work overtime to make sure whatever puppet they are supporting gets elected.
If the defaults in the system firewall aren’t meeting your needs, I’d suggest submitting a ticket with your concerns on it and supporting data through the Issues link at the top of the page. Rob (@xrobau) will probably spot this on his own and take a look, but if we can come to a concensus on settings that meet our needs, we should be able to make improvements in the system.
Short of that, you should be sure that your system meets the current “best practices” that we’ve been discussing sine the firewall module was established. One of those is to only allow “known” address blocks to access your SIP ports and to relocate those ports (when reasonable) to other port addresses to get rid of the automated scripts that target our systems. Also, make sure that “Guest” and “Anonymous” calls to your server are blocked, This will prevent calls that come in from doing damage.
One of the guys that worked for me about 10 years ago did a Master’s Thesis on “electronic pheromone data”, which posited that similar systems (such as our phone systems) could establish a network of services that could act like plant pheromones, warning other servers in a particular species of attacks and to establish defenses based on warning segments. I’ve always thought that community based systems like FreePBX (where we are all working together for the most part anyway) could be the perfect testbed for such a system. Perhaps I need to start looking at his work again…
Sorry this has taken me so long to respond…I had responded to the email notification I had received when you first responded, but the reply obviously doesn’t reach the community. Hope you received it at the time…