Hackers are probing my system even though they are listed in firewall

In my logs this morning I see a hacker probing my system for DAYS now. His IP address is listed as BANNED in intrusion detection. fail2ban-status fail2ban-SIP shows his IP address. iptables -L shows REJECT for fail2ban-SIP.

Still, he is unimpeded and trying to break into my FreePBX all day long.

[2021-06-22 10:09:30] NOTICE[29779]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'INVITE' from '"NoAuth" sip:[email protected]' failed for '213.202.233.143:53438' (callid: M8tr4gQlVqhtSfO1CitkJg…) - Failed to authenticate

Chain INPUT (policy ACCEPT)
target     prot opt source           destination
fpbxfirewall  all  --  0.0.0.0/0     0.0.0.0/0
fail2ban-SIP  all  --  0.0.0.0/0     0.0.0.0/0

Chain FORWARD (policy ACCEPT)
target     prot opt source           destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source           destination

Chain fail2ban-SIP (1 references)
target     prot opt source           destination
REJECT     all  --  45.147.231.106   0.0.0.0/0   reject-with icmp-port-unreachable
REJECT     all  --  163.172.52.210   0.0.0.0/0   reject-with icmp-port-unreachable
REJECT     all  --  188.213.212.43   0.0.0.0/0   reject-with icmp-port-unreachable
REJECT     all  --  45.153.240.109   0.0.0.0/0   reject-with icmp-port-unreachable
REJECT     all  --  45.147.231.40    0.0.0.0/0   reject-with icmp-port-unreachable
REJECT     all  --  163.172.106.157  0.0.0.0/0   reject-with icmp-port-unreachable
REJECT     all  --  163.172.107.69   0.0.0.0/0   reject-with icmp-port-unreachable
REJECT     all  --  213.202.233.143  0.0.0.0/0   reject-with icmp-port-unreachable
REJECT     all  --  129.144.24.18    0.0.0.0/0   reject-with icmp-port-unreachable
RETURN     all  --  0.0.0.0/0        0.0.0.0/0

Your INPUT has in order

fpbxfirewall  all  --  0.0.0.0/0  0.0.0.0/0
fail2ban-SIP  all  --  0.0.0.0/0  0.0.0.0/0

So your fpbxfirewall chain is possibly ‘short-circuiting’ F2B

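The point dicko makes is about rule order: iptables evaluates the INPUT chain top to bottom, so if the jump to fpbxfirewall comes first and that chain ACCEPTs the packet, the fail2ban-SIP chain below it is never consulted and its REJECT entries do nothing. The following shell snippet is an added example (not from this thread or from FreePBX or fail2ban) that reads `iptables -S INPUT` output and reports whether the first fail2ban jump sits above the fpbxfirewall jump. The chain names are the ones shown in the thread; the two sample rule listings are constructed to mirror the before and after ordering.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# check_input_order: read `iptables -S INPUT` output on stdin and report
# whether the fail2ban-* jump is evaluated before the fpbxfirewall jump.
# Prints "ok", "misordered" or "no-fail2ban-jump"; exit status 0/1/2.
check_input_order() {
    # awk walks the rules in order; the first rule matching each jump
    # records its position. The -P policy line is not a rule, so skip it.
    awk '
        /^-P / { next }
        { n++ }
        /-j fail2ban-/ && !f2b   { f2b = n }
        /-j fpbxfirewall/ && !fw { fw = n }
        END {
            if (!f2b)     { print "no-fail2ban-jump"; exit 2 }
            if (!fw)      { print "ok"; exit 0 }   # no FreePBX chain to shadow it
            if (f2b < fw) { print "ok"; exit 0 }
            print "misordered"; exit 1
        }'
}

# Constructed sample matching the listing in the thread: fpbxfirewall
# is hit first, so anything it ACCEPTs never reaches fail2ban-SIP.
SAMPLE_BAD='-P INPUT ACCEPT
-A INPUT -j fpbxfirewall
-A INPUT -j fail2ban-SIP'

# Constructed sample after re-ordering: banned addresses are rejected
# before the FreePBX firewall chain gets a chance to accept them.
SAMPLE_GOOD='-P INPUT ACCEPT
-A INPUT -j fail2ban-SIP
-A INPUT -j fpbxfirewall'

# On a live host (as root) the check would be run as:
#   iptables -S INPUT | check_input_order
printf '%s\n' "$SAMPLE_BAD"  | check_input_order   # misordered
printf '%s\n' "$SAMPLE_GOOD" | check_input_order   # ok
```

Only the first occurrence of each jump matters, which is why the script stops recording after it finds one; a second copy of a jump lower down does not help if an earlier ACCEPT already terminated the traversal.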

I didn’t do that, it was created by FreePBX installer.

What do you think of the fact that the FORWARD chain is empty?
Personally, I think that is the mistake.

On second thought, I think you are correct.
I re-ordered my rules, now waiting to see the result.

What does FreePBX do out of the box on this?
I don’t understand how it could have been changed?

Are you using the Integrated Firewall, or are you trying to manage this by hand?

this is all plain vanilla FreePBX firewall and fail2ban. I was not customizing it at all.
Btw: re-ordering the INPUT chain as dicko suggested blocked the bad guys.

What worries me is why did it break in the first place, and when? And will it happen again.

The Integrated Firewall in FreePBX handles all of this; thus my question. If you are trying to do a bunch of manual F2B stuff in addition to the Integrated Firewall, you might be doing this to yourself.

Without the Integrated Firewall in FreePBX (under the Connectivity tab, IIRC), you only have F2B - there isn’t a “plain vanilla FreePBX firewall”. Your results would be whatever happens unless you let the Integrated Firewall manage the system.
