[HOW-TO] Monitor and Set Email Alert For Unauthorized Access to FreePBX (Centos) Server


(Moussa) #1

I was able to set my FreePBX in the cloud. I was also able to secure the FreePBX by using firewall, VPN and intrusion detection to limit the allowed IPs that access the FreePBX.

While I was browsing this forum I read some FreePBX were hacked. Hope I won’t but I would like to set an email alert for any newly created admin, user and/or extension.

I appreciate any help or directions.

Best.


(Itzik) #2

Out of the box, there isn’t such a feature.

Your only option is to hire someone, or DIY.


(Moussa) #3

dicko mentioned in a post that the access_log has the information of who accessed what and when. Looking around, I was able to write this script that will serve the purpose of monitoring users’ access by IP. In my situation, I have a limited set of IPs that I access the FreePBX from. Hence, this script should do it for me.

#!/bin/bash
# Mail an alert when the web UI is reached from an IP outside the trusted list,
# when httpd denies a request, and when /var/log/secure records SSH failures.
email="myemail@yahoo.com"
myips=("IP1" "IP2" "IP3" "IP4")

# Read every source into an array, one IP per element. A plain string variable
# always counts as one element in ${#var[@]}, so the checks below would fire
# even when the string is empty.
readarray -t accessip < <(sudo cat /var/log/httpd/access_log | awk '{print $1}' | sort -n | uniq | sort -nr | head -20)
readarray -t deniedip < <(sudo cat /var/log/httpd/error_log | grep denied | cut -f 10 -d ' ' | sed 's/.\{7\}$//' | sort -u)
readarray -t failedpasswordip < <(sudo cat /var/log/secure | grep "Failed password" | cut -f 11 -d ' ' | sort -u)
readarray -t failedauthip < <(sudo cat /var/log/secure | grep "authentication failures" | cut -f 16 -d ' ' | cut -f 2 -d = | sort -u)

# Subject, blank line, body: sendmail needs the blank line to end the headers.
send_alert() {
    { echo "Subject: $1"; echo; printf '%s\n' "$2"; } | /usr/sbin/sendmail "$email"
}

# IPs seen in access_log that are not in the trusted list (grep . drops the
# empty line printf emits when the array is empty)
readarray -t uniqueaccessip < <( \
   comm -23 \
      <(printf '%s\n' "${accessip[@]}" | grep . | sort) \
      <(printf '%s\n' "${myips[@]}" | sort) \
)
if [ ${#uniqueaccessip[@]} -gt 0 ]; then
    send_alert "UNKNOWN IP ACCESS" "Unknown access from ${uniqueaccessip[*]}"
fi

readarray -t uniquedeniedip < <( \
   comm -23 \
      <(printf '%s\n' "${deniedip[@]}" | grep . | sort) \
      <(printf '%s\n' "${myips[@]}" | sort) \
)
if [ ${#uniquedeniedip[@]} -gt 0 ]; then
    send_alert "DENIED IP ACCESS" "Denied access from ${uniquedeniedip[*]}"
fi

if [ ${#failedpasswordip[@]} -gt 0 ]; then
    send_alert "FAILED PASSWORD" "Failed password attempt from ${failedpasswordip[*]}"
fi

if [ ${#failedauthip[@]} -gt 0 ]; then
    send_alert "FAILED AUTHENTICATION" "Failed authentication attempt from ${failedauthip[*]}"
fi

Slightly modified version of the above script.

#!/bin/bash
# Variant that keeps its last report under /tmp/acceessmonitor and only mails
# lines that were not already reported on the previous run.
email="myemail@yahoo.com"
myips=("IP1" "IP2" "IP3" "IP4")
state=/tmp/acceessmonitor
mkdir -p "$state"
touch "$state/accessmonitor2.txt"   # previous report; empty on the first run

readarray -t accessip < <(sudo cat /var/log/httpd/access_log | awk '{print $1}' | sort -n | uniq | sort -nr | head -20)
readarray -t deniedip < <(sudo cat /var/log/httpd/error_log | grep denied | cut -f 10 -d ' ' | sed 's/.\{7\}$//' | sort -u)
# grep -o already leaves one IP per line, so no further cut is needed
readarray -t failedpasswordip < <(sudo cat /var/log/secure | grep "Failed password" | grep -E -o "([0-9]{1,3}[\.]){3}[0-9]{1,3}" | sort -u)
readarray -t failedauthip < <(sudo cat /var/log/secure | grep "authentication failures" | cut -f 16 -d ' ' | cut -f 2 -d = | sort -u)

readarray -t uniqueaccessip < <( \
    comm -23 \
    <(printf '%s\n' "${accessip[@]}" | grep . | sort) \
        <(printf '%s\n' "${myips[@]}" | sort) \
)

readarray -t uniquedeniedip < <( \
    comm -23 \
    <(printf '%s\n' "${deniedip[@]}" | grep . | sort) \
        <(printf '%s\n' "${myips[@]}" | sort) \
)

# Truncate the per-category files first, so a category that is empty this run
# does not carry over stale lines from the previous run.
for f in uniqueaccessip uniquedeniedip failedpasswordip failedauthip; do
    : > "$state/$f.txt"
done

if [ ${#uniqueaccessip[@]} -gt 0 ]; then
    echo "Unknown access from: ${uniqueaccessip[*]}" > "$state/uniqueaccessip.txt"
fi

if [ ${#uniquedeniedip[@]} -gt 0 ]; then
    echo "Denied access from: ${uniquedeniedip[*]}" > "$state/uniquedeniedip.txt"
fi

if [ ${#failedpasswordip[@]} -gt 0 ]; then
    echo "Failed password attempt from: ${failedpasswordip[*]}" > "$state/failedpasswordip.txt"
fi

if [ ${#failedauthip[@]} -gt 0 ]; then
    echo "Failed authentication attempt from: ${failedauthip[*]}" > "$state/failedauthip.txt"
fi

# Combine this run's findings (the output filename was cut off in the original post)
cat "$state/uniqueaccessip.txt" "$state/uniquedeniedip.txt" "$state/failedpasswordip.txt" "$state/failedauthip.txt" > /tmp/acceessmonitor/ac$
# Lines present in this report but not in the previous one; comm needs sorted input
B=$(comm -23 <(sort "$state/accessmonitor1.txt") <(sort "$state/accessmonitor2.txt"))
A=$(printf '%s\n' "$B" | grep -c .)
cp "$state/accessmonitor1.txt" "$state/accessmonitor2.txt"
if [ "$A" -gt 0 ]; then
    { echo "Subject: [FREEPBX]: ACCESS ALERT"; echo; printf '%s\n' "$B"; } | /usr/sbin/sendmail "$email"
fi

The modified version will do the following:

  • Set trusted IPs.
  • Look at /var/log/httpd/access_log for all IPs that accessed your FreePBX and compare them to the trusted IPs; if there is an unknown IP, it will send an email alert.
  • Fail2ban will send an email alert if an IP is banned. To otherwise get the IPs of suspicious activity, it will monitor /var/log/httpd/access_log and /var/log/httpd/error_log for any denied access, failed password or failed authentication.
  • To avoid alert fatigue, the script will send an alert once for each IP.
  • Save the file somewhere like /usr/ipmonitor.sh
  • chmod +x /usr/ipmonitor.sh
  • Put it in crontab

My question is: will “/var/log/secure” access information pass to “/var/log/httpd/access_log”? i.e. do I need to work on “/var/log/secure”?

Thanks in advance.
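The same idea as the script above, written as an added example that is not part of the thread: parse the Apache access_log fields properly instead of cutting whitespace-separated columns, accept CIDR ranges as well as exact IPs in the trusted list (a generalisation of the post's exact-IP list), and keep a JSON state file so each untrusted IP is reported only once. The log lines, the 203.0.113.0/24 trusted range and the state path are constructed for the example.

```python
import ipaddress
import json
import os
import re
# Apache common/combined log prefix: client IP, ident, user, [timestamp], "request", status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')

def parse_line(line):
    """Return (ip, timestamp, request, status) or None if the line is not an access_log line."""
    m = LINE_RE.match(line)
    return None if not m else (m.group(1), m.group(2), m.group(3), int(m.group(4)))

def build_allow_list(entries):
    """Accept exact IPs and CIDR ranges; a bare IP becomes a /32 (or /128) network."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]

def is_trusted(ip, networks):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # a malformed client field is never treated as trusted
    return any(addr in net for net in networks)

def untrusted_hits(lines, networks):
    """Map each untrusted client IP to the (timestamp, request, status) tuples it produced."""
    hits = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed and not is_trusted(parsed[0], networks):
            hits.setdefault(parsed[0], []).append(parsed[1:])
    return hits

def new_alerts(hits, state_path):
    """Return only IPs absent from the state file, then record every IP seen so far."""
    seen = set()
    if os.path.exists(state_path):
        with open(state_path) as f:
            seen = set(json.load(f))
    fresh = {ip: v for ip, v in hits.items() if ip not in seen}
    with open(state_path, "w") as f:
        json.dump(sorted(seen | set(hits)), f)  # the alert-once list for the next run
    return fresh

# Constructed sample lines (documentation addresses, not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /admin/config.php HTTP/1.1" 200 512',
    '198.51.100.77 - - [10/Oct/2023:13:56:01 +0000] "POST /admin/config.php HTTP/1.1" 403 199',
    'garbage line that does not parse',
]
TRUSTED = build_allow_list(["203.0.113.0/24"])
```

Running `new_alerts(untrusted_hits(SAMPLE_LOG, TRUSTED), path)` twice reports 198.51.100.77 the first time and nothing the second, which is the once-per-IP behaviour the post asks for.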


#4

Unlikely. /var/log/secure tracks ssh attempts; just don’t use 22 for ssh to make it quiet, and use public key authentication and not password authentication. You are then pretty secure.


(Moussa) #5

Thank you, dicko. I do have public key authentication. I am hoping to put this script in as an extra layer of security. You never know what security issue may appear in the future.


#6

You don’t indeed. They will . . .

every line in

netstat -tulpn|grep -v 127\.0\.0\.1

is possibly vulnerable.

(Thinking about it, any attack through localhost is far more insidious if successful, and in the past has caused far more damage . . . )

