Logfile shows MANY "wrong password"

I have noticed that my Asterisk logfile shows many, many “failed for ‘116.1.1.147:6150’ - Wrong password” as well as other IP address attempts. Google search says these are of Chinese origin.

Fail2Ban appears to be working and I am as up to date (software wise) as I can get.

So, two questions. How can I confirm Fail2Ban is working properly?

Should I be concerned about all these “Wrong password” listings?

Yes, I would be concerned. Tighten up your firewall and close any ports that are exposed to the outside world. If having exposed ports is an absolute must (and you can’t/don’t want to use a VPN or similar) then have a look at the response firewall available in FreePBX 13.

Also, ensure your extensions have long secure passwords and that you only permit preconfigured IP addresses (in advanced tab of the exten).

On my Asterisk system, I monitor the Asterisk log file and get email alerts of any suspicious activity such as wrong passwords etc.

Fraser.
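One way to answer the "is Fail2Ban working?" question from the log itself, as an added example that is not part of any post in this thread: count, per source IP, how many "Wrong password" lines were still logged after that IP had already crossed the ban threshold. The log line layout, the sample data, the function names, and the `maxretry`/`findtime` values are assumptions; set the last two to match your own jail.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in chan_sip's NOTICE layout; documentation-range addresses,
# not lines from the poster's log.
TMPL = ("[2016-03-01 {t}] NOTICE[2101] chan_sip.c: Registration from "
        "'\"101\" <sip:101@203.0.113.5>' failed for '{src}' - Wrong password")
EVENTS = [("10:00:01", "192.0.2.10:6150"), ("10:00:05", "192.0.2.10:6150"),
          ("10:00:09", "192.0.2.10:6151"), ("10:00:20", "192.0.2.10:6152"),
          ("10:00:40", "192.0.2.10:6153"),           # keeps going: ban not effective
          ("10:01:00", "198.51.100.7:5060"), ("10:01:02", "198.51.100.7:5060"),
          ("10:01:04", "198.51.100.7:5060"),         # stops at the threshold
          ("08:00:00", "203.0.113.9:5060"), ("09:00:00", "203.0.113.9:5060"),
          ("11:00:00", "203.0.113.9:5060")]          # slow, never inside one window
SAMPLE_LOG = "\n".join(TMPL.format(t=t, src=s) for t, s in EVENTS)

LINE_RE = re.compile(r"^\[(?P<ts>[\d-]+ [\d:]+)\].* failed for "
                     r"'(?P<ip>[\d.]+)(?::\d+)?' - Wrong password")

def parse_failures(text):
    """Map each source IP to the timestamps of its 'Wrong password' lines."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hits[m["ip"]].append(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return hits

def failures_after_threshold(hits, maxretry=3, findtime=600):
    """For every IP that reached maxretry failures within findtime seconds,
    count the failures logged after that point (0 = it went quiet)."""
    window = timedelta(seconds=findtime)
    late = {}
    for ip, times in hits.items():
        times = sorted(times)
        for i in range(maxretry - 1, len(times)):
            if times[i] - times[i - maxretry + 1] <= window:
                late[ip] = len(times) - (i + 1)
                break
    return late

if __name__ == "__main__":
    for ip, n in failures_after_threshold(parse_failures(SAMPLE_LOG)).items():
        print(f"{ip}: {n} failure(s) logged after the ban threshold")
```

A source that reappears once its ban time has expired will also show a non-zero count, so compare the timestamps of the late failures against the jail's ban duration before concluding the ban never took effect.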

Thanks for your response. I am currently using the “Responsive Firewall” and my extensions have very long complicated passwords.

As far as the “only permit pre configured IP addresses (in advanced tab of the exten)”, can you point me to further documentation, as I am unclear how to set ‘what’ IP address: the server address or the extension address?

These would be the IP addresses of the endpoints.

For example, if you enter 0.0.0.0/0.0.0.0 into the deny field and 123.123.123.123/255.255.255.255 into permit, then only an endpoint matching 123.123.123.123 would be allowed to register for that exten.

The catch to this is that your remote endpoints must have static addresses (unless you can enter a DDNS address - I’m not sure, maybe the tooltip will tell you or someone else can confirm?); however, you can permit IP subnets such as 192.168.0.0/255.255.255.0.

Fraser.

That helped, THANKS!!

I did as was suggested in that I assigned the extension IP address to the “extension” >> “advanced” >> “permit” to restrict only “that” extension can connect and only “that” extension. It did not help and the hits continued.

Did a little more research and tightened the (pfSense) firewall rules to allow only connections from my VoIP service provider IP address.

So far, the log files are quiet.