New and greatly improved Firewall!


(David Johnson) #1

Kudos to the Firewall team! The new firewall and intrusion detection synchronization is FABULOUS! I can't tell you how long I have been waiting for this feature. It appears to be working great. Now we need to work on the fail2ban a little. I have fail2ban set for

Max Try: 2
Find time: 600
Ban time: 600000 and considering adding a few more zeros :slight_smile:

but it doesn't seem to lock everyone out that's trying to hack my PBX, only those trying to authenticate, I guess? I have the firewall set up in FreePBX with Responsive enabled (chan_sip and pjsip only), and all of the phones are offsite at many locations; all have firewalls with NO SIP rules enabled. With NAT enabled all works well, but occasionally, somehow, someone will discover a phone and try to make calls to/through the phone. Hard to explain, but I have had numerous cases where the phone will ring with ext 100 (my extensions are 7 digits) but when you pick up there's nothing there. It's annoying my customers. This is what I see in sngrep:

XXX@pbx.domain.com:51 ZZZZ@pbx.domain.com 4 64.138.198.154:31000

XXX is a valid extension, ZZZZ is some random extension not on my system and the IP address is unknown to me. When I run a CDR report these concern me the most:

clid src dst dcontext channel lastapp lastdata duration billsec disposition amaflags accountcode uniqueid
“201” <201> 201 s from-sip-external PJSIP/anonymous-00004d9e Congestion 5 12 12 ANSWERED 3 1614024301
“201” <201> 201 s from-sip-external PJSIP/anonymous-00004d9d Congestion 5 12 12 ANSWERED 3 1614022678
“201” <201> 201 s from-sip-external PJSIP/anonymous-00004d9c Congestion 5 12 12 ANSWERED 3 1614021093
“sipvicious” <100> 100 s from-sip-external PJSIP/anonymous-00004d9b Congestion 5 12 12 ANSWERED 3 1614020695
“201” <201> 201 s from-sip-external PJSIP/anonymous-00004d9a Congestion 5 12 12 ANSWERED 3 1614019289
“9999999” <9999999> 9999999 s from-sip-external PJSIP/anonymous-00004d99 Congestion 5 12 12 ANSWERED 3 1614018772
“201” <201> 201 s from-sip-external PJSIP/anonymous-00004d98 Congestion 5 12 12 ANSWERED 3 1614016206
“sipvicious” <100> 100 s from-sip-external PJSIP/anonymous-00004d97 Congestion 5 12 12 ANSWERED 3 1614015767
“201” <201> 201 s from-sip-external PJSIP/anonymous-00004d96 Congestion 5 12 12 ANSWERED 3 1614012322

I have lots of experience in networking and firewalls, but I'm not sure what to do next to help clamp down on the potential fraud. I try to review my CDRs, but I have 7 PBX systems making about 45,000 valid calls a month, so it's a lot to review. I haven't found any completed calls that weren't actual extensions, but I assume it helps that my SIP is configured for domestic calls only.
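As an added example (not the poster's or FreePBX's code), here is a small screen for CDR rows in the format shown above: it parses the 13 columns from the post's header line, flags the rows that came in through the guest context on an anonymous endpoint, and tallies why, so a month of rows can be filtered rather than read. The sample rows are constructed to mirror the post's rows (plus one normal internal call for contrast), and KNOWN_EXTENSIONS is an assumed extension list.

```python
import re
from collections import Counter

# Column order taken from the CDR header line in the post.
CDR_COLUMNS = ("clid src dst dcontext channel lastapp lastdata duration "
               "billsec disposition amaflags accountcode uniqueid").split()

# Constructed sample rows mirroring the post's format; the last row is a
# normal internal call added for contrast and is not from the post.
SAMPLE_CDR = """\
“201” <201> 201 s from-sip-external PJSIP/anonymous-00004d9e Congestion 5 12 12 ANSWERED 3 1614024301
“sipvicious” <100> 100 s from-sip-external PJSIP/anonymous-00004d9b Congestion 5 12 12 ANSWERED 3 1614020695
“9999999” <9999999> 9999999 s from-sip-external PJSIP/anonymous-00004d99 Congestion 5 12 12 ANSWERED 3 1614018772
"Alice" <2015551234> 2015551234 2015551000 from-internal PJSIP/2015551234-00004d95 Dial PJSIP/2015551000 61 58 ANSWERED 3 1614010000
"""

# Assumed: the 7-digit extensions that actually exist on this PBX.
KNOWN_EXTENSIONS = {"2015551234", "2015551000"}

CLID_RE = re.compile(r'^"(?P<name>[^"]*)"\s+<(?P<number>[^>]*)>\s+(?P<rest>.*)$')


def parse_cdr_line(line):
    """Parse one space-separated CDR row into a dict keyed by CDR_COLUMNS.

    Assumes lastdata contains no spaces (true for the rows above) and that
    accountcode may be empty, in which case the row is one token short.
    Curly quotes, as the forum renders them, are normalised to straight ones.
    """
    line = line.strip().replace("\u201c", '"').replace("\u201d", '"')
    m = CLID_RE.match(line)
    if not m:
        raise ValueError("unrecognised CDR row: %r" % line)
    tokens = m.group("rest").split()
    tail = CDR_COLUMNS[1:]                # every column after clid
    if len(tokens) == len(tail) - 1:      # empty accountcode: put it back before uniqueid
        tokens.insert(-1, "")
    if len(tokens) != len(tail):
        raise ValueError("unexpected field count in: %r" % line)
    row = dict(zip(tail, tokens))
    row["clid_name"] = m.group("name")
    row["clid_number"] = m.group("number")
    return row


def parse_cdr(text):
    """Parse every non-blank line of a CDR export."""
    return [parse_cdr_line(l) for l in text.splitlines() if l.strip()]


def suspicious_reasons(row):
    """Return the reasons a row looks like unsolicited traffic (empty list if none)."""
    reasons = []
    if row["dcontext"] == "from-sip-external":
        reasons.append("guest-context")           # arrived via the SIP guest context
    if "/anonymous-" in row["channel"]:
        reasons.append("anonymous-endpoint")      # PJSIP/anonymous-* endpoint
    if row["clid_name"].lower() == "sipvicious":
        reasons.append("scanner-name-sipvicious") # caller name seen in the post's rows
    if row["lastapp"] == "Congestion":
        reasons.append("ended-in-congestion")     # never reached a real extension
    return reasons


def summarize(rows):
    """Count flagged rows and how often each reason fires."""
    reasons = Counter()
    flagged = 0
    for row in rows:
        r = suspicious_reasons(row)
        if r:
            flagged += 1
            reasons.update(r)
    return {"total": len(rows), "flagged": flagged, "reasons": reasons}


if __name__ == "__main__":
    rows = parse_cdr(SAMPLE_CDR)
    for row in rows:
        print(row["uniqueid"], row["channel"], suspicious_reasons(row) or "ok")
    print(summarize(rows))
```

Feed it a real export by replacing SAMPLE_CDR with the file contents; rows with an empty reason list are the ones worth a human look, since everything flagged here is the guest traffic that disabling SIP guests removes outright.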


#2

I suggest you just don't use UDP:5060 and see almost zero of these anymore.


(Lorne Gaetz) #3

Those are not technically intrusion attempts, just stray calls. Disable SIP Guests and Anonymous Calls in Asterisk SIP Settings, and they will just be quietly dropped without a CDR record.


(Jared Busch) #4

They are not just stray calls by any means.

But your answer is correct. Disabling guests and anonymous calling will stop those from coming in.


#5

And the rest of the world will still know that your system is available to further, more directed, attacks (these guys are not stupid . . . Ostriches put their heads in the sand so they can communicate with other ostriches :wink: )

To see what you are otherwise exposing, try

ss -ltuna

It is thusly easy to define a ‘fingerprint’ of any particular system ‘flavor’ using netcat if they already found the ‘low hanging fruit’ of udp:5060


(Tom Ray) #6

OK, I get that changing the signaling port to something different may make it feel like it's more secure, but it's not. As you noted, these people aren't dumb; they've realized for the past 15 years this has been the go-to answer given by many "gurus" over the years.

They do not just scan standard SIP ports, they scan a lot of ports. So sure, you can change your port from 5060, but that does not secure you properly. Only proper security rules/firewall rules, etc. are going to secure you properly.

So if the rest of the world now knows this system is open and they can attack it do you think they’re going to be like “Oh 5060 is closed, they got us. Darn them kids”? No. They will try other vectors.


(Jared Busch) #7

Exactly.
Changing the port might make your logs cleaner but it does nothing for security.


#8

Agree, security through obscurity is not real security,

But…

A little “pro-active” log maintenance is a good thing. Cleaner logs make the bad actors easier to find.


(Tom Ray) #9

Not having Allow Guests and leaving your PBX open to anyone also makes for cleaner logs. So there is that. A properly setup system with proper firewall rules also makes for cleaner logs.


#10

Some ‘scan’ for ports usually between 5000 and 5999. You need port scan detection in your firewall: 5 ports and you're out.

I only rarely see scans not on UDP. Don't use UDP; TLS by preference.

The vectors are the Asterisk Management port and, for FreePBX, the various http/s ports you have open, which by default will be the same for most folks. All the successful recent penetrations have come not through VoIP but through flaws in the code.

If your ‘Intrusion Detection System’ has only VoIP being watched, then you are under-using it.

If you allow connections to other than your domain name to any service you are less protected, and as dig -x your.ip.add.ress often leaks the domain name you are using, sensitive services would better be on a separate obscure domain with SNI enforced.

So changing your port in itself doesn't increase your security, but it does make the target a lot smaller. Increasing the security at the bare minimum would insist on TLS for everything and enforcing SNI, while dropping any HTTP access to your IP address and rewriting HTTP to HTTPS for everything to your domain.

Although this can all be done on your PBX host with a TCP/HTTP proxy, having a good bastion firewall before it is preferred.


(Tom Ray) #11

Then I way under-use it, as I generally turn off fail2ban since I have a firewall. I really don't want to learn about things after the fact and have fail2ban tell me "Oh, we blocked someone after we found out they did bad things." I just block them before the bad things happen.

That's BS. So you're saying that all the major providers out there that use 5060, UDP and not TLS are just insecure? Flowroute, VoIP.ms, Twilio, Telnyx, all of them? They are all just insecure?

TLS can increase your level of security but it’s not the only way to secure your SIP network.


#12

Those providers that insist on UDP/5060 can be pin-holed at the firewall (and in my case are; I don't use any that use random sources for inbound calls, though).


(Tom Ray) #13

So you don’t use any providers that might send calls from multiple /32’s or a block like a /28 or so? That list is shrinking on the retail side since a lot of them are now using SRV records and multiple IPs to send and receive calls over. It’s, what’s that word, redundancy. Yeah, that’s it.


#14

They all use multiple sources, but all provide a list of IP addresses to expect calls to your IP to come from.


(Tom Ray) #15

Of course they do. Real providers just don't tell you where calls are coming from and let you figure it out. You're either registering to them, and that deals with it, or you're telling them what your IPs are and they tell you what theirs are, and boom, you can have communication.

Please show me a provider that doesn’t provide you a list of IPs their requests are coming from. SIP that is, otherwise Let’s Encrypt ends up on the list.


#16

All layers of the onion. I actually do listen for UDP on 5060, but to get past iptables, packets from non-whitelisted IPs have to present a valid public-allowed extension, user agent and domain name.

A directed/planned attack could work it out, but scanners are stopped cold. Iptables has dropped everything invalid that has hit it thus far.
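The pre-Asterisk filter this post describes can be modelled in a few lines, which makes the ordering of the checks explicit: allow-listed sources pass first, and everything else must be addressed to the PBX domain, come from a public-allowed extension, and carry a known user agent. This is an added example written in Python, not the poster's iptables rules: the domain, the extension set, the user-agent prefixes and the trusted network are all assumed values, and the SIP requests are constructed, not captured.

```python
import ipaddress
import re

# Assumed policy values (not from the post).
PBX_DOMAIN = "pbx.example.com"
PUBLIC_EXTENSIONS = {"2015551234", "2015551235"}          # extensions allowed from the internet
ALLOWED_USER_AGENT_PREFIXES = ("Yealink", "Polycom")      # the phone models deployed
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/28")]  # e.g. a trunk provider's published range

# Matches "sip:user@host" or "sip:host"; host stops at a port, parameter or ">".
SIP_URI_RE = re.compile(r"sips?:(?:(?P<user>[^@;>]+)@)?(?P<host>[^:;>\s]+)")


def parse_sip(datagram):
    """Split a SIP request into (method, request_uri, headers).

    Header names are lower-cased. Folded headers and compact header forms
    are not handled (assumption that keeps the model short).
    """
    head = datagram.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    if len(parts) != 3 or not parts[2].startswith("SIP/"):
        raise ValueError("not a SIP request line")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def decide(src_ip, datagram):
    """Return (action, reason) for one UDP/5060 datagram, mirroring the rule order in the post."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in TRUSTED_NETWORKS):
        return "ACCEPT", "allow-listed source"
    try:
        method, uri, headers = parse_sip(datagram)
    except ValueError as exc:
        return "DROP", str(exc)
    target = SIP_URI_RE.search(uri)
    if not target or target.group("host").lower() != PBX_DOMAIN:
        return "DROP", "request not addressed to the PBX domain"
    frm = SIP_URI_RE.search(headers.get("from", ""))
    if not frm or frm.group("user") not in PUBLIC_EXTENSIONS:
        return "DROP", "From user is not a public-allowed extension"
    if not headers.get("user-agent", "").startswith(ALLOWED_USER_AGENT_PREFIXES):
        return "DROP", "unknown user agent"
    return "ACCEPT", "%s from %s passed all checks" % (method, frm.group("user"))


def build_request(method, user, host, user_agent):
    """Construct a minimal SIP request for the examples below (constructed, not captured)."""
    uri = "sip:%s@%s" % (user, host)
    return ("%s %s SIP/2.0\r\n"
            "Via: SIP/2.0/UDP 198.51.100.77:5060;branch=z9hG4bKexample\r\n"
            "From: <%s>;tag=1a2b\r\n"
            "To: <%s>\r\n"
            "User-Agent: %s\r\n"
            "Content-Length: 0\r\n\r\n") % (method, uri, uri, uri, user_agent)


if __name__ == "__main__":
    cases = [
        ("203.0.113.5", "not even SIP"),                                                  # trusted range
        ("198.51.100.77", build_request("REGISTER", "2015551234", PBX_DOMAIN, "Yealink SIP-T46S")),
        ("198.51.100.77", build_request("OPTIONS", "100", "198.51.100.20", "scanner-probe")),
        ("198.51.100.77", build_request("INVITE", "100", PBX_DOMAIN, "Yealink SIP-T46S")),
        ("198.51.100.77", build_request("INVITE", "2015551234", PBX_DOMAIN, "softphone-x")),
    ]
    for src, dgram in cases:
        print(src, decide(src, dgram))
```

The scanner-style OPTIONS addressed to a bare IP is dropped at the domain check before any extension or user-agent matching happens, which is the point the post makes about scanners being stopped cold while a targeted attacker who learns all three values would still have to be handled by the layers behind it.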


#17

So where's the BS if you pin-hole them? Using registration is also another level of insecurity: if your account leaks by whatever means, then what? I also don't use HTTP-01, so that negates the Let's Encrypt argument, and sure, use your own SRVs if the provider will accept your name and not just your IP as destinations.


#18

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)