Kudos to the Firewall team! The new firewall and intrusion detection synchronization is FABULOUS! I can't tell you how long I have been waiting for this feature. It appears to be working great. Now we need to work on the fail2ban a little. I have fail2ban set for
Max Try: 2
Find time: 600
Ban time: 600000 and considering adding a few more zeros
but it doesn't seem to lock everyone out that's trying to hack my PBX, only those trying to authenticate I guess? I have the firewall set up in FreePBX with responsive enabled (chan_sip and pjsip only) and all of the phones are offsite at many locations; all have firewalls with NO SIP rules enabled. With NAT enabled all works well, but occasionally somehow someone will discover a phone and try to make calls to/through the phone? Hard to explain, but I have had numerous cases where the phone will ring with ext 100 (my extensions are 7 digits) but when you pick up there's nothing there. It's annoying my customers. This is what I see in sngrep
XXX is a valid extension, ZZZZ is some random extension not on my system and the IP address is unknown to me. When I run a CDR report these concern me the most:
| clid | src | dst | dcontext | channel | lastapp | lastdata | duration | billsec | disposition | amaflags | accountcode | uniqueid |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d9e | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614024301 |
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d9d | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614022678 |
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d9c | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614021093 |
| "sipvicious" <100> | 100 | s | from-sip-external | PJSIP/anonymous-00004d9b | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614020695 |
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d9a | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614019289 |
| "9999999" <9999999> | 9999999 | s | from-sip-external | PJSIP/anonymous-00004d99 | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614018772 |
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d98 | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614016206 |
| "sipvicious" <100> | 100 | s | from-sip-external | PJSIP/anonymous-00004d97 | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614015767 |
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d96 | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614012322 |
I have lots of experience in networking and firewalls but I'm not sure what to do next to help clamp down on the potential fraud. I try to review my CDRs, but I have 7 PBX systems making about 45,000 valid calls a month so it's a lot to review. I haven't found any completed calls that weren't actual extensions, but I assume it helps that my SIP is configured for domestic calls only.
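A first automated pass over a CDR export of that size, as an added example that is not part of the thread and not FreePBX's own reporting: it keys on the two signals visible in the report above (calls landing in the `from-sip-external` guest context on a `PJSIP/anonymous-*` channel) and flags any record that reached `Dial` from a source that is not a real extension. The tab-separated layout, the `KNOWN_EXTENSIONS` set and all sample rows are constructed for the example; the first four rows mirror the post's report.

```python
"""Triage an Asterisk/FreePBX CDR export for calls that arrived unauthenticated.

Added example, not from the thread. Assumes a tab-separated export with the 13
columns shown in the post (accountcode may be empty).
"""
from collections import Counter

# Column order as in the CDR report in the post.
CDR_FIELDS = ["clid", "src", "dst", "dcontext", "channel", "lastapp", "lastdata",
              "duration", "billsec", "disposition", "amaflags", "accountcode", "uniqueid"]

# Constructed sample rows (tab-separated). Rows 1-4 mirror the post's report, row 5 is a
# normal internal call, row 6 is a constructed guest call that reached Dial: the kind of
# record a human should look at.
SAMPLE_CDR = "\n".join([
    '"201" <201>\t201\ts\tfrom-sip-external\tPJSIP/anonymous-00004d9e\tCongestion\t5\t12\t12\tANSWERED\t3\t\t1614024301',
    '"sipvicious" <100>\t100\ts\tfrom-sip-external\tPJSIP/anonymous-00004d9b\tCongestion\t5\t12\t12\tANSWERED\t3\t\t1614020695',
    '"9999999" <9999999>\t9999999\ts\tfrom-sip-external\tPJSIP/anonymous-00004d99\tCongestion\t5\t12\t12\tANSWERED\t3\t\t1614018772',
    '"201" <201>\t201\ts\tfrom-sip-external\tPJSIP/anonymous-00004d96\tCongestion\t5\t12\t12\tANSWERED\t3\t\t1614012322',
    '"Alice" <1234567>\t1234567\t7654321\tfrom-internal\tPJSIP/1234567-00004d95\tDial\tPJSIP/7654321\t45\t40\tANSWERED\t3\t\t1614011000',
    '"100" <100>\t100\t915551234567\tfrom-sip-external\tPJSIP/anonymous-00004d90\tDial\tPJSIP/915551234567@trunk\t30\t25\tANSWERED\t3\t\t1614010000',
])

# Extensions that really exist on this PBX (constructed; the post says they are 7 digits).
KNOWN_EXTENSIONS = {"1234567", "7654321"}
GUEST_CONTEXT = "from-sip-external"


def parse_cdr(text):
    """Turn the export into a list of dicts keyed by CDR_FIELDS; skip malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split("\t")
        if len(parts) != len(CDR_FIELDS):
            continue
        rows.append(dict(zip(CDR_FIELDS, parts)))
    return rows


def is_guest_call(row):
    """A call that hit the guest context on an anonymous channel was never authenticated."""
    return row["dcontext"] == GUEST_CONTEXT and "anonymous" in row["channel"]


def guest_callers(rows):
    """Count guest calls per caller ID; compare the result with the source IPs sngrep shows."""
    return Counter(r["clid"] for r in rows if is_guest_call(r))


def calls_needing_review(rows):
    """uniqueids worth a human look: guest calls that got past Congestion, or any call that
    reached Dial from a src that is not a known extension (possible toll fraud)."""
    flagged = []
    for r in rows:
        got_past_congestion = is_guest_call(r) and r["lastapp"] != "Congestion"
        dial_from_stranger = r["lastapp"] == "Dial" and r["src"] not in KNOWN_EXTENSIONS
        if got_past_congestion or dial_from_stranger:
            flagged.append(r["uniqueid"])
    return flagged


if __name__ == "__main__":
    cdr = parse_cdr(SAMPLE_CDR)
    for clid, n in guest_callers(cdr).most_common():
        print(f"{n:4d} guest calls from {clid}")
    print("review:", calls_needing_review(cdr))
```

On the sample data the noisy `"201"` and `"sipvicious"` rows are counted but not flagged (they all died in Congestion), and only the constructed row that reached `Dial` from the guest context is returned for review. Run the same two functions over a month's export per PBX and the 45,000 legitimate rows drop out of the picture.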
Those are not technically intrusion attempts, just stray calls. Disable SIP Guests and Anonymous Calls in Asterisk SIP Settings, and they will just be quietly dropped without a CDR record.
And the rest of the world will still know that your system is available to further, more directed attacks (these guys are not stupid . . . ostriches put their heads in the sand so they can communicate with other ostriches).
To see what you are otherwise exposing, try
ss -ltuna
It is thusly easy to define a "fingerprint" of any particular system "flavor" using netcat if they already found the "low hanging fruit" of udp:5060.
OK, I get that changing the signaling port to something different may make it feel like it's more secure, but it's not. As you noted, these people aren't dumb; they've realized for the past 15 years this has been the go-to answer given by many "gurus" over the years.
They do not just scan standard SIP ports, they scan a lot of ports. So sure you can change your port from 5060 but that does not secure you properly. Only proper security rules/firewall rules, etc are going to secure you properly.
So if the rest of the world now knows this system is open and they can attack it, do you think they're going to be like "Oh, 5060 is closed, they got us. Darn them kids"? No. They will try other vectors.
Not having Allow Guests and leaving your PBX open to anyone also makes for cleaner logs. So there is that. A properly setup system with proper firewall rules also makes for cleaner logs.
Some "scan" for ports, usually between 5000 and 5999. You need port scan detection in your firewall: 5 ports and you're out.
I only rarely see scans not on UDP. Don't use UDP; TLS by preference.
The vectors are the Asterisk Management port and, for FreePBX, the various http/s ports you have open, which by default will be the same for most folks. All the successful recent penetrations have come not through VoIP but through flaws in the code.
If your "Intrusion Detection System" has only VoIP being watched then you are under-using it.
If you allow connections to other than your domain name to any service you are less protected, and as dig -x your.ip.add.ress often leaks the domain name you are using, sensitive services would better be on a separate obscure domain with SNI enforced.
So changing your port in itself doesn't increase your security; it does make the target a lot smaller. Increasing the security at the bare minimum would insist on TLS for everything and enforcing SNI, while dropping any HTTP access to your IP address and rewriting HTTP to HTTPS for everything to your domain.
Although this can all be done on your PBX host with a TCP/HTTP proxy, having a good bastion firewall before it is preferred.
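The "5 ports and you're out" rule from the post, as an added example that is not part of the thread and not any firewall product's own feature: it reads iptables-style LOG lines and flags a source once it has touched five distinct destination ports inside a sliding time window. The log excerpt, the addresses and the thresholds are constructed for the example.

```python
"""Flag sources that probe many ports in a short window (the "5 ports and you're out"
rule). Added example; the log lines are constructed in the iptables LOG-target style
and are not taken from any real system."""
import re
from collections import defaultdict

SCAN_PORT_THRESHOLD = 5     # distinct destination ports from one source ...
SCAN_WINDOW_SECONDS = 60    # ... within this many seconds

# Constructed syslog excerpt: epoch timestamp, then iptables LOG fields.
# 203.0.113.7 sweeps five ports in five seconds (the pattern the post describes),
# 198.51.100.99 only retries 5060, and 192.0.2.50 touches five ports but 100 s apart.
SAMPLE_LOG = """\
1614024300 kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=5062 DPT=5060
1614024301 kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=5062 DPT=5061
1614024302 kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=5062 DPT=5070
1614024303 kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=5062 DPT=5080
1614024304 kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=5062 DPT=5090
1614024305 kernel: FW-DROP IN=eth0 SRC=203.0.113.7 DST=198.51.100.10 PROTO=UDP SPT=5062 DPT=5060
1614024310 kernel: FW-DROP IN=eth0 SRC=198.51.100.99 DST=198.51.100.10 PROTO=UDP SPT=5060 DPT=5060
1614024320 kernel: FW-DROP IN=eth0 SRC=198.51.100.99 DST=198.51.100.10 PROTO=UDP SPT=5060 DPT=5060
1614024400 kernel: FW-DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=40000 DPT=22
1614024500 kernel: FW-DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=40001 DPT=80
1614024600 kernel: FW-DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=40002 DPT=443
1614024700 kernel: FW-DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=40003 DPT=5038
1614024800 kernel: FW-DROP IN=eth0 SRC=192.0.2.50 DST=198.51.100.10 PROTO=TCP SPT=40004 DPT=8080
"""

LOG_RE = re.compile(r"^(?P<ts>\d+) .*\bSRC=(?P<src>[\d.]+) .*\bDPT=(?P<dpt>\d+)")


def parse_events(text):
    """Return (timestamp, source_ip, dest_port) tuples in time order; ignore other lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m:
            events.append((int(m["ts"]), m["src"], int(m["dpt"])))
    return sorted(events)


def detect_scanners(events, threshold=SCAN_PORT_THRESHOLD, window=SCAN_WINDOW_SECONDS):
    """Return {source_ip: timestamp at which it first hit `threshold` distinct ports
    within `window` seconds}. A source is reported once; this is where a real
    deployment would add it to the block set."""
    history = defaultdict(list)   # source_ip -> [(ts, port), ...] in time order
    flagged = {}
    for ts, src, dpt in events:
        if src in flagged:
            continue
        hist = history[src]
        hist.append((ts, dpt))
        # Expire entries that fell out of the window (lists are tiny per source).
        while hist and hist[0][0] < ts - window:
            hist.pop(0)
        if len({port for _, port in hist}) >= threshold:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in detect_scanners(parse_events(SAMPLE_LOG)).items():
        print(f"scanner {src} reached the port threshold at {ts}")
```

With the default 60-second window only the fast sweep is caught; the slow source that spaces its probes 100 seconds apart is only reported if the window is widened, which is the usual trade-off between catching slow scans and never banning a legitimate multi-port client.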
Then I way under-use it, as I generally turn off fail2ban since I have a firewall. I really don't want to learn about things after the fact and have fail2ban tell me "Oh, we blocked someone after we found out they did bad things." I just block them before the bad things happen.
That's BS. So you're saying that all the major providers out there that use 5060, UDP and not using TLS are just insecure? Flowroute, VoIP.ms, Twilio, Telnyx, all of them? They are all just insecure?
TLS can increase your level of security but it's not the only way to secure your SIP network.
Those providers that insist on UDP/5060 can be pin-holed at the firewall (and in my case are; I don't use any that use random sources for inbound calls though).
So you don't use any providers that might send calls from multiple /32s or a block like a /28 or so? That list is shrinking on the retail side since a lot of them are now using SRV records and multiple IPs to send and receive calls over. It's, what's that word, redundancy. Yeah, that's it.
Of course they do. Real providers just don't tell you where calls are coming from and let you figure it out. You're either registering to them and that deals with it, or you're telling them what your IPs are and they tell you what theirs are and boom, you can have communication.
Please show me a provider that doesn't provide you a list of IPs their requests are coming from. SIP, that is; otherwise Let's Encrypt ends up on the list.
All layers of the onion. I actually do listen for UDP on 5060, but to get past iptables, packets from non-whitelisted IPs have to present a valid public-allowed extension, user agent and domain name.
A directed/planned attack could work it out, but scanners are stopped cold. Iptables has dropped everything invalid that has hit it thus far.
So where's the BS if you pin-hole them? Using registration is also another level of insecurity: if your account leaks by whatever means, then what? I also don't use HTTP-01, so that negates the Let's Encrypt argument, and sure, use your own SRVs if the provider will accept your name and not just your IP as destinations.
Any good videos on setting up TLS properly? I haven't seen any videos on how to properly set up security in FreePBX beyond the minimal firewall stuff. Also, not sure why, but my IP has been banned a few times even though it's on the whitelist?? Thought that wasn't supposed to happen? Fortunately I have multiple IPs that are whitelisted so I can still get in, but still surprised I keep getting banned (playing with phone configs).
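The layered policy described two posts up (whitelisted sources pass; everyone else must name a public-allowed extension, present an expected User-Agent and address the PBX's own domain), as an added userspace illustration that is not the poster's iptables rules and not part of the thread. It parses a SIP INVITE and applies the three string checks; the whitelist block, the domain, the extension set, the User-Agent pattern and both sample INVITEs are constructed for the example, and the check is written for INVITEs only.

```python
"""Illustration of a layered SIP admission policy: whitelisted IPs pass, unknown
sources must match extension, User-Agent and domain. Added example, not the
poster's kernel rules; every address, name and extension here is constructed."""
import ipaddress
import re

WHITELIST = [ipaddress.ip_network("198.51.100.0/28")]         # constructed provider block
PUBLIC_EXTENSIONS = {"1234567", "2345678"}                     # constructed: reachable unauthenticated
EXPECTED_UA = re.compile(r"^(Yealink|Polycom|Grandstream)", re.I)  # constructed phone fleet
OUR_DOMAIN = "pbx.example.com"                                 # constructed

# Constructed request resembling the scanner traffic in the post's CDR table:
# addressed to the bare IP, asking for extension 100, unknown User-Agent.
SCANNER_INVITE = (
    "INVITE sip:100@198.51.100.10 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.7:5062;branch=z9hG4bK-constructed\r\n"
    "From: \"sipvicious\" <sip:100@198.51.100.10>;tag=1\r\n"
    "To: <sip:100@198.51.100.10>\r\n"
    "User-Agent: scanner/1.0 (constructed)\r\n"
    "Content-Length: 0\r\n\r\n")

# Constructed request from an offsite phone: our domain, a public extension, fleet UA.
PHONE_INVITE = (
    "INVITE sip:2345678@pbx.example.com:5060 SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.0.2.77:5060;branch=z9hG4bK-constructed\r\n"
    "From: \"Branch phone\" <sip:1234567@pbx.example.com>;tag=2\r\n"
    "To: <sip:2345678@pbx.example.com>\r\n"
    "User-Agent: Yealink SIP-T46S (constructed)\r\n"
    "Content-Length: 0\r\n\r\n")


def parse_sip(text):
    """Return (method, request_uri, headers) with header names lower-cased."""
    lines = text.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        return None, "", {}
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break                      # end of headers
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def uri_user_and_host(uri):
    """Pull user and host (host may carry a port) out of sip:user@host;params."""
    m = re.search(r"sips?:(?:([^@>;]+)@)?([^;>\s]+)", uri)
    if not m:
        return None, None
    return m.group(1), m.group(2)


def allow(src_ip, request):
    """Decide whether this INVITE from src_ip should reach Asterisk at all.
    Returns (allowed, reason) so the reason can be logged."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in WHITELIST):
        return True, "whitelisted source"
    method, uri, headers = parse_sip(request)
    if method != "INVITE":
        return False, "only INVITE is checked by this example"
    user, host = uri_user_and_host(uri)
    if user not in PUBLIC_EXTENSIONS:
        return False, f"request-URI user {user!r} is not a public extension"
    if (host or "").split(":")[0] != OUR_DOMAIN:
        return False, "request not addressed to our domain name"
    if not EXPECTED_UA.match(headers.get("user-agent", "")):
        return False, "unexpected User-Agent"
    return True, "passed extension, domain and User-Agent checks"


if __name__ == "__main__":
    print(allow("203.0.113.7", SCANNER_INVITE))
    print(allow("192.0.2.77", PHONE_INVITE))
```

Asking for the domain name rather than the bare IP is the check that stops address-sweeping scanners cold, exactly as the post says; a targeted attacker who has learned the domain, a public extension and the fleet's User-Agent string would pass these three checks, which is why they sit in front of, not instead of, authentication.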
If you are getting a lot of this traffic, try using a tool like sngrep to monitor incoming traffic for a while and see where the nuisance INVITEs are coming from.
Note that the kernel firewall blocks the traffic after it is already seen by the server, so in sngrep you will probably notice some INVITE packets to which Asterisk does not reply. That's good; those are being blocked by the firewall. The ones you would want to focus on are the ones where Asterisk replies.