Kudos to the Firewall team! The new firewall and intrusion detection synchronization is FABULOUS! I can't tell you how long I have been waiting for this feature. It appears to be working great. Now we need to work on the fail2ban a little. I have fail2ban set for
Max Try: 2
Find time: 600
Ban time: 600000 and considering adding a few more zeros
but it doesn't seem to lock everyone out that's trying to hack my PBX, only those trying to authenticate I guess? I have the firewall set up in FreePBX with responsive enabled (chan_sip and pjsip only) and all of the phones are offsite at many locations; all have firewalls with NO SIP rules enabled. With NAT enabled all works well, but occasionally somehow someone will discover a phone and try to make calls to/through the phone? Hard to explain, but I have had numerous cases where the phone will ring with ext 100 (my extensions are 7 digits) but when you pick up there's nothing there. It's annoying my customers. This is what I see in sngrep:
XXX@pbx.domain.com:51 ZZZZ@pbx.domain.com 4 64.138.198.154:31000
XXX is a valid extension, ZZZZ is some random extension not on my system and the IP address is unknown to me. When I run a CDR report these concern me the most:
| clid | src | dst | dcontext | channel | lastapp | lastdata | duration | billsec | disposition | amaflags | accountcode | uniqueid |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d9e | Congestion | 5 | 12 | 12 | ANSWERED | 3 | 1614024301 | |
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d9d | Congestion | 5 | 12 | 12 | ANSWERED | 3 | 1614022678 | |
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d9c | Congestion | 5 | 12 | 12 | ANSWERED | 3 | 1614021093 | |
| "sipvicious" <100> | 100 | s | from-sip-external | PJSIP/anonymous-00004d9b | Congestion | 5 | 12 | 12 | ANSWERED | 3 | 1614020695 | |
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d9a | Congestion | 5 | 12 | 12 | ANSWERED | 3 | 1614019289 | |
| "9999999" <9999999> | 9999999 | s | from-sip-external | PJSIP/anonymous-00004d99 | Congestion | 5 | 12 | 12 | ANSWERED | 3 | 1614018772 | |
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d98 | Congestion | 5 | 12 | 12 | ANSWERED | 3 | 1614016206 | |
| "sipvicious" <100> | 100 | s | from-sip-external | PJSIP/anonymous-00004d97 | Congestion | 5 | 12 | 12 | ANSWERED | 3 | 1614015767 | |
| "201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d96 | Congestion | 5 | 12 | 12 | ANSWERED | 3 | 1614012322 | |
I have lots of experience in networking and firewalls, but I'm not sure what to do next to help clamp down on the potential fraud. I try to review my CDRs, but I have 7 PBX systems making about 45,000 valid calls a month, so it's a lot to review. I haven't found any completed calls that weren't actual extensions, but I assume it helps that my SIP is configured for domestic calls only.
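The post ends on the problem of reviewing tens of thousands of CDR rows by hand for traffic like the anonymous `from-sip-external` calls shown above. The script below is an added example, not code from the poster or from the FreePBX project: it parses a pipe-delimited CDR export in the same column layout as the table, separates unauthenticated inbound calls (an anonymous PJSIP channel or the `from-sip-external` context) from normal traffic, counts them by caller-ID name, flags rows whose caller-ID name matches a known scanner string (`sipvicious`, taken from the post; the `SCANNER_NAMES` set is an assumption you would extend from your own logs), and lists the one case that matters most for fraud review: an anonymous call that did not end in `Congestion` and accumulated billable seconds. The sample rows are constructed for the example; the last one is a deliberately planted "completed anonymous call" so the triage has something to find.

```python
import re
from collections import Counter

# Column order of the CDR rows shown in the post.
CDR_COLUMNS = ["clid", "src", "dst", "dcontext", "channel", "lastapp", "lastdata",
               "duration", "billsec", "disposition", "amaflags", "accountcode", "uniqueid"]

# Caller-ID names announced by known SIP scanners. "sipvicious" comes from the
# post's own CDR; extending this set from your own logs is an assumption.
SCANNER_NAMES = {"sipvicious"}

# Constructed sample export (not real CDR data). The last row is a planted
# anonymous call that was actually dialled and answered.
SAMPLE_CDR = """\
clid | src | dst | dcontext | channel | lastapp | lastdata | duration | billsec | disposition | amaflags | accountcode | uniqueid
---|---|---|---|---|---|---|---|---|---|---|---|---
"201" <201> | 201 | s | from-sip-external | PJSIP/anonymous-00004d9e | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614024301.1
"sipvicious" <100> | 100 | s | from-sip-external | PJSIP/anonymous-00004d9b | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614020695.2
"9999999" <9999999> | 9999999 | s | from-sip-external | PJSIP/anonymous-00004d99 | Congestion | 5 | 12 | 12 | ANSWERED | 3 | | 1614018772.3
"Alice" <2125551234> | 2125551234 | 2125557777 | from-internal | PJSIP/2125551234-00004d90 | Dial | PJSIP/trunk/sip:12125557777@provider | 95 | 88 | ANSWERED | 3 | | 1614018000.4
"201" <201> | 201 | 2125550000 | from-sip-external | PJSIP/anonymous-00004da0 | Dial | PJSIP/trunk/sip:12125550000@provider | 40 | 35 | ANSWERED | 3 | | 1614030000.5
"""


def parse_cdr(text):
    """Parse pipe-delimited CDR rows (header and markdown separator tolerated) into dicts."""
    records = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or set(stripped) <= set("-| "):
            continue  # blank line or a "---|---" separator row
        cells = [c.strip() for c in stripped.strip("|").split("|")]
        if cells[0] == "clid":
            continue  # header row
        # Pad or truncate so every record has exactly the expected columns.
        cells = (cells + [""] * len(CDR_COLUMNS))[:len(CDR_COLUMNS)]
        rec = dict(zip(CDR_COLUMNS, cells))
        rec["billsec"] = int(rec["billsec"] or 0)
        records.append(rec)
    return records


def clid_name(clid):
    """Return the display name from an Asterisk clid such as '"201" <201>'."""
    m = re.match(r'^"([^"]*)"', clid.strip())
    return m.group(1) if m else clid.strip()


def is_anonymous(rec):
    """True for unauthenticated inbound calls: anonymous channel or from-sip-external context."""
    return (rec["channel"].startswith("PJSIP/anonymous-")
            or rec["dcontext"] == "from-sip-external")


def triage(records):
    """Summarise unauthenticated traffic so a large CDR export can be reviewed quickly."""
    anon = [r for r in records if is_anonymous(r)]
    return {
        "anonymous_total": len(anon),
        "by_clid": Counter(clid_name(r["clid"]) for r in anon),
        "scanner_hits": sum(1 for r in anon
                            if clid_name(r["clid"]).lower() in SCANNER_NAMES),
        # Highest priority for fraud review: anonymous calls that got past
        # Congestion and were billable.
        "completed_anonymous": [r["uniqueid"] for r in anon
                                if r["lastapp"] != "Congestion" and r["billsec"] > 0],
    }


if __name__ == "__main__":
    summary = triage(parse_cdr(SAMPLE_CDR))
    print("unauthenticated inbound calls:", summary["anonymous_total"])
    print("by caller-ID name:", dict(summary["by_clid"]))
    print("known scanner names seen:", summary["scanner_hits"])
    print("REVIEW: completed anonymous calls:", summary["completed_anonymous"])
```

Feed it a real export by replacing `SAMPLE_CDR` with the file contents; the `completed_anonymous` list is the one worth reading line by line, since rows that end in `Congestion` with a uniform 12-second duration are scanner noise, and a non-zero `billsec` on an anonymous channel is the pattern that indicates a call actually went somewhere.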