New FPBX install from source allowing brute force attempts on exts. Distro doesn't?

Hi all, I’ve recently manually installed CentOS 5.5, Asterisk 1.8.20 and FreePBX 2.9 on a server.

I have alwaysauthreject set to yes in my configs.

I am penetration testing the PBX and finding it's allowing me to brute force extensions. As far as I recall, the distro version prevents this somehow.

I'm using SIPVicious to do my testing. I've scanned other known IPs using FreePBX and the brute force fails due to unknown response. On my install SIPVicious cracks away until it gets the password.

Any ideas on resolving this? I've searched and searched with no luck.

You are using old software, try the Schmooze distro, or at least use fail2ban set up appropriately for your version of Asterisk as an intermediary between the attacker and your box.

I am running fail2ban, I’ve temporarily disabled it for penetration testing. I have no problem with upgrading, I made the assumption perhaps wrongly that 2.10 was mostly just a UI change.

I can't use the distro as it's a dedicated server with no option to install via ISO. (It's possible, but I'm a cheapskate)

Will installing 2.10 mitigate these bruteforces?
Not directly, Asterisk intrinsically allows valid connections . . . even invalid ones :-).

FreePBX is an interface to Asterisk but provides no direct IDS services; the Schmooze distro contains a “commercial but free” implementation of fail2ban that has rules to catch many newer penetration attempts. You will need to install Zend Guard to avail yourself of it outside the distro though. These rules are commonly available for non-Schmooze fail2bans of course.

Best practice is not to use 5060 for SIP and implement a firewall that denies any “unfriendly” hosts. Unfortunately those who want access to your implementation will almost always prevail, they are far cleverer than you or even asterisk as we know it :wink: Hence the need for other external and rigorous prophylactic measures.
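To illustrate what a fail2ban-style rule for this thread's scenario actually does, here is an added example (not code from the thread or from FreePBX/fail2ban): it parses constructed Asterisk 1.8 chan_sip "Registration from ... failed" log lines and flags any source IP that fails maxretry times within findtime seconds, the same counting that a fail2ban jail performs before it bans. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Asterisk 1.8 chan_sip NOTICE lines (not from the thread).
# 198.51.100.7 walks extension numbers quickly; 192.0.2.44 is a slow, legitimate-looking typo.
SAMPLE_LOG = """\
[2013-03-01 10:00:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2013-03-01 10:00:02] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2013-03-01 10:00:02] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@203.0.113.10>' failed for '198.51.100.7:5060' - No matching peer found
[2013-03-01 10:00:03] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2013-03-01 10:00:03] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@203.0.113.10>' failed for '198.51.100.7:5060' - Wrong password
[2013-03-01 10:05:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
[2013-03-01 10:20:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@203.0.113.10>' failed for '192.0.2.44:5060' - Wrong password
"""

# Match any failure reason ("Wrong password", "No matching peer found", ...):
# with alwaysauthreject=yes the scanner cannot tell these apart on the wire,
# so the detection must not distinguish them either.
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<who>[^']*)' failed for '(?P<ip>[\d.]+):\d+' - (?P<reason>.*)$"
)

def parse_failures(text):
    """Yield (timestamp, source_ip, reason) for each failed-registration line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["reason"]

def offenders(text, maxretry=5, findtime=600):
    """Return {ip: time_of_trip} for sources with >= maxretry failures inside findtime seconds."""
    window = timedelta(seconds=findtime)
    hits = defaultdict(list)
    tripped = {}
    for ts, ip, _reason in parse_failures(text):
        if ip in tripped:
            continue  # already flagged; a real jail would have banned it by now
        hits[ip] = [t for t in hits[ip] if ts - t <= window] + [ts]
        if len(hits[ip]) >= maxretry:
            tripped[ip] = ts
    return tripped

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE_LOG).items():
        print(f"{ip} exceeded threshold at {when}")
```

With the thresholds above the fast scanner is flagged on its fifth failure while the slow source is not, which is exactly the trade-off a jail's maxretry/findtime pair encodes.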

I’m considering installing an IDS but something is definitely missing from my install; like I said, the distro install doesn’t allow SIPVicious brute force attempts.

I’m confused, why would you like your system to be “brute forced”? Unless you are working for a “Chinese University” the attempts will normally come from another host than 127.0.0.1, no?

I don’t want brute force attempts on my system. To clarify:

On vanilla installs of the FreePBX distro, SIPVicious fails to brute force passwords. I believe Asterisk refuses to respond to anything that's not got the correct user/pass. (It's not fail2ban causing this behaviour)

However on my install, SIPVicious can successfully brute force an extension and Asterisk makes no attempt to stop it.

As previously stated, Asterisk has no mechanism to notice such attempts, that is why you need “external prophylaxes”.

I will setup a virtual machine, double check, and update this thread.

I’m 80% certain out of the box FreePBX isn't susceptible to a SIPVicious svcrack.py attack.

Don’t rely on that 20%, I can assure you the OOTB FreePBX ISO distribution, or any other deployment you care for, IS and will always be a subject of attack by those who care to do so. Further, SIPVicious is old school and doesn’t even come close to what these new clever bastards are doing.

Ostrich thinking means that if you bury your head in the sand only other ostriches will see you; a badly implemented IDS is more dangerous to you than none, you seriously think you are protected, but maybe someone stuck a pin in your condom and you don’t even know.

Seriously, the Chinese attack vectors are NOT ostriches (nor the ex-Soviet bloc vectors, nor the Palestinians) and they REALLY will get you.

(Been there, done that, paid for my cock-ups, but eventually learned . . . )

And no, I am not a paranoid xenophobe, just a pragmatist; it’s just where to look for those probes, believe me you will find them on a daily basis if you just care to look at your bare-naked deployment.

Did you reload settings after alwaysauthreject=yes ?

I’ve tested it on a from-scratch install and SIPVicious did not find anything.

Doesn’t really have much to do with FreePBX anyway. It’s all Asterisk.