I have a PBX that gets 100’s if not 1000’s of attempts to register phones from different IP addresses. My firewall is properly configured. What do I need to do to prevent this attempts for additional security?
Since you are apparently allowing anyone to try to connect on port 5060, you either need to tighten up the list of who can access that port in the Integrated Firewall, or turn on the Adaptive Firewall so that failed attempts will lock out the intruders.
Responsive Firewall is enabled so I’m not sure if more is needed
The RF should be handling the issues.
Remember, the only time you need to open the SIP ports to the outside world is if you can’t control where people are dialing in from. Best Practices include using Dynamic DNS or a VPN to control access and locking everyone but your SIP provider out on the SIP ports.
They use the bria app and float everywhere. I had legacy sip on. Would that be related?
If you can get the users to establish Dynamic DNS services on their phones, you can associate hostnames with each user’s phone, and then you can whitelist those hostnames in the Integrated Firewall. Once you are done with that, you can turn off the Adaptive Firewall and lock everything down.
Failing that, setting up the phones so they VPN into your network, and then connect Bria through the “VPN Local” network will also solve your problem. The goal is to get the number of “stragglers” down to zero so you can rest more easily knowing that the only people that can reach 5060 are people you want to.
you can firewall out ip ranges of whole countries to your port , that should help massively
Most better routers allows you to setup a access rule with Geo based access.
Also, if you change 5060 to a random port, you already decrease the chances of being hacked to at least 80%
That’s a good idea. How do you get the up blocks?
pfsense has integration with pfblockerng, otherwise you may have to build your rules manually -
I had a same problem and I use the Bria app also. Even though no-one was able to use my system I found always having active calls annoying when I knew there was no valid calls made me research how to correct the issue.
I had to go to “Setting - Sip Settings” “General Sip Settings” Say No to “Allow Anonymous Inbound SIP Calls”
then go to “Chan Sip Settings” “Allow SIP Guests” and say “No”
I also had responsive Firewall enabled but that did not stop the unwanted tries.
What I now get in the log is a lot of lines like below but my CDR report only shows actual calls made and no attempt to get in.
NOTICE chan_sip.c: Registration from ‘“209” <sip:email@example.com:5060>’ failed for ‘126.96.36.199:5910’ - Wrong password
Before that my CDR report would look like below and all of them were every minute or so
Date CallerID APP Destination. Disposition
2019-01-10 12:08:00 7000 Congestion s [from-sip-external] ANSWERED 00:12
You will not stop attempts but proper passwords and dial plans will ensure that no one is able to use your PBX.
We have found using PFBlocker on PFSense & the voipbl.org IP list works well, along with country level blocking.
Our system is cloud based
pfsense can run virtual. you really should have a firewall or an SBC in front of the wilderness
Unfortunately, the responsive firewall is not working well in the Freepbx system and there for you are suffering from those attacks on your pbx .
You need to write a bash script that will be executed daily. It will collect the banned ip addresses from the fail2ban IDS system and insert them to the iptables firewall as a permanent block. Of course you will have to tight your fail2ban configuration and the iptables firewall configuration.
You can PM me if you will need more assistance.
thats not a bad idea. Does someone have this script and how to set it up?
Fail2ban >= 0.9 supports permanent bans with bantime=-1 ie the banned ip’s are retained over a restart in the sqlite3 database forever
IPTables script. Lock down the goodies to your static ips or dyndns addresses and voip providers. I haven’t used freepbx’s magic firewall.
The Responsive Firewall in the FreePBX distro using rate-limiting to manage the fact it opens SIP Signaling ports on the system. fail2ban also uses rate-limiting for checking the logs. So while the OP is going on about 100’s or 1000’s of attempts from different IPs there is no data provided to show the activity of said attempts and those IPs that made the attempts.
It doesn’t matter if the Responsive Firewall (aka iptables) or fail2ban is the method you are using. The logic is still the same X attempts in Y time period. So if it’s 10 attempts in 60 seconds that means Source-IP-A must send 11 attempts in under 60 seconds for either the Firewall or fail2ban to catch that it’s a problem IP. If Source-IP-A sends 6 calls at a time and does it every 30 seconds, none of the rate limiting checks will catch it.
At some point the actual logs and traffic patterns will need to be looked at because like I said if Source-IP-A is making 6 attempts every 30 seconds the standard rate-limiting is not going to flag that as an issue because it doesn’t trigger it.
Do all your SIP devices connect to the FreePBX from the same IP? If they do, you just need to make a rule in IPTABLES on your FreePBX to only allow that IP to port 5060 or whatever port you use and same for any of your upstream provider IP’s… In this case you wont have any failed attempts because the offenders will not get past IPTABLES.
If you have mobile users, I would suggest to have a script that will create a ban for offending IP on the router. Since I use Mikrotik routers exclusively it is rather simple to accomplish.My rule permanently ban offending IP’s. But be aware fail2ban is a bit slow and sometimes there can be > 1000 failed attempts before the IP is actually banned.