Question about FreePBX Firewall

I got firewall enabled and running on my FreePBX system and I got some questions:

  1. After the latest update (or maybe some updates ago) it stopped blocking hosts. I get tons of logs like these:

[2016-06-01 10:49:25] NOTICE[29659]: chan_sip.c:28446 handle_request_register: Registration from '"90000" <sip:[email protected]:5060>' failed for '74.208.12.240:5105' - Wrong password
[2016-06-01 10:49:27] NOTICE[29659]: chan_sip.c:28446 handle_request_register: Registration from '"816" <sip:[email protected]:5060>' failed for '74.208.12.240:5097' - Wrong password
[2016-06-01 10:49:27] NOTICE[29659]: chan_sip.c:28446 handle_request_register: Registration from '"530" <sip:[email protected]:5060>' failed for '74.208.12.240:5071' - Wrong password
[2016-06-01 10:49:34] NOTICE[29659]: chan_sip.c:28446 handle_request_register: Registration from '"540" <sip:[email protected]:5060>' failed for '74.208.12.240:5090' - Wrong password
[2016-06-01 10:49:35] NOTICE[29659]: chan_sip.c:28446 handle_request_register: Registration from '"3411" <sip:[email protected]:5060>' failed for '74.208.12.240:5091' - Wrong password
[2016-06-01 10:49:36] NOTICE[29659]: chan_sip.c:28446 handle_request_register: Registration from '"601" <sip:[email protected]:5060>' failed for '74.208.12.240:5092' - Wrong password
[2016-06-01 10:49:42] NOTICE[29659]: chan_sip.c:28446 handle_request_register: Registration from '"1511" <sip:[email protected]:5060>' failed for '74.208.12.240:50

The IP is blocked in neither the Firewall nor Fail2ban. Shouldn't it be blocked?

  2. How can I get an email after a host has been blocked? When I was using only Fail2Ban (Intrusion Detection) I had emails coming, but now with the firewall I don't.

My module versions are:

| Module | Version | Status |
|---|---|---|
| framework | 13.0.124 | Enabled |
| core | 13.0.91 | Enabled |
| firewall | 13.0.33 | Enabled |
| sysadmin | 13.0.57.4 | Enabled |

Email is properly set up (i.e. the system sends email) and the retry count on fail2ban is 5.

Thanks in advance,
esarant

I did a remove and reinstall of the firewall and now it seems to be working and blocking hosts. The problem now is that I get the following emails:

Hi, The IP 74.208.12.240 has just been banned by Fail2Ban after 136 attempts against SIP on xxxx Regards, Fail2Ban

Hi, The IP 74.208.12.240 has just been banned by Fail2Ban after 104 attempts against SIP on ****** Regards, Fail2Ban

There are two problems. First, I have set up the block at 5 attempts and the emails say 100+, and second, there are 3 more IPs blocked for which I have not received any email.

Yes, the issue with how many attempts means they hit your system so fast it could not block them after 5: they hit you 136 times instantly, and fail2ban has to parse the logs after it happens to block people.
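The point made in the reply above (the log is parsed after the fact, so a fast burst is already on disk by the time the ban fires) is worth seeing in code. The block below is an added example written for this page, not fail2ban's or FreePBX's own code: a toy jail that matches the chan_sip failed-REGISTER lines quoted in this thread, counts failures per source IP inside a `findtime` window, bans at `maxretry`, and reports the failure count at ban time the way the Fail2Ban emails do. Log lines are constructed inline with RFC 5737 documentation addresses; the `ignoreip` whitelist models the advice further down the thread to whitelist your VoIP provider. The batch-at-a-time poller is a simplification of how a real tail-and-parse loop behaves, which is the assumption that produces the "136 attempts" figure.

```python
"""Toy model of log-driven SIP brute-force banning (not fail2ban's code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Asterisk chan_sip failed-REGISTER lines, in the shape quoted in this thread.
FAIL_RE = re.compile(
    r"\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: chan_sip\.c:\d+ "
    r"handle_request_register: Registration from '[^']*' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.*)"
)


class SipJail:
    """Count failed REGISTERs per source IP in a sliding window and ban."""

    def __init__(self, maxretry=5, findtime=600, ignoreip=("127.0.0.0/8",)):
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        # strict=False tolerates host bits in a whitelist entry like 10.1.2.3/8.
        self.ignore = [ip_network(n, strict=False) for n in ignoreip]
        self.failures = defaultdict(deque)  # ip -> failure timestamps in window
        self.banned = {}                     # ip -> failures counted at ban time
        self.emails = []                     # (ip, attempts) notifications sent

    def _ignored(self, ip):
        addr = ip_address(ip)
        return any(addr in net for net in self.ignore)

    def feed(self, line):
        """Consume one log line; return the IP if it is now over maxretry."""
        m = FAIL_RE.search(line)
        if not m:
            return None
        ip = m["ip"]
        if self._ignored(ip) or ip in self.banned:
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = self.failures[ip]
        window.append(ts)
        while window and ts - window[0] > self.findtime:
            window.popleft()
        return ip if len(window) >= self.maxretry else None

    def process_batch(self, lines):
        """Process lines as a poller sees them: the whole batch first, bans after.

        Everything already written to the log when the poller wakes up is
        counted before the ban lands, which is why the reported attempt count
        can be far above maxretry for a fast scanner.
        """
        to_ban = set()
        for line in lines:
            ip = self.feed(line)
            if ip:
                to_ban.add(ip)
        for ip in to_ban:
            attempts = len(self.failures[ip])
            self.banned[ip] = attempts
            self.emails.append((ip, attempts))   # one notification per ban
        return sorted(to_ban)


def make_lines(ip, start, count, gap_seconds=0.05):
    """Constructed chan_sip failure lines for a single source IP (test data)."""
    lines = []
    for i in range(count):
        ts = start + timedelta(seconds=i * gap_seconds)
        lines.append(
            f"[{ts:%Y-%m-%d %H:%M:%S}] NOTICE[29659]: chan_sip.c:28446 "
            f"handle_request_register: Registration from "
            f"'\"{9000 + i}\" <sip:{9000 + i}@203.0.113.10:5060>' "
            f"failed for '{ip}:{5000 + i}' - Wrong password"
        )
    return lines


def demo():
    """Burst scanner vs slow scanner vs whitelisted provider; returns the jail."""
    jail = SipJail(maxretry=5, findtime=600, ignoreip=("192.0.2.5/32",))
    start = datetime(2016, 6, 1, 10, 49, 25)
    # 136 failures land in the log before the poller wakes up (one batch).
    burst = make_lines("198.51.100.7", start, 136)
    # The VoIP provider with a mistyped secret fails too, but is whitelisted.
    provider = make_lines("192.0.2.5", start, 20)
    # A slow scanner, one line per poll: banned on exactly the 5th failure.
    slow = make_lines("203.0.113.99", start, 6, gap_seconds=30)
    jail.process_batch(burst + provider)
    for line in slow:
        jail.process_batch([line])
    return jail


if __name__ == "__main__":
    for ip, attempts in demo().emails:
        print(f"The IP {ip} has just been banned after {attempts} attempts against SIP")
```

The burst source is banned with 136 counted attempts and the slow source with exactly 5, which is the difference between what the jail is configured for and what it can deliver against a scanner that finishes its run inside one polling interval. The whitelisted provider keeps failing without ever being banned, so a bad trunk secret shows up in the log rather than as a dropped trunk.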

If you are not trying to have remote phones register, why don't you disable the legacy SIP setting on the Responsive Firewall tab? I think this will block all SIP attempts except for those coming from known IPs.

If you don’t have remote phones, don’t allow the SIP ports at all.

If you need SIP for your VOIP provider, whitelist them and block the ports specifically. Same with remote phones with static IP addresses.

If you have remote phones that don’t have static IP addresses, change the ports that you use for SIP from 5060 and 5061 to something completely different (12834 and 18725 work fine). Security through obscurity isn’t preventative, but it will mitigate your exposure to script kiddies.

I forgot to say that this is not a 100% production FreePBX installation. As such, I do have PJSIP extensions registering from the public internet, and the whole point of this is to test the FreePBX firewall.

I have another question about the FreePBX firewall.

I forward all relevant services to the FreePBX server. No I can login to freepbx administration and ucp from anywhere on the internet.

I was under the impression that I need to have a successful SIP registration before I can allow access to any other services. Isn't that the case?

I am not sure I understand what you are saying. Are you saying that you can log into the FreePBX admin panel from the internet? If yes, then 1) do you have your interfaces marked as external, and 2) how have you set your Web Management and Web Management (Secure) services in the firewall?

I’m assuming you mean ‘now’, not ‘no’.

Firstly, Zones->Interfaces. Look at unknown traffic arriving at interface (whatever). Is that set to External? If not, do you know why it’s not? Go set it to External, that’s what it should be.

Secondly, who is allowed to access what?

Have you stopped people from accessing things?

No. A successful registration automatically allows access to a few things - UCP, RestApps, WebRTC - even if they’re not explicitly allowed. That’s all.

xrobau,

Yes, "No" is a typo; it was meant to be "Now".

The services are set to the same thing as what you show in your screenshot…

I assume your NICs are also set to external?

NIC is set to internal

My guess is that that is your problem. Make sure you have all your IP addresses whitelisted and then set the NIC to external.

Well, there’s your problem then. There’s even a pop up warning that says ‘No, you REALLY DON’T WANT THIS TO BE INTERNAL’. There’s an extremely small number of cases when you would do that.

I set NIC to external and set sip services to external and internal as I have outside clients. I set UCP to be external and internal, http web management to internal, https web management to external and internal.

Now, my remote clients can login

UCP is not accessible from the external network, and neither is web management (which is set to that). That remains the same even if I have a registered SIP client on the same network from where I try to access UCP. It looks like I need to set web management to external before UCP becomes available as well. Is that how it is supposed to work?

Bad practice to set SIP services to external. Leave it set to external, but enable the SIP service on the Responsive Firewall tab. This will allow external clients to attempt to register a couple of times before banning them. Once registered, things like UCP will also become available to those clients.

I am still confused on how the Firewall actually works.

Today for example I got this logs

[2016-06-15 11:31:25] NOTICE[12588][C-0000000d]: chan_sip.c:26125 handle_request_invite: Failed to authenticate device admin<sip:[email protected]>;tag=c9ff1184

[2016-06-15 11:42:20] NOTICE[12588]: chan_sip.c:28446 handle_request_register: Registration from '1003 <sip:[email protected]>' failed for '173.224.117.140:51364' - Wrong password

When I disable the firewall (Settings->System Firewall->Disable Firewall), after 5 retries the IP is indeed blocked and I get an email.

When I enable it, the IP is not blocked and it continues trying to authenticate. Shouldn't it get blocked?

On the "Responsive Firewall" menu, Legacy SIP (chan_sip) (which works on 5060) is set to disabled. If I understood correctly, disabled means that after 5 retries (or as many as you have set at Intrusion Detection) the IP will be blocked and it will not be rate limited.

EDIT: A bit more on my network setup. My PBX has eth0 with a private IP, and on the Interfaces menu eth0 is set to Internal. From my router I forward 5060-5070 TCP / 10000-20000 UDP to the PBX IP address (so remote clients can register).