Received strange email from Fail2Ban - Hack attempt?

Hello,

I just received a strange email that I’ve never seen before and it looks like it may have been a hack attempt on our FreePBX system.

The email appears to have come from our FreePBX system inside.

Fail2Ban
[Fail2Ban] SIP: banned 10.10.10.3 on localhost

Hi,
The IP 10.10.10.3 has just been banned by Fail2Ban after
8 attempts against SIP on localhost.

Regards,
Fail2Ban

We don’t even use that internal IP subnet on our network.

Not sure what to look at. I’m a “basic” FreePBX administrator so any suggestions will be appreciated!

I’d start with the standard network forensics.

  • Look at the network “at large” (not just the phone system) and see what is going on there.
  • Look back through the logs (the five minutes or so before the mail was sent out) and see if there’s anything in there that gives you a clue.

Log onto the server the PBX is on and issue the command “netstat -nr | more” and look at the network setup of your LAN interface on the PBX and the connections to your PBX from the local LAN.

There’s no VPN ?
Did you check you Firewall and see what’s permit and denied?

I’d actually forgotten to mention that. The ‘standard’ OpenVPN local network is 10.10.x.x.

Ok so the issue can be that.
Need to setting up nat / local network and declare all.
Just an indea like that.

That makes sense. We do have users connecting from the outside with VPN and the VPN pool is 10.10.x.x

It’s possible someone tried to send a fax or something. But I’ve never encountered this message before.

1 Like

The IP 10.10.10.3 has just been banned by Fail2Ban after
8 attempts against SIP on localhost.

We know the IP was banned due to SIP, meaning the device at (or behind) 10.10.10.3 attempted to register or attempted to make an authenticated call and failed repeatedly. This is almost always a misconifgured device, but could also be an active exploit attempt.

2 Likes

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.