Received strange email from Fail2Ban - Hack attempt?

freepbx

(Jeff Brubaker) #1

Hello,

I just received a strange email that I’ve never seen before and it looks like it may have been a hack attempt on our FreePBX system.

The email appears to have come from our FreePBX system inside.

Fail2Ban
[Fail2Ban] SIP: banned 10.10.10.3 on localhost

Hi,
The IP 10.10.10.3 has just been banned by Fail2Ban after
8 attempts against SIP on localhost.

Regards,
Fail2Ban

We don’t even use that internal IP subnet on our network.

Not sure what to look at. I’m a “basic” FreePBX administrator so any suggestions will be appreciated!


(Dave Burgess) #2

I’d start with the standard network forensics.

  • Look at the network “at large” (not just the phone system) and see what is going on there.
  • Look back through the logs (the five minutes or so before the mail was sent out) and see if there’s anything in there that gives you a clue.

Log onto the server the PBX is on and issue the command “netstat -nr | more” and look at the network setup of your LAN interface on the PBX and the connections to your PBX from the local LAN.


(Franck Danard) #3

There’s no VPN?
Did you check your firewall and see what’s permitted and denied?


(Dave Burgess) #4

I’d actually forgotten to mention that. The ‘standard’ OpenVPN local network is 10.10.x.x.


(Franck Danard) #5

Ok, so the issue can be that.
Need to set up NAT / local network and declare all.
Just an idea like that.


(Jeff Brubaker) #6

That makes sense. We do have users connecting from the outside with VPN, and the VPN pool is 10.10.x.x.

It’s possible someone tried to send a fax or something. But I’ve never encountered this message before.


(Lorne Gaetz) #7

The IP 10.10.10.3 has just been banned by Fail2Ban after
8 attempts against SIP on localhost.

We know the IP was banned due to SIP, meaning the device at (or behind) 10.10.10.3 attempted to register or attempted to make an authenticated call and failed repeatedly. This is almost always a misconfigured device, but could also be an active exploit attempt.
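An added triage helper, my example rather than code from this thread or from FreePBX, that applies Dave's advice to look at the logs around the ban together with Lorne's point that the ban means repeated failed registrations: it pulls the Asterisk authentication failures for the banned IP and reports how many distinct usernames were tried, which is the quickest way to separate a phone with a stale password from an account-guessing pattern. It assumes chan_sip-style NOTICE lines in /var/log/asterisk/full; the sample log, the hostnames and the single-vs-multi-account heuristic are constructed for this example.

```shell
#!/bin/sh
# Added triage helper, not code from the thread or from FreePBX. Given the IP
# that Fail2Ban reported, pull the matching Asterisk auth failures and summarise
# them so you can tell a misconfigured phone from an account-guessing pattern.
# Assumed log format: chan_sip NOTICE lines as written to /var/log/asterisk/full.

# sip_failures <logfile> <ip>
# Prints: "<failures> <distinct-usernames> <first-timestamp> <last-timestamp>"
sip_failures() {
    grep -F "Registration from" "$1" | grep -F "failed for '$2:" \
    | awk -F'"' '
        {
            split($1, a, " ")          # a[1]="[YYYY-MM-DD", a[2]="HH:MM:SS]"
            ts = substr(a[1], 2) " " substr(a[2], 1, length(a[2]) - 1)
            if (first == "") first = ts
            last = ts
            users[$2]++                # $2 is the quoted username in the log line
            n++
        }
        END { d = 0; for (u in users) d++; printf "%d %d %s %s\n", n, d, first, last }'
}

# classify <logfile> <ip>: heuristic assumed for this example, not a Fail2Ban rule.
# One username retried over and over looks like a phone with a stale password;
# several different usernames from one IP is what account enumeration looks like.
classify() {
    set -- $(sip_failures "$1" "$2")
    if [ "$1" -eq 0 ]; then echo "no-failures"
    elif [ "$2" -eq 1 ]; then echo "single-account"
    else echo "multi-account"
    fi
}

# Constructed sample log (not real traffic): 10.10.10.3 retries extension 1001
# eight times, as in the email; 203.0.113.7 walks through several extensions.
make_sample() {
    f=$(mktemp); i=0
    while [ "$i" -lt 8 ]; do
        printf "[2016-03-01 10:15:2%d] NOTICE[2345] chan_sip.c: Registration from '\"1001\" <sip:1001@pbx.example>' failed for '10.10.10.3:5060' - Wrong password\n" "$i" >> "$f"
        i=$((i + 1))
    done
    for u in 100 101 102; do
        printf "[2016-03-01 10:16:00] NOTICE[2345] chan_sip.c: Registration from '\"%s\" <sip:%s@pbx.example>' failed for '203.0.113.7:5060' - No matching peer found\n" "$u" "$u" >> "$f"
    done
    echo "[2016-03-01 10:16:05] NOTICE[2345] chan_sip.c: Registered SIP '1002' at 192.168.1.20:5060" >> "$f"
    echo "$f"
}

f=$(make_sample); sip_failures "$f" 10.10.10.3; classify "$f" 10.10.10.3; rm -f "$f"
```

On a real PBX you would run `sip_failures /var/log/asterisk/full 10.10.10.3` instead of the constructed sample; a single-account result points at one device's configuration, a multi-account result is worth treating as hostile and tracing back through the VPN and firewall logs.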