Registration attacks

jmmicmc · December 3, 2015, 2:04pm

IN my asterisk full log file this type of entries occur:

[2015-12-03 08:43:57] NOTICE[2241] chan_sip.c: Registration from ‘“10000” sip:10000@[69.171.154.165:5060]:5060’ failed for ‘195.154.182.231:5070’ - Wrong password
[2015-12-03 08:44:37] NOTICE[2241] chan_sip.c: Registration from ‘“10000” sip:10000@[69.171.154.165:5060]:5060’ failed for ‘195.154.182.231:5113’ - Wrong password
[2015-12-03 08:44:50] NOTICE[2241] chan_sip.c: Registration from ‘“10000” sip:10000@[69.171.154.165:5060]:5060’ failed for ‘195.154.182.231:5112’ - Wrong password
[2015-12-03 08:45:59] NOTICE[2241] chan_sip.c: Registration from ‘“10000” sip:10000@[69.171.154.165:5060]:5060’ failed for ‘195.154.182.231:5081’ - Wrong password
[2015-12-03 08:46:02] NOTICE[2241] chan_sip.c: Registration from ‘“10000” sip:10000@[69.171.154.165:5060]:5060’ failed for ‘195.154.182.231:5086’ - Wrong password

Now we don’t have any extension 10000. Other numbers being tried are 300, 410, 301, etc. I have used these firewall rules (as rule 1-3 in the INPUT chain) to allow SIP only from trunk1.freepbx.com and trunk2:

iptables -I INPUT 1 -p tcp -s trunk1.freepbx.com --dport 5060 -j fail2ban-SIP
iptables -I INPUT 2 -p tcp -s trunk2.freepbx.com --dport 5060 -j fail2ban-SIP
iptables -I INPUT 3 -p tcp --dport 5060 -j DROP

Even with these rules we are getting these registration attempts. Is seems that the attackers spoof the freepbx IPs. So far I have not found any unwanted registrations - just attempts. Any suggestions?

James

cg180659 · December 3, 2015, 2:14pm

You need more iptables rules fam!! Please, please PLEASE!!

jmmicmc · December 4, 2015, 1:13pm

I had only given the concerning rules.

Here is the iptables -L --line-numbers output:
Chain INPUT (policy ACCEPT)
num target prot opt source destination
1 fail2ban-SIP tcp – static.192.159.66.3.cyberlynk.net anywhere tcp dpt:sip
2 fail2ban-SIP tcp – static.162.253.134.142.cyberlynk.net anywhere tcp dpt:sip
3 DROP tcp – anywhere anywhere tcp dpt:sip
4 fail2ban-SIP all – anywhere anywhere
5 fail2ban-apache-auth tcp – anywhere anywhere multiport dports http
6 fail2ban-FTP tcp – anywhere anywhere multiport dports ftp
7 fail2ban-SIP all – anywhere anywhere
8 fail2ban-SSH tcp – anywhere anywhere multiport dports ssh
9 fail2ban-recidive all – anywhere anywhere
10 fail2ban-SIP tcp – static.192.159.66.3.cyberlynk.net anywhere tcp dpt:sip
11 fail2ban-SIP tcp – static.162.253.134.142.cyberlynk.net anywhere tcp dpt:sip
12 DROP tcp – anywhere anywhere tcp dpt:sip
13 ACCEPT tcp – static.192.159.66.3.cyberlynk.net anywhere tcp dpt:sip
14 ACCEPT tcp – static.162.253.134.142.cyberlynk.net anywhere tcp dpt:sip
15 DROP tcp – anywhere anywhere tcp dpt:sip

Chain FORWARD (policy ACCEPT)
num target prot opt source destination

Chain OUTPUT (policy ACCEPT)
num target prot opt source destination

Chain fail2ban-BadBots (0 references)
num target prot opt source destination
1 RETURN all – anywhere anywhere

Chain fail2ban-FTP (1 references)
num target prot opt source destination
1 RETURN all – anywhere anywhere

Chain fail2ban-SIP (6 references)
num target prot opt source destination
1 DROP all – 192.168.20.107 anywhere
2 RETURN all – anywhere anywhere
3 RETURN all – anywhere anywhere

Chain fail2ban-SSH (1 references)
num target prot opt source destination
1 RETURN all – anywhere anywhere

Chain fail2ban-apache-auth (1 references)
num target prot opt source destination
1 RETURN all – anywhere anywhere

Chain fail2ban-recidive (1 references)
num target prot opt source destination
1 RETURN all – anywhere anywhere

I realize rules 12-15 will never get used.
Also only ports 5060 and 10000-20000 get forwarded to the server.

James

jmmicmc · December 4, 2015, 3:18pm

I just stopped the port forwarding of 5060, and the VOIP lines still work! Haven’t seen any unexplainable SIP login attempts.

I confess I don’t understand how this can work. I still have ports 10000-20000 forwarded. Maybe that is also not necessary?

james

dicko · December 4, 2015, 3:34pm

You were not filtering the udp traffic necessary.

jmmicmc · December 4, 2015, 4:54pm

You are so right, incredible that I did not think of that! How can our server work without 5060 being forwarded? do they use a VPN?

James

dicko · December 4, 2015, 4:57pm

Dont listen on 5060, 99.9% of those attacks will go away.

jmmicmc · December 4, 2015, 5:00pm

How does trunk1.freepbx connect?

James

dicko · December 4, 2015, 5:05pm

I don’t know, I don’t use them, but if they can’t/won’t change the signalling port, create a PNAT rule to allow the host address and translate the port to redirect such traffic to your “safer” listening port

jmmicmc · December 4, 2015, 5:31pm

Anyway. Thanks a lot.

James