Responsive firewall constantly blocking remote users


(Eduard Akulov) #1

Hi everyone,

After continuous attempts to adapt responsive firewall for our remote users (Bria and Zoiper users) I have become disappointed in it. It constantly blocks even legitimate users, and on some occasions it lets them in. I feel like offering this to our customers will end up in hundreds of calls just about this issue for remote users.

I really wanted to ask you guys what the solution can be to have FreePBX secure and without responsive firewall. The idea of RF is great, but it just doesn’t work like it’s supposed to. It’s not supposed to keep blocking users who have the correct password.

Would it be secure to have the port for registration open but have very strong passwords? DDNS is not an option for mobile users.

What can be the solution for this?

Thanks!


(Tony Lewis - https://bit.ly/2SbDAyc) #2

Is the IP of those users changing? Responsive whitelists the IP once it registers. The only reason it would block later is if the IP changes and it doesn’t send a new registration attempt.


#3

Another reason I have found is that if the user is having internet problems this too can cause the responsive firewall to error out and block the user.

Not exactly sure why but I’m guessing that there is data loss and the re-registration is not being completed successfully.


(Eduard Akulov) #4

Thanks for your responses.

For some reason my Bria app almost never gets connected to our PBX. Only when I’m on my trusted wifi. Even when my phone IP changes (which I assume is supposed to act like a new client attempt) it won’t let it in. The IP appears in the limited section and then gets blocked. On some occasions it does let it in. Could it be a bad responsive firewall module?


#5

Put the DDNS client right on the cell phone, then add your DDNS URL to your firewall’s whitelist.


(Tony Lewis - https://bit.ly/2SbDAyc) #6

No, the issue is it won’t get whitelisted until it registers, but if it slams lots of packets before it gets registered it would get blacklisted.


(Tony Lewis - https://bit.ly/2SbDAyc) #7

Frank, again this is not a full fix. If the IP is changing a lot the firewall won’t know the IP is changing, as iptables caches FQDNs, so we resolve the FQDN at the time you put it in and we recheck the IP once a minute.


(Eduard Akulov) #8

I don’t really understand the point of responsive firewall. Shouldn’t it eliminate the need for any DDNS or manual whitelisting?

When I get a new IP on my phone I try to register again (the PBX should assume it’s a new client with correct credentials). Why would RF put it in a suspicious section? I don’t get it.

If I open a port so anybody can try and register but have a very secure password, would it be secure enough?


(Tony Lewis - https://bit.ly/2SbDAyc) #9

The problem is that after your phone registers it is slamming the server with packets before the firewall has picked up that it was registered, as there is a delay, so after 10 packets, which happen really fast for some reason on your client, it gets blacklisted.

To solve this we need to move the checking for registration to watch the AMI, so we see it in real time instead of checking every 15 seconds like we do now, as your client is slamming the server with packets before we see it registered.

I think @tm1000 was looking at moving RF to AMI.
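The race described in this reply can be made concrete with a small timeline model. This is an added example, not FreePBX code: the 10-packet limit and the 15-second registration poll come from the post; the packet trace, the counting rule (the 10th packet from a still-unknown IP triggers the block) and the instant event-driven case are constructed assumptions.

```python
"""Toy model of the responsive-firewall race: a softphone sends a burst of
packets right after registering, and the firewall only learns about the
registration later.

Added example, not FreePBX code. PACKET_LIMIT and POLL_INTERVAL are the
values quoted in the post; the trace and the exact counting rule are
constructed assumptions.
"""
import math
from dataclasses import dataclass
from typing import List, Optional

PACKET_LIMIT = 10       # packets tolerated from an unregistered IP (from the post)
POLL_INTERVAL = 15.0    # seconds between registration checks (from the post)


@dataclass
class Verdict:
    blocked_at: Optional[float]       # time the IP was blacklisted, or None
    whitelisted_at: Optional[float]   # time the firewall learned of the registration, or None
    unregistered_packets: int         # packets counted before either outcome


def simulate(packet_times: List[float], registered_at: float,
             poll_interval: Optional[float]) -> Verdict:
    """Walk one IP's packet timeline (seconds, ascending).

    registered_at: when Asterisk accepted the REGISTER.
    poll_interval: None means the firewall is told immediately (event-driven,
    e.g. via AMI); otherwise it notices at the first poll tick at or after
    registered_at. (Assumption: polls happen on fixed multiples of the interval.)
    """
    if poll_interval is None:
        learned_at = registered_at
    else:
        learned_at = math.ceil(registered_at / poll_interval) * poll_interval
    count = 0
    for t in packet_times:
        if t >= learned_at:
            # the IP is whitelisted from here on; later packets are not counted
            return Verdict(None, learned_at, count)
        count += 1
        if count >= PACKET_LIMIT:
            return Verdict(t, None, count)
    return Verdict(None, learned_at, count)


# Constructed trace: 12 packets at 200 ms spacing, registration accepted at t=1.0 s
SAMPLE_PACKETS = [round(i * 0.2, 1) for i in range(12)]
SAMPLE_REGISTERED_AT = 1.0


def compare(packet_times=SAMPLE_PACKETS, registered_at=SAMPLE_REGISTERED_AT):
    """Same client trace under the two firewall designs discussed in the post."""
    return {
        "polling": simulate(packet_times, registered_at, POLL_INTERVAL),
        "event_driven": simulate(packet_times, registered_at, None),
    }


if __name__ == "__main__":
    for mode, v in compare().items():
        print(f"{mode:13s} blocked_at={v.blocked_at} whitelisted_at={v.whitelisted_at} "
              f"counted={v.unregistered_packets}")
```

With the constructed trace the polling design blocks the client on its 10th packet (1.8 s in), because the firewall would not have noticed the registration until the 15 s tick; the event-driven design counts only the five packets sent before the registration and then whitelists the IP. The gap between those two outcomes is exactly the delay window the reply proposes to close by watching AMI.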


#10

@tonyclewis thanks for the clarification. I have a large number of clients set up with DDNS on their laptops, cell phones and tablets as described, and it seemed to fix all my clients’ problems. I guess my clients’ IP is not changing more than once a minute as you have described.


(Avayax) #11

Well, “secure enough” also depends on the level of risk you are willing to accept.

I wouldn’t be able to sleep well if I had the port open to the internet with only fail2ban running and strong passwords, especially when international calls are allowed on the PBX; then the damage can be immense.
That doesn’t mean it’s absolutely not possible to do, but it’s not recommendable; however, some people accept that risk.
Certainly, you will often get targeted with hackers trying to guess an extension and password.

There are ways to lower the risks a little, e.g. by changing the signaling port to something other than 5060, etc.

It’s true that there is no great firewall solution for people operating remote mobile clients.
DDNS is an option, but it’s a lot of work to implement when you have many users; instructing each one to install a DDNS client on the cell is burdensome.

The situation with remote IP phones is better as some manufacturers allow for those to connect to a VPN server.

I bet this topic is currently hot amongst Sangoma, with Zulu mobile coming out this year, and how to make that secure.
I wonder what solution we will end up having for that.


(Eduard Akulov) #12

Wait, what exactly is the difference between fail2ban and RF? I know that RF blocks clients after it doesn’t see them registered after sending 10 packets, and fail2ban blocks them after a certain number of unsuccessful registration attempts. But why not just have a port open and have just fail2ban running? How would it be less secure than, for example, somebody’s Gmail account, where it is open to the public and a certain number of login attempts are allowed? Sorry if I’m missing something here, but I would really appreciate your advice.

Again, in a setting where a SIP port is open with a fail2ban with only 3 attempts allowed, wouldn’t it be pretty secure? Or are there some other security risks other than password attacks?


(Eduard Akulov) #13

Let me know what you guys think


(Avayax) #14

Many people got burnt with the SIP port open to the Internet, others would consider it acceptable.
It’s up to you.
At least change the port to something other than 5060 then; that way you avoid the majority of hacking attempts.
If you have fail2ban and strong passwords, I guess the risk is not very high for a successful hack, but you have the door open for them to try.

I personally would not do it, but rather go with the DDNS and whitelist hostnames.
It’s your choice.

On UDP port 5060?
Not that I know of.
They will try to guess one of your extensions and password and make calls at your cost.


#15

Often it is an eye opener to watch your http server’s logs (apache2 or httpd), you might well be surprised :-), make sure that tcp/5038 is well protected.


(Eduard Akulov) #16

I’m testing fail2ban right now, and getting pretty confused with it already.

For some reason, fail2ban only bans failed attempts when the firewall is completely disabled. When the firewall is enabled and port 5060 is open, it does not ban anything, and you can try passwords as many times as you want.
Why does fail2ban not work when the firewall is enabled and only one port is open?

When I disable firewall completely it starts banning failed attempts.

How can I set it up so that the firewall would still be enabled but the SIP UDP port would be open and guarded by fail2ban?

Thanks a lot for your responses.


(Eduard Akulov) #17

Let me know what you guys think.


#18

What do the logs say?


(Eduard Akulov) #19

I don’t know how much of a log I should show. I’m not very familiar with fail2ban log. Here it is. Hope you can find something here:

2017-07-31 20:01:02,773 fail2ban.jail [30006]: INFO Jail 'vsftpd-iptables' stopped
2017-07-31 20:01:02,778 fail2ban.server [30006]: INFO Exiting Fail2ban
2017-07-31 20:01:03,048 fail2ban.server [32033]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2017-07-31 20:01:03,050 fail2ban.jail [32033]: INFO Creating new jail 'recidive'
2017-07-31 20:01:03,053 fail2ban.jail [32033]: INFO Jail 'recidive' uses Gamin
2017-07-31 20:01:03,089 fail2ban.jail [32033]: INFO Initiated 'gamin' backend
2017-07-31 20:01:03,092 fail2ban.filter [32033]: INFO Added logfile = /var/log/fail2ban.log-20170722
2017-07-31 20:01:03,093 fail2ban.filter [32033]: INFO Added logfile = /var/log/fail2ban.log-20170613
2017-07-31 20:01:03,095 fail2ban.filter [32033]: INFO Added logfile = /var/log/fail2ban.log-20170719
2017-07-31 20:01:03,096 fail2ban.filter [32033]: INFO Added logfile = /var/log/fail2ban.log-20170728
2017-07-31 20:01:03,098 fail2ban.filter [32033]: INFO Added logfile = /var/log/fail2ban.log
2017-07-31 20:01:03,099 fail2ban.filter [32033]: INFO Set maxRetry = 20
2017-07-31 20:01:03,103 fail2ban.filter [32033]: INFO Set findtime = 86400
2017-07-31 20:01:03,104 fail2ban.actions[32033]: INFO Set banTime = 604800
2017-07-31 20:01:03,129 fail2ban.jail [32033]: INFO Creating new jail 'ssh-iptables'
2017-07-31 20:01:03,129 fail2ban.jail [32033]: INFO Jail 'ssh-iptables' uses Gamin
2017-07-31 20:01:03,131 fail2ban.jail [32033]: INFO Initiated 'gamin' backend
2017-07-31 20:01:03,134 fail2ban.filter [32033]: INFO Added logfile = /var/log/secure
2017-07-31 20:01:03,135 fail2ban.filter [32033]: INFO Set maxRetry = 3
2017-07-31 20:01:03,138 fail2ban.filter [32033]: INFO Set findtime = 300
2017-07-31 20:01:03,140 fail2ban.actions[32033]: INFO Set banTime = 3600
2017-07-31 20:01:03,400 fail2ban.jail [32033]: INFO Creating new jail 'apache-badbots'
2017-07-31 20:01:03,400 fail2ban.jail [32033]: INFO Jail 'apache-badbots' uses Gamin
2017-07-31 20:01:03,401 fail2ban.jail [32033]: INFO Initiated 'gamin' backend
2017-07-31 20:01:03,403 fail2ban.filter [32033]: INFO Added logfile = /var/log/httpd/access_log
2017-07-31 20:01:03,404 fail2ban.filter [32033]: INFO Added logfile = /var/log/httpd/ssl_access_log
2017-07-31 20:01:03,405 fail2ban.filter [32033]: INFO Set maxRetry = 3
2017-07-31 20:01:03,407 fail2ban.filter [32033]: INFO Set findtime = 300
2017-07-31 20:01:03,408 fail2ban.actions[32033]: INFO Set banTime = 3600
2017-07-31 20:01:03,449 fail2ban.jail [32033]: INFO Creating new jail 'pbx-gui'
2017-07-31 20:01:03,450 fail2ban.jail [32033]: INFO Jail 'pbx-gui' uses Gamin
2017-07-31 20:01:03,451 fail2ban.jail [32033]: INFO Initiated 'gamin' backend
2017-07-31 20:01:03,452 fail2ban.filter [32033]: INFO Added logfile = /var/log/asterisk/freepbx_security.log
2017-07-31 20:01:03,453 fail2ban.filter [32033]: INFO Set maxRetry = 3
2017-07-31 20:01:03,457 fail2ban.filter [32033]: INFO Set findtime = 300
2017-07-31 20:01:03,457 fail2ban.actions[32033]: INFO Set banTime = 3600
2017-07-31 20:01:03,471 fail2ban.jail [32033]: INFO Creating new jail 'apache-tcpwrapper'
2017-07-31 20:01:03,471 fail2ban.jail [32033]: INFO Jail 'apache-tcpwrapper' uses Gamin
2017-07-31 20:01:03,472 fail2ban.jail [32033]: INFO Initiated 'gamin' backend
2017-07-31 20:01:03,473 fail2ban.filter [32033]: INFO Added logfile = /var/log/httpd/error_log
2017-07-31 20:01:03,474 fail2ban.filter [32033]: INFO Set maxRetry = 3
2017-07-31 20:01:03,476 fail2ban.filter [32033]: INFO Set findtime = 300
2017-07-31 20:01:03,477 fail2ban.actions[32033]: INFO Set banTime = 3600
2017-07-31 20:01:03,625 fail2ban.jail [32033]: INFO Creating new jail 'vsftpd-iptables'
2017-07-31 20:01:03,626 fail2ban.jail [32033]: INFO Jail 'vsftpd-iptables' uses Gamin
2017-07-31 20:01:03,626 fail2ban.jail [32033]: INFO Initiated 'gamin' backend
2017-07-31 20:01:03,628 fail2ban.filter [32033]: INFO Added logfile = /var/log/vsftpd.log
2017-07-31 20:01:03,629 fail2ban.filter [32033]: INFO Set maxRetry = 3
2017-07-31 20:01:03,631 fail2ban.filter [32033]: INFO Set findtime = 300
2017-07-31 20:01:03,632 fail2ban.actions[32033]: INFO Set banTime = 3600
2017-07-31 20:01:03,658 fail2ban.jail [32033]: INFO Jail 'recidive' started
2017-07-31 20:01:03,669 fail2ban.jail [32033]: INFO Jail 'ssh-iptables' started
2017-07-31 20:01:03,693 fail2ban.jail [32033]: INFO Jail 'apache-badbots' started
2017-07-31 20:01:03,731 fail2ban.jail [32033]: INFO Jail 'pbx-gui' started
2017-07-31 20:01:03,748 fail2ban.jail [32033]: INFO Jail 'apache-tcpwrapper' started
2017-07-31 20:01:03,785 fail2ban.jail [32033]: INFO Jail 'vsftpd-iptables' started
2017-07-31 20:03:31,053 fail2ban.server [32033]: INFO Stopping all jails
2017-07-31 20:03:32,079 fail2ban.actions.action[32033]: ERROR iptables -D INPUT -p tcp -m multiport --dports http -j fail2ban-apache-auth
iptables -F fail2ban-apache-auth
iptables -X fail2ban-apache-auth returned 100
2017-07-31 20:03:32,080 fail2ban.jail [32033]: INFO Jail 'apache-tcpwrapper' stopped
2017-07-31 20:03:32,848 fail2ban.actions.action[32033]: ERROR iptables -D INPUT -p all -j fail2ban-recidive
iptables -F fail2ban-recidive
iptables -X fail2ban-recidive returned 100
2017-07-31 20:03:32,849 fail2ban.jail [32033]: INFO Jail 'recidive' stopped
2017-07-31 20:03:33,009 fail2ban.actions.action[32033]: ERROR iptables -D INPUT -p all -j fail2ban-SIP
iptables -F fail2ban-SIP
iptables -X fail2ban-SIP returned 100
2017-07-31 20:03:33,511 fail2ban.jail [32033]: INFO Jail 'pbx-gui' stopped
2017-07-31 20:03:33,941 fail2ban.actions.action[32033]: ERROR iptables -D INPUT -p tcp -m multiport --dports http,https -j fail2ban-BadBots
iptables -F fail2ban-BadBots
iptables -X fail2ban-BadBots returned 100
2017-07-31 20:03:34,003 fail2ban.jail [32033]: INFO Jail 'apache-badbots' stopped
2017-07-31 20:03:34,888 fail2ban.actions.action[32033]: ERROR iptables -D INPUT -p tcp -m multiport --dports ssh -j fail2ban-SSH
iptables -F fail2ban-SSH
iptables -X fail2ban-SSH returned 100
2017-07-31 20:03:34,890 fail2ban.jail [32033]: INFO Jail 'ssh-iptables' stopped
2017-07-31 20:03:35,103 fail2ban.actions.action[32033]: ERROR iptables -D INPUT -p tcp -m multiport --dports ftp -j fail2ban-FTP
iptables -F fail2ban-FTP
iptables -X fail2ban-FTP returned 100
2017-07-31 20:03:35,104 fail2ban.jail [32033]: INFO Jail 'vsftpd-iptables' stopped
2017-07-31 20:03:35,108 fail2ban.server [32033]: INFO Exiting Fail2ban
2017-07-31 20:03:40,708 fail2ban.server [32672]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2017-07-31 20:03:40,709 fail2ban.jail [32672]: INFO Creating new jail 'recidive'
2017-07-31 20:03:40,710 fail2ban.jail [32672]: INFO Jail 'recidive' uses Gamin
2017-07-31 20:03:40,732 fail2ban.jail [32672]: INFO Initiated 'gamin' backend
2017-07-31 20:03:40,733 fail2ban.filter [32672]: INFO Added logfile = /var/log/fail2ban.log-20170722
2017-07-31 20:03:40,734 fail2ban.filter [32672]: INFO Added logfile = /var/log/fail2ban.log-20170613
2017-07-31 20:03:40,734 fail2ban.filter [32672]: INFO Added logfile = /var/log/fail2ban.log-20170719
2017-07-31 20:03:40,735 fail2ban.filter [32672]: INFO Added logfile = /var/log/fail2ban.log-20170728
2017-07-31 20:03:40,736 fail2ban.filter [32672]: INFO Added logfile = /var/log/fail2ban.log
2017-07-31 20:03:40,737 fail2ban.filter [32672]: INFO Set maxRetry = 20
2017-07-31 20:03:40,738 fail2ban.filter [32672]: INFO Set findtime = 86400
2017-07-31 20:03:40,739 fail2ban.actions[32672]: INFO Set banTime = 604800
2017-07-31 20:03:40,750 fail2ban.jail [32672]: INFO Creating new jail 'ssh-iptables'
2017-07-31 20:03:40,751 fail2ban.jail [32672]: INFO Jail 'ssh-iptables' uses Gamin
2017-07-31 20:03:40,751 fail2ban.jail [32672]: INFO Initiated 'gamin' backend
2017-07-31 20:03:40,752 fail2ban.filter [32672]: INFO Added logfile = /var/log/secure
2017-07-31 20:03:40,753 fail2ban.filter [32672]: INFO Set maxRetry = 3
2017-07-31 20:03:40,754 fail2ban.filter [32672]: INFO Set findtime = 300
2017-07-31 20:03:40,755 fail2ban.actions[32672]: INFO Set banTime = 3600
2017-07-31 20:03:40,918 fail2ban.jail [32672]: INFO Creating new jail 'apache-badbots'
2017-07-31 20:03:40,919 fail2ban.jail [32672]: INFO Jail 'apache-badbots' uses Gamin
2017-07-31 20:03:40,919 fail2ban.jail [32672]: INFO Initiated 'gamin' backend
2017-07-31 20:03:40,920 fail2ban.filter [32672]: INFO Added logfile = /var/log/httpd/access_log
2017-07-31 20:03:40,921 fail2ban.filter [32672]: INFO Added logfile = /var/log/httpd/ssl_access_log
2017-07-31 20:03:40,921 fail2ban.filter [32672]: INFO Set maxRetry = 3
2017-07-31 20:03:40,923 fail2ban.filter [32672]: INFO Set findtime = 300
2017-07-31 20:03:40,923 fail2ban.actions[32672]: INFO Set banTime = 3600
2017-07-31 20:03:40,951 fail2ban.jail [32672]: INFO Creating new jail 'pbx-gui'
2017-07-31 20:03:40,952 fail2ban.jail [32672]: INFO Jail 'pbx-gui' uses Gamin
2017-07-31 20:03:40,952 fail2ban.jail [32672]: INFO Initiated 'gamin' backend
2017-07-31 20:03:40,953 fail2ban.filter [32672]: INFO Added logfile = /var/log/asterisk/freepbx_security.log
2017-07-31 20:03:40,954 fail2ban.filter [32672]: INFO Set maxRetry = 3
2017-07-31 20:03:40,955 fail2ban.filter [32672]: INFO Set findtime = 300
2017-07-31 20:03:40,956 fail2ban.actions[32672]: INFO Set banTime = 3600
2017-07-31 20:03:40,965 fail2ban.jail [32672]: INFO Creating new jail 'apache-tcpwrapper'
2017-07-31 20:03:40,965 fail2ban.jail [32672]: INFO Jail 'apache-tcpwrapper' uses Gamin
2017-07-31 20:03:40,965 fail2ban.jail [32672]: INFO Initiated 'gamin' backend
2017-07-31 20:03:40,966 fail2ban.filter [32672]: INFO Added logfile = /var/log/httpd/error_log
2017-07-31 20:03:40,967 fail2ban.filter [32672]: INFO Set maxRetry = 3
2017-07-31 20:03:40,968 fail2ban.filter [32672]: INFO Set findtime = 300
2017-07-31 20:03:40,969 fail2ban.actions[32672]: INFO Set banTime = 3600
2017-07-31 20:03:41,064 fail2ban.jail [32672]: INFO Creating new jail 'vsftpd-iptables'
2017-07-31 20:03:41,064 fail2ban.jail [32672]: INFO Jail 'vsftpd-iptables' uses Gamin
2017-07-31 20:03:41,065 fail2ban.jail [32672]: INFO Initiated 'gamin' backend
2017-07-31 20:03:41,066 fail2ban.filter [32672]: INFO Added logfile = /var/log/vsftpd.log
2017-07-31 20:03:41,066 fail2ban.filter [32672]: INFO Set maxRetry = 3
2017-07-31 20:03:41,068 fail2ban.filter [32672]: INFO Set findtime = 300
2017-07-31 20:03:41,068 fail2ban.actions[32672]: INFO Set banTime = 3600
2017-07-31 20:03:41,086 fail2ban.jail [32672]: INFO Jail 'recidive' started
2017-07-31 20:03:41,102 fail2ban.jail [32672]: INFO Jail 'ssh-iptables' started
2017-07-31 20:03:41,124 fail2ban.jail [32672]: INFO Jail 'apache-badbots' started
2017-07-31 20:03:41,153 fail2ban.jail [32672]: INFO Jail 'pbx-gui' started
2017-07-31 20:03:41,178 fail2ban.jail [32672]: INFO Jail 'apache-tcpwrapper' started
2017-07-31 20:03:41,220 fail2ban.jail [32672]: INFO Jail 'vsftpd-iptables' started

Let me know if I should post more.


#20

You have no “jails” defined that protect you from attacks against your SIP server on SIP/5060.
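The observation in this reply can be checked mechanically rather than by reading a few hundred log lines. The following is an added example, not part of the thread or of fail2ban: it parses lines in the format of the fail2ban 0.8 log pasted above, lists each jail with its watched log files and maxRetry/findtime/banTime, reports the iptables chains the daemon failed to remove at shutdown, and checks whether any jail watches the Asterisk log where failed SIP registrations are recorded. The sample lines are constructed, modelled on the pasted log; the Asterisk log path used by the check (/var/log/asterisk/full) is an assumption about the installation, and the parser accepts both straight and curly quotes because forum pasting often rewrites them.

```python
"""Summarise which services a fail2ban 0.8 log shows jails for.

Added example, not fail2ban or FreePBX code. SAMPLE_LOG is constructed,
modelled on the log pasted in the thread; the Asterisk log path in
has_sip_jail() is an assumption.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) fail2ban\.(?P<comp>[\w.]+)\s*"
    r"\[(?P<pid>\d+)\]: (?P<level>\w+) (?P<msg>.*)$"
)
# quotes may be straight or curly depending on how the log was pasted
JAIL_RE = re.compile(r"Creating new jail ['‘’](?P<name>[^'‘’]+)['‘’]")
KV_RE = re.compile(r"^(Added logfile|Set maxRetry|Set findtime|Set banTime) = (.+)$")


@dataclass
class Jail:
    name: str
    logfiles: List[str] = field(default_factory=list)
    max_retry: Optional[int] = None
    find_time: Optional[int] = None   # seconds
    ban_time: Optional[int] = None    # seconds


def parse_fail2ban_log(lines) -> Dict[str, Jail]:
    """Return {jail name: Jail} for the most recent daemon start in the lines."""
    jails: Dict[str, Jail] = {}
    current: Optional[Jail] = None
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # continuation of a multi-line message (e.g. the iptables errors)
        msg = m.group("msg")
        if msg.startswith("Changed logging target"):
            jails, current = {}, None  # a new daemon instance: start over
            continue
        jm = JAIL_RE.search(msg)
        if jm:
            current = Jail(jm.group("name"))
            jails[current.name] = current
            continue
        kv = KV_RE.match(msg)
        if kv and current is not None:
            key, value = kv.groups()
            if key == "Added logfile":
                current.logfiles.append(value)
            elif key == "Set maxRetry":
                current.max_retry = int(value)
            elif key == "Set findtime":
                current.find_time = int(value)
            elif key == "Set banTime":
                current.ban_time = int(value)
    return jails


def teardown_errors(lines) -> List[str]:
    """iptables chains that fail2ban could not remove at shutdown ('returned 100')."""
    return [m.group(1) for raw in lines
            for m in [re.search(r"iptables -X (fail2ban-\S+) returned 100", raw)] if m]


def has_sip_jail(jails: Dict[str, Jail], asterisk_log="/var/log/asterisk/full") -> bool:
    """True if some jail is named for SIP/Asterisk or watches the Asterisk log."""
    for jail in jails.values():
        if any(k in jail.name.lower() for k in ("sip", "asterisk")):
            return True
        if asterisk_log in jail.logfiles:
            return True
    return False


# Constructed sample, modelled on the log in the thread (not the full paste)
SAMPLE_LOG = """\
2017-07-31 20:03:33,009 fail2ban.actions.action[32033]: ERROR iptables -D INPUT -p all -j fail2ban-SIP
iptables -F fail2ban-SIP
iptables -X fail2ban-SIP returned 100
2017-07-31 20:03:35,108 fail2ban.server [32033]: INFO Exiting Fail2ban
2017-07-31 20:03:40,708 fail2ban.server [32672]: INFO Changed logging target to /var/log/fail2ban.log for Fail2ban v0.8.14
2017-07-31 20:03:40,709 fail2ban.jail [32672]: INFO Creating new jail 'recidive'
2017-07-31 20:03:40,736 fail2ban.filter [32672]: INFO Added logfile = /var/log/fail2ban.log
2017-07-31 20:03:40,737 fail2ban.filter [32672]: INFO Set maxRetry = 20
2017-07-31 20:03:40,738 fail2ban.filter [32672]: INFO Set findtime = 86400
2017-07-31 20:03:40,739 fail2ban.actions[32672]: INFO Set banTime = 604800
2017-07-31 20:03:40,750 fail2ban.jail [32672]: INFO Creating new jail 'ssh-iptables'
2017-07-31 20:03:40,752 fail2ban.filter [32672]: INFO Added logfile = /var/log/secure
2017-07-31 20:03:40,753 fail2ban.filter [32672]: INFO Set maxRetry = 3
2017-07-31 20:03:40,754 fail2ban.filter [32672]: INFO Set findtime = 300
2017-07-31 20:03:40,755 fail2ban.actions[32672]: INFO Set banTime = 3600
2017-07-31 20:03:40,951 fail2ban.jail [32672]: INFO Creating new jail 'pbx-gui'
2017-07-31 20:03:40,953 fail2ban.filter [32672]: INFO Added logfile = /var/log/asterisk/freepbx_security.log
2017-07-31 20:03:40,954 fail2ban.filter [32672]: INFO Set maxRetry = 3
2017-07-31 20:03:40,955 fail2ban.filter [32672]: INFO Set findtime = 300
2017-07-31 20:03:40,956 fail2ban.actions[32672]: INFO Set banTime = 3600
"""

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    jails = parse_fail2ban_log(lines)
    for j in jails.values():
        print(f"{j.name:16s} retry={j.max_retry} find={j.find_time}s ban={j.ban_time}s "
              f"watches={j.logfiles}")
    print("chains not removed at shutdown:", teardown_errors(lines))
    print("SIP jail present:", has_sip_jail(jails))
```

Run against the pasted log the same way (read /var/log/fail2ban.log and pass its lines in), the jails found are recidive, ssh-iptables, apache-badbots, pbx-gui, apache-tcpwrapper and vsftpd-iptables: SSH, HTTP, FTP, the FreePBX GUI log and fail2ban's own log. None of them watches the Asterisk log, which is the gap this reply points out, and it is why failed SIP registrations on 5060 go unbanned regardless of the maxRetry = 3 settings the poster expected to apply.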