Responsive firewall constantly blocking remote users

It should be in there.
Maybe it gets removed with the firewall being enabled?

Thanks for pointing me in the right direction. I want to make sure I post the solution for others to use.

The problem was that as soon as you enable the firewall in the GUI, the asterisk-iptables record would get deleted from jails.local. Jails.local is a file generated by the module. When you disable the firewall, the asterisk-iptables record would appear back in that file. To bypass this, add a custom asterisk-iptables record in etc/fail2ban/jails.conf.


[asterisk-iptables]
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/fail2ban


This fixes the issue, and fail2ban starts banning the invalid sip registrations.

Thanks!

Fail2ban is not a reliable solution. It only detects failed logins. If there’s an exploit that doesn’t require a login attempt in Asterisk, Apache, SSH, or one of the other services that run on your system, Fail2ban will do nothing to prevent it.

I’ve looked at FreePBX’s responsive firewall, but I’m concerned because there aren’t enough details about what each option does and how it works for me to be satisfied that it is a reliable solution. I also find the UI unintuitive. The fact that you are experiencing problems with it seems to support my view.

IMHO, the only right answer is to NOT forward any ports from your router unless they are limited to a particular source IP, or if you must forward a port, configure iptables so that it only allows in packets that are from trusted sources and only on ports that are essential for that particular user.

If you need to allow remote users, either (1) use a whitelist solution with DDNS (like Ward Mundy’s Travellin’ Man Scripts), (2) route the remote users through a service provider and create a mechanism for them to get their calls routed into your system as needed, or (3) use a VPN solution like OpenVPN. I use the last option.


We are using the RF for both Zoiper and Bria remote users without any issues. I would suggest there is a problem with your setup that prevents the initial registration when not on wifi and in that case RF blocks the users as it should.

What could be an exploit that doesn’t require a login attempt? Can there be anything else that hackers can attack with other than trying to login to the server? Do you have any examples?

I’m afraid ddns and openvpn aren’t good options for mobile users. It’s a bit too much.

Asterisk, CentOS, and FreePBX have all been the subject of various exploits over the years that allowed people to remotely hijack the system without knowing a SIP username/password. I don’t know of any that apply to a fully patched system today (because they’ve been patched), but it seems almost certain that another one will be discovered eventually.

You do that on remote mobile clients and cell phones as well?
I use openvpn on remote IP phones, but would like to do that on cell phones too.
There is openvpn on Android, but it doesn’t give you the option to only route sip traffic through the VPN.
Best would be to have a soft phone app that includes an openvpn client (or DDNS client second choice), so you don’t have to install two things. But there is no such thing.

I am hoping Zulu will do something like that.

Zulu does not use SIP for traffic. It uses its own protocol and ports. So it will by default (if it’s the same as desktop) route only that traffic using SSL.

Sure, but the security question will be the same.

There’s a port which we will have to forward on our firewalls and we don’t want to have that port open to everyone but we want to whitelist to known IP addresses.
Those will change, hence the need for hostnames and DDNS, or better, use VPN.
And either one (or both) should be integrated into the Zulu mobile app, so we don’t have to install something extra.

Hi Folks,

I’m using ZOIPER on Android, with OpenVPN for Android from Arne Schwabe.

It works well most of the time. I’m travelling a lot, right now I’m in Oman for example.

I have RF deactivated, since it always blocks my VPN users. I use Yealink with the Yealink VPN implementation to an OpenVPN server running on OpenMediaVault, which is also my file storage and hosts my FreePBX VM in VirtualBox.

I did go for FreePBX 14/14 while it was still beta. All updates done.

Now I just tried to reactivate my ZOIPER on my Android, but Fail2Ban always kills the IP from my openVPN server. It happens after the ZOIPER phone starts registering. After I switch f2b off, everything works fine.

As long as I’m registered it’s fine, and I could switch f2b back on, but after I change wifi or have bad network coverage and the VPN gets killed, it will take some time to restart the VPN, and during this, or right after that, I’ll get banned again.

No clue as to what I have to change on ZOIPER to make sure it won’t get banned.

Any suggestions? Thanks!
Manne
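An added example (not code from FreePBX, fail2ban or any poster here) that models what the asterisk-iptables jail posted above does over Asterisk security-log lines, and shows the failure mode from Manne’s post: when the softphone re-registers through the VPN, every failed attempt is attributed to the OpenVPN server’s address, and after maxretry failures that address is banned. The regex is modelled on fail2ban’s stock asterisk filter, the log lines are constructed, and the 10.8.0.0/24 network standing in for the VPN endpoint is an assumption; the ignoreip parameter mirrors fail2ban’s ignoreip setting, which is the defender-side way to keep a trusted VPN address out of the ban logic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Pattern modelled on fail2ban's stock asterisk filter: only events meaning a
# failed SIP login count, and the source IP is taken from RemoteAddress.
FAIL_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] SECURITY\[\d+\].*'
    r'SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|'
    r'InvalidPassword)".*RemoteAddress="IPV4/(?:UDP|TCP|WS)/'
    r'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+"'
)

def _line(ts, event, ip):
    # Constructed sample in the /var/log/asterisk/fail2ban format (abridged).
    return (f'[{ts}] SECURITY[1970] res_security_log.c: SecurityEvent="{event}",'
            f'Severity="Error",Service="SIP",AccountID="1001",'
            f'RemoteAddress="IPV4/UDP/{ip}/5060"')

SAMPLE_LOG = [  # constructed: a scanner, one good login, and a VPN endpoint
    _line("2024-05-01 09:00:01", "InvalidPassword", "203.0.113.7"),
    _line("2024-05-01 09:00:02", "SuccessfulAuth", "198.51.100.4"),
    _line("2024-05-01 09:00:05", "ChallengeResponseFailed", "10.8.0.1"),
    _line("2024-05-01 09:00:09", "InvalidPassword", "203.0.113.7"),
    _line("2024-05-01 09:00:12", "ChallengeResponseFailed", "10.8.0.1"),
    _line("2024-05-01 09:00:15", "InvalidAccountID", "203.0.113.7"),
    _line("2024-05-01 09:00:20", "ChallengeResponseFailed", "10.8.0.1"),
]

def parse_failures(lines):
    """Yield (timestamp, source_ip) for every line that counts as a failure."""
    for line in lines:
        m = FAIL_RE.search(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]

def ban_decisions(lines, maxretry=3, findtime=600, ignoreip=()):
    """Return {ip: time_of_ban} using fail2ban's maxretry/findtime semantics."""
    ignored = [ip_network(n) for n in ignoreip]  # assumed VPN range, e.g. 10.8.0.0/24
    recent, banned = defaultdict(list), {}
    for ts, ip in parse_failures(lines):
        if any(ip_address(ip) in net for net in ignored):
            continue  # trusted source: never counted, like fail2ban's ignoreip
        recent[ip] = [t for t in recent[ip] if ts - t <= timedelta(seconds=findtime)]
        recent[ip].append(ts)
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned[ip] = ts
    return banned
```

Without ignoreip both the scanner and the VPN endpoint get banned; with the VPN range ignored, only the scanner does.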

I use OpenVPN for desktop IP phones and smartphones, iPhone and Android, and on both only the traffic destined to the FreePBX network is encrypted; the rest is not. It is of course a little more inclusive than encrypting only SIP, but that should not be an issue, because your softphone app will only connect to your FreePBX server; nothing else will be using the OpenVPN connection, at least if you configure it properly not to redirect all traffic to the VPN tunnel.

Hi @arielgrin, could you please explain to me how to do this? We have our server in the US and we have some employees in Latin America with the Zoiper softphone on their mobile phones. They are not always in the office but on the street, so they cannot be attached to a wifi connection. Thanks for your attention.

There are basically two ways of doing this. You either use your router as an OpenVPN server if it provides that function, or you install an OpenVPN server on FreePBX, or use the included one if you have Sysadmin Pro. I prefer to do it on the router so as not to overload the FreePBX server with the OpenVPN service.

Hi @arielgrin ,

I have my FreePBX on a virtual server with Vultr, so there is no way that I can setup the router. Could you please guide me on how to do it step by step? I’m sorry to bother you but I’m new to FreePBX and this is the last step to complete my project. Thanks again for your cooperation.

Do you have a license for Sysadmin Pro? If not, you probably want to follow the online tutorial to install OpenVPN from scratch; I’m probably not aware of all the steps involved when installing from scratch.

https://openvpn.net/index.php/open-source/documentation/howto.html

An easier and quicker way perhaps?

It does all the heavy lifting for you.

To this day the Responsive Firewall is still an issue. With many users now working from home, the situation is untenable.

Users leaving their home WiFi jumping to 4G are constantly disconnected, often cannot reconnect for several minutes.

Testing with an allow SIP rule, the problem is no longer there.

The RF has no documentation, no documented way to look at logs and no way to tune its functionality.

Another approach worth checking is to use VoIP tunneling, instead of a responsive firewall, for remote users. It works by managing communication to/from the softphones and forwarding calls to your PBX server using a standard SIP protocol. The main advantage is that all traffic from the softphones to the PBX comes from a single IP address that needs to be whitelisted on the Firewall. Tunnels often come as server software or as a cloud service with integrated softphones. As a drawback, you might need to change softphone apps for remote users and maintain the tunnel. But once set up, it can scale easily for any number of users, and they don’t need to use VPN or anything like that. VoIP tunnels are also used to bypass VoIP blockages in some countries.

Hey there, I have the same problem. I opened a ticket there:

There is an issue opened for this here.

https://issues.freepbx.org/browse/FREEPBX-22196

Did you manage to get normal behavior without compromising security?
I don’t want to use VPN on smartphones for now.
