Would you be able to explain how to define them? I’d really appreciate it.
You’re right, because it looks like fail2ban works when i try to ssh into the pbx with an incorrect password. How would I add a jail for sip?
The jails are in /etc/fail2ban/jail.local.
The one for SIP is under [asterisk-iptables].
Custom jails can be added in jail.conf.
However, the SIP jail is already there, it just seems that enabling the FreePBX firewall disables it, but I don’t why and I am not familiar with the FPBX firewall, I have never used it.
I have moved to using the RF with all of our deployments and I can say that for the most part it works well. I have had the occasional issue where it does not allow any new phones to register at a site and I go into the Intrusion system and see that my IP hit the blacklist, even though it was only pulling config files to program the phone. Once I white-list it then everything else works correctly, but that sort of defeats the purpose of having it.
The other issue that has happened a couple times is that Sangoma phones just stop working. No SIP registration and no XML apps. I disabled the firewall and immediately they light up and I can re-enable the firewall. Now I say Sangoma phones because this has happened in multiple environments and the one environment it happened in first had a mix of Sangoma and Yealink. It was very weird. All the yealink phones worked but nothing from the Sangoma’s. It was really odd. But again, disabled and re-enable fixed it.
Yeah, I don’t think i have ever had a problem with RF using hard phones. The problem is with remote users that would like to use their app on the go. I wish RF worked correctly with them, that way i could just set it and forget it, but now I’m still trying to figure out what can be the best and reliable solution for this.
I really like the idea of intrusion detection because the way it works is a perfect fit for this. You let them register 2 or 3 times, then block them after a couple of unsuccessful attempts. Perfect. I don’t really see this being less secure than somebody’s gmail account. It’s completely open for the public to guess passwords but has very limited number of attempts. I even tried setting it to only 1 attempt, and it worked great.
RF on the other side has been acting up. Especially with bria.
Forgot to mention, my only problem with ID is that it stops banning sip protocol when the firewall is enabled. I don’t understand why don’t these simple tools just work they way they’re supposed to.
I’m not seeing any jail named asterisk-iptables. Would you be able to help me insert it?
These are the examples I have for gui and ssh. Would asterisk-iptables look similar to these two?
enabled = true
filter = freepbx
action = iptables-allports[name=SIP, protocol=all]
sendmail[name=SIP, [email protected], [email protected]]
logpath = /var/log/asterisk/freepbx_security.log
enabled = true
filter = sshd
action = iptables-multiport[name=SSH, protocol=tcp, port=ssh]
sendmail[name=SSH, [email protected], [email protected]]
logpath = /var/log/secure
It should be in there.
Maybe it gets removed with the firewall being enabled?
Thanks for pointing me in the right direction. I want to make sure I post the solution for others to use.
The problem was that as soon as you enable firewall in the gui, asteris-iptables record would get deleted from jails.local. Jails.local is a file generated by the module. When you disable the firewall, the asterisk-iptables record would appear back in that file. To bypass this, add a custom asterisk-iptables record in etc/fail2ban/jails.conf.
enabled = true
filter = asterisk
action = iptables-allports[name=SIP, protocol=all]
logpath = /var/log/asterisk/fail2ban
This fixes the issue, and fail2ban starts banning the invalid sip registrations.
Fail2ban is not a reliable solution. It only detect failed logins. If there’s an exploit that doesn’t require a login attempt in Asterisk, Apache, SSH, or one of the other services that run on your system, Fail2ban will do nothing to prevent it.
I’ve looked at FreePBX’s responsive firewall, but I’m concerned because there’s not enough details about what each option does and how it works for me to be satisfied that it is a reliable solution. Also, I find the UI is not intuitive, either. The fact that you are experiencing problems with it seems to support my view.
IMHO- the only right answer is to NOT forward any ports from your router unless they are limited to a particular source IP, or if you must forward a port, configure IPtables so that it only allows in packets that are from trusted sources and only on ports that are essential for that particular user.
If you need to allow remote users, either (1) use a whitelist solution with DDNS (like Ward Mundy’s Travellin’ Man Scripts), (2) route the remote users through a service provider and create a mechanism for them to get their calls routed into your system as needed, or (3) use a VPN solution like OpenVPN. I use the last option.
We are using the RF for both Zoiper and Bria remote users without any issues. I would suggest there is a problem with your setup that prevents the initial registration when not on wifi and in that case RF blocks the users as it should.
What could be an exploit that doesn’t require a login attempt? Can there be anything else that hackers can attack with other than trying to login to the server? Do you have any examples?
I’m afraid ddns and openvpn aren’t good options for mobile users. It’s a bit too much.
Asterisk, CentOS, and FreePBX have all been the subject of various exploits over the years that allowed people to remotely hijack the system without knowing a SIP username/password. I don’t know of any that apply to a fully patched system today (because they’ve been patched), but it seems almost certain that another one will be discovered eventually.
You do that on remote mobile clients and cell phones as well?
I use openvpn on remote IP phones, but would like to do that on cell phones too.
There is openvpn on Android, but it doesn’t give you the option to only route sip traffic through the VPN.
Best would be to have a soft phone app that includes an openvpn client (or DDNS client second choice), so you don’t have to install two things. But there is no such thing.
I am hoping Zulu will do something like that.
Zulu does not use SIP for traffic. It uses its own protocol and ports. So it will by default (if its the same as desktop) route only that traffic using an SSL.
Sure, but the security question will be the same.
There’s a port which we will have to forward on our firewalls and we don’t want to have that port open to everyone but we want to whitelist to known IP addresses.
Those will change, hence the need for hostnames and DDNS, or better, use VPN.
And either one (or both) should be Integrated into the Zulu mobile app, so we don’t have to install something extra.
Im using ZOIPER on Android, with openVPN for Android from Arne Schwabe.
It works well most of the time. I’m travelling a lot, right now I’m in Oman for example.
I have RF deactivated, since it always blocks my VPN users. I use yealink with the yealink VPN implementation to an openVPN Server running OpenMediaVault that’s also my file storage and providing as host for my freepbx VM in Virtualbox.
I did go for FreePBX 14/14 while it was still beta. All updates done.
Now I just tried to reactivate my ZOIPER on my Android, but Fail2Ban always kills the IP from my openVPN server. It happens after the ZOIPER phone starts registering. After I switch f2b off, everything works fine.
As long as I’m registered its fine, I could switch f2b back on, but after i change wifi or have bad network coverage and the VPN gets killed, it will take some time for restarting the VPN and while this, or right after that, I’ll get banned again.
No clue as to what I have to change on ZOIPER to make sure it wont get banned.
Anny suggestions-? Thanks!
I use OpenVPN for desktop IP phones and smartphones, Iphone and Android, and on both only the traffic destined to the FreePBX network is encrypted, the rest is not. It is of course a little more inclusive than just encrypting only SIP, but that should not be an issue, because your softphone app will only connect to your FreePBX server, nothing else will be using the OpenVPN connection, at least if you configure it properly not to redirect all traffic to the VPN tunnel.
Hi @arielgrin, could you please explain me how to do this? We have our server in the US and we have some employees in Latin America with Zoiper softphone on their mobile phones. They are not always in the office but on the street, so they cannot be attached to a wifi connection. Thanks for your attention.
There is basically two ways of doing this. You either use your router as an openvpn server if it provides that function or you install openvpn server on freepbx, or use the included one if you have sysadmin pro. I prefer to do it on the router so not to overload the freepbx server with the openvpn service.