I am seeing entries like the following in my log:
[2016-01-13 15:09:20] NOTICE
res_pjsip/pjsip_distributor.c: Request from ‘"504"
sip:[email protected]’ failed for ‘xxx.xxx.xxx.xxx:5060’ (callid:
[email protected]) - No matching endpoint found
Now, it was my understanding the FreePBX has a Responsive Firewall that would “block” unauthorized access. It obviously can’t do this when it just happens a few times, but I was expecting that it would block the same IP if it would try to get access multiple times.
My Responsive Firewall is activated, but it doesn’t seem to block any external IPs when they are scouting for extensions. Do I miss a setting or did I misunderstand the functionality?
Rob can better explain this and any specifics, but here’s the basics.
All unknown SIP requests are throttled such that a minimal number of requests per minute will be allowed in. This is the mechanism that allows a new external extension to try to register. If it registers properly, it will be white listed and throttling will be removed as long as it stays registered.
During this throttling period, it will allow a small handful of attempts to come in, and not very quickly. This allows you the ability to try and configure a new phone, make a mistake or two and still be able to register before getting locked out for a period of time.
Upon too many failures, an escalating algorithm is put in place to lock out the IP for a period of time. Those details Rob would have to pipe in, but it should escalate fairly quickly towards getting banned.
If it’s not getting banned, you may want to provide a bit more information such as what rate are the requests coming in at and how long that has been allowed to further evaluate the situation.
Also, if you are using responsive, the corresponding services need to be set to ‘internal’.
Thank you for getting back to me. Your explanation makes sense and it is kind of how I was hoping the firewall would work.
I will do some more monitoring, but this is what I am seeing so far:
- Up to 5 requests for a given extension for one IP address
- Next request takes place a few minutes (5 - 10 minutes?) later and might be for the same extension or a different one, but it is using the same IP to connect
So, I guess the next question is what does a handful of connections mean? And, does the counter reset if the IP goes against a different extension? And, last but least, does the counter expire for a given IP?
In addition, it would be good to know how long the lockout period is and, most importantly, if these default values are configurable.
Thank you for getting back to me.
I am new to FreePBX and so I apologize, but could you please elaborate what needs to be set to internal and where to do so?
Rob will have to pipe in with any details. I’m pretty sure the settings are not configurable, and I know there are initial throttles that back off for shorter periods of time (10 minutes or so) eventually followed by longer periods (1 hr or so) eventually going to 24+ hour chunks. The general idea is to ward off brute force attacks while allowing honest users back in. If you couple those algorithms with any form of reasonable password, you’re in great shape to ward off attacks.
It is possible to use this in conjunction with fail2ban where more specific rules can be defined but in general, if you’ve got descent passwords, the responsive control should give you everything else you need.
I really like the approach of the responsive firewall and think it is a great idea. But I can see the same behavior with the firewall as jst68. It is successfully blocking IPs, so it is working and I have it rightly configured.
But browsing through the logs I see attacks from various IPs with a certain amount of time in between each try not beeing blocked at all even though it is a continues attack going on for a long period of time.
In between these timestamps there are attempts from other IPS, also with a certain amount of time between each try. This way they avoid beeing blocked.
Is there any setting that can be used to prevent these kind of attacks? It would be nice to have an IP blocked after lets say 5 failures. Or do I need to also use fail2ban to prevent this?
Just extracting one IP it looks like this
[2016-03-07 16:10:31] NOTICE res_pjsip/pjsip_distributor.c: Request from ‘“12345” sip:[email protected]’ failed for ‘220.127.116.11:5082’ (callid: f8593ed356d031570a20b2c24cc014ab) - No matching endpoint found
[2016-03-07 16:23:15] NOTICE res_pjsip/pjsip_distributor.c: Request from ‘“12345” sip:[email protected]’ failed for ‘18.104.22.168:5083’ (callid: ff7fe6c764eccef01d3970c745bcbb66) - No matching endpoint found
[2016-03-07 16:35:54] NOTICE res_pjsip/pjsip_distributor.c: Request from ‘“12345” sip:[email protected]’ failed for ‘22.214.171.124:5079’ (callid: a5cb2b1229e563eb4ffbe19561fbace0) - No matching endpoint found
[2016-03-07 16:48:32] NOTICE res_pjsip/pjsip_distributor.c: Request from ‘“12345” sip:[email protected]’ failed for ‘126.96.36.199:5076’ (callid: 27888250307bb52b208642c02a7efb5d) - No matching endpoint found
[2016-03-07 18:04:28] NOTICE res_pjsip/pjsip_distributor.c: Request from ‘“12345” sip:[email protected]’ failed for ‘188.8.131.52:5081’ (callid: 102cf1fbe164a8f5432725096dbfafe9) - No matching endpoint found
But after the first entry the log records also these other IPs
[> 2016-03-07 16:10:55] NOTICE res_pjsip/pjsip_distributor.c: Request from ‘“2212” sip:[email protected]’ failed for ‘184.108.40.206:5070’ (callid: cfb5f293c87e62515c88ea2ac26b9723) - No matching endpoint found
[2016-03-07 16:11:00] NOTICE res_pjsip/pjsip_distributor.c: Request from ‘“1001” sip:[email protected]’ failed for ‘220.127.116.11:5071’ (callid: 7729504046e6e3c2e5e2f456ffbfe05b) - No matching endpoint found