Sequential Hack Attempt against our PBX

Our FreePBX box is being hit with a sequential extension attack of some sort. We have a few PBXs and we are seeing this on all of them. Does anybody know how to defend against this? Fail2Ban is not picking it up. This is what we see in the CDR logs. You can see the CallerID is incrementing, starting (in this example) at 22902 and continuing through 22931.

2014-05-02 15:45:36 1399063536.389040 22931 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:35 1399063535.389037 22928 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:35 1399063535.389039 22930 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:35 1399063535.389038 22929 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:35 1399063535.389036 22927 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:35 1399063535.389035 22926 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:35 1399063535.389034 22925 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:35 1399063535.389033 22924 Congestion s [from-sip-external] ANSWERED 00:12
2014-05-02 15:45:34 1399063534.389031 22922 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:34 1399063534.389032 22923 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:34 1399063534.389030 22921 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:34 1399063534.389029 22920 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:34 1399063534.389028 22919 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:34 1399063534.389027 22918 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:34 1399063534.389026 22917 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:34 1399063534.389024 22915 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:34 1399063534.389025 22916 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:34 1399063534.389023 22914 Congestion s [from-sip-external] ANSWERED 00:12
2014-05-02 15:45:33 1399063533.389022 22913 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389021 22912 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389020 22911 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389019 22910 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389018 22909 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389017 22908 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389016 22907 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389015 22906 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389014 22905 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389013 22904 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389012 22903 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:32 1399063532.389011 22902 Congestion s [from-sip-external] ANSWERED 00:13
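A small detector for the pattern in the CDR excerpt above, added here as an example; it is not FreePBX or Asterisk code and not something from the thread. It assumes the nine-column CDR layout shown in the post (date, time, uniqueid, CallerID, last app, destination, bracketed context, disposition, duration), and treats a CallerID that is a bare integer as a candidate account number being walked. The sample input reuses the first eight lines of the post's excerpt (22902 through 22909) plus three constructed internal calls so that legitimate traffic is present and is not flagged.

```python
"""Flag bursts of sequentially incrementing CallerIDs in Asterisk CDR output.

Added example for this thread, not FreePBX or Asterisk code. Assumes the
nine-column CDR layout shown in the original post.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One CDR line as it appears in the post:
# date time uniqueid callerid app dst [context] disposition duration
CDR_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) "
    r"(?P<uniqueid>\d+\.\d+) (?P<callerid>\S+) (?P<app>\S+) (?P<dst>\S+) "
    r"\[(?P<context>[^\]]+)\] (?P<disposition>\S+) (?P<duration>\d{2}:\d{2})$"
)

# Sample input: eight lines taken from the poster's excerpt, plus three
# constructed lines (two internal calls and one non-numeric CallerID).
SAMPLE_CDR = """\
2014-05-02 15:45:33 1399063533.389018 22909 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389017 22908 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389016 22907 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389015 22906 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389014 22905 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389013 22904 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:33 1399063533.389012 22903 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:32 1399063532.389011 22902 Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:45:30 1399063530.389009 201 Dial SIP/305 [from-internal] ANSWERED 01:02
2014-05-02 15:45:10 1399063510.389005 anonymous Congestion s [from-sip-external] ANSWERED 00:13
2014-05-02 15:44:50 1399063490.389001 305 Dial SIP/201 [from-internal] BUSY 00:00
"""


def parse_cdr(text):
    """Return (timestamp, callerid, context) tuples, oldest first; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = CDR_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M:%S")
        records.append((ts, m["callerid"], m["context"]))
    return sorted(records)


def longest_consecutive_run(callerids):
    """(length, first, last) of the longest run of consecutive integers among numeric CallerIDs."""
    ids = sorted({int(c) for c in callerids if c.isdigit()})
    best = (0, None, None)
    start = prev = None
    for n in ids:
        if prev is None or n != prev + 1:
            start = n            # a gap: start a new run here
        prev = n
        length = n - start + 1
        if length > best[0]:
            best = (length, start, n)
    return best


def detect_enumeration(text, window=timedelta(seconds=60), min_run=5):
    """Per context, slide a time window over the records and report any window
    containing a run of at least min_run consecutive CallerIDs."""
    by_context = defaultdict(list)
    for ts, cid, ctx in parse_cdr(text):
        by_context[ctx].append((ts, cid))
    alerts = {}
    for ctx, recs in by_context.items():
        best = (0, None, None)
        for i, (t0, _) in enumerate(recs):
            in_window = [cid for ts, cid in recs[i:] if ts - t0 <= window]
            run = longest_consecutive_run(in_window)
            if run[0] > best[0]:
                best = run
        if best[0] >= min_run:
            alerts[ctx] = best
    return alerts


if __name__ == "__main__":
    for ctx, (length, first, last) in detect_enumeration(SAMPLE_CDR).items():
        print(f"{ctx}: {length} consecutive CallerIDs, {first}..{last}")
```

Run over the full excerpt from the post, the from-sip-external context reports a run of 30 (22902 through 22931) inside a two-second window, while the internal context stays quiet; CallerIDs that are not plain integers are ignored rather than breaking a run. The window and min_run thresholds are the knobs to tune against your own call volume before acting on the output.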

How can anyone help you? You don’t say anything about what software you installed on what hardware, by what method, and what versions of everything.

Do you allow anonymous or guest over SIP? Do you have Asterisk >= 10? Is your fail2ban/asterisk set up to monitor SECURITY events? . . .

My apologies. I thought it may be a known issue.

This is the FreePBX distro running as a VM. The FreePBX version is 5.211.65-11. FreepbxGuest is disabled. Allow SIP Guests is disabled. Allow Anonymous Inbound SIP Calls is disabled. Fail2Ban is running with the default distro settings.

Asterisk is version 11.8.1

Then this should be taken to the Distro-specific forum; it does its own version of fail2ban, but fail2ban should be catching those attacks (mine do).

If you are visible to the internet, which you apparently are: if you do not need to be visible, block ports 5060 - 5061, or change the ports if you do need to be visible to the net.

Since blocking these ports on my router, I have seen a 100% reduction in any attempts on my system.

Also, this topic is very similar to yours… http://support.freepbx.org/forum/general-help/am-i-being-hacked

Yeah I agree, this should solve your issue. Address the visibility of the TCP 5060-5061 ports. But really I’d consider locking this system down as much as possible from exposure to the net. Have you deployed FreePBX on a private network or public?

fail2ban out of the box will not block those events unless you define them.

But that just looks like you’ve got guest/anonymous sip enabled. You might want to double check.

fail2ban 0.8.13 will block those attacks without definition if turned on in jail.conf or its includes, by default it watches

/var/log/asterisk/messages

and expects that that file is defined somewhere in logger*.conf

messages => notice,security,warning

and that you have

.
.
alwaysauthreject=on
allowguest=no
.
.

in your /etc/asterisk/sip*.conf files

(any further events like error, debug or verbose are spurious to its needs and significantly slow it down)

(if the ‘asterisk jail’ is turned on in jail.conf. . )

Dicko is correct; do verify that it is included (or defined).

Good luck!

Just remember when writing fail2ban rules you must be aware of legitimate activity with the same log entry. You don’t want to start blocking legitimate traffic.

That’s why fail2ban-regex is included with the package.
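An added example of the check fail2ban-regex performs, written here for the fail2ban discussion above and for the warning about legitimate activity matching the same log entry; it is neither the fail2ban project's asterisk filter nor anything from FreePBX. The two patterns are written in the style of a fail2ban failregex (with the <HOST> placeholder expanded to an address group, as fail2ban-regex does), and the log lines are constructed in the format Asterisk's res_security_log writes to /var/log/asterisk/messages once the 'security' level is enabled, using RFC 5737 documentation addresses.

```python
"""Dry-run fail2ban-style filter regexes against Asterisk SECURITY log lines.

Added example for this thread; not the fail2ban project's filter and not
FreePBX code. Sample log lines are constructed.
"""
import re
from collections import Counter

# fail2ban filters write <HOST>; fail2ban-regex expands it to an address pattern.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Strict: only authentication/ACL failures, anchored on the RemoteAddress field.
STRICT = re.compile(
    r'SecurityEvent="(?:FailedACL|InvalidAccountID|ChallengeResponseFailed|InvalidPassword)",'
    r'.*RemoteAddress="IPV4/(?:UDP|TCP)/' + HOST + r'/\d+"'
)

# Over-broad: any SecurityEvent line, so successful logins count as failures
# (the mistake the last post warns about).
BROAD = re.compile(
    r'SecurityEvent="\w+",.*RemoteAddress="IPV4/(?:UDP|TCP)/' + HOST + r'/\d+"'
)

# Constructed sample: three probes from one host, one from another,
# and one legitimate successful registration.
SAMPLE_LOG = """\
[2014-05-02 15:45:32] SECURITY[2116] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1399063532-389011",Severity="Error",Service="SIP",EventVersion="1",AccountID="22902",SessionID="0x7f0c3c0a9d38",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.45/5062"
[2014-05-02 15:45:33] SECURITY[2116] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1399063533-389012",Severity="Error",Service="SIP",EventVersion="1",AccountID="22903",SessionID="0x7f0c3c0a9e40",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.45/5062"
[2014-05-02 15:45:33] SECURITY[2116] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="1399063533-389013",Severity="Error",Service="SIP",EventVersion="1",AccountID="22904",SessionID="0x7f0c3c0a9f48",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.45/5062",Challenge="1a2b3c4d",Response="deadbeef",ExpectedResponse=""
[2014-05-02 15:45:34] SECURITY[2116] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1399063534-100",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x7f0c3c0b0a10",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.46/5060",Challenge="5e6f7a8b",ReceivedChallenge="5e6f7a8b",ReceivedHash="0123456789abcdef"
[2014-05-02 15:45:35] SECURITY[2116] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1399063535-101",Severity="Informational",Service="SIP",EventVersion="1",AccountID="201",SessionID="0x7f0c3c0b1120",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060",UsingPassword="1"
"""


def count_matches(pattern, log):
    """Tally hits per remote host, as fail2ban does before comparing with maxretry."""
    hits = Counter()
    for line in log.splitlines():
        m = pattern.search(line)
        if m:
            hits[m["host"]] += 1
    return hits


def would_ban(pattern, log, maxretry=3):
    """Hosts that reach maxretry hits (findtime is ignored: all sample lines are seconds apart)."""
    return sorted(h for h, n in count_matches(pattern, log).items() if n >= maxretry)


if __name__ == "__main__":
    for name, pat in (("strict", STRICT), ("broad", BROAD)):
        print(name, dict(count_matches(pat, SAMPLE_LOG)),
              "would ban at maxretry=1:", would_ban(pat, SAMPLE_LOG, maxretry=1))
```

The strict pattern bans only the host that probed three account IDs; the broad one also counts the successful registration from 198.51.100.7, which is exactly the kind of legitimate entry that gets a real phone banned. Running fail2ban-regex against a day of your own messages log with the candidate filter shows the same per-host tally before the rule goes live.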