To start off with, this server is NOT in production use. It has no paid trunking provider attached to it. I started TESTING some trunking providers through it is all. I’ve run FreePBX servers for years without a problem. So I’m trying to determine what I might have done wrong in this situation and am looking for insight. I thought it was set up the same as other machines I’ve done. It looks like someone got in, but perhaps it is something else (FYI, the test SIP trunks show no activity over them).
What I see in the CDR logs is a bunch of calls with a CallerID of 2022, that get Congestion, and have a destination of s[from-sip-external].
It then seems to start incrementing the Caller ID by 1. There were 2 attempts to dial 10 digit numbers as well it seems.
This got to something like 600 or so.
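One way to pick this pattern out of Asterisk CDR data, as an added example that is not from the post or from FreePBX: it parses Master.csv rows (default cdr_csv column order assumed) constructed to mirror the activity described above, and flags runs of consecutive numeric caller IDs landing on s in from-sip-external with CONGESTION, plus any 10-digit dial attempts from that context.

```python
import csv
from io import StringIO

# Asterisk's default Master.csv column order (assumption: unmodified cdr_csv).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
          "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
          "disposition", "amaflags", "uniqueid", "userfield"]

# Constructed sample CDR lines modelled on the pattern described in the post:
# consecutive caller IDs from 2022 upward hitting "s" in from-sip-external with
# CONGESTION, two 10-digit dial attempts, and one normal internal call.
SAMPLE_CDR = """\
"","2022","s","from-sip-external","2022","SIP/anonymous-00000001","","Congestion","","2016-01-06 14:20:01","","2016-01-06 14:20:01",0,0,"CONGESTION","DOCUMENTATION","1452090001.1",""
"","2023","s","from-sip-external","2023","SIP/anonymous-00000002","","Congestion","","2016-01-06 14:20:02","","2016-01-06 14:20:02",0,0,"CONGESTION","DOCUMENTATION","1452090002.2",""
"","2024","s","from-sip-external","2024","SIP/anonymous-00000003","","Congestion","","2016-01-06 14:20:03","","2016-01-06 14:20:03",0,0,"CONGESTION","DOCUMENTATION","1452090003.3",""
"","2025","5555550123","from-sip-external","2025","SIP/anonymous-00000004","","Congestion","","2016-01-06 14:20:04","","2016-01-06 14:20:04",0,0,"CONGESTION","DOCUMENTATION","1452090004.4",""
"","1001","2002","from-internal","Alice <1001>","SIP/1001-00000005","SIP/2002-00000006","Dial","SIP/2002,30","2016-01-06 14:21:00","2016-01-06 14:21:05","2016-01-06 14:21:20",20,15,"ANSWERED","DOCUMENTATION","1452090060.5",""
"","2026","5555550124","from-sip-external","2026","SIP/anonymous-00000007","","Congestion","","2016-01-06 14:22:00","","2016-01-06 14:22:00",0,0,"CONGESTION","DOCUMENTATION","1452090120.7",""
"""

def analyze_cdr(text, min_run=3):
    """Return (first, last) caller-ID ranges of sequential probe runs and the
    10-digit dial attempts seen in the from-sip-external context."""
    runs, current, ten_digit = [], [], []

    def flush():
        # Close the current run; keep it only if it is long enough to matter.
        if len(current) >= min_run:
            runs.append((current[0], current[-1]))
        current.clear()

    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        if row["dcontext"] != "from-sip-external":
            flush()  # an internal call breaks the sequence
            continue
        if row["dst"].isdigit() and len(row["dst"]) == 10:
            ten_digit.append((row["src"], row["dst"]))
        probe = (row["dst"] == "s" and row["disposition"] == "CONGESTION"
                 and row["src"].isdigit())
        if probe and current and int(row["src"]) == current[-1] + 1:
            current.append(int(row["src"]))  # caller ID incremented by one
        elif probe:
            flush()
            current.append(int(row["src"]))  # start a new run
        else:
            flush()
    flush()
    return {"enumeration_runs": runs, "ten_digit_attempts": ten_digit}
```

Pointing the same function at a real /var/log/asterisk/cdr-csv/Master.csv (read into a string) gives the ranges to compare against the fail2ban ban timestamps.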
Fail2Ban blocked the offender, 74.36.254.123. IP lookup HERE implies it’s from Virginia and the Softlayer ISP.
nslookup:
[root@pbx]# nslookup 174.36.254.123
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
123.254.36.174.in-addr.arpa name = 7b.fe.24ae.ip4.static.sl-reverse.com.
dig:
[root@pbx]# dig
; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.3 <<>>
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41122
;; flags: qr rd ra; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;. IN NS
;; ANSWER SECTION:
. 17682 IN NS m.root-servers.net.
. 17682 IN NS j.root-servers.net.
. 17682 IN NS e.root-servers.net.
. 17682 IN NS l.root-servers.net.
. 17682 IN NS k.root-servers.net.
. 17682 IN NS i.root-servers.net.
. 17682 IN NS g.root-servers.net.
. 17682 IN NS h.root-servers.net.
. 17682 IN NS b.root-servers.net.
. 17682 IN NS d.root-servers.net.
. 17682 IN NS c.root-servers.net.
. 17682 IN NS a.root-servers.net.
. 17682 IN NS f.root-servers.net.
;; ADDITIONAL SECTION:
m.root-servers.net. 1543 IN A 202.12.27.33
f.root-servers.net. 1697 IN A 192.5.5.241
;; Query time: 16 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Jan 6 14:26:30 2016
;; MSG SIZE rcvd: 273
fail2ban log shows:
[root@pbx jgould]# grep "Ban " /var/log/fail2ban.log | awk -F[\ \:] '{print $10,
1 174.36.254.123 [asterisk-iptables]
The FreePBX server is fully updated. It sits on the LAN behind a hardware firewall. To test out some service providers (twilio, voip.ms, flowroute, etc) I port forwarded UDP 10000-20000 like so many times before. I also port forwarded UDP 5060 as many ask you to do that (although I don’t currently have to do this in my other environments). I didn’t restrict those forwarded ports to specific IP addresses in the firewall, as I’ve never had to do that in the past. All providers use IP authentication (NOT SIP username/password registration). That is all I did. From there I set the trunks, outbound, and inbound routes for the SIP providers.
Unless something strange is going on at the SIP Trunking side, it seems like someone, somehow, got into the server. I’ve since disabled the trunks and stopped forwarding port 5060. After removing the IP from fail2ban, I don’t see anything. Could UDP 5060 being forwarded have been the problem?
FYI, I had only set up and tested Twilio and Voip.ms.