Strange entries in CDR

Hi Guys,

I’m hoping someone can help point me in the right direction of the problem here.

Running the latest FreePBX distro, and I happened to check the CDRs recently, only to find thousands of suspicious-looking entries dating back quite a few months.

I’m not sure if the system has been compromised or not; hopefully someone can help suggest how I can track this down.

Basically every day we get something like this.

2013-12-16 13:40:58 1387161658.2255 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:55 1387161655.2254 120 Answer s [from-sip-external] ANSWERED 00:01
2013-12-16 13:40:54 1387161654.2253 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:52 1387161652.2252 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:50 1387161650.2251 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:47 1387161647.2250 120 Answer s [from-sip-external] ANSWERED 00:01
2013-12-16 13:40:45 1387161645.2249 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:42 1387161642.2248 120 Wait s [from-sip-external] ANSWERED 00:01
2013-12-16 13:40:40 1387161640.2247 120 Wait s [from-sip-external] ANSWERED 00:01
2013-12-16 13:40:38 1387161638.2246 120 Answer s [from-sip-external] ANSWERED 00:01
2013-12-16 13:40:36 1387161636.2245 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:34 1387161634.2244 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:32 1387161632.2243 120 Answer s [from-sip-external] ANSWERED 00:01
2013-12-16 13:40:30 1387161630.2242 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:28 1387161628.2241 120 Answer s [from-sip-external] ANSWERED 00:01
2013-12-16 13:40:26 1387161626.2240 120 Answer s [from-sip-external] ANSWERED 00:00

Or this.

2013-12-16 11:26:48 1387153608.2138 33 Wait s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:47 1387153607.2137 1001 Answer s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:45 1387153605.2136 1001 Wait s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:42 1387153602.2135 33 Wait s [from-sip-external] ANSWERED 00:00
2013-12-16 11:26:41 1387153601.2134 1001 Answer s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:39 1387153599.2133 1001 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 11:26:37 1387153597.2132 1001 Wait s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:34 1387153594.2131 33 Wait s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:34 1387153594.2130 1001 Wait s [from-sip-external] ANSWERED 00:00
2013-12-16 11:26:31 1387153591.2129 1001 Answer s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:29 1387153589.2128 1001 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 11:26:27 1387153587.2127 1001 Wait s [from-sip-external] ANSWERED 00:00
2013-12-16 11:26:26 1387153586.2126 33 Answer s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:25 1387153585.2125 1001 Wait s [from-sip-external] ANSWERED 00:00
2013-12-16 11:26:21 1387153581.2124 1001 Wait s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:18 1387153578.2123 33 Wait s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:11 1387153571.2122 33 Wait s [from-sip-external] ANSWERED 00:01
2013-12-16 11:26:05 1387153565.2121 33 Wait s [from-sip-external] ANSWERED 00:00

Any help much appreciated

That would be because people on the Internet are trying to make calls via your unsecured server.

OK,

Please forgive my stupidity in this regard.

Do you have any suggestions as to what steps we should take to secure the server?

There is a wealth of information on this site and hundreds of others on SIP security.

The easiest way is not to have your server open to the Internet, and to either only allow in the IPs that you want via your firewall or use VPNs for remote users.

Thanks SkyKing,

The problem is that some of our users use softphones on their laptops over the Internet from various locations and IPs.

Is there any other way to secure the PBX?

As I mentioned, there are many best practices; none will stop the hackers from probing you.

Why can’t the users with the softphones use a VPN? Don’t they use one to connect back to office resources?

Can you tell me what entries you have in the CDR?

Under SIP Settings, make sure “Allow SIP Guests” and “Allow Anonymous Inbound SIP Calls” are both set to NO. If you are using an old version of FreePBX, these will be under “General Settings”. This will eliminate MANY of these entries, which does not mean that people aren’t still trying. To really get rid of these probers permanently, install and configure Fail-2-Ban. Here are instructions:

http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

Read the instructions several times and TEST to make sure it actually is working.

Greg

Thanks for the advice GSnover, “Allow SIP Guests” was enabled. I’ve turned that off. Fail2ban was already installed also (I presume as part of the FreePBX distro) and has been running all along; it blocked my IP a few times, until I whitelisted it. In any case, I’ve now implemented a new iptables policy and only allow traffic from our offices and other known IPs. I presume this is a good option?

Problem is that sometimes we have remote staff who can’t use a VPN, say from a phone SIP client or another solution. Any suggestions on how we can securely allow them access?

Whitelisting IPs is more trouble than it’s worth. I kinda agree with Scott about making them use a VPN. The only downside I have seen with this approach is that prioritization of the RTP (voice) sometimes doesn’t work when the packets are tunneled; if you have good bandwidth, this shouldn’t be a problem, but if you are in a low-bandwidth situation, hiding the traffic is probably going to result in poor audio quality.

Make sure that Fail-2-Ban is actually working: configure a softphone from a remote location with the wrong secret and get yourself banned. VPN first, and then you can see it ban you, and then you can clear the ban.

Finally, the brilliant people at FreePBX implemented strong password auto-generation in the Extension Setup. If you have an existing box that is publicly exposed and you didn’t use good secrets, this is something to fix ASAP. Also hit the Weak Password Detection button under Reports to make sure.

While there is no button to generate a new secret, you can open the new extension screen in a tab, copy the shiny new password to the old extension, and then do it again. But you will also have to change the endpoints at the same time, so set aside some time and have helpers.

Greg
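
Greg’s two posts above recommend the same two fixes: guests off, and no weak secrets. As an added example (not FreePBX code and not from any poster), the Python below audits chan_sip-style configuration text for both. It parses the ini-like syntax Asterisk uses (FreePBX writes that same syntax into its generated files; the file names mentioned in the comments and the sample peers are assumed), flags allowguest set to anything other than no, flags secrets that are missing, short, digits-only, equal to the extension number or on a small common list, and generates a random replacement with the standard library. The weakness rules are this example’s own, not the criteria of FreePBX’s Weak Password Detection report.

```python
"""Audit chan_sip configuration for allowed guests and weak extension secrets.

Added example, not FreePBX code. Asterisk's allowguest default is yes, which
is why a missing setting is reported as well as an explicit yes.
"""
import re
import secrets

# Constructed sample in Asterisk's sip.conf syntax. FreePBX splits this across
# generated files (sip_general_additional.conf, sip_additional.conf are the
# assumed names); the syntax is the same.
SAMPLE_SIP_CONF = """\
[general]
context=from-sip-external
allowguest=yes            ; "Allow SIP Guests" = Yes in the GUI
alwaysauthreject=yes

[1001]
type=friend
secret=1001               ; secret equals the extension number
host=dynamic
context=from-internal

[1002]
type=friend
secret=password
host=dynamic

[1003]
type=friend
secret=Xk7pQ2vL9mW4rT8zB1nH5
host=dynamic
"""

COMMON_SECRETS = {"password", "secret", "1234", "12345", "123456", "asterisk", "freepbx"}


def parse_asterisk_conf(text):
    """Return {section: {key: value}}; handles 'key=value', 'key=>value' and ';' comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip()] = value.lstrip(">").strip()
    return sections


def secret_weaknesses(peer, secret):
    """List of reasons a peer's secret is weak (empty list means acceptable)."""
    if not secret:
        return ["no secret set"]
    problems = []
    if secret == peer:
        problems.append("secret equals extension")
    if secret.lower() in COMMON_SECRETS:
        problems.append("common dictionary secret")
    if secret.isdigit():
        problems.append("digits only")
    if len(secret) < 8:
        problems.append("shorter than 8 characters")
    return problems


def audit(text):
    """Return (section, problem) tuples for the guest setting and every peer."""
    cfg = parse_asterisk_conf(text)
    findings = []
    if cfg.get("general", {}).get("allowguest", "yes").lower() != "no":
        findings.append(("general", "allowguest should be no"))
    for name, opts in cfg.items():
        if name == "general" or opts.get("type") not in ("friend", "peer", "user"):
            continue
        for problem in secret_weaknesses(name, opts.get("secret", "")):
            findings.append((name, problem))
    return findings


def new_secret(nbytes=16):
    """Random replacement secret: 2*nbytes hex characters from the OS CSPRNG."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for section, problem in audit(SAMPLE_SIP_CONF):
        print(f"[{section}] {problem}")
    print("example replacement secret:", new_secret())
```

Run it against a copy of the generated files rather than the live ones; the fix for a weak secret still has to be made in the FreePBX GUI so the endpoint and the database stay in step, as Greg notes.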

Not to hijack this, but I have the same issue.
Like 3 entries every second, caller ID upped by one every time.
The PBX is set up, but not yet in use.
All ports are firewalled to allow only specific IPs.
There are not yet any extensions created and not even a SIP trunk configured.
So the box is empty and firewalled. Yet I see thousands of these entries.

I’ve also checked other FreePBX boxes we are running and almost every single one has these entries.
Since all the servers we are running have at least one firewall (double checked), I’ve no reason to believe these are hacking/abuse attempts.

Is there any other reason this can be happening?

Example from the empty pbx:

2013-12-24 10:08:44 1387876124.40879 17531 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:44 1387876124.40878 17531 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:40 1387876120.40877 17530 Answer s [from-sip-external] ANSWERED 00:01
2013-12-24 10:08:40 1387876120.40876 17530 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:37 1387876117.40875 17529 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:36 1387876116.40874 17529 Answer s [from-sip-external] ANSWERED 00:01
2013-12-24 10:08:33 1387876113.40873 17528 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:32 1387876112.40872 17528 Answer s [from-sip-external] ANSWERED 00:01
2013-12-24 10:08:29 1387876109.40871 17527 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:29 1387876109.40870 17527 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:26 1387876106.40869 17526 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:25 1387876105.40868 17526 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:21 1387876101.40867 17525 Answer s [from-sip-external] ANSWERED 00:00
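
The excerpts in this post and in the opening post show the same signature: a run of calls into from-sip-external, every one answered for 0 or 1 seconds, with the caller ID fixed in one case and counting up by one in the other. As an added example (not code from either poster or from FreePBX), the Python below parses rows in that layout and flags such bursts. It assumes the column order is calldate, uniqueid, caller ID, last application, destination, context, disposition, duration; the destination of “s” and the Answer/Wait applications are consistent with the PBX answering and then rejecting an unknown-peer call, and the 0 to 1 second durations mean the far end dropped as soon as it was answered. The “normal” rows are constructed for contrast; the thresholds are this example’s own.

```python
"""Flag SIP-scanner bursts in FreePBX CDR rows.

Added example, not code from the thread. Assumed field layout:
calldate, uniqueid, src (caller ID), lastapp, dst, dcontext, disposition, duration.
"""
from datetime import datetime, timedelta

# Rows copied from the two posts above (a subset of each burst).
SAMPLE_A = """\
2013-12-16 13:40:58 1387161658.2255 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:55 1387161655.2254 120 Answer s [from-sip-external] ANSWERED 00:01
2013-12-16 13:40:54 1387161654.2253 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:52 1387161652.2252 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:50 1387161650.2251 120 Answer s [from-sip-external] ANSWERED 00:00
2013-12-16 13:40:47 1387161647.2250 120 Answer s [from-sip-external] ANSWERED 00:01
"""
SAMPLE_C = """\
2013-12-24 10:08:44 1387876124.40879 17531 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:40 1387876120.40877 17530 Answer s [from-sip-external] ANSWERED 00:01
2013-12-24 10:08:37 1387876117.40875 17529 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:33 1387876113.40873 17528 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:29 1387876109.40871 17527 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:26 1387876106.40869 17526 Answer s [from-sip-external] ANSWERED 00:00
2013-12-24 10:08:21 1387876101.40867 17525 Answer s [from-sip-external] ANSWERED 00:00
"""
# Constructed normal traffic for contrast (not from the thread).
SAMPLE_OK = """\
2013-12-16 09:15:02 1387145702.2001 1001 Dial 2125551234 [from-internal] ANSWERED 03:12
2013-12-16 09:22:40 1387146160.2002 2125559876 Dial 1002 [from-trunk] BUSY 00:25
"""

GUEST_CONTEXT = "from-sip-external"  # where unauthenticated INVITEs land


def parse_cdr(text):
    """Parse whitespace-separated rows into dicts, oldest first."""
    rows = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 9:  # skip blank or malformed lines
            continue
        mins, secs = f[8].split(":")
        rows.append({
            "when": datetime.strptime(f[0] + " " + f[1], "%Y-%m-%d %H:%M:%S"),
            "uniqueid": f[2], "src": f[3], "lastapp": f[4], "dst": f[5],
            "context": f[6].strip("[]"), "disposition": f[7],
            "seconds": int(mins) * 60 + int(secs),
        })
    return sorted(rows, key=lambda r: r["when"])


def is_sequential(values):
    """True when the numeric values form a run of consecutive integers."""
    try:
        nums = sorted({int(v) for v in values})
    except ValueError:
        return False
    return len(nums) >= 3 and nums[-1] - nums[0] == len(nums) - 1


def find_scan_bursts(rows, window=60, min_calls=5):
    """Sliding window over unknown-peer calls.

    A burst is at least `min_calls` calls into GUEST_CONTEXT within `window`
    seconds. Near-zero durations mean the PBX answered and the far end hung
    up at once; consecutive caller IDs mean an enumeration sweep.
    """
    guests = [r for r in rows if r["context"] == GUEST_CONTEXT]
    bursts, i = [], 0
    while i < len(guests):
        j = i
        while (j + 1 < len(guests)
               and guests[j + 1]["when"] - guests[i]["when"] <= timedelta(seconds=window)):
            j += 1
        chunk = guests[i:j + 1]
        if len(chunk) < min_calls:
            i += 1
            continue
        callers = [r["src"] for r in chunk]
        bursts.append({
            "start": chunk[0]["when"],
            "end": chunk[-1]["when"],
            "calls": len(chunk),
            "callers": sorted(set(callers), key=lambda c: (len(c), c)),
            "sequential": is_sequential(callers),
            "max_seconds": max(r["seconds"] for r in chunk),
            "apps": sorted({r["lastapp"] for r in chunk}),
        })
        i = j + 1
    return bursts


if __name__ == "__main__":
    for b in find_scan_bursts(parse_cdr(SAMPLE_A + SAMPLE_C + SAMPLE_OK)):
        kind = "caller-ID sweep" if b["sequential"] else "repeated probe"
        print(f"{b['start']} .. {b['end']}: {b['calls']} calls, {kind}, "
              f"callers={b['callers']}, longest={b['max_seconds']}s")
```

On a real box the source address of each attempt is not in these CDR columns; correlate a burst’s time range with the Asterisk full log (or fail2ban’s log) to get the IP, and check the RTP side of the firewall as well as port 5060, since a firewall that still accepts UDP from anywhere to the SIP port will keep producing these rows.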

Interesting,

Well, since writing this, I’ve turned on a much more restrictive iptables firewall, only allowing traffic from our known IPs for the moment. All the unexplained entries have completely stopped.

Also make sure that you have an Inbound Route Any DID/Any CID that goes to Terminate the Call.