UCP intrusion attempts are not blocked on my server
maybe I didn’t configure the firewall correctly?!
System Firewall 18.104.22.168
Asterisk Version 16.15.1
User Control Panel 22.214.171.124
Please provide a little more detail on your you access UCP?..
Also, please post a screenshot of the NIC settings in the firewall.
the user panel is open to any address
however, no blocking occurs when trying to brute force the user’s password
Your firewall doesn’t do anything if the default NIC is set to local.
Please read all child pages related to the firewall: https://wiki.freepbx.org/display/FPG/Firewall
Perhaps I really did not configure the firewall correctly, but I found that attempts to guess the password for the web interface are not recorded correctly in the logs
in case of entering incorrect data in the login and password input field, the following entry is written to the log
SECURITY: res_security_log.c:114 security_event_stasis_cb: SecurityEvent="SuccessfulAuth",EventTV="2021-01-25T11:59:50.958+0300",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x1ba3b90",LocalAddress="IPV4/TCP/0.0.0.0/5038",RemoteAddress="IPV4/TCP/127.0.0.1/60158",UsingPassword="0",SessionTV="2021-01-25T11:59:50.958+0300"
and for example unsuccessful attempts to connect via sip are displayed like this
NOTICE: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"1666" <sip:[email protected]>' failed for '126.96.36.199:5499' (callid: 1339578320) - Failed to authenticate
and these addresses are blocked by the firewall regardless of the selected zone
I did check this from different IP addresses, the result is always the same
This should be resolved in Framework v188.8.131.52 available in edge now:
fwconsole ma upgrade framework --edge
It may be necessary to restart fail2ban.
This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.