UCP intrusion

(Snaggy) #1

UCP intrusion attempts are not blocked on my server
maybe I didn’t configure the firewall correctly?!
System Firewall
Asterisk Version 16.15.1
User Control Panel

2021-01-23%20113324 Screenshot_2021-01-23%20-%20FreePBX%20Administration(1) Screenshot_2021-01-23%20-%20FreePBX%20Administration

(Itzik) #2

Please provide a little more detail on your you access UCP?..
Also, please post a screenshot of the NIC settings in the firewall.

(Snaggy) #3

the user panel is open to any address
however, no blocking occurs when trying to brute force the user’s password

Screenshot_2021-01-24-%20FreePBX%20Administration Screenshot_2021-01-24%20-%20FreePBX%20Administration

(Itzik) #4

Your firewall doesn’t do anything if the default NIC is set to local.

Please read all child pages related to the firewall: https://wiki.freepbx.org/display/FPG/Firewall

(Snaggy) #5

Perhaps I really did not configure the firewall correctly, but I found that attempts to guess the password for the web interface are not recorded correctly in the logs

in case of entering incorrect data in the login and password input field, the following entry is written to the log

 SECURITY[13168]: res_security_log.c:114 security_event_stasis_cb: SecurityEvent="SuccessfulAuth",EventTV="2021-01-25T11:59:50.958+0300",Severity="Informational",Service="AMI",EventVersion="1",AccountID="admin",SessionID="0x1ba3b90",LocalAddress="IPV4/TCP/",RemoteAddress="IPV4/TCP/",UsingPassword="0",SessionTV="2021-01-25T11:59:50.958+0300"

and for example unsuccessful attempts to connect via sip are displayed like this

NOTICE[7274]: res_pjsip/pjsip_distributor.c:676 log_failed_request: Request 'REGISTER' from '"1666" <sip:1666@X.X.X.X>' failed for '' (callid: 1339578320) - Failed to authenticate

and these addresses are blocked by the firewall regardless of the selected zone
I did check this from different IP addresses, the result is always the same

(Lorne Gaetz) #6

This should be resolved in Framework v15.0.17.17 available in edge now:

fwconsole ma upgrade framework --edge

It may be necessary to restart fail2ban.