Update IP blacklist on multiple systems?

Something to look into further. I don't use LetsEncrypt; I use a wildcard certificate for all my PBXs and then set them up in my DNS as PBXNAME.mydomain.com.

Thanks for the direction. Looks like I’ve stumbled into a project here.

My understanding of HAProxy, though, is that it's intended more for high-availability solutions. I assume you're running multiple PBXs as I am. Are you installing HAProxy on the actual PBX machine and doing it all internally, or do you have one (or multiple) HAProxy machines (virtual or otherwise) sitting in front of all your managed PBXs? Are you just not using the HA functionality?

@dicko Given that HAProxy doesn't do UDP, I assume you're running all your extensions on TLS in order to use HAProxy?

That would be correct. Media over UDP is not generally a security problem.

And no, HAProxy is not just for ‘Load Sharing’ the backend can be unitary.

HA will not ever fit well with a B2BUA like Asterisk; use a real SIP proxy in front if you want that. (Look at DSipRouter maybe.)

Ok, so you're not using this HAProxy for all connections then? I started this as a way to stop bots from constantly brute-force attacking my PBXs by trying to log into SIP accounts. If HAProxy won't proxy SIP connections, what good is it to me? Sorry for the confusion.

Maybe I should clarify my setup. I have a bunch of small business clients. I set up PBXs for them on cloud servers. MOSTLY they just connect from desk phones in their offices with static IPs, so in those situations I just block all other connections at the VM firewall level and this isn't an issue.

Increasingly though, I have clients wanting to use softphone apps on their smartphones, or to have their employees out of the office be able to connect with softphones. This then requires the firewall to accept SIP connections from almost anywhere.

These are the systems that are attacked relentlessly. (I took the blacklist down on my own PBX to test changes to the bash script, and within half an hour I had over 100 fail2ban entries.)

If 99% of the attacks I'm seeing are against SIP, and HAProxy won't proxy SIP connections, then why do I want it?

Appreciate the help and time, and sorry for being dense; just trying to wrap my head around what you're saying.

Use TLS (or at least TCP) for your SIP transport (and all other services) with enforced SNI, and watch the relentless attacks stop.

Tried TCP/TLS for SIP years ago and couldn't make it work, so I started using the OpenVPN functionality. OpenVPN, however, isn't available on all desk phones and isn't available in a lot of softphone apps either, so definitely not perfect.

Probably well past time to take another look at TCP/TLS for SIP, so that's on the list…

My confusion now is, are you saying to make SIP connections through HAProxy with TCP/TLS and enforced SNI? Because up above you said:

If I have the phones connect to the PBX directly with TCP/TLS there's no need for SNI, because it's not a "multi-tenant" server, unless I'm not understanding the situation properly.

As I understand SNI, it's for situations like a web server hosting multiple domains on the same IP, to ensure the proper certificate is read when the client connects.

If making the SIP TCP/TLS connections through HAProxy, then the enforced SNI makes sense to my current understanding.

In this context HA = High Availability.

HAProxy with strict SNI will drop any connections, TCP or HTTP, without a verifiable cert, which HAProxy will handle.

Any number of 'frontends' with different domain names can 'forward' to any number of 'backends', which could be HTTP services or TCP services; the HTTP servers don't need to be HTTPS.
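The two posts above (TLS with enforced SNI for SIP, and several named frontends forwarding to plain TCP or HTTP backends) translate into a fairly small configuration. The following is an added example, not dicko's or anyone's posted configuration: it assumes HAProxy runs on the PBX host itself, that Asterisk listens for plain TCP SIP on 127.0.0.1:5060, that the provisioning and admin web services sit on loopback ports 8080 and 80, and that the combined cert+key PEM files live in /etc/haproxy/certs/. The hostname pbx01.example.com is invented; the two web hostnames are the throwaway names suggested later in the thread.

```haproxy
global
    log /dev/log local0
    # TLS 1.2+ and AEAD suites only, on every "bind ... ssl" line
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets
    ssl-default-bind-ciphers ECDHE+AESGCM:ECDHE+CHACHA20

defaults
    log     global
    timeout connect 5s
    # SIP registrations are long-lived TCP sessions; keep them open
    timeout client  10m
    timeout server  10m

# SIP signalling over TLS. HAProxy terminates TLS and hands plain TCP to
# Asterisk on the loopback. Media (RTP) stays UDP, direct to Asterisk,
# and is not touched by this configuration.
frontend sip_tls
    mode tcp
    option tcplog
    # strict-sni: a ClientHello with no SNI, or with a name that no
    # certificate in the directory covers, has its handshake aborted
    # before a single byte of SIP is read. A scanner that found the IP
    # by sweeping port 5061 never reaches Asterisk.
    bind :5061 ssl crt /etc/haproxy/certs/ strict-sni
    # belt and braces: even with a certificate match, only the exact name
    # the phones were provisioned with is forwarded
    tcp-request content reject unless { ssl_fc_sni -i pbx01.example.com }
    default_backend asterisk_sip

backend asterisk_sip
    mode tcp
    server asterisk 127.0.0.1:5060 check

# Provisioning and the FreePBX admin GUI live on two unrelated names.
# The backends are plain HTTP on the loopback; as noted above they do
# not need to be HTTPS themselves.
frontend web_tls
    mode http
    option httplog
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni
    acl host_prov  ssl_fc_sni -i uaximelontop.info
    acl host_admin ssl_fc_sni -i zzyzzxhgfdsgbvfdhhfh.com
    # http-request rules run before backend selection, so the deny must
    # be conditional or it would block the two wanted names as well
    http-request deny unless host_prov || host_admin
    use_backend provisioning if host_prov
    use_backend freepbx_admin if host_admin

backend provisioning
    mode http
    server local 127.0.0.1:8080

backend freepbx_admin
    mode http
    server local 127.0.0.1:80
```

Two caveats a practitioner should keep in mind with this layout. First, the host firewall must still close 5060/UDP, 5060/TCP and 80/443 on the public interface; HAProxy only protects the ports it owns, and the RTP range stays open to UDP as before. Second, Asterisk now sees every signalling connection as coming from 127.0.0.1, so any fail2ban jail that reads Asterisk's log to ban source IPs is blind behind the proxy; the HAProxy log (which still records the real client address and the SNI it presented) is the place to watch instead.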

Ok, I completely understand what a reverse proxy like HAProxy is and what its purpose is.

Further back in the thread you say:

To me that suggests that I should put an HAProxy in front of all of my PBXs and then tell the individual phone extensions to register to a FQDN of their PBX instead of an IP. Also, that this will only work if my SIP trunk provider can use FQDNs instead of only IPs for connection. This way, any nefarious attackers trying to get to my PBXs behind the HAProxy via IP address won't get past the proxy, and therefore it will stop the nonsense cold.

All well and good, sounds logical.

Where I’m getting confused here is when you say this:

which seems to indicate that HAProxy will not work with FreePBX and contradicts what you said earlier.

What am I missing or not understanding here?

Mostly there. High Availability cannot be 'highly available' with a B2BUA; existing calls would drop and there is no grown-up that knows about them any more.

HAProxy is lightweight enough to exist on each of your PBXs. You can write rules to put up with recalcitrant VSPs; it is the bogus 'extensions' that try to REGISTER and/or INVITE themselves that cost you. If your systems don't leak your 'ServerName' through other means, drive-bys will never know the FQDN.

You can buy frizzlesausagehitler.live from Namecheap for less than $12 per annum, then have the nameservers point to something you control like DO. Neil Pang's acme.sh has everything to issue and update free certs using the DNS protocol, and deploy them to HAProxy, without any of the BS firewall rules the HTTP protocol needs, using one of over a hundred nameservices.

(Use uaximelontop.info for provisioning perhaps. zzyzzxhgfdsgbvfdhhfh.com for admin management of FreePBX )
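The DNS-01 issuance and HAProxy deployment described in the post above, as an added example that is not from the thread and is not acme.sh's own code. It assumes acme.sh is installed under ~/.acme.sh, that the zone is hosted at DigitalOcean (acme.sh's `dns_dgon` hook, driven by `DO_API_KEY`), and that HAProxy loads combined PEM files from /etc/haproxy/certs/. The `DEPLOY_HAPROXY_*` variable names are quoted from memory of acme.sh's haproxy deploy hook and should be checked against the hook's header before use; pbx01.example.com is an invented hostname. The issuance commands need network access and credentials, so they are shown commented out; the three functions below run offline and cover the parts worth checking by hand: that the bundle HAProxy is handed really pairs the key with the leaf certificate, which SNI names that certificate will satisfy, and (against a live host) that the strict-sni frontend actually refuses a handshake that carries no server name.

```shell
#!/bin/sh
# Added example, not from the thread or from acme.sh itself.
# Assumptions: acme.sh in ~/.acme.sh, DNS hosted at DigitalOcean,
# HAProxy reading combined PEM files from /etc/haproxy/certs/.
set -eu

# --- issuance and deployment (network + API keys; shown, not run) ---
# export DO_API_KEY='...'            # DigitalOcean token with DNS write scope
# ~/.acme.sh/acme.sh --issue --dns dns_dgon -d pbx01.example.com
# export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy/certs   # assumed hook variable
# export DEPLOY_HAPROXY_RELOAD='systemctl reload haproxy'
# ~/.acme.sh/acme.sh --deploy -d pbx01.example.com --deploy-hook haproxy
# acme.sh installs a cron entry that renews and re-runs the deploy hook,
# so port 80 never has to be opened for an HTTP-01 challenge.

# build_haproxy_pem FULLCHAIN KEY OUT
# Writes the single PEM that HAProxy's "crt" expects (leaf, chain, key)
# and refuses when the key does not belong to the leaf certificate.
build_haproxy_pem() {
    chain=$1; key=$2; out=$3
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "build_haproxy_pem: key does not match $chain" >&2
        return 1
    fi
    umask 077                      # the bundle contains the private key
    cat "$chain" "$key" > "$out"
}

# cert_names FULLCHAIN
# Lists the DNS names the leaf certificate covers, one per line. With
# strict-sni these are the only SNI values the frontend will accept.
cert_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# check_sni HOST PORT NAME
# From outside the box: a strict-sni frontend must abort a handshake that
# sends no SNI, and complete one that sends the right name with a chain
# the client can verify. Needs network, so it is not called here.
check_sni() {
    if openssl s_client -connect "$1:$2" -noservername </dev/null >/dev/null 2>&1; then
        echo "check_sni: $1:$2 accepted a handshake without SNI" >&2
        return 1
    fi
    openssl s_client -connect "$1:$2" -servername "$3" -verify_return_error \
        </dev/null >/dev/null 2>&1
}
```

Run `check_sni <public-ip> 5061 pbx01.example.com` from a machine that is not whitelisted; the first `s_client` call is the same probe a port scanner makes, and with strict-sni it should fail before any SIP is exchanged, which is the whole point of the setup.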

Ok, so you're saying the HA part won't work; yes, that I understand, just due to the nature of the connections. So you're suggesting HAProxy only for the proxy part, and installing it directly on each of the PBXs individually, as it's lightweight enough not to drag the system down. Is that correct?

I think you're also suggesting using nonsense domain names to further obfuscate the servers and make it harder to find their FQDNs with scripts and web searches.

Have I understood you correctly?

I didn't say quite that it wouldn't work at all; it is just not satisfactory for me. A real SIP proxy in the cloud is just a more solid solution.

Understood.