Why does FreePBX connect to some IPs?

I’m running Asterisk / FreePBX 13 with chan_dongle on a Debian 8.1 machine. I’ve noticed a few blocked IPs in the firewall logs:

217.11.63.42:11371
31.19.202.252:11371
185.95.216.79:11371

These appeared during a call:
10.61.20.165:4010
10.61.20.165:4024

So I did a fresh reinstall according to the official guide here on FreePBX. During the install process I again noticed these 2 entries:

5.9.50.141:11371
202.46.182.22:11371

Should I be worried? Can someone explain these?

Hi,

It seems to be connecting to the OpenPGP Key Servers, so probably not much to worry about.

Hi and thanks for the reply,

I’ve read that port 11371 is for OpenPGP but I don’t know how to verify if those are official/ok servers. I am more worried about the other 2 ports 4010 and 4024 though.

I’ve checked those PGP servers; they’re official servers, so you’re OK there. The other ports I don’t know what they are, but the IPs are private IPs, so it should be something on your local network, I guess.

1 Like

Hi!

It’s most likely for this:

http://wiki.freepbx.org/pages/viewpage.action?pageId=29753662

(i.e. module signing/validation…)

Have a nice day!

Nick

1 Like

Thanks for all the help!

I’m still a bit concerned about the private IPs because they are definitely not mine. Is it possible I’ve compiled a rogue chan_dongle module? Can a module do that? I haven’t installed anything else and I’m using CSipSimple from Google Play store. Asterisk logs don’t show any of those IPs.

Edit:

So, I migrated to the new install. I’ve built chan_dongle from wdoekes’s GitHub fork since I can’t compile the original bg111 repo. I can’t remember which fork I’ve compiled on the first machine.

Unfortunately I don’t know enough about Linux and networking to properly troubleshoot this, but I’m pretty sure there’s no reason for the server to contact those private IPs. I can only suspect one of the following:

  • broken chan_dongle module
  • malware on the Huawei modem firmware
  • hacked machine during the brief time I forwarded ports for letsencrypt certification

So far, everything seems in order.

Hi!

As you said those 10/8 addresses are private IPs so they are not routable on the Internet…

If they don’t belong to your equipment then they have to belong to your ISP because after that point they would no longer be routable…

Good luck and have a nice day!

Nick
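
The triage the replies above do by hand, as an added example that is not part of any post in this thread: a Python sketch that sorts the blocked destinations into HKP keyserver-port traffic and non-routed address ranges. The function names and labels are hypothetical, and the 100.64.0.0/10 carrier-grade NAT range goes beyond the 10/8 case discussed in the thread.

```python
import ipaddress
import re
from collections import defaultdict

HKP_PORT = 11371  # IANA-registered port for the OpenPGP HTTP Keyserver Protocol
# Not routed on the public Internet: RFC 1918 private ranges, RFC 6598 carrier-grade NAT.
NON_ROUTED = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# "ip:port" with optional whitespace around the colon.
ENTRY = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s*:\s*(\d{1,5})\s*$")

def parse_entry(line):
    """Return (IPv4Address, port), or None if the line is not a valid entry."""
    m = ENTRY.match(line)
    if not m:
        return None
    try:
        ip = ipaddress.ip_address(m.group(1))
    except ValueError:  # for example an octet above 255
        return None
    port = int(m.group(2))
    return (ip, port) if 0 < port <= 65535 else None

def classify(ip, port):
    # Address scope decides first; the port only matters for public addresses.
    for net in NON_ROUTED:
        if ip in net:
            return f"non-routed {net}"
    if not ip.is_global:
        return "special-purpose"
    return "public, HKP port" if port == HKP_PORT else "public, other port"

def triage(lines):
    """Group entries by label; lines that do not parse go under 'unparsed'."""
    groups = defaultdict(list)
    for line in lines:
        parsed = parse_entry(line)
        label = classify(*parsed) if parsed else "unparsed"
        groups[label].append(f"{parsed[0]}:{parsed[1]}" if parsed else line.strip())
    return dict(groups)

# Destinations from the first post of the thread; a space after the colon is tolerated.
SAMPLE = ["217.11.63.42:11371", "31.19.202.252: 11371", "185.95.216.79: 11371",
          "10.61.20.165:4010", "10.61.20.165: 4024",
          "5.9.50.141: 11371", "202.46.182.22: 11371"]

if __name__ == "__main__":
    for label, entries in triage(SAMPLE).items():
        print(f"{label}: {', '.join(entries)}")
```

A "public, HKP port" label only means the destination port is 11371; it does not by itself confirm that the host is a keyserver.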