My RasPBX is getting attacked. Fail2Ban is blocking failed attempts to log in, I assume to extensions, but I am confused how the attack is possible without the RasPBX making a call out to the internet or in some way advertising that it is there.
The RasPBX can freely connect to the internet, but there is no inbound route to it in the form of a port forward or anything else, so how is it possible for an attacker to make an attempt to log in?
I have secured it by preventing access to the internet from the RasPBX, but as soon as I lift that blockage it's back to being attacked.
Any thoughts on how this is possible?
Regards
Provided that you are behind NAT and haven't port-forwarded to your Linux box, I would assume that it is local-net SIP client attempts trying to register on your PBX.
Is this happening to anyone else?
I have no internet-facing trunks or VIPs or anything which has a direct inbound connection, yet Fail2Ban is blocking SIP login attempts.
Example:
Hi,
The IP xxx.xxx.xxx.xxx has just been banned by Fail2Ban after
2 attempts against Asterisk-raspbx.
Regards,
Fail2Ban
How is this possible?
Does the RasPBX make any calls out which attackers can tunnel in on?
If something were using a jump box elsewhere on the same subnet, would I not see a local IP address banned?
If I block the RasPBX from connecting to the internet the problem stops, so what packages are running on this build which allow external connections without an inbound route defined on my border firewall?
Thanks
Unless you set it up on purpose – it doesn’t. There is however a demo trunk coming with a fresh RasPBX installation. But you can easily remove it.
Did you configure at least one trunk that registers with a host on the internet? Because in this case the registration would be continuously renewed, keeping port 5060 on your router open in order to allow incoming calls. Your router usually allows connections to this port from other IPs, too. This could be a possible explanation for your observations.
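The mechanism this reply describes, as an added illustration that is not code from the thread or from RasPBX: a toy NAT table in Python. The PBX's outbound REGISTER creates a mapping on the router; as long as the registration keeps being renewed the mapping stays alive, and with endpoint-independent filtering (a "full cone" NAT in RFC 4787 terms) any internet host can send to that mapped port, not only the provider. The addresses (RFC 5737 documentation ranges), the 120 s mapping timeout and the port-preserving mapping are assumptions made for the example.

```python
class Nat:
    """Minimal model of a SOHO router's NAT table (illustration only; not
    RasPBX code).  Only the behaviour relevant to the thread is modelled:
    an outbound packet creates a port-preserving mapping, silence expires
    it, and the filtering mode decides who may send inbound through it."""

    def __init__(self, public_ip, filtering="endpoint-independent", timeout=120):
        self.public_ip = public_ip
        self.filtering = filtering   # "endpoint-independent" (full cone) or "address-dependent"
        self.timeout = timeout       # assumed: seconds of outbound silence before expiry
        self.table = {}              # public port -> {"internal", "peers", "last"}

    def outbound(self, now, src, dst):
        """Internal (ip, port) `src` sends to internet (ip, port) `dst`.
        Creates or refreshes the mapping and returns the public (ip, port)."""
        src_port = src[1]
        entry = self.table.get(src_port)
        if entry is None or entry["internal"] != src:
            entry = {"internal": src, "peers": set(), "last": now}
            self.table[src_port] = entry   # assumed port-preserving mapping
        entry["peers"].add(dst[0])
        entry["last"] = now
        return (self.public_ip, src_port)

    def inbound(self, now, src, dst_port):
        """Internet host `src` sends to public_ip:dst_port.  Returns the internal
        (ip, port) the router forwards to, or None if the packet is dropped."""
        entry = self.table.get(dst_port)
        if entry is None or now - entry["last"] > self.timeout:
            self.table.pop(dst_port, None)
            return None                    # no live pinhole -> dropped at the router
        if self.filtering == "address-dependent" and src[0] not in entry["peers"]:
            return None                    # restricted: only hosts we sent to may reply
        return entry["internal"]           # full cone: anyone reaches the PBX


# Constructed addresses (RFC 5737 documentation ranges), not from the thread.
PBX = ("192.168.1.10", 5060)        # the RasPBX behind the router
PROVIDER = ("198.51.100.20", 5060)  # the SIP trunk registrar on the internet
ATTACKER = ("203.0.113.66", 5062)   # a SIP scanner on the internet


def scenario(filtering, register_every=60, probe_at=90, probe=ATTACKER, timeout=120):
    """Timeline in seconds: the PBX REGISTERs at t=0 and refreshes every
    `register_every` seconds (0 = never again, i.e. internet access cut);
    `probe` sends to the router's port 5060 at t=probe_at.  Returns where the
    probe is delivered (None = dropped by the router)."""
    nat = Nat("192.0.2.1", filtering, timeout)
    for t in range(probe_at + 1):
        if t == 0 or (register_every and t % register_every == 0):
            nat.outbound(t, PBX, PROVIDER)   # REGISTER / re-REGISTER leaves the LAN
    return nat.inbound(probe_at, probe, 5060)


if __name__ == "__main__":
    print("full cone, registration kept alive :", scenario("endpoint-independent"))
    print("restricted cone, same timeline     :", scenario("address-dependent"))
    print("provider reply, restricted cone    :", scenario("address-dependent", probe=PROVIDER))
    print("full cone, PBX cut off, 300 s later:",
          scenario("endpoint-independent", register_every=0, probe_at=300))
```

The last case is the poster's own observation: once the PBX can no longer send, the mapping times out and the probes die at the router. Real routers differ in timeout and filtering behaviour, so the only reliable way to know which kind you have is to watch the WAN side; a port forward, by contrast, never expires.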
There is a trunk to another Asterisk box sat in a DMZ; however, the trunks out from that box are on an ACL, and the attempts are from none of the allowed list.
I've taken that firewall rule down to see if the attacks continue.
Will report back.
Thanks
You are a brave person using the DMZ feature of your router. I suggest that you simply make use of port forwarding, because DMZ can expose your intranet to the outer space more than it is supposed to.
Nope, the attacks keep coming.
Does the RasPBX have any services which are calling out to the internet?
Is there a command which will show what this unit is calling out to?
Thanks
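For the question above (what the unit is talking to), an added example that is not RasPBX code and not from the thread: a Python helper around iproute2's `ss -ntuap` that lists every socket whose remote end lies outside the private, loopback and link-local ranges. The `ss` output embedded below is constructed for the offline run; the process names and the RFC 5737 addresses in it are assumptions.

```python
import ipaddress
import subprocess

# Ranges treated as "local": RFC 1918, loopback, link-local, unspecified, ULA.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",
    "::1/128", "fe80::/10", "fc00::/7", "::/128",
)]


def is_local(host):
    """True for addresses inside LOCAL_NETS and for placeholders such as '*'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return True                      # '*', header words etc. are not real peers
    if ip.version == 6 and ip.ipv4_mapped:
        ip = ip.ipv4_mapped              # ::ffff:a.b.c.d counts as its IPv4 address
    return any(ip in net for net in LOCAL_NETS)


def split_endpoint(text):
    """'203.0.113.10:443' -> ('203.0.113.10', '443'); '[::1]:22' -> ('::1', '22')."""
    host, _, port = text.rpartition(":")
    return host.strip("[]"), port


def nonlocal_peers(ss_output):
    """Parse `ss -ntuap` text and return (proto, state, local, peer, process)
    for every socket whose peer address is not local.  The header line is
    skipped automatically because 'Address:Port' is not a parseable address."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 6:
            continue
        proto, state, _recvq, _sendq, local, peer = fields[:6]
        process = fields[6] if len(fields) > 6 else ""
        host, _ = split_endpoint(peer)
        if is_local(host):
            continue
        found.append((proto, state, local, peer, process))
    return found


def live_nonlocal_peers():
    """Run ss on this host (iproute2 required; run as root so -p shows
    every process's sockets, not only your own)."""
    out = subprocess.run(["ss", "-ntuap"], capture_output=True, text=True, check=True).stdout
    return nonlocal_peers(out)


# Constructed sample in ss's layout; not captured from the poster's box.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0            0.0.0.0:5060        0.0.0.0:*     users:(("asterisk",pid=1201,fd=17))
tcp   ESTAB  0      0       192.168.1.10:22    192.168.1.50:51234  users:(("sshd",pid=812,fd=4))
tcp   ESTAB  0      0       192.168.1.10:5061  198.51.100.20:5061  users:(("asterisk",pid=1201,fd=23))
tcp   ESTAB  0      0       192.168.1.10:44321 203.0.113.10:443    users:(("python3",pid=2000,fd=3))
"""

if __name__ == "__main__":
    for row in nonlocal_peers(SAMPLE_SS):
        print(*row)
```

One caveat the sample already shows: Asterisk's SIP-over-UDP socket is unconnected (`0.0.0.0:5060` with peer `*`), so a UDP trunk registration never appears as a peer in `ss` at all. To see that traffic, capture it instead, e.g. `tcpdump -ni eth0 udp port 5060` on the PBX, or better on the router's WAN side where the unsolicited REGISTER attempts arrive.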
Check all computers in your LAN for something like:
https://threatpost.com/hackers-pushing-sipvicious-voip-tools-malicious-attacks-083111/75601/
One of my customers with FreePBX using ISDN lines and no open ports to the web has been hacked by malware; the malware then calls premium numbers.
On 18/10/2017 21:52, londonnet wrote:
--
Christian Zeler,
Run Wireshark on your network to see all that is happening...
Hi, I had a similar event recently, although I do have three SIP trunks defined. However, the problem has gone away since I upgraded the Framework module, which did have some vulnerability, as mentioned in one of the posts in the FreePBX forum a couple of weeks ago. https://wiki.freepbx.org/display/FOP/2018-05-15+Information+Disclosure+CVE
I did try to trace using Wireshark, but the problem is that if the attacker is using my provider's connection then, unless you set up the Wireshark filters to only display SIP Request Via Address packets, it is unlikely that you are going to pick it up. However, in the OP's case he has no SIP trunks, so the possibility that the attacker is using the same provider to hack is not a likely scenario.
The other thing I did was to increase the Fail2Ban ban time to a larger number than the default value, as this then reduces the frequency of attack and hopefully will encourage the attacker to go elsewhere.
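To show what the ban-time change above actually buys, an added simulation that is neither Fail2Ban itself nor code from the thread: a small Fail2Ban-style jail (findtime, maxretry, bantime) run over constructed Asterisk chan_sip "Registration ... failed" lines for one scanner that retries every 30 seconds for an hour. The log line shape follows Asterisk's full log; the scanner address, its timing, and maxretry=2 (chosen to match the "2 attempts" ban notice quoted earlier in the thread) are assumptions, and 600 s is Fail2Ban's stock bantime.

```python
import re
from datetime import datetime, timedelta

# One constructed Asterisk (chan_sip) line in the shape Fail2Ban's asterisk
# filter matches.  Not taken from the poster's system.
TEMPLATE = ("[{ts}] NOTICE[1234] chan_sip.c: Registration from "
            "'\"1001\" <sip:1001@192.168.1.10>' failed for '{ip}:5062' - Wrong password")
SAMPLE_LINE = TEMPLATE.format(ts="2017-10-18 21:40:01", ip="203.0.113.66")

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from "
    r"'.*?' failed for '(?P<ip>[\d.]+):\d+' - ")


def parse(line):
    """Return (timestamp, source ip) for a failed-registration line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"]


def attacker_log(start, every_s, count, ip="203.0.113.66"):
    """Constructed log of one scanner retrying every `every_s` seconds."""
    return [TEMPLATE.format(ts=(start + timedelta(seconds=i * every_s))
                            .strftime("%Y-%m-%d %H:%M:%S"), ip=ip)
            for i in range(count)]


def simulate(lines, findtime=600, maxretry=2, bantime=600):
    """Fail2Ban-style jail: `maxretry` failures within `findtime` seconds ban
    the source for `bantime` seconds.  While banned, the firewall drops the
    packets, so Asterisk never sees (or logs) those attempts.  Returns the
    list of (ip, ban start) and the number of attempts that reached Asterisk."""
    recent = {}        # ip -> failure times inside the window
    banned_until = {}  # ip -> time the ban lifts
    bans, reached = [], 0
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        now, ip = parsed
        if ip in banned_until:
            if now < banned_until[ip]:
                continue                      # dropped by the firewall rule
            del banned_until[ip]              # bantime elapsed, rule removed
        reached += 1
        window = [t for t in recent.get(ip, []) if now - t <= timedelta(seconds=findtime)]
        window.append(now)
        recent[ip] = window
        if len(window) >= maxretry:
            bans.append((ip, now))
            banned_until[ip] = now + timedelta(seconds=bantime)
            recent[ip] = []
    return bans, reached


def run(bantime, every_s=30, count=120):
    """One scanner, one hour, fixed retry interval -> (bans, attempts that reached Asterisk)."""
    lines = attacker_log(datetime(2017, 10, 18, 21, 40, 0), every_s, count)
    bans, reached = simulate(lines, bantime=bantime)
    return len(bans), reached


if __name__ == "__main__":
    for bt in (600, 3600, 86400):
        print(f"bantime={bt:>6}s -> (bans, attempts reaching Asterisk) = {run(bt)}")
```

Each ban costs the scanner only maxretry guesses, so a longer bantime directly cuts the guesses per hour and the number of notification mails; it does not by itself stop the scanner from finding the port, and a scanner that rotates source addresses sidesteps per-IP bans entirely. The simulation skips lines it cannot parse; Fail2Ban's real asterisk filter matches several other failure messages as well.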