Asterisk, Freepbx, iptables or fail2ban...hacked?



Postby the_anomaly » Sun Sep 13, 2015 9:19 am

Hello, since I'm new here tx for a great product.

I'm not sure where the problem lies so I have posted this in the various forums. I recently changed my SIP trunk provider, from a very secure locked down one to a less secure one. I say this because one locked out other countries while the new one allows registration from other countries.

It may be an asterisk setting, iptables issue or even fail2ban setting so please bear with me. My questions are these...(see the logs after)

1. It appears someone is attempting to access my system, is this true?
2. If so, I am behind a public dynamic IP. Rebooting my router has no effect, how does he find me every time?
3. How does he get past the iptables? Did I set them wrong?
4. Is there an Asterisk setting I could use to stop this?
5. Is there a FreePBX setting to stop this?
6. Could this be a virus / malware on the exchange doing this?
7. I thought my iptables DROP all first would fix this, is fail2ban allowing him through (see last)?

Product in use:
Asterisk 11.18.0
FreePBX 12.0.76 - fail2ban installed, iptables installed
Raspbx on a raspberrypi

Iptables settings:
# Generated by iptables-save v1.4.21 on Sun Sep 13 05:50:38 2015
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
[0:0] -A INPUT -s 0.0.0.0/32 -j DROP
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
[0:0] -A INPUT -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -m state --state$
[0:0] -A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PS$
[0:0] -A INPUT -s 105.233.8.144/32 -j DROP
[0:0] -A INPUT -s 91.236.75.157/32 -j DROP
[0:0] -A INPUT -s 192.168.1.0/24 -j ACCEPT
[0:0] -A INPUT -m state --state INVALID -j DROP
[0:0] -A INPUT -p tcp -m tcp --dport 3306 -j DROP
[0:0] -A INPUT -s 41.183.0.0/24 -j ACCEPT
[0:0] -A INPUT -s 199.102.239.170/32 -j ACCEPT
[0:0] -A INPUT -m state --state INVALID -j DROP
[0:0] -A INPUT -i lo -j ACCEPT
[0:0] -A INPUT -s 127.0.0.1/32 -j ACCEPT
[0:0] -A INPUT -s 192.168.1.0/24 -j ACCEPT


Asterisk log I'm concerned about:
[2015-09-13 16:35:52] NOTICE[1460] chan_sip.c: Registration from '"710" <sip:710@105.233.8.144:5060>' failed for '91.236.75.157:5085' - Wrong password
[2015-09-13 16:36:02] NOTICE[1460] chan_sip.c: Registration from '"8300" <sip:8300@105.233.8.144:5060>' failed for '91.236.75.157:5076' - Wrong password
[2015-09-13 16:36:37] NOTICE[1460] chan_sip.c: Registration from '"4300" <sip:4300@105.233.8.144:5060>' failed for '91.236.75.157:5081' - Wrong password
chan_sip.c:4086 retrans_pkt: Timeout on 3b4ed86543a1d9c8519a9f8c82259629 on non-critical invite transaction.


iptables -L output:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
fail2ban-asterisk  tcp  --  anywhere             anywhere             tcp dpt:sip
fail2ban-asterisk  udp  --  anywhere             anywhere             udp dpt:sip
fail2ban-asterisk  tcp  --  anywhere             anywhere             tcp dpt:sip-tls
fail2ban-ssh  tcp  --  anywhere             anywhere             multiport dports ssh
DROP       all  --  default              anywhere
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
DROP       tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
DROP       tcp  --  anywhere             anywhere             tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,SYN,RST,PSH,ACK,URG
DROP       all  --  105.233.8.144        anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
DROP       all  --  anywhere             anywhere             state INVALID
DROP       tcp  --  anywhere             anywhere             tcp dpt:mysql
ACCEPT     all  --  41.183.0.0/24        anywhere
ACCEPT     all  --  199.102.239.170      anywhere
DROP       all  --  anywhere             anywhere             state INVALID
ACCEPT     all  --  anywhere             anywhere
ACCEPT     all  --  localhost            anywhere
ACCEPT     all  --  192.168.1.0/24       anywhere
ACCEPT     all  --  41.183.0.0/24        anywhere
ACCEPT     all  --  199.102.239.170      anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain fail2ban-asterisk (3 references)
target     prot opt source               destination
DROP       all  --  91.236.75.157        anywhere
RETURN     all  --  anywhere             anywhere

Chain fail2ban-ssh (1 references)
target     prot opt source               destination
RETURN     all  --  anywhere             anywhere


Any help on this would be great. Tx :)
the_anomaly
Newsterisk
 
Posts: 2
Joined: Sun Sep 13, 2015 8:49 am

Re: Asterisk, Freepbx, iptables or fail2ban...hacked?

Postby navaismo » Mon Sep 14, 2015 11:13 am

the_anomaly wrote: Hello, since I'm new here tx for a great product.
1. It appears someone is attempting to access my system, is this true?

Yes, it is true.
2. If so, I am behind a public dynamic IP. Rebooting my router has no effect, how does he find me everytime?

They scan the network with bots and send a massive attack to authenticate.

3. How does he get past the iptables? Did I set them wrong?

Usually, if you permit connections over 5060 you are allowing people to reach your PBX.
If you don't need external access, then close the port.

4. Is there an Asterisk setting I could use to stop this?

There are a few settings that can help, like alwaysauthreject, changing the external context, setting secure passwords, and reading http://blogs.digium.com/2009/03/28/sip-security/

5. Is there a FreePBX setting to stop this?

Same as above.

6. Could this be a virus / malware on the exchange doing this?

Nope, bots on the wan.

7. I thought my iptables DROP all first would fix this, is fail2ban allowing him through (see last)?

I'm not familiar with fail2ban, but many people use it and share their configs; use Google to find your best option. I use blockhost and daily block many IP addresses.

My last advice is: if you need external access, use a VPN.
navaismo
Salt of the Asterisk
 
Posts: 1610
Joined: Mon Dec 07, 2009 1:30 pm
Location: Mexico City, Mexico
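As an added example (not code from the thread, from navaismo, or from the FreePBX/fail2ban projects), the following POSIX shell script does what questions 3 and 7 in the first post and the "close the port" advice above are about. It tallies failed registrations per source address from constructed chan_sip NOTICE lines of the same shape as the log in the first post (the address after `failed for` is the packet source, which is also the field fail2ban's asterisk filter keys on; the address inside the `sip:` URI is only the domain the sender put in the request), and it emits an iptables-restore ruleset whose INPUT policy is DROP and which admits SIP only from the trunk provider, so the open-by-default policy visible in the `Chain INPUT (policy ACCEPT)` listing above no longer applies. The LAN range, the trunk address 203.0.113.50, the threshold of 3 failures and the RTP port range are assumed placeholders, not values from the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. Tallies failed SIP registrations
# per source address from Asterisk chan_sip NOTICE lines and emits an
# iptables-restore ruleset with a default-DROP INPUT policy that admits SIP
# only from the trunk provider. Log lines, addresses and the threshold are
# constructed placeholders (RFC 5737 ranges), not values from the thread.

# Constructed sample of chan_sip NOTICE lines, same shape as the thread's.
sample_log() {
cat <<'EOF'
[2015-09-13 16:35:52] NOTICE[1460] chan_sip.c: Registration from '"710" <sip:710@203.0.113.10:5060>' failed for '198.51.100.7:5085' - Wrong password
[2015-09-13 16:36:02] NOTICE[1460] chan_sip.c: Registration from '"8300" <sip:8300@203.0.113.10:5060>' failed for '198.51.100.7:5076' - Wrong password
[2015-09-13 16:36:37] NOTICE[1460] chan_sip.c: Registration from '"4300" <sip:4300@203.0.113.10:5060>' failed for '198.51.100.7:5081' - Wrong password
[2015-09-13 16:40:01] NOTICE[1460] chan_sip.c: Registration from '"201" <sip:201@203.0.113.10:5060>' failed for '192.0.2.44:5060' - Wrong password
[2015-09-13 16:41:00] NOTICE[1460] chan_sip.c: Registration from '"202" <sip:202@203.0.113.10:5060>' failed for '192.0.2.44:5060' - No matching peer found
[2015-09-13 16:42:00] VERBOSE[1460] chan_sip.c: Really destroying SIP dialog '12345@203.0.113.10' Method: REGISTER
EOF
}

# The address inside "failed for '...'" is the packet source; the address in
# the sip: URI is only the domain the sender put in the request (typically
# the PBX's own public IP). Prints "ip count", most failures first.
failed_sources() {
    sed -n "s/.*Registration from .* failed for '\([0-9.]*\):[0-9]*'.*/\1/p" \
        | sort | uniq -c | sort -rn | awk '{print $2, $1}'
}

# Sources with at least $1 failures, one address per line.
offenders() {
    failed_sources | awk -v t="$1" '$2 >= t {print $1}'
}

# Emit an iptables-restore ruleset. $1 = LAN CIDR, $2 = trunk provider
# address or CIDR, remaining args = offender addresses. INPUT defaults to
# DROP, so a source that is not explicitly accepted never reaches port 5060
# (the thread's ruleset keeps policy ACCEPT, which is why the scanner got in).
generate_ruleset() {
    lan="$1"; trunk="$2"; shift 2
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    for ip in "$@"; do
        printf '%s\n' "-A INPUT -s $ip -j DROP"
    done
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    printf '%s\n' "-A INPUT -s $lan -j ACCEPT"
    printf '%s\n' "-A INPUT -s $trunk -p udp --dport 5060 -j ACCEPT"
    printf '%s\n' "-A INPUT -s $trunk -p tcp --dport 5060 -j ACCEPT"
    # RTP media range: assumed 10000-20000; match rtpstart/rtpend in rtp.conf.
    printf '%s\n' "-A INPUT -s $trunk -p udp --dport 10000:20000 -j ACCEPT"
    printf '%s\n' 'COMMIT'
}

# Stand-alone run: tally the constructed log, then print a ruleset to stdout
# for review (load it with iptables-restore only after checking it).
sample_log | failed_sources
generate_ruleset 192.168.1.0/24 203.0.113.50/32 $(sample_log | offenders 3)
```

On a real box the tally would read `/var/log/asterisk/full` instead of `sample_log`, and the generated ruleset should be reviewed before loading; if the trunk provider registers from several addresses, each needs its own `-s` line. Pair it with `alwaysauthreject=yes` in the `[general]` section of sip.conf, which navaismo mentions above, so a scanner cannot tell valid extensions from invalid ones by the error returned.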

Re: Asterisk, Freepbx, iptables or fail2ban...hacked?

Postby the_anomaly » Mon Sep 14, 2015 11:52 pm

Wow, that was a great reply. Tx

Before you replied I had tried so many things from different forums and somehow had not stumbled on that article you cited. I seem to have resolved it by using step 1 of that article and denying the bad IP address. I will definitely apply the other points to my setup.
the_anomaly
Newsterisk
 
Posts: 2
Joined: Sun Sep 13, 2015 8:49 am
