- Type: Improvement
- Status: Closed
- Priority: Major
- Resolution: Won't Fix
- Affects Version/s: 12, 13
- Fix Version/s: None
- Component/s: Fail2Ban, System Admin (Commercial)
- Labels:
- ToDo:
- Asterisk Version: Asterisk 11.21.0
- Distro Version: FreePBX 12.0.76.2
- Distro: FreePBX Distro
Recently I had a misuse of my FreePBX online. I discovered that one of the extensions was placing too many calls and definitely was the extension owner.
Investigating, I discovered that someone was trying to pull information from the TFTP server, as I have Endpoint Manager installed.
There was a robot trying to guess MAC addresses, and they did find one.
Attack example fragment:
[code]
Feb 14 03:25:03 pbx in.tftpd[20252]: RRQ from 5.11.41.148 filename spae05fb981e219.xml
Feb 14 03:25:03 pbx in.tftpd[20252]: sending NAK (1, File not found) to 5.11.41.148
Feb 14 03:25:03 pbx in.tftpd[20280]: RRQ from 5.11.41.148 filename spae05fb981e21b.xml
Feb 14 03:25:03 pbx in.tftpd[20280]: sending NAK (1, File not found) to 5.11.41.148
Feb 14 03:25:03 pbx in.tftpd[20281]: RRQ from 5.11.41.148 filename spae05fb981e21c.xml
Feb 14 03:25:03 pbx in.tftpd[20281]: sending NAK (1, File not found) to 5.11.41.148
Feb 14 03:25:03 pbx in.tftpd[20308]: RRQ from 5.11.41.148 filename spae05fb981e21d.xml
Feb 14 03:25:03 pbx in.tftpd[20308]: sending NAK (1, File not found) to 5.11.41.148
Feb 14 03:25:03 pbx in.tftpd[20311]: RRQ from 5.11.41.148 filename spae05fb981e21e.xml
Feb 14 03:25:03 pbx in.tftpd[20311]: sending NAK (1, File not found) to 5.11.41.148
Feb 14 03:25:03 pbx in.tftpd[20339]: RRQ from 5.11.41.148 filename spae05fb981e21f.xml
Feb 14 03:25:03 pbx in.tftpd[20339]: sending NAK (1, File not found) to 5.11.41.148
Feb 14 03:25:03 pbx in.tftpd[20368]: RRQ from 5.11.41.148 filename spae05fb981e220.xml
Feb 14 03:25:03 pbx in.tftpd[20368]: sending NAK (1, File not found) to 5.11.41.148
Feb 14 03:25:03 pbx in.tftpd[20372]: RRQ from 5.11.41.148 filename spae05fb981e221.xml
Feb 14 03:25:03 pbx in.tftpd[20372]: sending NAK (1, File not found) to 5.11.41.148
Feb 14 03:25:03 pbx in.tftpd[20378]: RRQ from 5.11.41.148 filename spae05fb981e222.xml
Feb 14 03:25:03 pbx in.tftpd[20378]: sending NAK (1, File not found) to 5.11.41.148
Feb 14 03:25:03 pbx in.tftpd[20386]: RRQ from 5.11.41.148 filename spae05fb981e223.xml
Feb 14 03:25:03 pbx in.tftpd[20386]: sending NAK (1, File not found) to 5.11.41.148
Feb 14 03:25:04 pbx in.tftpd[20387]: RRQ from 5.11.41.148 filename spae05fb981e225.xml
[/code]
The solution I found was simple. I only added a new rule to fail2ban to handle too many Not Found responses against port 69.
As the rule will be erased on updates, I would suggest including it in the official distro to improve security as soon as possible, as this would benefit everyone.
Here are the rules I used.
In jail.local I inserted:
[code]
[tftpd]
enabled  = true
filter   = tftpd-hpa
# Multi-line values: the continuation line must be indented or the jail fails to parse.
action   = iptables[name=tftp, port=69, protocol=udp]
           sendmail-whois[name=tftpd, dest=destination@host.com, sender=root@host.com, sendername="sender name"]
logpath  = /var/log/messages
maxretry = 20
bantime  = 604800
[/code]
and I created the file filter.d/tftpd-hpa.conf:
[code]
# Fail2Ban filter for tftpd-hpa
[INCLUDES]
# Read common prefixes. If any customizations are available, read them from common.local
before = common.conf

[Definition]
_daemon = in.tftpd
# Each matching line counts as one failure. The NAK line flags a request for a
# file that does not exist; the RRQ line counts every read request from the host,
# including legitimate phones fetching their own configuration.
failregex = ^%(__prefix_line)ssending NAK.*to <HOST>$
            ^%(__prefix_line)sRRQ from <HOST> filename.*$
ignoreregex =
[/code]
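To see what this jail would actually do on a log like the fragment above, here is an added Python re-implementation of the filter's two regexes and the maxretry/findtime counting (example code, not from this ticket or from fail2ban), run over constructed log lines. The __prefix_line stand-in, the 2016 year, the RFC 5737 addresses and the 600-second findtime are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Assumed stand-in for common.conf's __prefix_line (_daemon = in.tftpd):
# syslog timestamp, hostname, then "in.tftpd[pid]: ".
PREFIX = r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ in\.tftpd\[\d+\]: "
IPV4 = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"          # fail2ban's <HOST>
# The two failregex lines from filter.d/tftpd-hpa.conf.
FAILREGEX = [
    re.compile(PREFIX + r"sending NAK.*to " + IPV4 + r"$"),
    re.compile(PREFIX + r"RRQ from " + IPV4 + r" filename.*$"),
]

def parse_ts(ts, year=2016):
    # Syslog timestamps carry no year; 2016 is an assumption.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def find_bans(lines, maxretry=20, findtime=600):
    """Return {host: time of ban} for hosts whose matching lines reach
    maxretry within a sliding findtime-second window (jail semantics)."""
    windows = defaultdict(deque)
    banned = {}
    for line in lines:
        for rx in FAILREGEX:
            m = rx.match(line)
            if m:
                break
        else:
            continue                      # not a failure line
        host, now = m["host"], parse_ts(m["ts"])
        if host in banned:
            continue
        w = windows[host]
        w.append(now)
        while (now - w[0]).total_seconds() > findtime:
            w.popleft()                   # expire matches older than findtime
        if len(w) >= maxretry:
            banned[host] = now
    return banned

# Constructed sample log (RFC 5737 addresses): a scanner walking MAC-style
# filenames and collecting NAKs, then a legitimate phone fetching its config.
SCANNER, PHONE = "192.0.2.10", "192.0.2.20"
SAMPLE_LOG = []
for i in range(11):
    SAMPLE_LOG.append(f"Feb 14 03:25:03 pbx in.tftpd[{20252 + i}]: RRQ from {SCANNER} filename spa{i:012x}.xml")
    if i < 10:
        SAMPLE_LOG.append(f"Feb 14 03:25:03 pbx in.tftpd[{20252 + i}]: sending NAK (1, File not found) to {SCANNER}")
SAMPLE_LOG += [f"Feb 14 03:26:{s:02d} pbx in.tftpd[20400]: RRQ from {PHONE} filename spa001122334455.xml" for s in (1, 2, 3)]
```

With maxretry = 20 the scanner in this sample is banned on its 20th matching line while the phone's three requests never come close. Because the RRQ regex also matches successful fetches, a site with many phones should size maxretry above their normal request rate within findtime.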