FreePBX / FREEPBX-15521

FreePBX Appliance: Issues with fail2ban and iptables


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Rejected
    • Affects Version/s: 13
    • Fix Version/s: None
    • Component/s: Fail2Ban, Firewall
    • Labels:
      None
    • Bug Tracker:
      Customer Issue
    • ToDo:
    • Asterisk Version:
      13.15.0
    • Distro Version:
      10.13.66-18
    • Distro:
      FreePBX Distro

      Description

      In this case, a user is trying to set up fail2ban and FreePBX's firewall.

      He noticed that when simulating some SIP attacks with the Intrusion Detection module enabled and the Firewall set up as shown in the attached pictures, in some cases the SIP attacks are being shown in Asterisk's CLI.

       

      iptables v1.4.7
      firewall | 13.0.45
      sysadmin | 13.0.74.4

      PBX Firmware: 10.13.66-18
      PBX Service Pack: 1.0.0.0

      logs
      [2017-08-07 11:12:16] NOTICE[2983] chan_sip.c: Registration from '"333" <sip:333@189.109.35.10>' failed for '195.154.231.2:5191' - Wrong password
      [2017-08-07 11:12:16] NOTICE[2983] chan_sip.c: Registration from '"333" <sip:333@189.109.35.10>' failed for '195.154.231.2:5191' - Wrong password
      [2017-08-07 11:12:16] NOTICE[2983] chan_sip.c: Registration from '"333" <sip:333@189.109.35.10>' failed for '195.154.231.2:5191' - Wrong password
      [2017-08-07 11:12:16] NOTICE[2983] chan_sip.c: Registration from '"333" <sip:333@189.109.35.10>' failed for '195.154.231.2:5191' - Wrong password
      [2017-08-07 11:12:16] NOTICE[2983] chan_sip.c: Registration from '"333" <sip:333@189.109.35.10>' failed for '195.154.231.2:5191' - Wrong password
      [2017-08-07 11:12:16] NOTICE[2983] chan_sip.c: Registration from '"333" <sip:333@189.109.35.10>' failed for '195.154.231.2:5191' - Wrong password
      [2017-08-07 11:12:16] NOTICE[2983] chan_sip.c: Registration from '"333" <sip:333@189.109.35.10>' failed for '195.154.231.2:5191' - Wrong password
      [2017-08-07 11:12:16] NOTICE[2983] chan_sip.c: Registration from '"333" <sip:333@189.109.35.10>' failed for '195.154.231.2:5191' - Wrong password

       

      With help from Chris Dolese, the SIP attacks were mitigated, but when the customer simulates SSH attacks, these attacks are shown in the file /var/log/secure but the originating IP is not being blocked.

      tail -f /var/log/secure
      Aug 7 18:45:35 pbxbp sshd[20184]: pam_unix(sshd:auth): check pass; user unknown
      Aug 7 18:45:35 pbxbp sshd[20184]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.153.19.139
      Aug 7 18:45:35 pbxbp sshd[20184]: pam_succeed_if(sshd:auth): error retrieving information about user je
      Aug 7 18:45:37 pbxbp sshd[20184]: Failed password for invalid user je from 180.153.19.139 port 41294 ssh2
      Aug 7 18:45:38 pbxbp sshd[20186]: Received disconnect from 180.153.19.139: 11: Bye Bye
      Aug 7 18:45:41 pbxbp sshd[20205]: Invalid user jean from 180.153.19.139
      Aug 7 18:45:41 pbxbp sshd[20206]: input_userauth_request: invalid user jean
      Aug 7 18:45:41 pbxbp sshd[20205]: pam_unix(sshd:auth): check pass; user unknown
      Aug 7 18:45:41 pbxbp sshd[20205]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.153.19.139
      Aug 7 18:45:41 pbxbp sshd[20205]: pam_succeed_if(sshd:auth): error retrieving information about user jean
      Aug 7 18:45:42 pbxbp sshd[20205]: Failed password for invalid user jean from 180.153.19.139 port 43071 ssh2
      Aug 7 18:45:43 pbxbp sshd[20206]: Received disconnect from 180.153.19.139: 11: Bye Bye
      Aug 7 18:45:46 pbxbp sshd[20233]: Invalid user juan from 180.153.19.139
      Aug 7 18:45:46 pbxbp sshd[20234]: input_userauth_request: invalid user juan
      Aug 7 18:45:46 pbxbp sshd[20233]: pam_unix(sshd:auth): check pass; user unknown
      Aug 7 18:45:46 pbxbp sshd[20233]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=180.153.19.139
      Aug 7 18:45:46 pbxbp sshd[20233]: pam_succeed_if(sshd:auth): error retrieving information about user juan

       

      Is this a bug between Intrusion Detection and Firewall? The end user is making a comparison between Issabel/Elastix fail2ban and FreePBX.
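
A check for the symptom described above (failures logged in /var/log/secure, source IP never blocked), as an added example that is not part of the original ticket or of FreePBX: it counts failed-password lines per source IP and lists addresses that crossed a threshold yet are missing from a supplied ban list. The regex is a simplified stand-in for fail2ban's sshd filter, the `maxretry` and `findtime` values are assumed, and the sample lines are constructed in the format quoted in the issue.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the /var/log/secure format quoted in the issue.
SAMPLE = """\
Aug 7 18:45:37 pbxbp sshd[20184]: Failed password for invalid user je from 180.153.19.139 port 41294 ssh2
Aug 7 18:45:38 pbxbp sshd[20186]: Received disconnect from 180.153.19.139: 11: Bye Bye
Aug 7 18:45:42 pbxbp sshd[20205]: Failed password for invalid user jean from 180.153.19.139 port 43071 ssh2
Aug 7 18:45:47 pbxbp sshd[20233]: Failed password for invalid user juan from 180.153.19.139 port 44102 ssh2
Aug 7 18:50:01 pbxbp sshd[20301]: Failed password for root from 192.0.2.7 port 50022 ssh2
"""

# Simplified stand-in for an sshd filter (assumption, not fail2ban's own regex).
FAIL_RE = re.compile(
    r"^(\w{3}\s+\d+\s+[\d:]{8})\s+\S+\s+sshd\[\d+\]:\s+"
    r"Failed password for (?:invalid user )?\S+ from (\d{1,3}(?:\.\d{1,3}){3}) port")

def failures(log_text, year=2017):
    """Yield (timestamp, ip) per failed-password line; syslog omits the year."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, m.group(2)

def expected_bans(log_text, maxretry=3, findtime=600):
    """IPs with at least maxretry failures inside any findtime-second window."""
    by_ip = defaultdict(list)
    for ts, ip in failures(log_text):
        by_ip[ip].append(ts)
    window = timedelta(seconds=findtime)
    hits = set()
    for ip, stamps in by_ip.items():
        stamps.sort()
        for i in range(len(stamps) - maxretry + 1):
            if stamps[i + maxretry - 1] - stamps[i] <= window:
                hits.add(ip)
                break
    return hits

def missed_bans(log_text, banned_ips, **limits):
    """IPs that crossed the threshold but are absent from the ban list."""
    return sorted(expected_bans(log_text, **limits) - set(banned_ips))

if __name__ == "__main__":
    # banned_ips would come from the jail status or the firewall's rule listing.
    print(missed_bans(SAMPLE, banned_ips=[]))
```

An address reported here means the log evidence was sufficient for a ban, so the gap lies in the jail configuration or the ban action rather than in the logging.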

       

       

          Attachments

          1. 1.PNG (44 kB)
          2. 2.PNG (77 kB)
          3. 3.PNG (62 kB)
          4. 4.PNG (73 kB)
          5. 5.PNG (101 kB)
          6. 6.PNG (122 kB)

                People

                • Assignee: Lorne Gaetz (lgaetz)
                • Reporter: Gerardo Barajas (gbarajas)
                • Votes: 0
                • Watchers: 4
