- Type: Improvement
- Status: Closed
- Priority: Minor
- Resolution: Fixed
- Affects Version/s: 2.11
- Fix Version/s: 12
- Component/s: Core, System Admin (Commercial)
- Labels:
- Environment: Latest FPBX Distro 5.211.65.6
- ToDo:
- Asterisk Version: 11.7.0
- Distro Version: 5.211.65.6
- Distro: FreePBX Distro

On some systems it's impossible to statically secure and firewall the SIP port from unwanted traffic: road warriors, remote endpoints with dynamic IPs, the need to allow SIP-to-SIP or ENUM calls, etc. make it difficult, if not impossible.
With port 5060 open to the Internet, and "Allow SIP Guests" and "Allow Anonymous Inbound SIP Calls" enabled, systems are subject to continuous dial-through attempts, where extension "100" or "200" - claiming to be at the public IP of the PBX - tries to make outbound calls.
With the current set-up it's impossible to catch these attempts and ban the offending IP, as it's not logged anywhere. But by adding a "Log" line to a FreePBX-generated context, we can catch this case with another line crafted in the Fail2Ban rules.
The problem is that I can't find a function in extensions.class.php to create a "Log" line in a context dynamically compiled by FreePBX.
Here's where I need some help to implement this feature.
As a proof of concept, I'm attaching two files:
- an "extensions_override_freepbx.conf" where the "ext-did-catchall" context includes the additional "Log" line to expose the true IP of the attacker;
- a revised "asterisk-security.conf" where the exposed IP is caught and banned by Fail2Ban.
The new rule in Fail2Ban is easy to patch in, but the "Log" line in the context isn't, without an "ext_log" function in extensions.class.php.
Help? Please?
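
A sketch of the detection half of this proposal, added here as an example and not taken from the ticket's attached files: it matches the output of a dialplan "Log" line in "ext-did-catchall" and applies a Fail2Ban-style retry threshold per source IP. The log message layout (`src=... callerid=...`), the names `LINE_RE` and `offenders`, and the thresholds are assumptions; the source IP is logged before the caller-supplied value so that text in the caller ID cannot redirect a ban.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample lines. The message after the context name is an assumed
# format for the added Log() line, not the one used in the attached files.
SAMPLE_LOG = """\
[2014-02-10 03:14:01] WARNING[2211][C-0000001a]: Ext. s:2 @ ext-did-catchall: Anonymous call: src=203.0.113.50 callerid=100
[2014-02-10 03:14:09] WARNING[2214][C-0000001b]: Ext. s:2 @ ext-did-catchall: Anonymous call: src=203.0.113.50 callerid=200
[2014-02-10 03:15:02] WARNING[2219][C-0000001c]: Ext. s:2 @ ext-did-catchall: Anonymous call: src=203.0.113.50 callerid=100 src=198.51.100.7
[2014-02-10 03:20:00] WARNING[2230][C-0000001d]: Ext. s:2 @ ext-did-catchall: Anonymous call: src=198.51.100.7 callerid=100
[2014-02-10 09:00:00] WARNING[2301][C-0000002e]: Ext. s:2 @ ext-did-catchall: Anonymous call: src=not-an-ip callerid=100
"""

# Anchored at the line start and tied to the context name, so only the first
# src= token (written by the dialplan, not by the caller) is captured.
LINE_RE = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] WARNING\[\d+\](?:\[C-[0-9a-f]+\])?: "
    r"Ext\. \S+:\d+ @ ext-did-catchall: Anonymous call: src=(?P<host>\S+) callerid="
)


def offenders(log_text, maxretry=3, findtime=600):
    """Return IPs with at least maxretry matching lines within findtime seconds."""
    recent = defaultdict(deque)  # ip -> timestamps inside the sliding window
    banned = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        try:
            ip = str(ipaddress.ip_address(m.group("host")))
        except ValueError:
            continue  # never act on a token that is not a literal IP address
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        hits = recent[ip]
        hits.append(ts)
        while (ts - hits[0]).total_seconds() > findtime:
            hits.popleft()  # drop attempts that fell out of the window
        if len(hits) >= maxretry and ip not in banned:
            banned.append(ip)
    return banned


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```
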