Securing FreePBX from attacks

EddieJennings

@dashrender said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

Other oddity. Both redacted IP addresses are the same.

Open another tab in chrome or whatever browser and type
What is my IP to confirm the expected IP.

Heh. Yes, I've confirmed the IP of the client machine mentioned is the IP I'm using, which is the IP that's assigned to the Trusted zone.

zachary715

@eddiejennings said in Securing FreePBX from attacks:

Other oddity. Both redacted IP addresses are the same.

I think I had this happen when I set up mine. Everything seemed to work fine, but the error message was still there. I can't remember if it was a simple reboot that fixed it, a firmware upgrade, or what.

EddieJennings

As a test, I added one of my remote end user's IP addresses to the System Admin > Intrusion Detection Whitelist to see if that would prevent them from being blocked by the Responsive Firewall. Alas, I return from lunch and they're once again blocked. Since I'm still in a testing mode, I'm thinking of blowing away this PBX, rebuilding, and seeing if the problem replicates.

Dashrender

@eddiejennings said in Securing FreePBX from attacks:

As a test, I added one of my remote end user's IP addresses to the System Admin > Intrusion Detection Whitelist to see if that would prevent them from being blocked by the Responsive Firewall. Alas, I return from lunch and they're once again blocked. Since I'm still in a testing mode, I'm thinking of blowing away this PBX, rebuilding, and seeing if the problem replicates.

I'm curious to find out - since I'm having the same issue!

EddieJennings

New PBX is now installed, configured, and updated. Let's see what happens.

SmithErick

Might be time to play with the built-in OpenVPN server. I have RF enabled on my remote FreePBX with 90% of endpoints being Yealink and have not had any issues.

Dashrender

I wonder what Eddie and I are doing differently than JB that's causing our issues?

JaredBusch

Assuming you have reinstalled and the problem exists, open a support case with Sangoma. The cost is minimal compared to the time you are spending.

EddieJennings

Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.

Dashrender

@eddiejennings said in Securing FreePBX from attacks:

Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.

Only your soft phones are doing this?

JaredBusch

@dashrender said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.

Only your soft phones are doing this?

@EddieJennings this.. Do you not have a deskphone at one of these locations causing the same problem?

Dashrender

@jaredbusch said in Securing FreePBX from attacks:

@dashrender said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.

Only your soft phones are doing this?

@EddieJennings this.. Do you not have a deskphone at one of these locations causing the same problem?

Both softphones and deskphones are causing my issue.

EddieJennings

At the moment, that appears to be the case: Yealink phone users are unaffected. However, there's one user I'm watching before I can verify that to be 100% true.

EddieJennings

Ok, it appears that my two external Yealink phone users' phones are staying registered. I'm going to install Linphone at home and see if I can replicate this problem.

Dashrender

@eddiejennings said in Securing FreePBX from attacks:

Ok, it appears that my two external Yealink phone users' phones are staying registered. I'm going to install Linphone at home and see if I can replicate this problem.

Are those Yealink phones only in locations that are specifically listed a trusted sites?

In my case, I never added their IP as a trusted site and they worked fine for over 2 weeks. Then one day, they started being blocked. The day they started being blocked was the first time they tried using UCP from that location.

Adding the IP to the Trusted Sites list did provide a work-a-round, but really, they shouldn't have been getting blocked for any reason I can tell.

EddieJennings

Two of my phones are in the office, which is a trusted network for the PBX. Two are at users's homes, whose networks aren't explicitly trusted. Linphone was giving me problems on my Korora machine on Friday, so I installed Zoiper when I was at home. My IP was rate limited once, but never made it to the blocked list.

I have a good bit of menial tasks this morning. I intend to get an external softphone user back on line after noon or so EST so I can see if I can replicate this problem (making 100% sure credentials, etc. are right).

black3dynamite

@eddiejennings said in Securing FreePBX from attacks:

Two of my phones are in the office, which is a trusted network for the PBX. Two are at users's homes, whose networks aren't explicitly trusted. Linphone was giving me problems on my Korora machine on Friday, so I installed Zoiper when I was at home. My IP was rate limited once, but never made it to the blocked list.

I have a good bit of menial tasks this morning. I intend to get an external softphone user back on line after noon or so EST so I can see if I can replicate this problem (making 100% sure credentials, etc. are right).

Are you using the latest version of linphone from their website or the one from the repo?

EddieJennings

Alas, no change. Unless there's a log that shows dropped packets, I'm at a loss.

All users' extensions have Max Contacts set at 3.

User 1:

• Yealink phone in the office that has their extension and User 2's extension registered on it. - Zero problems
• Yealink phone at their home that has their extension on it. - Zero problems

User 2:

• Yealink phone in the office that has their extension and User 1's extension registered on it - Zero problems.
• Yealink phone at their home that has their extension on it. Extension registers, and is listed in Chan_PJSip enpoints; however, afer a few minutes, the IP address is blocked by the Responsive Firewall, and this appears in the Freepbx log.

[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Contact XXX/sip:XXX@2.2.2.2:5060 is now Unreachable. RTT: 0.000 msec
[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Endpoint XXXis now Unreachable

User 3:

• Linphone softphone on Windows computer. 100% correct server setting and extension credentials. Same behavior as User's 2 at home Yealink phone with the IP block.

Dashrender

@eddiejennings said in Securing FreePBX from attacks:

Alas, no change. Unless there's a log that shows dropped packets, I'm at a loss.

All users' extensions have Max Contacts set at 3.

User 1:

• Yealink phone in the office that has their extension and User 2's extension registered on it. - Zero problems
• Yealink phone at their home that has their extension on it. - Zero problems

User 2:

• Yealink phone in the office that has their extension and User 1's extension registered on it - Zero problems.
• Yealink phone at their home that has their extension on it. Extension registers, and is listed in Chan_PJSip enpoints; however, afer a few minutes, the IP address is blocked by the Responsive Firewall, and this appears in the Freepbx log.

[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Contact XXX/sip:XXX@2.2.2.2:5060 is now Unreachable. RTT: 0.000 msec
[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Endpoint XXXis now Unreachable

User 3:

• Linphone softphone on Windows computer. 100% correct server setting and extension credentials. Same behavior as User's 2 at home Yealink phone with the IP block.

What you don't mention is if any of the IPs associated with these phones are in the trusted list. Just for FYI reasons.

EddieJennings

@dashrender said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

Alas, no change. Unless there's a log that shows dropped packets, I'm at a loss.

All users' extensions have Max Contacts set at 3.

User 1:

• Yealink phone in the office that has their extension and User 2's extension registered on it. - Zero problems
• Yealink phone at their home that has their extension on it. - Zero problems

User 2:

• Yealink phone in the office that has their extension and User 1's extension registered on it - Zero problems.
• Yealink phone at their home that has their extension on it. Extension registers, and is listed in Chan_PJSip enpoints; however, afer a few minutes, the IP address is blocked by the Responsive Firewall, and this appears in the Freepbx log.

[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Contact XXX/sip:XXX@2.2.2.2:5060 is now Unreachable. RTT: 0.000 msec
[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Endpoint XXXis now Unreachable

User 3:

• Linphone softphone on Windows computer. 100% correct server setting and extension credentials. Same behavior as User's 2 at home Yealink phone with the IP block.

What you don't mention is if any of the IPs associated with these phones are in the trusted list. Just for FYI reasons.

The phones in the office are, since the IP of the office is on the trusted list. The phones outside the office are not, as they're whatever IP the user's ISP gives them.