Flooded by INVITE requests

Hi there,

I have noticed recently that my VItalPBX instance is flooded with INVITE requests that seem to be attempting brute force to find a working extension.

image

the intrusion detection didn’t seem to pick them up so I added them to the ban list by doing the below commands.

fail2ban-client set asterisk-vpbx banip 149.56.23.113
fail2ban-client set asterisk-vpbx banip 143.244.57.120

The IPs now show I the ban list on the VitalPBX Firewall page, I have also tried to DROP the connections in iptables, as the firewall won’t block anything that is already connected. that being said I have restarted the server instance too for good measure. and the attempts still persist.

I have seen a forum post here where similar activity was reported and it was suggested to install the geofirewall, I have done this now also and blocked where these ips are reported to be coming from on the abuseipdb website, and yet the connections persist.

https://forums.vitalpbx.org/t/firewall-not-blocked/595/11

Is there anything that can be done to block this kind of activity?

How is your firewall setup? Do you allow any traffic? What is your find and ban time?

Finally, one big misconception. Even if you drop everything in iptables, you will still see SIP attempts in sngrep. To see if they are actually dropped, open the dialog and see if there’s a response. If there’s no response, then the IP is blocked.

Want to see it for yourself. Take a bare Linux install (make sure it does not have any service that listens for 5060) and expose it to the WWW. Open sngrep and give it an hour…

Hi @PitzKey,

Thank you I have included my EC2 firewall configuration and a screenshot of my VitalPBX Firewall settings. I have enabled the GEO firewall and allowed only the UK, as these connections are coming from France and Canada apparently.

Type Protocol Port range Source Description
Custom UDP UDP 5060 - 5063 0.0.0.0/0 PJSIP UDP - Open port(s)
Custom TCP TCP 5060 - 5063 0.0.0.0/0 PJSIP TPC - Open port(s)
Custom TCP TCP 8088 - 8089 0.0.0.0/0 Webrtc
Custom UDP UDP 10000 - 20000 0.0.0.0/0 RTP - Open port(s)
HTTPS TCP 443 0.0.0.0/0 HTTPS - Open port(s)
Custom TCP TCP 3000 0.0.0.0/0 VPBX HTTP Dashboard - Open port(s)
Custom TCP TCP 3005 0.0.0.0/0 VPBX HTTPS Dashboard - Open port(s)
HTTP TCP 80 0.0.0.0/0 HTTP - Open port(s)
All traffic All All 3.212.223.16/32 VitalPBX Push Server - US
All traffic All All 35.176.110.61/32 Sessiontalk Push Server - UK1
All traffic All All 35.178.12.139/32 Sessiontalk Push Server - UK1
SSH TCP 22 $$.$$.$$.$$/32 SSH from the Office
All traffic All All $$.$$.$$.$$/32 SIP TRUNK - Signalling UDP port 5060 - Fully Open egress/ingress
All traffic All All $$.$$.$$.$$/32 SIP TRUNK- Media UDP ports 6000 - 40000 egress/ingress - Fully Open

image

This is a snipit of just a few minutes on sngrep, as you can see they are sequentially trying to do something. :thinking:

image

If I go into one of the attempts on sngrep, all that is there is an invite and nothing else:

INVITE sip:+6498899893@...:5060;transport=UDP SIP/2.0
Via: SIP/2.0/UDP 93.12.128.8:5060;branch=z9hG4bK-524287-1—qwjvy3c19ska2ci0
Max-Forwards: 70
Contact: sip:16536@93.12.128.8:5060;transport=UDP
To: sip:+6498899893@**.**.**.**;transport=UDP
From: sip:16536@**.**.**.**;transport=UDP;tag=mt2akhip
Call-ID: yARtLrgZRY4Y3iiZw8Zupn…
CSeq: 1 INVITE
Content-Type: application/sdp
User-Agent: Z 3.14.38765 rv2.8.3
Allow-Events: presence, kpml, talk
Content-Length: 284

v=0
o=Z 0 0 IN IP4 93.12.128.8
s=Z
c=IN IP4 93.12.128.8
t=0 0
m=audio 8000 RTP/AVP 18 3 110 8 0 97 101
a=rtpmap:18 G729/8000
a=fmtp:18 annexb=no
a=rtpmap:110 speex/8000
a=rtpmap:97 iLBC/8000
a=fmtp:97 mode=30
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-16
a=sendrecv

I have had this instance up for about three-4 months now, and this is the most activity I have seen, so far everything is blocked by the intrusion detection and it stops pretty quickly, this, has stuck around for a few days and the intrusion detection didn’t pick it up, I manually added to fail2ban and attempted to drop it in iptables. When you suggest opening the dialogue, which dialogue are you referring to exactly I am interested to learn more.

Digi

Do you see any response? If not, then the IP is blocked.

Can you post a screenshot of the SIP dialogue?

Also, you seem to allow SIP and RTP from anywhere, yet you also have a couple of other addresses allowed. It’s kinda duplicate.

Try the following and let us know the results.

firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p udp --dport 5060 -m string --string "YOUR_DOMAIN.COM" --algo bm -j ACCEPT
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 1 -p udp --dport 5060 -m string --string "INVITE sip:" --algo bm -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 2 -p udp --dport 5060 -m string --string "REGISTER sip:" --algo bm -j DROP
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 3 -p udp --dport 5060 -m state --state ESTABLISHED,RELATED -j ACCEPT

To apply the rules, do a firewall reload.

firewall-cmd --reload

You can remove the flag “–permanent,” if you want to avoid the rule being persistent after a reboot.

Hi @PitzKey

My PBX is meant for use by remote workers so there have to be some pots that are open to the world so that their various mobile dives and desk phones can work. Are you able to suggest refinements at all? Also here is a screenshot of one of the offending INVITES

image

Hi @miguel

Thank you, I have tried the commands as you have suggested and replaced YOUR_DOMAIN.com with the FQDN of my instance, was I meant to do anything with the INVITE sip: and the REGISTER sip: entries, as I have not seen any change, there are still at least 100 invites a minute coming in.

Cheers

Piece a Kamailio in front of the PBX, there you can do domain security, UA security and much more to secure your PBX.

As you can see, there’s no response, which indicates that this IP is blocked.

Again, you have to look in the dialogue if Asterisk is sending a response. If not, then it’s blocked.

2 Likes

Hi @PitzKey

Amazing! I seek and crave understanding of things, this all makes sense. Thank you. I will look into the Kamilio Idea too.

Thank you all

1 Like

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.