the intrusion detection didn’t seem to pick them up so I added them to the ban list by doing the below commands.
fail2ban-client set asterisk-vpbx banip 149.56.23.113
fail2ban-client set asterisk-vpbx banip 143.244.57.120
The IPs now show in the ban list on the VitalPBX Firewall page. I have also tried to DROP the connections in iptables, as the firewall won't block anything that is already connected. That being said, I have restarted the server instance too for good measure, and the attempts still persist.
I have seen a forum post here where similar activity was reported and it was suggested to install the geofirewall. I have done this now also and blocked where these IPs are reported to be coming from on the abuseipdb website, and yet the connections persist.
How is your firewall setup? Do you allow any traffic? What is your find and ban time?
Finally, one big misconception: even if you drop everything in iptables, you will still see SIP attempts in sngrep. To see if they are actually dropped, open the dialog and see if there's a response. If there's no response, then the IP is blocked.
Want to see it for yourself? Take a bare Linux install (make sure it does not have any service that listens on 5060) and expose it to the WWW. Open sngrep and give it an hour…
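The check described above (look at each dialog and see whether the PBX ever answered) can be automated over a capture summary. This is an added example, not code from the thread or from VitalPBX; the PBX address 10.0.0.5, the remote addresses and the SIP lines are all constructed, and the one-message-per-line format (src, dst, Call-ID, SIP start line) is an assumed export shape rather than sngrep's own output.

```python
"""Per-source verdict from a SIP capture: did the PBX answer, or is the source dropped?"""
from collections import defaultdict

PBX_IP = "10.0.0.5"  # hypothetical PBX address (assumption)

# Constructed sample: src dst Call-ID start-line. Two sources get answered,
# one (198.51.100.9) only ever sends and never receives anything back.
SAMPLE_CAPTURE = """\
203.0.113.7 10.0.0.5 a1@203.0.113.7 INVITE sip:1001@10.0.0.5 SIP/2.0
10.0.0.5 203.0.113.7 a1@203.0.113.7 SIP/2.0 401 Unauthorized
203.0.113.7 10.0.0.5 a2@203.0.113.7 INVITE sip:1002@10.0.0.5 SIP/2.0
198.51.100.9 10.0.0.5 b1@198.51.100.9 REGISTER sip:10.0.0.5 SIP/2.0
198.51.100.9 10.0.0.5 b2@198.51.100.9 INVITE sip:9011@10.0.0.5 SIP/2.0
192.0.2.33 10.0.0.5 c1@192.0.2.33 INVITE sip:2000@10.0.0.5 SIP/2.0
10.0.0.5 192.0.2.33 c1@192.0.2.33 SIP/2.0 403 Forbidden
"""


def parse_capture(text):
    """Split each non-empty line into (src, dst, call_id, start_line)."""
    msgs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, call_id, start_line = line.split(maxsplit=3)
        msgs.append((src, dst, call_id, start_line))
    return msgs


def summarize(text, pbx_ip=PBX_IP):
    """Return {remote_ip: {"requests", "responses", "verdict"}}.

    A response is any message from the PBX whose start line begins with
    'SIP/2.0' (status line). A remote host that sent requests but never got
    a single response is classed 'silent': traffic reached the capture point
    but was dropped before Asterisk could reply, which is what a working
    iptables/fail2ban DROP looks like in sngrep.
    """
    stats = defaultdict(lambda: {"requests": 0, "responses": 0})
    for src, dst, _call_id, start_line in parse_capture(text):
        if src != pbx_ip:
            stats[src]["requests"] += 1
        elif start_line.startswith("SIP/2.0"):
            stats[dst]["responses"] += 1
    for entry in stats.values():
        entry["verdict"] = "answered" if entry["responses"] else "silent"
    return dict(stats)


if __name__ == "__main__":
    for ip, entry in summarize(SAMPLE_CAPTURE).items():
        print(f"{ip:<14} req={entry['requests']} resp={entry['responses']} {entry['verdict']}")
```

A source marked "answered" is still reaching Asterisk, so the DROP rule or ban is not matching that traffic; "silent" sources are the ones the firewall is actually stopping.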
Thank you. I have included my EC2 firewall configuration and a screenshot of my VitalPBX Firewall settings. I have enabled the GEO firewall and allowed only the UK, as these connections are coming from France and Canada apparently.
| Type | Protocol | Port range | Source | Description |
|---|---|---|---|---|
| Custom UDP | UDP | 5060 - 5063 | 0.0.0.0/0 | PJSIP UDP - Open port(s) |
| Custom TCP | TCP | 5060 - 5063 | 0.0.0.0/0 | PJSIP TCP - Open port(s) |
| Custom TCP | TCP | 8088 - 8089 | 0.0.0.0/0 | Webrtc |
| Custom UDP | UDP | 10000 - 20000 | 0.0.0.0/0 | RTP - Open port(s) |
| HTTPS | TCP | 443 | 0.0.0.0/0 | HTTPS - Open port(s) |
| Custom TCP | TCP | 3000 | 0.0.0.0/0 | VPBX HTTP Dashboard - Open port(s) |
| Custom TCP | TCP | 3005 | 0.0.0.0/0 | VPBX HTTPS Dashboard - Open port(s) |
| HTTP | TCP | 80 | 0.0.0.0/0 | HTTP - Open port(s) |
| All traffic | All | All | 3.212.223.16/32 | VitalPBX Push Server - US |
| All traffic | All | All | 35.176.110.61/32 | Sessiontalk Push Server - UK1 |
| All traffic | All | All | 35.178.12.139/32 | Sessiontalk Push Server - UK1 |
| SSH | TCP | 22 | $$.$$.$$.$$/32 | SSH from the Office |
| All traffic | All | All | $$.$$.$$.$$/32 | SIP TRUNK - Signalling UDP port 5060 - Fully Open egress/ingress |
| All traffic | All | All | $$.$$.$$.$$/32 | SIP TRUNK - Media UDP ports 6000 - 40000 egress/ingress - Fully Open |
I have had this instance up for about three to four months now, and this is the most activity I have seen. So far everything has been blocked by the intrusion detection and it stops pretty quickly; this has stuck around for a few days and the intrusion detection didn't pick it up, so I manually added it to fail2ban and attempted to drop it in iptables. When you suggest opening the dialogue, which dialogue are you referring to exactly? I am interested to learn more.
My PBX is meant for use by remote workers, so there have to be some ports that are open to the world so that their various mobile devices and desk phones can work. Are you able to suggest refinements at all? Also, here is a screenshot of one of the offending INVITEs.
Thank you, I have tried the commands as you have suggested and replaced YOUR_DOMAIN.com with the FQDN of my instance. Was I meant to do anything with the INVITE sip: and the REGISTER sip: entries? I have not seen any change; there are still at least 100 INVITEs a minute coming in.