Securing FreePBX from attacks

JaredBusch

Assuming you have reinstalled and the problem exists, open a support case with Sangoma. The cost is minimal compared to the time you are spending.

EddieJennings

Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.

Dashrender

@eddiejennings said in Securing FreePBX from attacks:

Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.

Only your soft phones are doing this?

JaredBusch

@dashrender said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.

Only your soft phones are doing this?

@EddieJennings this.. Do you not have a deskphone at one of these locations causing the same problem?

Dashrender

@jaredbusch said in Securing FreePBX from attacks:

@dashrender said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

Yeah. I'm probably going to have to do that. It just doesn't make sense for these Linphone users to successfully register, then be rate-limited, then be blocked as attackers.

Only your soft phones are doing this?

@EddieJennings this.. Do you not have a deskphone at one of these locations causing the same problem?

Both softphones and deskphones are causing my issue.

EddieJennings

At the moment, that appears to be the case: Yealink phone users are unaffected. However, there's one user I'm watching before I can verify that to be 100% true.

EddieJennings

Ok, it appears that my two external Yealink phone users' phones are staying registered. I'm going to install Linphone at home and see if I can replicate this problem.

Dashrender

@eddiejennings said in Securing FreePBX from attacks:

Ok, it appears that my two external Yealink phone users' phones are staying registered. I'm going to install Linphone at home and see if I can replicate this problem.

Are those Yealink phones only in locations that are specifically listed a trusted sites?

In my case, I never added their IP as a trusted site and they worked fine for over 2 weeks. Then one day, they started being blocked. The day they started being blocked was the first time they tried using UCP from that location.

Adding the IP to the Trusted Sites list did provide a work-a-round, but really, they shouldn't have been getting blocked for any reason I can tell.

EddieJennings

Two of my phones are in the office, which is a trusted network for the PBX. Two are at users's homes, whose networks aren't explicitly trusted. Linphone was giving me problems on my Korora machine on Friday, so I installed Zoiper when I was at home. My IP was rate limited once, but never made it to the blocked list.

I have a good bit of menial tasks this morning. I intend to get an external softphone user back on line after noon or so EST so I can see if I can replicate this problem (making 100% sure credentials, etc. are right).

black3dynamite

@eddiejennings said in Securing FreePBX from attacks:

Two of my phones are in the office, which is a trusted network for the PBX. Two are at users's homes, whose networks aren't explicitly trusted. Linphone was giving me problems on my Korora machine on Friday, so I installed Zoiper when I was at home. My IP was rate limited once, but never made it to the blocked list.

I have a good bit of menial tasks this morning. I intend to get an external softphone user back on line after noon or so EST so I can see if I can replicate this problem (making 100% sure credentials, etc. are right).

Are you using the latest version of linphone from their website or the one from the repo?

EddieJennings

Alas, no change. Unless there's a log that shows dropped packets, I'm at a loss.

All users' extensions have Max Contacts set at 3.

User 1:

• Yealink phone in the office that has their extension and User 2's extension registered on it. - Zero problems
• Yealink phone at their home that has their extension on it. - Zero problems

User 2:

• Yealink phone in the office that has their extension and User 1's extension registered on it - Zero problems.
• Yealink phone at their home that has their extension on it. Extension registers, and is listed in Chan_PJSip enpoints; however, afer a few minutes, the IP address is blocked by the Responsive Firewall, and this appears in the Freepbx log.

[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Contact XXX/sip:[email protected]:5060 is now Unreachable. RTT: 0.000 msec
[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Endpoint XXXis now Unreachable

User 3:

• Linphone softphone on Windows computer. 100% correct server setting and extension credentials. Same behavior as User's 2 at home Yealink phone with the IP block.

Dashrender

@eddiejennings said in Securing FreePBX from attacks:

Alas, no change. Unless there's a log that shows dropped packets, I'm at a loss.

All users' extensions have Max Contacts set at 3.

User 1:

• Yealink phone in the office that has their extension and User 2's extension registered on it. - Zero problems
• Yealink phone at their home that has their extension on it. - Zero problems

User 2:

• Yealink phone in the office that has their extension and User 1's extension registered on it - Zero problems.
• Yealink phone at their home that has their extension on it. Extension registers, and is listed in Chan_PJSip enpoints; however, afer a few minutes, the IP address is blocked by the Responsive Firewall, and this appears in the Freepbx log.

[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Contact XXX/sip:[email protected]:5060 is now Unreachable. RTT: 0.000 msec
[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Endpoint XXXis now Unreachable

User 3:

• Linphone softphone on Windows computer. 100% correct server setting and extension credentials. Same behavior as User's 2 at home Yealink phone with the IP block.

What you don't mention is if any of the IPs associated with these phones are in the trusted list. Just for FYI reasons.

EddieJennings

@dashrender said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

Alas, no change. Unless there's a log that shows dropped packets, I'm at a loss.

All users' extensions have Max Contacts set at 3.

User 1:

• Yealink phone in the office that has their extension and User 2's extension registered on it. - Zero problems
• Yealink phone at their home that has their extension on it. - Zero problems

User 2:

• Yealink phone in the office that has their extension and User 1's extension registered on it - Zero problems.
• Yealink phone at their home that has their extension on it. Extension registers, and is listed in Chan_PJSip enpoints; however, afer a few minutes, the IP address is blocked by the Responsive Firewall, and this appears in the Freepbx log.

[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Contact XXX/sip:[email protected]:5060 is now Unreachable. RTT: 0.000 msec
[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Endpoint XXXis now Unreachable

User 3:

• Linphone softphone on Windows computer. 100% correct server setting and extension credentials. Same behavior as User's 2 at home Yealink phone with the IP block.

What you don't mention is if any of the IPs associated with these phones are in the trusted list. Just for FYI reasons.

The phones in the office are, since the IP of the office is on the trusted list. The phones outside the office are not, as they're whatever IP the user's ISP gives them.

JaredBusch

@dashrender said in Securing FreePBX from attacks:

@eddiejennings said in Securing FreePBX from attacks:

Alas, no change. Unless there's a log that shows dropped packets, I'm at a loss.

All users' extensions have Max Contacts set at 3.

User 1:

• Yealink phone in the office that has their extension and User 2's extension registered on it. - Zero problems
• Yealink phone at their home that has their extension on it. - Zero problems

User 2:

• Yealink phone in the office that has their extension and User 1's extension registered on it - Zero problems.
• Yealink phone at their home that has their extension on it. Extension registers, and is listed in Chan_PJSip enpoints; however, afer a few minutes, the IP address is blocked by the Responsive Firewall, and this appears in the Freepbx log.

[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Contact XXX/sip:[email protected]:5060 is now Unreachable. RTT: 0.000 msec
[2017-10-03 11:51:38] VERBOSE[2735] res_pjsip/pjsip_configuration.c: Endpoint XXXis now Unreachable

User 3:

• Linphone softphone on Windows computer. 100% correct server setting and extension credentials. Same behavior as User's 2 at home Yealink phone with the IP block.

What you don't mention is if any of the IPs associated with these phones are in the trusted list. Just for FYI reasons.

He did list this information. scroll back a couple posts.

AdamF

I just had this issue with 2 users. Both were using the Grandstream Wave app softphone. Then they tried to register using the Bria app. Worked instantly. Strange behavior