How to ban an IP from accessing network

km6zpo

Is it possible to completely ban a certain IP from getting through one of my nodes?  My PBX server is under attack from 144.202.59.42

nc8q
Is it possible to completely ban a certain IP?
Hi, Mark:

Likely.
It would be helpful to know the host OS of the PBX or
if there is a router between the PBX and 144.202.59.42, then
its OS, make, model,...

e.g. I run a PFSense firewall/router here and it will route by IP address.

HTH, Chuck

km6zpo
More info

The PBX is FreePBX running on Raspberry Pi OS 5.4.51-v7+
The Raspberry Pi is connected to a MikroTik HAP Lite, mesh version 3.22.6.0 which is tunneled over the Internet.
The HAP lite is connected to a home router, a D-Link DIR-859 which doesn't seem to have any way of blocking certain IP addresses.  ( https://ftp.dlink.ca/ftp/PRODUCTS/DIR-859/DIR-859_REVA_MANUAL_1.00_EN.PDF )
Is it possible to block IPs at the hap lite level?
I know that firewall software exists for the Raspberry Pi.  I've tried fail2ban and UFW in the past.  They tend to block more than I want blocked.

 

km6zpo
Trying UFW again

I added a rule to UFW in /etc/ufw/user.rules

### tuple ### deny any any 0.0.0.0/0 any 144.202.59.42 in
-A ufw-user-input -s 144.202.59.42 -j DROP

I enabled it.  We'll see what happens.  I'd rather have this filtered out before the traffic hits the PBX.

Here are all the rules:


To                         Action      From
--                         ------      ----
Anywhere                   DENY        216.245.203.98
Anywhere                   ALLOW       10.177.158.224/29 22/tcp
Anywhere                   ALLOW       10.95.79.33/28 22/tcp
80                         ALLOW       Anywhere
443                        ALLOW       Anywhere
53/tcp                     ALLOW       Anywhere
53/udp                     ALLOW       Anywhere
10000:20000/tcp            ALLOW       Anywhere
10000:20000/udp            ALLOW       Anywhere
Anywhere                   DENY        195.154.241.73
Anywhere                   DENY        213.248.112.39
Anywhere                   DENY        119.90.53.137
Anywhere                   DENY        144.202.59.42

 

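One caveat about the rule list above: UFW evaluates rules in the order shown and the first match wins, so a DENY for 144.202.59.42 appended after "80 ALLOW Anywhere" still lets that host reach port 80 (and any other port already allowed from Anywhere). The following added Python model (not from this thread; the table is a constructed subset of Mark's, and the deny-by-default incoming policy is an assumption) walks the rules the way UFW does and shows the effect of putting the deny first, which on the Pi is `sudo ufw insert 1 deny from 144.202.59.42`.

```python
import ipaddress
import re
# Constructed subset of the `ufw status` table from the post, in UFW's evaluation order.
UFW_STATUS = """\
Anywhere                   DENY        216.245.203.98
80                         ALLOW       Anywhere
10000:20000/udp            ALLOW       Anywhere
Anywhere                   DENY        144.202.59.42
"""
PORT_RE = re.compile(r"(\d+)(?::(\d+))?(?:/(tcp|udp))?")  # 80, 53/tcp, 10000:20000/udp

def _parse_side(spec):
    """One To/From column -> (network or None, port range or None, proto or None)."""
    net, ports, proto = None, None, None
    for tok in spec.split():
        m = PORT_RE.fullmatch(tok)
        if m:
            lo, hi = int(m.group(1)), int(m.group(2) or m.group(1))
            ports, proto = range(lo, hi + 1), m.group(3)
        elif tok != "Anywhere":  # host or CIDR
            net = ipaddress.ip_network(tok, strict=False)
    return net, ports, proto

def parse_rules(status_text):
    """[(to_side, action, from_side), ...] in UFW's evaluation order."""
    rules = []
    for line in status_text.splitlines():
        m = re.match(r"(.+?)\s{2,}(ALLOW|DENY|REJECT)\s{2,}(.+)$", line.strip())
        if m:
            rules.append((_parse_side(m.group(1)), m.group(2), _parse_side(m.group(3))))
    return rules

def _matches(side, addr, port, proto):
    net, ports, sproto = side
    return ((net is None or addr in net) and (ports is None or port in ports)
            and (sproto is None or sproto == proto))

def evaluate(rules, src, dst_port, proto="tcp", src_port=40000, dst="10.95.79.35", default="DENY"):
    """First match wins; `default` models `ufw default deny incoming` (an assumption)."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for to_side, action, from_side in rules:
        if _matches(to_side, dst_ip, dst_port, proto) and _matches(from_side, src_ip, src_port, proto):
            return action
    return default

def move_deny_first(rules, host):
    """Model of `ufw insert 1 deny from <host>`: put that host's DENY rules ahead of the allows."""
    net = ipaddress.ip_network(host)
    denies = [r for r in rules if r[1] == "DENY" and r[2][0] == net]
    return denies + [r for r in rules if r not in denies]
```

`ufw status numbered` shows the same order the model walks, so the position of a host-wide deny can be checked directly on the Pi.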
K6CCC
I'm assuming that the attacker is coming via this route:  Internet > your internet service > your router > your home LAN > WAN port of the hAP > LAN network of hAP > RasPi.  Is that correct?
If so, your best bet would be to block it at your router.  Since that does not seem to be possible with your router - a little surprising that the NAT rule in the router can't filter it - filtering it in the hAP or the RasPi are your only options.  I don't speak enough Linux to help with either of those.
 
km6zpo
The route

Technically the path would be {tunnel1}  or {tunnel2} > Internet  (via tunnel) > Router > Hap Lite > Raspberry PI PBX

Turning on the UFW firewall on the Raspberry PI will solve the problem temporarily.  But it looks like long term I need to upgrade my WAN router to get something that can actually block select IPs.

nc8q
"Technically the path would be {tunnel1}  or {tunnel2} > Internet  (via tunnel) > Router > Hap Lite > Raspberry PI PBX"

I really don't care about "{tunnel1}  or {tunnel2}".
I do care about "Internet", by any means, > ... > Raspberry Pi PBX.

Why are you granting (everything and everyone on the) internet access to your local AREDN PBX server?

Chuck

K6CCC
I doubt that's it.

Technically the path would be K6PVR-VC-TUNNEL-SRV  or KE6BXT-QTH-GLAR750-110  > Internet  (via tunnel) > Router > Hap Lite > Raspberry PI PBX

I don't believe that is correct.  The source IP is internet, not AREDN, so it would have to be coming from an internet entrance point (which an AREDN tunnel is not, because the internet does not have access to what is inside the tunnel).  In theory, it could be coming into some other AREDN node that then routes that to your RasPi AREDN IP address, but that would require some other node explicitly forwarding internet traffic to your IP - seems pretty unlikely.
As I recall you have your PBX set up so that it can be accessed both from the internet and from the AREDN network.  And further, I assume that the RasPi PBX only has an IP on the AREDN mesh, so internet traffic to the PBX must be port forwarded in your router to the IP of the hAP WAN port and then also explicitly port forwarded in the hAP (bottom of the Port forwarding, DHCP and services page) to the LAN IP of the RasPi.  Presumably that means that you are forwarding whatever IP ports that hit your router from the internet to get to the hAP WAN IP.  This is not entering via the tunnel.  If that second assumption is incorrect and the RasPi also has a second network connection that gives it internet access (presumably directly via your home LAN), then this whole discussion is moot - your router needs to do the firewalling.
 
km6zpo
Let's see...

The PBX has only one IP address - 10.95.79.35.
I used to forward port 5060 from the outside wan to the HAP LITE, but after being attacked previously, I shut that off. 

On the HAP Lite, I do have "share WAN with others" checked.  Perhaps that should be shut off since it's only a tunneling device anyway?
Also on the HAP lite, I have port 5060 forwarded to the PBX.  I believe I did that so that others could direct dial the PBX.  I'll test removing that and having somebody try to dial the PBX direct.  


 

nc8q
"The source IP is internet, not AREDN"
+1 with Jim K6CCC.

Chuck

K6CCC
OK, my initial assumption is correct.  You were forwarding port 5060 in your router from the internet to the hAP WAN IP, and then forwarding in your hAP port 5060 from the WAN port to the LAN IP of the RasPi.  I don't believe having "share WAN with others" would cause an issue as that is for traffic originating on the AREDN mesh.  However I would leave it off unless there is a specific reason to leave it on.  Additionally it sounds like you also have an advertised service on the hAP that points to the PBX IP.  Other than making the PBX searchable, that has no effect on whether the PBX is reachable on the mesh - it has an AREDN mesh IP and is therefore reachable.
 
km6zpo
Not exactly...
In the current scenario, port 5060 was not forwarded from the outside WAN router.  I had it forwarding from within the HAP LITE port forwarding settings.

The PBX server is an advertised service to surface the web server on PORT 80, which is the interface to the PBX admin.

At the moment I have turned off port forwarding on the HAP lite and I've enabled the UFW firewall to block the offending IP address.  And since I did that I've had no issues from that IP address.  

If anyone could call my PBX at 10.95.79.35 and leave a message on extension 2000 or extension 5000, that would be appreciated and would verify that turning off port 5060 forwarding on the hap lite has no effect.

Thanks everyone!

---mark, KM6ZPO

nc8q
144.202.59.42 is an 'outside' IP address.

"In the current scenario, port 5060 was not forwarded from the outside WAN router. "

Of the offending internet/outside address, 144.202.59.42, what is the port that is reaching the PBX?

Chuck

km6zpo
Good question...
@nc8q

"Of the offending internet/outside address, 144.202.59.42, what is the port that is reaching the PBX?"

All of the offending entries looked like this:

[2022-06-21 23:55:04] NOTICE[8860] chan_sip.c: Registration from '100 <sip:100@192.168.0.130:5060>' failed for '144.202.59.42:5060' - Wrong password
[2022-06-21 23:59:35] NOTICE[8860] chan_sip.c: Registration from '100 <sip:100@192.168.0.130:5060>' failed for '144.202.59.42:5060' - Wrong password

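Those two lines are exactly what fail2ban's asterisk filter keys on. As an added example (not from this thread), here is a small stand-alone Python detector over a constructed log sample that includes Mark's two lines: it parses failed chan_sip registrations, flags a source that exceeds a failure threshold inside a time window, and lists which extensions it tried, which is what separates one mistyped password on a mesh phone from a scan.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the two chan_sip lines quoted in the post, a third from the
# same source trying another extension, one failure from a mesh phone, and a
# successful registration that the filter must ignore.
SAMPLE_LOG = """\
[2022-06-21 23:55:04] NOTICE[8860] chan_sip.c: Registration from '100 <sip:100@192.168.0.130:5060>' failed for '144.202.59.42:5060' - Wrong password
[2022-06-21 23:59:35] NOTICE[8860] chan_sip.c: Registration from '100 <sip:100@192.168.0.130:5060>' failed for '144.202.59.42:5060' - Wrong password
[2022-06-22 00:01:10] NOTICE[8860] chan_sip.c: Registration from '101 <sip:101@192.168.0.130:5060>' failed for '144.202.59.42:5060' - Wrong password
[2022-06-22 00:03:42] NOTICE[8860] chan_sip.c: Registration from '"Mark" <sip:2000@10.95.79.35>' failed for '10.95.79.40:5060' - Wrong password
[2022-06-22 00:04:00] VERBOSE[8860] chan_sip.c: -- Registered SIP '2000' at 10.95.79.40:5060
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<claimed>[^']*)' failed for '(?P<src>[\d.]+):\d+' - (?P<reason>.+)$")
USER_RE = re.compile(r"sip:([^@>]+)@")  # extension inside the claimed From URI

def parse_failures(log_text):
    """Return (timestamp, source_ip, claimed_extension, reason) per failed registration."""
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            user = USER_RE.search(m["claimed"])
            out.append((datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["src"],
                        user.group(1) if user else m["claimed"], m["reason"]))
    return out

def offenders(log_text, max_failures=2, window_minutes=10):
    """Map source IP -> failure count for sources exceeding max_failures inside any window."""
    by_src = defaultdict(list)
    for ts, src, _, _ in parse_failures(log_text):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window anchored at each failure
            n = sum(1 for t in times[i:] if (t - start).total_seconds() <= window_minutes * 60)
            if n > max_failures:
                flagged[src] = n
                break
    return flagged

def targeted_extensions(log_text, src_ip):
    """Which extensions a given source tried (several in a row suggests a dictionary scan)."""
    return sorted({ext for _, src, ext, _ in parse_failures(log_text) if src == src_ip})
```

The output of `offenders()` is what a ban rule on the Pi or on an upstream router would be fed; the claimed host in the From URI (192.168.0.130 here) is attacker-supplied and must never be used for blocking, only the real source address.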
 
nc8q

Hi, Mark:

"If anyone could call my PBX at 10.95.79.35 and leave a message on extension 2000 or extension 5000, that would be appreciated and would verify that turning off port 5060 forwarding on the hap lite has no effect."

AFAIK, the PBX should be expecting 'registered' phones to dial 'extensions'.
AFAIK, the PBX should not be accepting SIP calls from unregistered extensions (phones).
AFAIK, registered phones call a PBX's extensions, not a PBX directly.
AFAIK, unregistered phones should NOT have any relationship with a PBX.
-----

"At the moment I have turned off port forwarding on the HAP lite"

Why was the WAN side of your hAP playing any part of your PBX service?

Chuck

km6zpo
I'll try these settings

@nc8q

I'll try setting Allow Anonymous Inbound SIP Calls to "no"
And Allow SIP Guests to "no"
There was a reason I set those to yes, but I have forgotten why. 

UPDATE: Outside dialing in (from VOIP number) and outbound dialing (via VOIP number) are still working.  So it looks like locking down anonymous calls has no effect on that functionality.    HOWEVER, by limiting anonymous and disallowing guest callers, I lose the functionality of people being able to dial my PBX directly via 10.95.79.35.  That's why I had allow guest and allow anonymous enabled.  Is there a workaround?

There was a time that I wanted to be able to use my PBX from the Internet side (with Linphone) to be able to make / receive calls from people on the mesh.  That's why I had 5060 open on the WAN side.  But that hasn't been open for a long time.  The attacks came from within the MESH.

 

K6CCC

"The attacks came from within the MESH."

Nope.  144.anything is NOT a mesh IP.
 
nc8q
VOIP number

"(from VOIP number)"
"(via VOIP number)"

Hi, Mark:

What is a "VOIP number"?
-----

What does your PBX do with an anonymous inbound SIP (port 5060) connection?
Do you have an 'Interactive Voice Response (IVR)' to re-direct the call or does it ring a phone or a 'group' ring?
-----

POTS Plain Old Telephone System
PSTN Public Switched Telephone System

I have 2 VoIP accounts configured on my local AREDN PBX.
1 SIP and 1 IAX2 trunk. Each from a separate VoIP company.
Folks can 'dial-in from 'PSTN' and select a registered extension to ring.
Registered extension can 'dial-out to PSTN'.
My PBX does not do anything for unregistered/unauthenticated SIP or IAX2 circuits.

Chuck