Securing FreePBX with Properly Configured iptables
By Savoy
Date: October 2024

Introduction

Recently a client's FreePBX system came under attack, and the attack was causing major connectivity issues. Because the iptables setup was misconfigured, not only the attacker but also the client's SIP provider was being blocked, which disrupted service. In this post we walk through how we identified the attack and how we resolved the issue by properly configuring and saving the iptables rules.

Identifying the Attack

The client reported that their SIP provider was unable to connect. To investigate, I enabled SIP debugging from the Asterisk CLI. The output showed a large number of REGISTER attempts from unauthorized IP addresses, a clear sign that the system was under a brute-force attack.

sip set debug on
The debug logs revealed the following:

REGISTER attempts from multiple unknown IPs...
These attempts were flooding the system, and the resulting blocking caught not only the attacker but unfortunately also the SIP provider, because the iptables rules had not been set up to allow the provider's legitimate traffic.

Resolving the Issue by Setting Up iptables Properly

To resolve the issue, I configured the iptables rules so that the attacker's IPs were blocked while the SIP provider could still connect. Here's the process I followed:

Step-by-Step Guide to Add and Save iptables Rules

First, we added a rule to allow traffic from the SIP provider's network:

# Allow traffic from SIP provider network (example: 192.168.1.0/24)
iptables -A INPUT -s 192.168.1.0/24 -j ACCEPT

After adding this rule, we saved the iptables configuration to ensure it persists across reboots:

# Save iptables configuration
service iptables save

To block the attacker's IPs, I used iptables to drop any traffic from the suspicious IP addresses:

# Block traffic from attacker IP (example: 203.0.113.100)
iptables -A INPUT -s 203.0.113.100 -j DROP

After this, I saved the configuration again:

# Save updated iptables configuration
service iptables save

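As an added, end-to-end example (my code, not the post's or the FreePBX project's), here is a small POSIX shell script that turns the two parts of this post into one process: it counts REGISTER requests per source in sip set debug output, skips anything inside the provider's network, and emits the iptables rules with the provider's ACCEPT placed above every DROP. The debug lines are a constructed sample in the chan_sip "SIP read from" layout; the chain name PBX-GUARD, the REGISTER threshold, the /24 prefix check and the DRY_RUN switch are my assumptions; the addresses are the post's own examples, and the save step is the post's service iptables save.

```shell
#!/bin/sh
# Added example, not code from the original post. It reproduces the two
# steps of the post in one script: summarise REGISTER sources from
# "sip set debug" output, then emit iptables rules in which the SIP
# provider's ACCEPT is evaluated before any DROP.
#
# Assumptions (none are from the post): the debug lines below are a
# constructed sample in the "<--- SIP read from UDP:ip:port --->" layout;
# the chain name PBX-GUARD and the REGISTER threshold are ours; the
# provider network is treated as a /24 for the prefix check; DRY_RUN=1
# (the default) prints the iptables commands instead of executing them.

PROVIDER_NET="${PROVIDER_NET:-192.168.1.0/24}"     # the post's example provider network
PROVIDER_PREFIX="${PROVIDER_NET%.*/*}"              # 192.168.1.0/24 -> 192.168.1
THRESHOLD="${THRESHOLD:-2}"                         # REGISTERs per source before we flag it
DRY_RUN="${DRY_RUN:-1}"

# Constructed sample of chan_sip debug output: three REGISTERs from the
# post's example attacker, two from a provider host, one from a third IP.
SAMPLE_DEBUG='<--- SIP read from UDP:203.0.113.100:5060 --->
REGISTER sip:pbx.example.invalid SIP/2.0
<--- SIP read from UDP:192.168.1.10:5060 --->
REGISTER sip:pbx.example.invalid SIP/2.0
<--- SIP read from UDP:203.0.113.100:5060 --->
REGISTER sip:pbx.example.invalid SIP/2.0
<--- SIP read from UDP:192.168.1.10:5060 --->
REGISTER sip:pbx.example.invalid SIP/2.0
<--- SIP read from UDP:198.51.100.7:5060 --->
REGISTER sip:pbx.example.invalid SIP/2.0
<--- SIP read from UDP:192.168.1.10:5060 --->
OPTIONS sip:pbx.example.invalid SIP/2.0
<--- SIP read from UDP:203.0.113.100:5060 --->
REGISTER sip:pbx.example.invalid SIP/2.0'

# register_counts: read debug output on stdin, print "count ip" per source,
# highest first. Only the request line directly after a "SIP read from"
# banner is inspected, so responses and other methods are not counted.
register_counts() {
    awk '
        /SIP read from/ {
            src = $0
            sub(/.*from [A-Z]*:/, "", src)   # drop "<--- SIP read from UDP:"
            sub(/:[0-9]+.*/, "", src)         # drop ":5060 --->"
            expect = 1
            next
        }
        expect && /^REGISTER / { count[src]++ }
        { expect = 0 }
        END { for (ip in count) print count[ip], ip }
    ' | sort -rn
}

# suspects THRESHOLD: sources at or above the threshold, excluding the
# provider network so a legitimate trunk is never turned into a DROP rule.
suspects() {
    register_counts | awk -v t="$1" -v pfx="$PROVIDER_PREFIX." \
        '$1 >= t && index($2, pfx) != 1 { print $2 }'
}

# build_rules IP...: print the iptables commands. A dedicated chain is
# hooked at position 1 of INPUT, so the provider ACCEPT sits above every
# DROP regardless of what FreePBX's own firewall already put in INPUT.
build_rules() {
    echo "iptables -N PBX-GUARD 2>/dev/null || iptables -F PBX-GUARD"
    echo "iptables -A PBX-GUARD -s $PROVIDER_NET -j ACCEPT"
    for ip in "$@"; do
        echo "iptables -A PBX-GUARD -s $ip -j DROP"
    done
    echo "iptables -A PBX-GUARD -j RETURN"
    echo "iptables -C INPUT -j PBX-GUARD 2>/dev/null || iptables -I INPUT 1 -j PBX-GUARD"
    echo "service iptables save"               # persist across reboots, as in the post
}

# apply_rules IP...: run (or, in dry-run mode, just show) the commands.
apply_rules() {
    build_rules "$@" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "DRY-RUN: $cmd"
        else
            sh -c "$cmd"
        fi
    done
}

echo "REGISTER attempts per source:"
printf '%s\n' "$SAMPLE_DEBUG" | register_counts
flagged="$(printf '%s\n' "$SAMPLE_DEBUG" | suspects "$THRESHOLD")"
# word splitting of the space-separated IP list is intended here
apply_rules $flagged
```

Run it as root with DRY_RUN=0 to actually apply the rules; by default it only prints them. The ordering point is the caveat worth taking from this post: -A appends to the end of INPUT, so if an earlier rule already matches a packet the appended rule never runs, and a DROP that ends up ahead of the provider's ACCEPT recreates exactly the outage described above. Hooking one dedicated chain at position 1 keeps both rules together, where their order can be checked with iptables -L PBX-GUARD -n. The prefix test is only a shortcut for a /24 provider network; for anything else use a proper CIDR check or an ipset.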
Conclusion

By properly configuring the iptables rules, we successfully blocked the attacker's IP address while ensuring that the SIP provider could reconnect and restore the client's services. If you're managing a FreePBX or similar system, it's essential to ensure your iptables rules are properly set up to allow legitimate traffic while blocking unauthorized access attempts. Don't forget to save your rules to maintain system protection even after reboots!
For more IT tips and solutions, follow my blog or reach out if you're looking for expert managed IT services.