Freepbx Security

There is a security hole in FreePBX < 13.0.188. Freepbx is vulnerable to Remote command execution due to insufficient sanitization of user input fields.

For more details checkout this link.

Its important to keep your free-pbx secure. Once the hacker gets access to your system, they can make thousands of dollar of calls to expensive areas all over the world. Freepbx is free software, but it comes with lot of responsibility. We see lot of people get attracted towards free software but they dont spend enough tough in learning the software and almost no time in how to keep it secure.

If you dont have enough expertise and if you are a small company, please do yourself a favor and consider using hosted phone service.

Check out SIP Trunking Pricing for Freepbx.




Troubleshooting SIP Service with ngrep

If you are using VoIP (Voice over IP) then at some point you must have to troubleshoot the call flow to find where the problem is. There are many tools you can use. To teach you exactly how to use a protocol analyzer is beyond the scope of this material; however, we will give you some tips on analyzing SIP and RTP packets. Bear in mind these tools can do much much more than what I illustrate here. I will be using these tool just to capture VoIP traffic.

Most common used tool are: Ngrep, Wireshark, TCPdump.

We often use ngrep to monitor our VoIP services, because it is very simple and light. If you don’t have it installed, then you can download it from this link

This command will capture everything on SIP port (I know this can capture any network activity, but I am using it for VoIP on SIP ) and dump the data on the screen. Easiest way to know how your system in interacting with your vendor or client.
See everything on your system on SIP protocol.

ngrep port 5060

If you want to filter the traffic based on phone number
ngrep ‘9498859944’ port 5060

If you want to filter traffic based on IP address
ngrep ‘IPAddress’ port 5060
ngrep ‘’ port 5060

Other important options
-t     Print a timestamp in the form of YYYY/MM/DD
-T     Print a timestamp in the form of +S.UUUUUU, indicating the delta between packet matches.
ngrep  -t ‘9498859944’ port 5060
ngrep  -T ‘9498859944’ port 5060

As I said there are lot more options read man pages ‘man ngrep’, but this is good enough to see the call flow on your system.

VoIP Provider,

Is your Asterisk system under heavy attack

This week one of our customer was attacked by more than 10000 Unique IPs. These hackers try to register on your system using some random username and easy to crack password. Few week back I wrote few tips on securing your asterisk servers.

Even if you took all the steps to secure your asterisk, still you dont want these attackers to flood your system with dummy registration requests. Use iptables and easy to implement shell script to block these attackers. You can easily block flooding traffic to your system. Iptables, can be used to filter IP traffic, provides high level packet filtering. Use the shell script below and setup a cron and have a good night sleep. The script will automatically block the IPs flooding your Asterisk system with failed registration requests.

Monitor Asterisk’s Log for Failed Registrations

In most cases of a sip flood attack, the host tries to register on your Asterisk. All the failed attempts from these hosts are identified in the Asterisk log (/var/log/messages or /var/log/full if you are using Asterisk Based PBX  as “No matching peer found.” The following script scans /var/log/full for these patterns, strips the IP address of attacker, and block it.

Script reads the log file and use IPTABLES to block any further attempts. While reading the log file it always set a check in and check out flag. So that next time it can start from last check out position.

Copy the code and save in /usr/local/bin/check_sip_attack
chomod 755 /usr/local/bin/check_sip_attack
#########Start from Next line  ##########

# Script Donated by
#crontab -l
# make an entry in Crontab
#01-59/2 * * * * /usr/local/bin/check_sip_attack

BINDIR=dirname $0; echo $BINDIR | grep ^/ > /dev/null || BINDIR=pwd/dirname $0
arch=”uname -muname -s

# echo “BINDIR= ”  ${BINDIR}
cd /var/log/asterisk
if [ ! -r ${log} ]; then
printf “could not read error file (${log})n”
start=”grep -n -e CRON: start ${log} | tail -n -1 | sed s/:/ /g | awk '{print $1}'
stop=”grep -n -e CRON: stop ${log} | tail -n -1 | sed s/:/ /g | awk '{print $1}'
if [ “$start” = “” ]; then start=0; fi
if [ “$stop” = “” ]; then stop=0; fi
if [ “$start” -le “$stop” ]; then
error=”tail -n +${stop} ${log} | grep -i Registration | grep -i Failed | tail -n +1
if [ ! ( “x$error” = “x” ) ]; then
printf “nnCRON: start — sending info — datenn” >> ${log}
ccc=printf "%s" "$error" | wc -l | awk '{print $1}'
if [ $ccc -gt 0 ]; then
printf “EXCERPT FROM ASTERISK LOG FILE ${log}:nn%snnDONE.nn” “$error”
printf “%s” “$error” > /tmp/sipappatck.tmp
for ip in cat /tmp/sipappatck.tmp | awk '{print $11}' | sort | uniq | sed s/'//g ; do
echo “iptables -I INPUT -s $ip -j DROP”
/sbin/iptables -I INPUT -s $ip -j DROP
printf “nnCRON: stop — info sent — datenn” >> ${log}

exit 0

# end
#########Stop here ##########

Final step is to schedule the script with cron. Add a line in cron.

01-59/2 * * * * /usr/local/bin/check_sip_attack
This will run the scrip for every two minutes (Of course you can change the timings) and have a good night sleep.

Any questions or comments are very welcome.