Brute-Force Attacks / Fail2ban Events

Symptom: logs flooded with SIP REGISTER attempts from random IPs. Notifications about banned IPs. Concern about toll fraud.

What's Happening

The internet is hostile. Any PBX on a public IP gets scanned constantly. UnifiedBX's Responsive Firewall + Fail2ban absorb the noise — what you're seeing in logs is protection working, not protection failing.

That said, a successful break-in does happen via:

  1. Weak SIP secrets — easy passwords get guessed.
  2. Default credentials — never-changed admin/admin accounts.
  3. Misconfigured firewall — SIP port open to "Other" (public) zone instead of just "Internal" / "Trusted."

Diagnose

# Recent ban events:
fail2ban-client status freepbx-pbx
# Or all jails:
fail2ban-client status

# Most recent 50 ban events (grep "Ban " does not match "Unban " lines):
grep "Ban " /var/log/fail2ban.log | tail -50

# Are there successful unauthorized registrations?
asterisk -rx "pjsip show endpoints" | grep -v "<your-known-ext>"

# Run weak password report:
# (UnifiedBX GUI: Reports → Weak Password Detection → Scan)

# Check CDR for unexpected outbound activity:
mysql -u root cdr -e "
  SELECT calldate,src,dst,duration,disposition
  FROM cdr
  WHERE calldate > NOW() - INTERVAL 1 DAY
    AND duration > 60
  ORDER BY calldate DESC LIMIT 50"
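The grep above shows raw ban lines; what you usually want to know is how many bans each jail produced in the last day, which addresses keep coming back, and whether one of your own office addresses is among them (a sign the allowlist is missing). The script below is an added example, not UnifiedBX code: it parses the default fail2ban log line format and summarizes Ban events inside a time window (24 hours by default). The log lines are constructed samples and the office address is an assumption.

```python
"""Summarize fail2ban ban events in a time window (added example, not UnifiedBX code)."""
import re
from collections import Counter
from datetime import datetime, timedelta

# Default fail2ban format:
# "YYYY-MM-DD HH:MM:SS,mmm fail2ban.actions [pid]: NOTICE [jail] Ban 1.2.3.4"
BAN_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*?"
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)"
)

# Constructed sample log lines (not from a real system; documentation-range IPs).
SAMPLE_LOG = """\
2024-03-10 08:15:02,113 fail2ban.actions        [1422]: NOTICE  [freepbx-pbx] Ban 203.0.113.45
2024-03-10 08:17:44,908 fail2ban.actions        [1422]: NOTICE  [freepbx-pbx] Ban 198.51.100.7
2024-03-10 09:02:11,001 fail2ban.actions        [1422]: NOTICE  [freepbx-pbx] Unban 203.0.113.45
2024-03-10 21:30:05,512 fail2ban.actions        [1422]: NOTICE  [freepbx-pbx] Ban 203.0.113.45
2024-03-11 03:12:19,777 fail2ban.actions        [1422]: NOTICE  [sshd] Ban 198.51.100.7
2024-03-11 07:40:00,004 fail2ban.actions        [1422]: NOTICE  [freepbx-pbx] Ban 192.0.2.10
"""


def parse_bans(log_text):
    """Yield (timestamp, jail, ip) for each Ban line; Unban lines are skipped."""
    for line in log_text.splitlines():
        m = BAN_RE.match(line)
        if m and m.group("action") == "Ban":
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            yield ts, m.group("jail"), m.group("ip")


def summarize_bans(log_text, now, hours=24, office_ips=()):
    """Count bans per jail and per IP inside [now - hours, now].

    `now` may be a datetime or a "YYYY-MM-DD HH:MM:SS" string. Returns a dict
    with Counters 'by_jail' and 'by_ip', 'repeat_offenders' (IPs banned more
    than once) and 'office_hits' (bans against addresses you meant to allowlist).
    """
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    cutoff = now - timedelta(hours=hours)
    by_jail, by_ip = Counter(), Counter()
    for ts, jail, ip in parse_bans(log_text):
        if cutoff <= ts <= now:
            by_jail[jail] += 1
            by_ip[ip] += 1
    office = set(office_ips)
    return {
        "by_jail": by_jail,
        "by_ip": by_ip,
        "repeat_offenders": sorted(ip for ip, n in by_ip.items() if n > 1),
        "office_hits": sorted(ip for ip in by_ip if ip in office),
    }


if __name__ == "__main__":
    # Fixed "now" so the sample is reproducible; on a live box use datetime.now()
    # and read /var/log/fail2ban.log instead of SAMPLE_LOG.
    report = summarize_bans(SAMPLE_LOG, "2024-03-11 08:00:00", office_ips=["192.0.2.10"])
    for jail, n in report["by_jail"].most_common():
        print(f"{jail}: {n} bans in last 24h")
    print("repeat offenders:", report["repeat_offenders"])
    print("office addresses banned (allowlist them):", report["office_hits"])
```

Repeat offenders are the normal background noise; an office address in `office_hits` is the case to act on, since it means a mistyped phone password will lock out real users.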

Fix

  • Ensure firewall posture: System Admin → Firewall → Services — verify SIP is Trusted + Internal, not Other. Web Admin should be Trusted only.
  • Run Weak Password report: Reports → Weak Password Detection → reset any flagged credentials.
  • Strong SIP secrets: every extension should have a 16+ char auto-generated secret, NOT something memorable.
  • Strong AMI secrets: System Admin → UnifiedBX Manager Users — same standard.
  • Strong admin passwords: System Admin → Administrators — 12+ chars, password manager.
  • Disable unused extensions: User Attributes → Extensions → → Disable = Yes.
  • Whitelist your office IP in fail2ban so a typo doesn't lock your team out.
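The secret standard in the list above (16+ characters, auto-generated, nothing memorable) is easy to state and easy to drift from when extensions are created by hand. The checker below is an added example, not UnifiedBX's Weak Password Detection: it applies those rules to a SIP or AMI secret, rejects secrets that embed the extension number or a known default, and generates a compliant secret with the standard-library `secrets` module. The entropy threshold and the list of default words are assumptions.

```python
"""Check SIP/AMI secrets against the posture above (added example, not UnifiedBX code)."""
import math
import secrets
import string

MIN_LENGTH = 16          # from the guidance above
MIN_ENTROPY_BITS = 80    # assumption: about what 16 random alphanumerics provide

# Constructed list of defaults/common words that must never appear in a secret.
KNOWN_WEAK = {"admin", "password", "1234", "secret", "asterisk", "changeme"}


def estimate_entropy_bits(secret):
    """Upper bound on entropy, assuming each character was drawn uniformly
    from the union of the character classes that actually appear."""
    pool = 0
    if any(c.islower() for c in secret):
        pool += 26
    if any(c.isupper() for c in secret):
        pool += 26
    if any(c.isdigit() for c in secret):
        pool += 10
    if any(c in string.punctuation for c in secret):
        pool += len(string.punctuation)
    return len(secret) * math.log2(pool) if pool else 0.0


def check_secret(extension, secret):
    """Return the list of reasons a secret is weak; an empty list means it passes."""
    problems = []
    if len(secret) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if extension and extension in secret:
        problems.append("contains the extension number")
    lowered = secret.lower()
    if any(word in lowered for word in KNOWN_WEAK):
        problems.append("contains a known default/common word")
    if len(set(secret)) <= 3:
        problems.append("too few distinct characters")
    if estimate_entropy_bits(secret) < MIN_ENTROPY_BITS:
        problems.append(f"estimated entropy below {MIN_ENTROPY_BITS} bits")
    return problems


def generate_secret(length=32):
    """Auto-generated secret; alphanumeric only so it pastes cleanly into any SIP client."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed examples of what an audit typically turns up.
    for ext, sec in [("1001", "welcome1001"), ("1002", "Xk9#mQ2vL7pR4tWz")]:
        print(ext, "->", check_secret(ext, sec) or "OK")
    print("replacement secret:", generate_secret())
```

Run it over an export of your extension secrets before the Weak Password report does; anything it flags should be regenerated rather than "fixed" by appending a digit.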

If you suspect a successful breach (unexpected outbound calls in CDR):

  • Disable affected extension immediately.
  • Check trunk Maximum Channels — set hard cap.
  • Audit all admin accounts; rotate all SIP secrets.
  • Check Trunk Attributes → Outbound Routes for unauthorized routes.
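The CDR query in the Diagnose section returns every answered call over a minute long; deciding which of those rows is the breach still takes a human eye. The script below is an added example, not UnifiedBX code: it takes rows shaped like that query's output and flags the patterns toll fraud usually shows (international destinations, calls outside business hours, calls from unknown or disabled extensions, and one extension placing a burst of long calls). The CDR rows, extension lists, dialing prefixes and business hours are all constructed assumptions; adjust them to your site.

```python
"""Flag CDR rows that look like toll fraud (added example, not UnifiedBX code)."""
from collections import Counter
from datetime import datetime

# Constructed sample CDR rows shaped like the query above; numbers are fictitious.
SAMPLE_CDR = [
    {"calldate": "2024-03-11 09:05:10", "src": "1001", "dst": "5551234567",      "duration": 120,  "disposition": "ANSWERED"},
    {"calldate": "2024-03-11 02:14:33", "src": "1007", "dst": "011441234567890", "duration": 1840, "disposition": "ANSWERED"},
    {"calldate": "2024-03-11 02:20:01", "src": "1007", "dst": "011441234567891", "duration": 1790, "disposition": "ANSWERED"},
    {"calldate": "2024-03-11 02:25:47", "src": "1007", "dst": "011441234567892", "duration": 1810, "disposition": "ANSWERED"},
    {"calldate": "2024-03-11 14:30:00", "src": "1003", "dst": "5559876543",      "duration": 45,   "disposition": "ANSWERED"},
    {"calldate": "2024-03-11 23:58:12", "src": "1042", "dst": "+2125550100",     "duration": 600,  "disposition": "ANSWERED"},
]

KNOWN_EXTENSIONS = {"1001", "1002", "1003", "1007"}  # constructed; export from your extension list
DISABLED_EXTENSIONS = {"1007"}                        # constructed; extensions set to Disable = Yes
BUSINESS_HOURS = (7, 19)                              # assumption: 07:00-19:00 local time


def is_international(dst):
    """Assumed NANP conventions: 011 prefix, leading +, or 00 prefix means international."""
    return dst.startswith("011") or dst.startswith("+") or dst.startswith("00")


def flag_suspicious(rows, min_duration=60, burst_threshold=3):
    """Return [(row, [reasons])] for answered calls longer than min_duration
    that match at least one fraud heuristic."""
    per_src = Counter(r["src"] for r in rows if r["disposition"] == "ANSWERED")
    flagged = []
    for r in rows:
        if r["disposition"] != "ANSWERED" or r["duration"] <= min_duration:
            continue
        reasons = []
        hour = datetime.strptime(r["calldate"], "%Y-%m-%d %H:%M:%S").hour
        if is_international(r["dst"]):
            reasons.append("international destination")
        if not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
            reasons.append("outside business hours")
        if r["src"] not in KNOWN_EXTENSIONS:
            reasons.append("unknown source extension")
        elif r["src"] in DISABLED_EXTENSIONS:
            reasons.append("disabled extension placed a call")
        if per_src[r["src"]] >= burst_threshold:
            reasons.append(f"{per_src[r['src']]} answered calls from one extension")
        if reasons:
            flagged.append((r, reasons))
    return flagged


if __name__ == "__main__":
    for row, reasons in flag_suspicious(SAMPLE_CDR):
        print(f"{row['calldate']} {row['src']} -> {row['dst']} ({row['duration']}s): {', '.join(reasons)}")
```

Every flagged source extension maps directly onto the first step of the breach list above (disable it); a disabled extension that still places calls means its credentials are in use from a second device and the secret must be rotated, not just the extension toggled.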

When to Escalate

Carrier reports unusual call volume / cost spike. That's already costing money. Disable outbound routes immediately, contact carrier to dispute charges, then investigate.