I was looking at my logfiles for another issue I was working out and I noticed that a strange IP was trying to register to a SIP account (one that doesn’t exist on my account). Then I noticed it has been attempting many different SIP accounts. I have just set this system up. It’s my first one. Is this something that fail to ban would stop, or how else can I prevent this from happening? I’m using FreePBX distro for the Raspberry Pi. Right now I’m adding that IP address to be denied by my extensions. The IP address was from France (I’m in the US).
I had port forwarding set up to be able to access it from home. I am not at that point yet in my set up so I shut that off and that seems to have stopped it for now. I’ll have research security a little more before I make that step.
Fail2ban should ban an IP address, that tries to register with false password or extension.
What ports do you have open?
When forwarding ports you should always only allow IP addresses that you know (whitelisting) through your firewall.
What firewall are you using?
Banning certain IPs (blacklisting) is not enough. There are plenty of machines out there just scanning your firewall for open ports and you will again see unwanted registration attempts from unknown IP addresses.
The best security practice for managing your PBX remotely is not to forward ports at all, but run a VPN server that you connect to.
Please read the two links below about recommended security practices with Asterisk and FreePBX. http://nerdvittles.com/?p=580
If you have a typical setup where your server only needs to talk to your VOIP provider, you should firewall those ports so only the VOIP provider can connect. Internally, your phones on your LAN will be fine as they dont go through the firewall.
5060 should not be open to the internet unless you absolutely need that.