Am I being hacked - or is this normal?

Hi,

We have a new install of FreePBX running Asterisk 1.8. All updates have been applied and the system is working fine.

We use a combination of ISDN BRI lines for some incoming calls (historical) and mainly SIP lines via Gradwell (we are based in the UK) for outbound and some inbound calls.

When I check the CDR report there are hundreds of entries of 0 or 1 second for numbers that do not correspond to any of our extensions, groups or queues. Not only are these worrying, but they are a real pain when trying to find the actual data that we need.

We used to get this before on an older version of Trixbox, and then the internal phones even rang, which is why we upgraded. The phones no longer ring, but the CDR reports show that it looks like it is still happening.

Unfortunately, due to Gradwell settings for SIP trunks, we have to have "Allow Anonymous Inbound SIP Calls" set to YES.

The PBX is set up on a private IP range behind a "good / commercial" firewall with only SIP & RTP rules configured to send traffic to the PBX.

Any thoughts? Even if it is just to put my mind at ease...

Thanks…

People are trying to make free calls on your SIP port. Whether they are successful is up to your security planning. Does this good/commercial firewall support geo blocking? Surely you don't have to open SIP to the entire world?

Hi Scott, thanks for the reply. Just what I thought. Hopefully, with the reports showing either 0 or 1 second, it means they are unsuccessful at the moment.

Not really sure what Geo Tagging is, but I will look into it. Our firewall is a Watchguard 520 running all sorts of policies. I just manage the phone system, so I know I have the SIP and RTP rules in place.

I will also speak to the guys at Gradwell to see if they have any ideas, as we are hoping to resell this solution, so I need to make sure it's right and not open to the nasties out there.

Thanks

You could perhaps enable security logging in your Asterisk and watch that log either manually or with a well-written script (perhaps fail2ban) to identify and preempt access from suspicious IPs.

You should be able to get a list of IPs from Gradwell and only open up the firewall to those source addresses.

I said geo blocking, not geo tagging. Geo blocking lets you block geographic regions.
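To illustrate the security-log suggestion above, here is an added example (not code from the thread or from FreePBX) that applies fail2ban's maxretry/findtime rule to Asterisk security events, so you can see which remote addresses are hammering the SIP port before handing the log to fail2ban. It assumes a logger.conf channel that carries the `security` level with `dateformat=%F %T`; the log lines and addresses are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Asterisk res_security_log lines (documentation-range addresses,
# not real hosts); assumes logger.conf dateformat=%F %T and a channel carrying "security".
SAMPLE_LOG = """\
[2024-03-01 09:00:01] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-03-01T09:00:01.000+0000",Severity="Error",Service="SIP",EventVersion="2",AccountID="100",SessionID="0x1",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5062"
[2024-03-01 09:00:02] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-03-01T09:00:02.000+0000",Severity="Error",Service="SIP",EventVersion="2",AccountID="101",SessionID="0x2",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5062"
[2024-03-01 09:00:03] SECURITY[2345] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="2024-03-01T09:00:03.000+0000",Severity="Error",Service="SIP",EventVersion="2",AccountID="200",SessionID="0x3",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5062"
[2024-03-01 09:05:00] SECURITY[2345] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2024-03-01T09:05:00.000+0000",Severity="Informational",Service="SIP",EventVersion="1",AccountID="200",SessionID="0x4",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/192.168.1.20/5060"
[2024-03-01 09:10:00] SECURITY[2345] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2024-03-01T09:10:00.000+0000",Severity="Error",Service="SIP",EventVersion="1",AccountID="200",SessionID="0x5",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/198.51.100.9/5060"
[2024-03-01 10:30:00] SECURITY[2345] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2024-03-01T10:30:00.000+0000",Severity="Error",Service="SIP",EventVersion="1",AccountID="200",SessionID="0x6",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/198.51.100.9/5060"
[2024-03-01 11:45:00] SECURITY[2345] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2024-03-01T11:45:00.000+0000",Severity="Error",Service="SIP",EventVersion="1",AccountID="200",SessionID="0x7",LocalAddress="IPV4/UDP/192.168.1.10/5060",RemoteAddress="IPV4/UDP/198.51.100.9/5060"
"""

# Event types meaning a remote party tried and failed to use the SIP service.
FAIL_EVENTS = {"InvalidAccountID", "InvalidPassword", "ChallengeResponseFailed", "FailedACL"}
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY.*?SecurityEvent="(?P<event>[^"]+)"'
                     r'.*?RemoteAddress="[^/]+/[^/]+/(?P<ip>[^/]+)/')

def parse_failures(text):
    """Return (timestamp, remote_ip, event) tuples for failed-access events only."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("event") in FAIL_EVENTS:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            out.append((ts, m.group("ip"), m.group("event")))
    return out

def offenders(text, maxretry=3, findtime=timedelta(minutes=10)):
    """Return {ip: total_failures} for sources with >= maxretry failures inside any
    findtime window (fail2ban's rule); slow, spread-out failures are not flagged."""
    per_ip = defaultdict(list)
    for ts, ip, _ in parse_failures(text):
        per_ip[ip].append(ts)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= findtime:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))  # {'203.0.113.7': 3}
```

The host that failed three times in two seconds is flagged, the one that failed three times over a few hours is not, and the successful local registration is ignored; point the same parser at your real security log to see whether the 0/1-second CDR entries line up with these sources.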