Attacks and Hacks

Is there a place, or should there be a specific category to talk about hacks and attacks on FreePBX?

I frequently find some mysterious abuses of my FreePBX instance on AWS. They come in bursts where it appears someone has figured out how to make calls through the SIP trunks to the PSTN appearing to be one of my legitimate extensions. When I notice it I am able to lock them out, but it sometimes takes a few hours and they have already racked up fees. I have the firewall in place and all the protections I can create and still allow my clients to function. It almost seems that somehow someone is able to guess the auto-generated user password for the extension. Since there is relatively little probing traffic (certainly not enough to brute force those passwords) I am wondering if the FreePBX password algorithm is somehow compromised or if there is some way that someone has seen the password being sent.

Does anyone else experience this? Does anyone have a solution to it? Does anyone have any insight into how this is actually being done?

There is a security category, I’ve moved the thread.

If the exploit vector is definitely via the extension SIP secrets, and they are long and unique, then I don’t think it’s a successful brute force. I suspect you have phone provisioning files exposed to untrusted traffic without requiring credentials. Having tftp exposed to untrusted traffic is the most likely culprit, but also http(s) provisioning services without apache creds can also leak local extension SIP secrets if you don’t restrict access.
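As an added example, not from this thread or from the FreePBX project, here is one way to audit an Apache access log for provisioning files that were served with no HTTP credentials to addresses outside the networks your phones live on. The trusted ranges, provisioning paths and the log lines are constructed assumptions; adjust them to your own deployment.

```python
import ipaddress
import re

# Networks from which phones legitimately fetch their config (assumed example ranges).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]

# Apache combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# File types and path fragments that provisioning files typically use (assumed).
PROV_EXT = (".cfg", ".xml", ".conf")

# Constructed sample log: one trusted phone, one anonymous outside fetch that succeeded,
# one unrelated admin request, one authenticated fetch and one fetch rejected with 401.
SAMPLE_LOG = """\
10.0.1.25 - - [10/Oct/2023:13:55:36 +0000] "GET /provisioning/cfg1234.xml HTTP/1.1" 200 2326 "-" "Polycom"
198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET /provisioning/cfg1234.xml HTTP/1.1" 200 2326 "-" "curl/7.88"
198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "GET /admin/config.php HTTP/1.1" 302 0 "-" "curl/7.88"
198.51.100.9 - phone01 [10/Oct/2023:13:57:10 +0000] "GET /provisioning/cfg2001.xml HTTP/1.1" 200 2101 "-" "Yealink"
198.51.100.9 - - [10/Oct/2023:13:57:11 +0000] "GET /provisioning/cfg2002.xml HTTP/1.1" 401 381 "-" "Yealink"
"""

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def looks_like_provisioning(path):
    # Ignore the query string; match by extension or by a known provisioning directory.
    p = path.split("?", 1)[0].lower()
    return p.endswith(PROV_EXT) or "/tftpboot/" in p or "/provisioning/" in p

def find_suspicious_fetches(lines):
    """Return (ip, path) for provisioning files served (200) with no auth user
    to an address outside TRUSTED_NETS. A 401 or an authenticated user is fine."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200" or not looks_like_provisioning(m["path"]):
            continue
        if m["user"] == "-" and not is_trusted(m["ip"]):
            alerts.append((m["ip"], m["path"]))
    return alerts

if __name__ == "__main__":
    for ip, path in find_suspicious_fetches(SAMPLE_LOG.splitlines()):
        print(f"unauthenticated provisioning fetch from {ip}: {path}")
```

Any hit means a config file, and the SIP secret inside it, went out to an address you did not intend; the fix is to put credentials or an allow-list in front of the provisioning path, not to rotate secrets alone.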

What IPs are these calls sourcing from? Are they public IPs or IPs that might be from the same subnet or ranges of AWS’s internal IPs?

If there is an actual firewall that is set up properly, then you shouldn’t see these requests at all. The fact that you are seeing these requests means either that the firewall isn’t configured like it should be, or that they are coming from behind the firewall.

Thank you. Leaking credentials from provisioning files seems to fit the circumstances. The server uses the commercial EndPoint Manager with the config files in /tftpboot. tftp is NOT running for sure. I know this may be a case of RTFM, but I don’t recall instructions on securing the EPM. I don’t recall a lot of transparency in how the EPM works so it makes it hard to think through a solution. Any references or suggestions? Thank you.

You don’t secure EPM, you secure services. See firewall vid:

I had a tricky one to figure out once where someone managed to call forward an extension to a 900 number somehow and then they just kept calling that extension through the IVR. So maybe check Settings > Extension Settings and compare extension settings.

Some other things to check. Do you have public access to port 2206 disabled? Have you changed the Fpbx admin password and checked there are no other admin users? Has your Fpbx admin password stopped working recently by some chance?
