Calls generated from non existent extension to strange numbers

Hi all,
I successfully configured freepbx with 4 extensions that can be accessed both via LAN and remote.

For some kind of problems I had with remote extensions (that I solved thanks to this forum) I initially put asterisk server on DMZ in our router so all ports problems went out.
I left this situation for 2 days and I find some calls from 1011 extension (non existent extension on our pbx) to some numbers out, strange numeration.
Fortunately we have no credits on our VOIP so the calls dropped with the message of the carrier that informs the zero credit situation.

My question is: I have freepbx firewall active and no firewall on router, is it possible for an hacker to access via ssh or via other method?
Exten 1011 doesn’t exists in my dialplan, how can generate a call? I tried to generate call on asterisk cli, via ssh, and I successfully generate call between extension or between extension and external number but how can an intruder generate a call without knowing ssh password and freepbx admin access?
Am I forgetting something? Have I left something open?

After these 2 days I fixed all ports on router (5060/5061/10000-20000) from external to asterisk server and now it seems that these calls disappeared.
Could the DMZ generate this security-leaking situation?

PS: below you can find Call Log Stats screenshot


Without more information, it looks to me like someone is trying to construct a call that appears to be from extension 1011 but is failing, probably because Anonymous calling is turned on.

Be sure in your advanced configuration settings that Anonymous calling a Guest calling are both disabled. Also, limit access to port 5060 to only people that will be using it. For example, your ITSP and anyone that is connecting from the outside. Limit all of connectors to 5060 by blocking all and only letting trusted hosts connect. If you have phones outside your address control (roamers at McDonald’s for example) you should also turn on the Adaptive Firewall.

Leaving ports 10000-20000 open and pointed at the PBX through the firewall will allow callers into your PBX (through regular DID interaction) to be heard and to hear, so you might want to consider leaving those open.

Hi cynjut, thanks for your reply.
I’m a bit confusing regarding ports 10000-20000. Aren’t they used randomly for RTP UDP packets?

Yes, I think that someone tried to make call from inexistent extension. The call duration was 12 seconds, and was exactly the time of hearing the message of ITSP announce of zero credit and the auto-hang-up of the ITSP. So, I don’t think that anonymous calling save me if I have credit on ITSP.
By the way, anonymous calling is turned off but only for inbound calls. Where do I find the config to turn anonymous off for outbound calls?

Two days ago I put asterisk server out of DMZ and allow only specific traffic from remote:
5060 (traffic from ITSP), 5160 (traffic from/to remote clients), 10000-20000 (RTP UDP traffic from/to SIP clients) and the “unwanted” calls disappeared. I don’t know if it’s because of putting out of DMZ or because the attacker understand that we have no credit.

On Advanced Config both Anonymous calling and Guest calling are off.
How can I limit access on port 5060? On server firewall? FreePBX firewall?
Remote clients connects from home network and most of them are dynamic IPs. Our adaptive firewall are turned on for CHAN_SIP extension.

I think that allow access on ports 10000-20000 was mandatory. Isn’t it?

Yup, that was the point of my post. Ports 5060 and 5061 are both required to set up and control the call, but the RTP traffic “comes in hot” and may or may not be directed correctly if you don’t have these set up.

Good. This will prevent a lot of bad things.

You answered your own question. Yes and yes. The only people that need access to ports 5060 are your ITSP and people connecting phones to your service from the outside. The current “best” solution for phones connecting is to use a VPN so that your phones are always “sort of” local. To be clear - the only time you need to open these ports to the Internet is when people are contacting your server, so PSTN calls (which come from your ITSP) and “local” phones that aren’t local should be the only things that ever need to reach out to this port.

Thanks cynjut, really helpful clarifying!

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.