Cases of having SIP ports open resulting in hack/damage/fraud

The issue of “open SIP ports” comes up frequently on this forum and I want to put some facts on the topic.

I see three concerns with un-firewalled SIP ports on FreePBX; please add more if you know of them.

  1. Hacking/unauthorized use/fraud due to someone imitating legitimate SIP devices on your system and making calls.

  2. Log noise and unwanted traffic from scanners testing your system.

  3. Unwanted incoming calls or fraudulent outbound calls due to dialplan misconfiguration

Of these, situation #2 is the one I see referenced here most often, and while it is a nuisance, it is otherwise harmless – except that I have seen some log files filled up due to the large volume of this kind of traffic.

Situation #3 is the result of having “Allow anonymous SIP” enabled without setting up inbound routes well, or because scanners guess your extension numbers.

#1 is obviously the most concerning. By using the randomized passwords generated by FreePBX and not keeping an open, unsecured provisioning system (open TFTP for example), it should be very hard to crack.

I would like to see some evidence of #1 - if this happened to you, how did it happen? Could you share your story and lesson learned? Also for #3.

My goal in starting this thread is to make clear what the real risks are of allowing SIP traffic so that there’s more technical fact than mystery. Elsewhere you can find scary statements like “didn’t use firewall” … “big phone bill.” As an engineer, I don’t care about those kinds of scare statements. Since we are dealing with technology, I want to know the technical details that can lead to fraud.

2 Likes

Neither one of the three points above but a different hack happened to us.
Came in Monday morning, people saying they couldn’t reach us on one of our DIDs and I went to our SIP provider’s online portal and found that someone had forwarded incoming calls to that DID to a number in Palestine.
Luckily we had international calling disabled at the provider end and didn’t suffer damage, but we could have.
Happened again a while later even though we had a very long password in place.

Someone hacking into your SIP provider’s online portal and making changes, stealing trunk credentials or something like that is also a possibility.
Two factor authentication protects you against that.

I’ve never dealt with any level of SIP fraud caused by anything except comprised credentials.

Credentials being compromised due to poor security around boot files.

I have occasionally seen portscans that look for ‘fingerprints’ that match open ports , sip, html and manager, these cause a little while later more directed attacks from one or more machines , often in the same subnet.

It is possible to change dialplans not just by account compromise of extensions, but also through the web interface and TCP/5038 , protecting your SIP ports is a good start (never use UDP/5000-5999 for example) but not adequate.

If you run a port scan from outside your network, a good firewall will start dropping you after a few connection attempts using ‘Connection Tracking’.

Every open port you allow through your firewall needs protection.

netstat -tulpn

will show what you would accept, any attempt to other than those show at least someone being nosy.

Use ‘secure’ versions of everything where possible.
Only accept connection requests to your URL, never to your bare IP address,

1 Like

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.