I’m having a lot of records in my PBX comming from extensions that i have not made.
They don’t seem to be able to call out, but they clutter up the CDR records, and i’m not too keen on them beeing there in the first place.
A screenshot can be found here: https://dl.dropboxusercontent.com/u/697024/FreePBX.png
Have i made a misconfiguration at some point, or is there other things i can do to make them go away?
I have not looked at the screen-shot, but you most likely is being probed by one of the shady outfits that offer a cheap phone calls from USA to 900 code countries. Now that the outfit knows that you are on the internet with SIP server, they will continue to try different passwords and prefixes in attempt to login as one of your users and make an outbound call from your server, using your trunks. Once they figure out how, they will use you as a gateway to place the most expensive international calls. And you will be liable to pay for those. Such outfit can rack-up several hundreds dollars worth of cals in just one day. Most of respectable service providers will detect ubnormal usage and disable international calling on your trunk and notify you with some email, but by that time you might be on the hook for a couple of hundred dollars in call charges.
to check this theory, try to firewall the external access to you r server for a few minutes and see if the “unknown user” goes away. Alternatively, you can see your firewall logs is available in your particular case. In all cases create an confusing outbound rules for international calls such as long prefixes and/or pin codes. Also make sure that your sip passwords are at least 8 character long mixed case alpha-numeric nonsense. The exploiters looking for victims that have their PBX open and use extension numbers for passwords, or something easy to figureout.
They are in deed comming from IP’s all around the world.
The problem i face is my co-employees are also around the world some times, so i cannot disable IP ranges.
But I am curious on to why they are within my CDR log.
I feel that they get too close to having infiltrated/hacked us.
Or if everyone has the same amount of attacks, what can i do to exclude them from the CDR? They clutter up the shemas and reports.
thanks!
I had when my shemas get cluttered.
May I suggest you start in the wiki on security.
It has Fail2Ban enabled and aggressively turned on by default and it will help with these calls - you are actively being probed. Also, I agree with Scott - look at the wiki on Security and learn it.
Right now, under “Asterisk SIP Settings”, you need to turn off “Allow SIP Guests” and “Allow Anonymous Inbound SIP Calls” - most likely “Allow SIP Guests” is already turned off, but “Allow Anonymous Inbound SIP Calls” is turned on because you are seeing them in your logs.
But this is not the solution - it will just reduce the logging - you are still getting probed, and Fail2Ban along with strong secrets for the extension is the answer.
Finally, Sonicwall has GeoIP Isolation which we like LOTS - If you have no one in Germany, why would you take ANY traffic from Germany? Putting an Asterisk behind a Sonicwall that will only allow traffic from the countries you are actually in will add DRAMATICALLY to your overall security.
Greg
Thanks all.
Having enough feedback to go forward.
I could see the the inbound calls was off, so now i turned it on.
I’m leaning towards the solution of GEO disabling IP ranges.
Thanks again!
Hi sofus, please see my guide on securing Asterisk with IPTables, posted in an earlier thread here:
http://www.freepbx.org/comment/227962#comment-227962
Hope it helps!
