Email on any change to PBX configuration

Is it possible to be emailed if anything like an extension, trunk, ring group, etc. is added?

Someone beat me out of $51 for calls to Zimbabwe. Calls don’t appear in my CDR, but they added an extension called asdasd.

I was periodically getting my Outbound Routes wiped out. It looks like they were accessing via asteriskuser. I added asteriskuser in Admin and gave it a password. Thing is, they added the extension and made the calls after I did this.

Help?

Thanks

Why is your phone system exposed to the Internet?

How was this system installed?

It’s a FreePBX 2.7 Asterisk 1.4. At a colo. Cat-5 delivering public IP plugged directly into the Eth 0/1. Running CSF and Webmin for firewall.

There are a lot of things I find puzzling about this whole situation. Not doubting that it happened, but I don’t see how FreePBX could have been involved, since it won’t even let you create a non-numeric extension. And if they are going outside the FreePBX interface, then the e-mails would not do you a bit of good, since it sounds like they aren’t doing anything that would cause a noticeable change in your FreePBX configuration.

What I also wonder is, if the calls didn’t appear in your CDR, how did you even discover that they had created an extension called asdasd? And did this extension actually appear in the FreePBX extensions?

Anyway, if you know what you are doing, the best thing you can do is tighten your firewall. You should have it set up so that only YOU can get to things like Webmin, SSH, the FreePBX GUI, etc. You should definitely be running fail2ban.

But because you are already compromised and because you sound like you’re not sure how they are getting in, and maybe aren’t experienced enough to know how to keep the bad guys out, my suggestion would be that you head over to the PBX in a Flash site and take a look at that distribution and the so-called “Incredible PBX” add-on. Whatever else you can say about that distribution, they are (if anything) almost at the point of being overly paranoid about security. If you wipe your current installation and reformat the hard drive (which will happen automatically if you install PiaF or the Incredible PBX from an ISO you’ve burned to a CD) then however your system is currently compromised won’t matter (any rogue software will be wiped out), and the Incredible PBX security model ought to keep the bad guys out as long as you don’t mess with the firewall settings.

You will want to save your current settings for extensions, trunks, etc. Extension and Inbound Route settings can be saved using the Bulk Extensions and Bulk DIDs modules (save to a CSV file) and I’d just take screenshots of everything else (the Firefox ScreenGrab add-on is useful for this purpose). Under normal circumstances I’d suggest using the FreePBX Backup & Restore module but since you may not know exactly how you’ve been compromised, that module could bring something unwanted back in (maybe — if a FreePBX developer tells you differently, take their word for it, not mine — and by the way, the guy using a copyrighted comic strip character as his avatar is NOT a FreePBX developer, just so you know).

If I’m guessing wrong about your level of experience then please feel free to ignore the above advice. I know that wiping out and rebuilding a system is not a task to be undertaken on a whim, and I ONLY make the suggestion because it sounds like you need a much tighter security model, and “Incredible PBX” will at least give you that. But if you don’t want to go that route, then make sure that ALL the ports on your firewall are closed to the outside world except the ones that you absolutely need to be open (and if you are the only one that needs to access them, then they should only be open to YOU).

Oh, and to answer your question, at present there is no way I know of to send an e-mail notification on a specific type of FreePBX configuration change, or ANY type of configuration change, as far as I know. Maybe the logic to do that could somehow be tied into an “orange bar” reload if enough people wanted it, but you’d have to make a feature request, and as I pointed out above, it wouldn’t even help at all if they are making changes outside of the FreePBX GUI.

Thank you, michigantelephone. I will post my port settings later today. With the way I have CSF set up, only addresses on the csf.allow can access SSH. In my ports, I have tcp 80 open, so anyone can access the gui. In advance of posting my port settings, if I do not open 80 then only people in csf.allow will be able to access any Web GUI, including ARI?

What about UDP 5060 and 10K-20K? Don’t I have to leave those open to the world?

I’m not familiar at all with CSF (never heard of it until you mentioned it). I believe most of us use iptables as our firewall, and that’s the only one I’m familiar with (and I’m certainly no expert in that) so I’m not going to be able to help you with specific settings related to CSF, though perhaps someone else can.

As for the ports you mentioned, which are needed to allow SIP communications, the best scenario is that they are only open to those that need to access them. If your users all are on static IP address, then those ports should be open only to them. If they are on dynamic IP addresses, there are various techniques for dealing with that (I posted an article about one I happen to like at http://michigantelephone.wordpress.com/2011/06/28/using-dyndns-to-solve-the-problem-of-keeping-a-firewall-open-to-remote-users-at-changeable-ip-addresses/ but it may not be appropriate in all situations, because for one thing it opens all ports to “trusted” users, though that could be modified with a little additional code). If you must leave those ports open to the world (and some people apparently feel they must), then you need to use very strong passwords on all your extensions and trunks, and you need to make sure that there’s absolutely no way an attacker can get into your system and add extensions, as apparently happened in your case. And even then I wouldn’t absolutely guarantee that there’s no way they can do any damage.

Someone did indeed add the IAX Ext. asdasd123123 to three of my PBXs. I have been the victim of someone nuking my outbound routes over the past two months. It looks like they were writing things to the PBX through asteriskuser. It was recommended to me to create a user asteriskuser, give them only access to FreePBX Status, and give it a strong password. Did that.

Need to look at my CSF settings. How could a person delete the outbound route settings through port 80 (or other) if they did not have access to get into the GUI? Possible?

The FreePBX GUI is on port 80 by default, therefore unless they somehow compromised your password I don’t think they could get in that way. I wonder if perhaps you have left SSH exposed. An attacker basically has the “keys to the kingdom” if they can make a SSH connection, and if you only use password authentication and don’t run fail2ban and don’t use VERY good passwords, they will run password cracking programs against you until they break in (which won’t take all that long), and then they can do ANYTHING they want to, and I mean ANYTHING. fail2ban will stop them after a few failed attempts, so they can’t just run a password cracking program against you day and night until they get in. If your SSH password could be found in a dictionary then it’s very likely that’s how they got in, and once in, if they know how to access the MySQL database then they can delete routes or trunks at will without using the FreePBX GUI.

The thing is, if they did manage to crack your SSH password, then there is a good chance your system is already so compromised that at this point the only way to be absolutely sure they can’t get back in is to reformat the hard drive and reinstall from scratch. I say that because once they get in, especially if by SSH, they can do ANYTHING (or at least anything they know how to do), and that includes (for example) setting up a background program that will simply e-mail them any passwords you may change, or re-open your firewall if you close it. If you are a true Linux geek you can probably figure out if such a process is running, but judging from the tone of your previous messages I suspect you are not that Linux-savvy (don’t feel bad, neither am I).

If I had discovered that someone had broken into my system, that system would not be online. The power would be turned off until I had a chance to reformat the hard drive. Seriously, once a system has been compromised, it’s kind of like toxic waste. If you are an EXPERT you may be able to clean it up, but if you’re not you may make things worse and spread the contamination further. So you changed a password AFTER an attacker got in and now you feel secure? How do you know they didn’t leave behind a software payload of some kind that’s effectively a ticking time bomb?

I KNOW you don’t want to go through the pain of reformatting the hard drive and reinstalling the software and then spending days getting the system back to the way it was (not to mention figuring out how to enhance security so it doesn’t happen again, which is why I made the suggestion of “Incredible PBX” above — they pretty much start out with the idea that every hacker on earth has made it their mission in life to crack YOUR system. Well, maybe I exaggerate slightly, but not much). I sympathize with you, really, but fixing the firewall at this point is nothing but false security. Sure, you might get lucky — maybe they didn’t leave anything behind. Or maybe they are just biding their time until you think you’ve secured the system, and then you’ll get a $100,000 phone bill surprise. Do you REALLY want to take the chance?

By the way, I forgot to mention that “Incredible PBX” is based on Asterisk and FreePBX, so it’s not like you’re moving to completely different software.

It’s your system and it’s entirely up to you what you do, but I’d just hate to see you repeatedly victimized.

If you really have to have access to port 80 (http) use firewall rules to redirect it from some other port.

example:
Your internal IP of the system: 192.168.1.1
Your external IP of the Firewall: 88.88.88.88

On your firewall set up an incoming TCP port, something like 23145, and redirect it to port 80 on 192.168.1.1

So you can access your system from the net via 88.88.88.88:23145

but I don’t see how FreePBX could have been involved, since it won’t even let you create a non-numeric extension

It will if you turn JavaScript off in your browser; there is no checking on the server side.
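Since FreePBX itself offers no notification on configuration changes (as noted above), and since a non-numeric extension name can slip past the client-side check (as the last reply points out), one defender-side workaround is to snapshot the FreePBX-generated Asterisk files from cron and diff the section headers. The script below is an added example, not code from this thread or from the FreePBX project; it assumes the generated files live under /etc/asterisk (e.g. iax_additional.conf, where an IAX extension like asdasd123123 would land), and the two snapshots and the trunk name "mytrunk" are constructed inline so it runs offline.

```python
import re

# One section header per extension or trunk, e.g. [1001] or [asdasd123123],
# as FreePBX writes them into sip_additional.conf / iax_additional.conf.
SECTION_RE = re.compile(r"^\[([^\]]+)\]$")

def section_names(config_text):
    """Set of section names in Asterisk-style config text; blank lines
    and ';' comments are skipped."""
    names = set()
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(";"):
            match = SECTION_RE.match(line)
            if match:
                names.add(match.group(1))
    return names

def diff_snapshots(old_text, new_text, known_trunks=()):
    """Return (added, removed, suspicious). 'suspicious' = added names that
    are neither numeric extensions nor trunks you know about; the GUI only
    rejects non-numeric extension names client-side, so one showing up
    here deserves a look. Removed sections catch wiped routes/trunks."""
    old, new = section_names(old_text), section_names(new_text)
    added, removed = sorted(new - old), sorted(old - new)
    suspicious = [n for n in added if not n.isdigit() and n not in known_trunks]
    return added, removed, suspicious

def alert_message(path, added, removed, suspicious):
    """Body for the notification e-mail (pipe it to mail(1) from cron);
    None when nothing changed."""
    if not added and not removed:
        return None
    lines = ["Configuration change detected in " + path]
    if added:
        lines.append("added sections: " + ", ".join(added))
    if removed:
        lines.append("removed sections: " + ", ".join(removed))
    if suspicious:
        lines.append("REVIEW (non-numeric, not a known trunk): " + ", ".join(suspicious))
    return "\n".join(lines)

# Constructed sample snapshots standing in for two reads of
# /etc/asterisk/iax_additional.conf; the second shows a rogue extension.
BASELINE = """; constructed sample mimicking a FreePBX-generated file
[1001]
type=friend
[mytrunk]
host=iax.example.invalid
"""
AFTER = BASELINE + "[asdasd123123]\ntype=friend\nsecret=asdasd\n"
```

The same diff works for extensions_additional.conf, where a deleted outbound route shows up as a removed section; changes made directly in MySQL only appear in these files after the next reload, so pair it with a check on the database if that matters to you.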