FreePBX Security - How to stop someone from hacking into my system

How do you stop any external SIPs from accessing my PBX? I have been getting a bunch of failed-attempt emails from my system. I am concerned someone may eventually break in and try to make calls.

I only use my phones internally on my network, and if I use one external SIP for an extension I would only allow it through that extension. Is there just a flat way to deny all these attempts and still be able to run my system?

Please let me know what steps I can take.

Perhaps a firewall.

This is not a definitive list and I am not an expert, but the following were the most recommended ones I have found previously.

  1. Change the default Asterisk manager password.
  2. For all passwords, use a password generator for random, strong passwords. Mine are no less than 25 characters, no dictionary words, upper- and lower-case mix. This goes for endpoints as well.
  3. Use alternate ports for SSH and HTTP. See the Wiki; I believe some good info is there on this process.
  4. Read up on Blacklisting and Fail2ban. I blacklist all caller ID ranges that I see hit from unknowns, like 1000 or 100, etc., if I know I will not be getting calls from a particular range.
  5. System Admin > Intrusion Detection. Set your attempts low if you are the only person accessing. Blacklist known problem IPs if for some odd reason fail2ban doesn't grab it, which is rare.

There are many more people on here more knowledgeable than me, but this is a good place to start. Hope it helps.

We are having issues where someone is attempting to make a SIP connection using extensions like 100, 1000, 202… How do you blacklist extensions?

A few other things:

  1. Use an RSA key for SSH authentication and turn off clear-text login.
  2. Set SIP guest to no.
  3. Turn on iptables and set it up to only allow traffic from IP addresses you know, like your SIP trunk provider. You might do something like use an alternate port for SSH and have iptables remap it to 22. You will need to keep port 80 open for the FreePBX GUI, or decide to use an alternate port and remap it in the firewall.
  4. Make sure fail2ban is running.
  5. Monitor the /etc/log/secure files. If you do this right, you should see nothing in this file except your own login attempts.

These things will go a long way to securing your system.
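As an added example that is not part of any post in this thread: a small Python script that does what the "failed attempts" emails and fail2ban's Asterisk filter do, over constructed log lines. It parses the chan_sip "Registration from ... failed" notices and res_security_log SecurityEvent records, counts failures per source IP and per attempted extension (100, 1000, 202 style), and flags sources at or over a maxretry-style threshold. The sample lines, addresses and threshold are constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines modelled on chan_sip NOTICE messages and Asterisk
# res_security_log records; not real traffic from anyone's PBX.
SAMPLE_LOG = """\
[2024-03-01 10:01:02] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@203.0.113.20>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 10:01:03] NOTICE[2231] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.20>' failed for '198.51.100.7:5061' - No matching peer found
[2024-03-01 10:01:04] NOTICE[2231] chan_sip.c: Registration from '"202" <sip:202@203.0.113.20>' failed for '198.51.100.7:5062' - No matching peer found
[2024-03-01 10:02:10] SECURITY[2240] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-03-01T10:02:10.100+0000",Severity="Error",Service="SIP",EventVersion="1",AccountID="1001",SessionID="0x1",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5063"
[2024-03-01 10:05:00] NOTICE[2231] chan_sip.c: Registration from '"201" <sip:201@203.0.113.20>' failed for '192.0.2.55:5060' - Wrong password
"""

# chan_sip failed-registration notice: extension in quotes, source IP:port after "failed for"
CHAN_SIP_RE = re.compile(
    r"Registration from '\"(?P<ext>[^\"]+)\"[^']*' failed for '(?P<ip>[\d.]+):\d+'")
# res_security_log failure events: AccountID is the attempted extension, RemoteAddress the source
SECURITY_RE = re.compile(
    r'SecurityEvent="(?:InvalidAccountID|InvalidPassword|FailedACL|ChallengeResponseFailed)".*?'
    r'AccountID="(?P<ext>[^"]*)".*?RemoteAddress="IPV4/\w+/(?P<ip>[\d.]+)/\d+"')


def parse_failures(log_text):
    """Return a list of (source_ip, attempted_extension) for each failed attempt."""
    failures = []
    for line in log_text.splitlines():
        m = CHAN_SIP_RE.search(line) or SECURITY_RE.search(line)
        if m:
            failures.append((m.group("ip"), m.group("ext")))
    return failures


def summarize(failures, maxretry=3):
    """Count attempts per source IP and per extension; flag IPs at or over maxretry,
    the same kind of low 'attempts' threshold the thread suggests setting."""
    per_ip = Counter(ip for ip, _ in failures)
    ext_by_ip = defaultdict(set)
    for ip, ext in failures:
        ext_by_ip[ip].add(ext)
    offenders = sorted(ip for ip, n in per_ip.items() if n >= maxretry)
    return {"per_ip": dict(per_ip),
            "extensions": {ip: sorted(s) for ip, s in ext_by_ip.items()},
            "offenders": offenders}


if __name__ == "__main__":
    report = summarize(parse_failures(SAMPLE_LOG))
    for ip in report["offenders"]:
        print(f"{ip}: {report['per_ip'][ip]} failures, tried {report['extensions'][ip]}")
```

The source that probes several extensions from one address is the one to review in the Intrusion Detection page or blacklist; a single wrong-password failure from a known address is usually just a mistyped secret on a phone.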