Who are the ‘outside’ people? If they are branch offices, teleworkers, etc., set up your firewall to allow only those IP addresses. If you need to allow arbitrary addresses, e.g. an app connecting via mobile data, can you use SIP over TLS or at least TCP?
If the above is unworkable, do the authorized requests have your domain name (rather than just your IP address), or can you arrange that? If so, set up iptables rules to drop SIP packets that don’t contain the name.
Can you put your SIP on a random port, instead of port 5060 (you will have to set all your clients to use the new port)?
Thanks for your reply. Can you expand a bit on why TLS or TCP would help in my situation?
The third option seems good, but if the scanner did switch to the domain instead of IP, wouldn’t this be rendered moot? What are the chances?
Finally, I was worried this could be an exploit on the FreePBX system itself, since it shouldn’t be accepting such a strange call. Can I rest those worries then?
99.9% plus are UDP
99.9% plus are to port 5060
99.9% plus are to your IP not your domain
Do the math with those three rules, but realise that you will never be able to filter ALL SIP calls if you listen to the whole internet with just those rules in place.
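As an added example (not the thread's own configuration, and not FreePBX's built-in firewall): an iptables ruleset combining the three suggestions above, an allow-list for fixed office addresses, dropping SIP on the listening port unless the request carries your domain name, and a configurable port. The domain, the trusted networks and the port are placeholders; with DRY_RUN=1, the default, the script prints the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from this thread. Placeholder values below; set them to
# your own domain, office networks and SIP port. DRY_RUN=1 (default) prints
# the commands instead of applying them (applying needs root).
SIP_DOMAIN="${SIP_DOMAIN:-pbx.example.com}"                  # placeholder
TRUSTED_NETS="${TRUSTED_NETS:-203.0.113.0/24 198.51.100.7}"  # placeholder offices
SIP_PORT="${SIP_PORT:-5060}"   # change if the PBX and all clients use another port
DRY_RUN="${DRY_RUN:-1}"

run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

sip_rules() {
  # Dedicated chain for SIP; only UDP is sent through it, because the first
  # packet of a TCP connection carries no payload and a string match there
  # would drop the handshake. TCP gets the allow-list only (see below).
  run iptables -N SIP_IN
  run iptables -A INPUT -p udp --dport "$SIP_PORT" -j SIP_IN

  # 1. Branch offices and teleworkers on fixed addresses: always accepted.
  for net in $TRUSTED_NETS; do
    run iptables -A SIP_IN -s "$net" -j ACCEPT
  done

  # 2. Anyone else must address the PBX by its domain name, so the name
  #    appears in the SIP headers. Scanners target the bare IP, so their
  #    requests do not contain it and fall through to DROP below.
  run iptables -A SIP_IN -m string --algo bm --icase --string "$SIP_DOMAIN" -j ACCEPT

  # 3. Log a rate-limited sample of what is dropped so scanning stays visible.
  run iptables -A SIP_IN -m limit --limit 6/min -j LOG --log-prefix "SIP-DROP: "
  run iptables -A SIP_IN -j DROP

  # SIP over TCP on the same port: fixed addresses only. Do the same for the
  # TLS port if you enable SIP over TLS.
  for net in $TRUSTED_NETS; do
    run iptables -A INPUT -p tcp --dport "$SIP_PORT" -s "$net" -j ACCEPT
  done
  run iptables -A INPUT -p tcp --dport "$SIP_PORT" -j DROP
}

sip_rules
```

Run with DRY_RUN=0 as root to apply; the string match only inspects unencrypted SIP, so it cannot filter TLS traffic by name.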
I got that, I understand you can’t be 100% bulletproof with just the firewall efforts or more. The part that actually worries me is:
Why did FreePBX ever accept this call? Am I dealing with a bug here? Did I get the configuration wrong somewhere? From what I know about security practices, changing the port and such won’t really solve the issue.
Asterisk (less correctly, FreePBX) didn’t accept the registration, the negotiation failed :-
Request ‘REGISTER’ from ‘“2001” <sip:2001@179.35.1.75>’ failed for ‘185.35.64.142:6949’ (callid: vfrooihajxogvjyvitqfumynnhylpeynnywcjehkfpeiqvdvfy) - Failed to authenticate