Background info:
I’ve been running FreePBX for just over a year now and it has been incredibly stable with SIP trunks (no POTS). There are no ports forwarded as I am using SIP registration. Established/related traffic is allowed for time/system/firmware updates etc. Otherwise everything is on a private LAN behind a firewall.
Question:
This week I have been asked to connect a POTS line so that anyone who calls this legacy number will still get through until the contract runs out. Previously we were just using one separate phone. During testing the system connectivity between the SPA-3102 and the PBX, everything is fine. As soon as I connect the POTS line to the SPA-3102, I am receiving IPS messages from my firewall (current Unifi USG). This has occurred twice, both times about 10 minutes after connecting the SPA to the line. Since I have started using FreePBX, there have been no other IPS hits so this is new behaviour.
This is my IPS message:
Message: IPS Alert 2: Misc Attack. Signature ET TOR Known Tor Relay/Router (Not Exit) Node Traffic group 276. From: 193.224.163.43:11371, to: mypbxaddress:48860, protocol: TCP
As far as I know port 48860 is not in use for anything so I’m puzzled as to what this could be (it could also just be a false positive!). Any input would be greatly appreciated. Thanks.