I know how frustrated you feel. I know that feeling very well. Lucky you that it is ‘just’ a PBX: ransomware is boiling everywhere.
My few cents on mitigation.
- About the SIP provider: I have a low amount per refill (actually just $30, or any amount that meets your daily use) with a limited number of refills per day (just one). If this number is exceeded I will receive a mail notification, and I will know that:
  a) one of my users was hacked and his extension is being used for calls, or
  b) the PBX was breached, or
  c) business is doing great!! Increase the refill amount.
- SSH: I have SSH with no password, only an SSL key. Not difficult to set up and very effective. To stop the infinite login attempts, limit port 22 to a few familiar, known IPs or networks.
- HTTP: same as above. Limit who can do it.
- SIP/PJSIP ports: Why allow more than a couple of password attempts? I block the IP after the second failure. No exceptions. Ahh, you are blocking a legal user? Get your IP from any ‘get your IP’ web page and manually remove the lock. 99.9% of users leave the password on the app or phone, so only a hacker will ‘try’ different options.
- MySQL: only allow access from 127.0.0.1. Note: this is a VERY easy way to access your PBX.
- Use a virtual machine for your PBX, even a small one. Take frequent checkpoints: if you are in trouble, just go back to the last good one. Checkpoint after every change. Before you go back, inspect (or save) the logs for the autopsy.
- Use Fail2Ban: it is very effective and the default rules accomplish a lot.
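As an added example (not code from the post above), here is the "block after the second failure" rule from the SIP/PJSIP point run over a few constructed Asterisk-style authentication failure lines, with the "legal user" caveat handled by an allowlist of the admin's own known IPs. The log line formats are modelled on Asterisk's chan_sip NOTICE and security-event messages (exact wording varies by version), and the IPs, extensions and the allowlist are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines modelled on Asterisk chan_sip / PJSIP failure messages
# (exact wording varies by version; these are illustrative, not captured logs).
SAMPLE_LOG = """\
[2024-03-01 10:00:01] NOTICE[1201] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '203.0.113.7:5060' - Wrong password
[2024-03-01 10:00:02] NOTICE[1201] chan_sip.c: Registration from '"100" <sip:100@pbx.example>' failed for '203.0.113.7:5060' - Wrong password
[2024-03-01 10:00:05] NOTICE[1201] chan_sip.c: Registration from '"101" <sip:101@pbx.example>' failed for '198.51.100.20:5060' - Wrong password
[2024-03-01 10:00:09] SECURITY[1300] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="...",Severity="Error",Service="PJSIP",RemoteAddress="IPV4/UDP/203.0.113.7/5060"
[2024-03-01 10:00:11] NOTICE[1201] chan_sip.c: Registration from '"102" <sip:102@pbx.example>' failed for '192.0.2.9:5060' - Wrong password
[2024-03-01 10:00:12] NOTICE[1201] chan_sip.c: Registration from '"102" <sip:102@pbx.example>' failed for '192.0.2.9:5060' - Wrong password
"""

# chan_sip style: ... failed for '<ip>:<port>' - Wrong password
CHAN_SIP_RE = re.compile(r"failed for '(\d+\.\d+\.\d+\.\d+):\d+' - (?:Wrong password|No matching peer found)")
# PJSIP security-event style: SecurityEvent="InvalidPassword",...,RemoteAddress="IPV4/UDP/<ip>/<port>"
PJSIP_RE = re.compile(r'SecurityEvent="(?:InvalidPassword|ChallengeResponseFailed)".*RemoteAddress="IPV4/\w+/(\d+\.\d+\.\d+\.\d+)/\d+"')

MAX_FAILURES = 2  # the post's rule: block on the second failed attempt


def failed_ip(line):
    """Return the source IP of a failed SIP authentication attempt, or None."""
    for pattern in (CHAN_SIP_RE, PJSIP_RE):
        match = pattern.search(line)
        if match:
            return match.group(1)
    return None


def ips_to_block(log_text, known_ips=frozenset()):
    """Count failures per source IP and return those that reached MAX_FAILURES.
    known_ips (the admin's own addresses, looked up beforehand) are never blocked,
    so a mistyped password from a known address does not lock the admin out."""
    failures = defaultdict(int)
    blocked = []
    for line in log_text.splitlines():
        ip = failed_ip(line)
        if ip is None or ip in known_ips:
            continue
        failures[ip] += 1
        if failures[ip] == MAX_FAILURES:  # emit once, at the second failure
            blocked.append(ip)
    return blocked


if __name__ == "__main__":
    # 192.0.2.9 is treated as the admin's own (assumed) address, so its two failures are skipped
    print(ips_to_block(SAMPLE_LOG, known_ips={"192.0.2.9"}))  # -> ['203.0.113.7']
```

The returned list is what a firewall rule or Fail2Ban action would act on; 198.51.100.20 is left alone because it failed only once.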