I have several FreePBX distros configured on VPS environments. Each of them has different phones and gateways installed on them. I have been noticing what I believe to be hacking or fraud attempts on my PBX configurations. I am running the most current patches on all systems (FreePBX 14.0.5.1) and patch regularly. I am not running adaptive firewall, and each PBX is set to allow only the specific remote customer network to access them (and my office network for system management). The issue I have been seeing has happened both to a digital extension (i.e. a VoIP phone like the VVX 4410) and an extension defined as one port on a Grandstream gateway (gxw4008). The issue I am having is as follows.
Occasionally, I discover that the phone or gateway extension has been forwarded to *720112250100345, and in every case the originator is 6313387799 (but I suspect this is spoofed?). Somehow they are setting the same extension to call forward with *720112250100345 and then they call the extension in an attempt to have the PBX connect the overseas call. Fortunately my current system is configured to allow ONLY domestic calls, so in this case the fraud is prevented. I am baffled as to how they keep setting the same extension to call forward to the number above. I have changed the password to the extension 3 times but they still manage to set it to call forward all calls to the overseas number. I now check every AM that NO lines are call forwarded. I have since just disabled *72 (don't need it), but I am baffled as to how they did this on a gateway extension and a specific VoIP extension on 2 different PBX systems? In one case they were able to set call forwarding within only a few hours of setting up a new server! My VoIP phone user says he could see the 011 calls coming in as well, and when he answered it no one was there (phone would ring, 011 was displayed, he picked up, no one was there).
I suspect there is some process where they may have gleaned the MAC address of the extension/phone and are using TFTP to download the config and parsing it? (Could explain why it's always the same devices? Out of 100 phones/gateway ports, it's always the same 2.) Any suggestions?
- How do you password protect TFTP on FreePBX? I read text on protecting FTP and HTTP but not TFTP.
- On a standard Distro, running the regular install script, are there any internal passwords one must change when setting up a new system? I only changed the root and admin passwords as prompted in the install.
- I want to open up locations by enabling adaptive firewall, but I am worried; I can't seem to keep the closed system secured, let alone something open to any IP address.
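The daily "is anything forwarded" check described above can be automated. The script below is an added example, not code from the post or from the FreePBX project: it reads an AstDB dump (the output of `asterisk -rx "database show"`) and flags every call-forward entry, ranking international destinations first. It assumes the FreePBX convention of storing forwards in the AstDB families `CF` (all calls), `CFB` (busy) and `CFU` (unavailable); the sample dump embedded in it is constructed, with made-up extensions, and the only value taken from the post is the 011 destination that followed the *72 feature code.

```python
"""Audit FreePBX/Asterisk call-forwarding state from an AstDB dump (added example)."""
import re
import subprocess
from typing import List, NamedTuple

# Constructed sample of what `asterisk -rx "database show"` prints, trimmed to a
# few entries. Extensions 1001-1004 are made up; the 011 destination is the one
# reported in the post (digits after the *72 feature code).
SAMPLE_ASTDB_DUMP = """\
/AMPUSER/1001/cidname                             : Front Desk
/CF/1001                                          : 0112250100345
/CF/1002                                          : 6315550123
/CFB/1003                                         : 1004
4 results found.
"""

# AstDB families FreePBX uses for forwarding (assumed convention, see lead-in).
FORWARD_FAMILIES = ("CF", "CFB", "CFU")

# One AstDB line: "/FAMILY/key : value" with padding between key and colon.
DB_LINE = re.compile(r"^/([A-Z]+)/([^/\s]+)\s*:\s*(.*?)\s*$")


class Forward(NamedTuple):
    family: str       # CF, CFB or CFU
    extension: str    # the forwarded extension (AstDB key)
    destination: str  # where calls are sent (AstDB value)


def parse_forwards(dump: str) -> List[Forward]:
    """Extract every call-forward entry from an AstDB dump; other families are ignored."""
    found = []
    for line in dump.splitlines():
        m = DB_LINE.match(line)
        if not m:
            continue
        family, key, value = m.groups()
        if family in FORWARD_FAMILIES and value:
            found.append(Forward(family, key, value))
    return found


def is_international(destination: str, trunk_prefix: str = "011") -> bool:
    """True if the destination dials overseas: NANP 011 prefix or E.164 '+' form."""
    if destination.startswith("+"):
        return True
    digits = re.sub(r"\D", "", destination)
    return digits.startswith(trunk_prefix)


def audit(dump: str, internal_len: int = 4) -> List[str]:
    """One finding per forward, worst first: CRITICAL (international), WARN
    (external number), INFO (internal extension of internal_len digits or fewer)."""
    findings = []
    for fwd in parse_forwards(dump):
        digits = re.sub(r"\D", "", fwd.destination)
        if is_international(fwd.destination):
            level = "CRITICAL"
        elif len(digits) > internal_len:
            level = "WARN"
        else:
            level = "INFO"
        findings.append(f"{level} ext {fwd.extension} {fwd.family} -> {fwd.destination}")
    order = {"CRITICAL": 0, "WARN": 1, "INFO": 2}
    findings.sort(key=lambda f: order[f.split()[0]])
    return findings


def live_dump() -> str:
    """Read AstDB from a local Asterisk; fall back to the constructed sample if absent."""
    try:
        out = subprocess.run(["asterisk", "-rx", "database show"],
                             capture_output=True, text=True, timeout=10)
        if out.returncode == 0:
            return out.stdout
    except (OSError, subprocess.TimeoutExpired):
        pass
    return SAMPLE_ASTDB_DUMP


if __name__ == "__main__":
    for line in audit(live_dump()):
        print(line)
```

Run it from cron on each PBX and alert on any CRITICAL line; an empty result is the expected state when *72 is disabled and nothing should be forwarded.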