Help? Please :)

Hello All!

I am going to be very upfront, I have absolutely NO KNOWLEDGE of VoIP systems. I am learning because I just inherited a Asterisk based phone system at work-it’s a very… “homebrew” type thing, managed by about 7 different individuals. I wasn’t really formally trained on the system.

So, I recently got our internet speed upgraded and have had problems with the phone system ever since. Our usable IP, gateway, dns, etc did change.

Our system contains:

25 extensions

25 phones (mostly Cisco SPA303’s and several Polycom’s)

3 SIP/Trunks (1 for international calling and 2 numbers from the same provider)

Linus server with Elastix running

Symptoms:

outbound calls and internal extension calls work fine

after restarting the system via the Asterisk CLI via FreePBX (2.9), inbound calls will work for approximately 25 minutes, then the calls will go to a voicemail(? nobody is even sure how this is possible).

Elastix logs (pictured) are showing a HUGE amount of congestion(?) that aren’t even ‘real’ numbers, lasting seconds and showing as answered.

I have contacted our SIP/Trunk providers and they are saying the problem is on my end. It is imperative that I get this system back up and running.

After speaking with others that have some sort of experience with the phone system, their suggestion is to upgrade the system-it’s very, very old and has been restored 100 times via very old backups. Where would I even start with this endeavor?

After poking around, I realized all the inbound “congestion” is a number that is 4 digits + the static IP
This 4 digits go up by one digit each time.

IMG_20180602_172818%20(1)1335×669 240 KB

Can somebody PLEASE help?

Your system is not well secured, and the congestion entries you see in the CDR are malicious users attempting (and failing) to gain access. It’s waaaay past end of life and ready for a well deserved retirement.

You do have a path forward. Using this script, you can migrate your settings to a new supported install:
https://wiki.freepbx.org/display/PPS/Elastix+and+PBXinaFlash+to+FreePBX+Distro+Conversion+Tool

If you need assistance, you can ask here in the forum, or paid support is available from Sangoma:

To amplify a couple of things:

Elastix is no longer a supported platform. It was an off-shoot of FreePBX and was supported by a commercial entity that has since been bought and dismantled by 3CX (IIRC).

The version of FreePBX you are on (2.9) is Several major versions old (like somewhere between 4 and 6). Newer versions of the systems have integrated Firewall Support built in, which would benefit you greatly.

I’m not normally one that throws out a suggestion to bow to our corporate overlords (just kidding - ) but this might be a good time to buy some support. Get the system up-to-date, get the configuration transferred over, and get back online. Once you are back up and running, start looking at the system and, if you have questions, come back to us and we will be able to help you understand whatever mysteries may still exist.

Paid support here is really good, so it’s money well invested, especially if the current situation is costing you money.

I agree.

Considering all three factors,

1. Your system being improperly secured and subject to continuous intrusion attempts
2. Your system being beyond end of life and support
3. You being new to VoIP systems

your best course of action is to go to Sangoma support and pay them to upgrade and secure your system.

At this point in the conversation, you should expect to get the push-back from management: “That’s too much money.” They are paying you to do it, and they want to get a return on that investment. For those of us that have been here for a while, this part of the conversation it altogether too familiar.

When confronted with this, here are a few simple facts:

• All it takes is one improperly secured extension to cost you thousands of dollars in illicit long distance charges. Spending a few hundred on technical support at this juncture will prevent that.
• Your time has value - watching and learning how to manage the system while the experts update it will be a good training example for you. It’s cheaper than sending you to Toronto for a week.
• The current system is not meeting your needs, but replacing it with anything else is going to cost (perhaps tens of) thousands of dollars, and you phones will be out for however long those experts take to install your new system.

However as a start, we can help you fix those intrusion attempts.

Let us know a bit more about your setup.

1. Is your VoIP server directly connected to the internet or behind a NAT firewall?

2. Do you have roaming remote users, i.e. people with soft clients on their cell phones registering to your phone server?

If your Elastix server is on a private network behind a NAT firewall, then there is an easy fix.
Just restrict your firewall to allow SIP traffic through port 5060 (most likely) only from the IP addresses of your voice service provider.

1. Internet -> router -> switch -> phone server

This is how it was explained to me

2. We have a few sales guys and I believe their extensions ring through to their cell phones.

Is that some kind of follow me setup where if you dial their extensions, the system also calls their cell phone numbers (10 digit number), or do they have a soft client application installed on their cell phones that registers as an extension to your phone server?

I believe it is a setup to dial the 10 digit # when you dial their extension.

That’s good.
Then look at your firewall and you will probably see port 5060 (maybe another one) being forwarded to the internal IP address of your PBX with any IP address being allowed inbound.
That means that everybody on the internet can try and register an extension to your system, if they guess an existing extension/password combination. Once they succeed they then can make calls on your dime.
That’s especially harmful if you have international calling enabled cause that gets expensive very quickly.

These “4 digits go up by one digit each time” registration attempts are automated scripts on the internet probing your system until they succeed.

1. Verify on your router/firewall that port 5060 (maybe another one) is forwarded to your internal phone server.
2. Call your SIP provider(s) (Broadvoice?) and ask them from what IP addresses they are sending SIP signaling from.
3. Then go to your firewall and restrict port forwarding to 5060 to only allow SIP signalling from your provider’s IP addresses.
4. Make plans to upgrade your system to the latest FreePBX version

Once we get the firewall problem solved, we can start looking at how the rest of the system works. This an incredibly flexible system with lots of moving part. There are at least five ways to solve the simple problems, and at least one way to solve even the most complex.

Hello, I found something more on the asterisk log. I’m not sure if this will help, but i figure it couldn’t hurt?

This is someone trying to register extension 98 to your system from IP address 69.175.42.155, but getting denied because it’s the wrong password or 98 doesn’t exist on your system.

My guess is that those are malicious attempts to exploit your server.
Are you seeing more of those?

Also, it’s a good policy to obfuscate your own public IP when posting in public forums like this.
You wouldn’t want the world to know that you have an insecure VoIP server and give them the address to reach it at.

Can you look at the port forwarding rules on your router/firewall?

Yes, I can see the port forwarding rules on the router, and I have blocked 69.175.42.155

Which ones do you have?

Port 5060 forwarded to your server?
Can you post those rules?

What router is that, and does it let you whitelist port forwarding rules, i.e. restrict inbound traffic to only specific IP addresses?

And with those screenshots, is there something more to the right which you haven’t captured, such as a destination to which you are forwarding traffic to, and which of those services are forwarded to the IP adress of your phone system?

I am not familiar with the router you have, but if those are indeed all inbound rules and it looks like it, do you have a whitelist policy in place that only allows known IP addresses in?

all of the asterisk forwarding goes to the phone server