So the company I work for has asked me to help with our phone system. I have some (but not a lot of) experience with FreePBX and VoIP in general. The issue we're having right now is that on some days we just can't make outbound calls. The phones return a busy message. If you try to make a call over and over, you might get lucky and get out after 20 tries or so.
When I look in our CDR, I see a lot of what you see in this image:
This number, and others like it, are hitting our system thousands of times per day. That one instance at 08:14:25 goes on for 3 pages! Can anyone tell me what it is this guy is trying to do? (I have some idea, but I'd like to hear what the experts think.) More importantly, how can I stop him? I've tried blocking the phone numbers he uses, but he just uses another one, usually almost instantly.
Can anyone help me? Thanks in advance!
Looks like you are being scanned in an attempt to hack into your system.
Can anyone help me understand how he is doing this?
Is he connecting via IP, or is he just calling into our system from an outside phone line?
I am planning on implementing some more security tonight or tomorrow night, such as turning off anonymous SIP calls and only allowing certain IPs to use port 5060 on our firewall.
Will this stop what is happening? Or do I need to come up with a way to block certain outside calls?
It’s probably an automated attack. I say “probably” but I don’t know how a human would physically make that many attempts within the same millisecond.
Set Allow Anonymous Inbound SIP Calls to “No”.
And/or, since you can't really make any phone calls anyway, maybe start by disabling the incoming ports at the firewall. Then from that point you can move forward in bringing the system back up one step at a time, allowing only known IPs or however you see fit for your environment.
Pay attention to firewall logs and Asterisk logs during this process and monitor them moving forward.
Close your firewall ports 5060-5061. Mine are closed and I have not seen an attack since; they are only needed if you use external devices anyway. As MKEbrew mentioned, also close Anonymous Inbound SIP.
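As an added example (not code from this thread or from the FreePBX project), the following Python script ties together the two pieces of advice above: watching the Asterisk logs to see which sources are hammering the box, and then admitting only known addresses to 5060/5061 at the firewall. The log lines are constructed samples in the shapes Asterisk writes to its security log (res_security_log) and to the main log for chan_sip registration failures and rejected calls; the trunk range 198.51.100.0/24, the LAN range 10.0.0.0/24, the threshold of 5 and the use of the iptables INPUT chain are all assumptions for the example and should be replaced with your own values.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Hypothetical addresses for the example: the SIP trunk provider's range and
# the office LAN where the desk phones live. Replace with your own.
TRUNK_NETS = [ip_network("198.51.100.0/24")]
LAN_NETS = [ip_network("10.0.0.0/24")]
SIP_PORTS = ("5060", "5061")
THRESHOLD = 5  # flag a source once it has this many refused attempts in the sample

# Shape of a res_security_log line: SecurityEvent comes first, RemoteAddress later.
SECURITY_RE = re.compile(
    r'SecurityEvent="(?P<event>[^"]+)".*?'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(?P<ip>[^/"]+)/\d+"'
)
# Shape of the chan_sip NOTICE lines for failed registrations and rejected calls.
REG_FAIL_RE = re.compile(
    r"Registration from '[^']*' failed for '(?P<ip>[0-9.]+):\d+' - (?P<reason>.+)$"
)
CALL_REJECT_RE = re.compile(
    r"Call from '[^']*' \((?P<ip>[0-9.]+):\d+\) to extension '(?P<ext>[^']*)' rejected"
)
# Security events that mean a request was refused; SuccessfulAuth etc. are not counted.
FAILURE_EVENTS = {"FailedACL", "InvalidAccountID", "InvalidPassword", "RequestNotAllowed"}


def sec_event(event, ip, account="1001", severity="Error"):
    """Build one constructed res_security_log line for the sample below."""
    return (
        "[2019-05-14 08:14:25] SECURITY[2310] res_security_log.c: "
        f'SecurityEvent="{event}",EventTV="1557821665-000000",Severity="{severity}",'
        f'Service="SIP",EventVersion="1",AccountID="{account}",SessionID="0x7f3e4c00a8b0",'
        f'LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/{ip}/5060"'
    )


# Constructed sample: one scanner walking account IDs, the trunk provider (trusted,
# one bad password must not get it blocked) and a single stray registration attempt.
SAMPLE_LINES = (
    [sec_event("InvalidAccountID", "203.0.113.10", account=str(n)) for n in range(1001, 1005)]
    + [
        "[2019-05-14 08:14:25] NOTICE[2310] chan_sip.c: Registration from '\"1001\" <sip:1001@10.0.0.5>' failed for '203.0.113.10:5060' - Wrong password",
        "[2019-05-14 08:14:26] NOTICE[2310] chan_sip.c: Call from '' (203.0.113.10:5060) to extension '00441234567890' rejected because extension not found in context 'from-sip-external'.",
        sec_event("SuccessfulAuth", "198.51.100.20", account="trunk", severity="Informational"),
        sec_event("InvalidPassword", "198.51.100.20", account="trunk"),
        "[2019-05-14 08:14:30] NOTICE[2310] chan_sip.c: Registration from '<sip:201@10.0.0.5>' failed for '192.0.2.77:5062' - No matching peer found",
    ]
)


def is_trusted(ip):
    """True if the address belongs to the trunk provider or the LAN."""
    addr = ip_address(ip)
    return any(addr in net for net in TRUNK_NETS + LAN_NETS)


def classify(line):
    """Return (source_ip, reason) for a line recording a refused SIP attempt, else None."""
    m = SECURITY_RE.search(line)
    if m:
        return (m.group("ip"), m.group("event")) if m.group("event") in FAILURE_EVENTS else None
    m = REG_FAIL_RE.search(line)
    if m:
        return m.group("ip"), m.group("reason").strip()
    m = CALL_REJECT_RE.search(line)
    if m:
        return m.group("ip"), f"call to {m.group('ext')} rejected"
    return None


def offenders(lines, threshold=THRESHOLD):
    """Count refused attempts per source and return {ip: count} for untrusted sources
    at or above the threshold. Trusted nets are skipped so a mistyped trunk password
    never ends up blocking the provider."""
    counts = Counter()
    for line in lines:
        hit = classify(line)
        if hit is not None:
            counts[hit[0]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold and not is_trusted(ip)}


def firewall_rules(offender_map, trusted=None, ports=SIP_PORTS):
    """Emit iptables commands in evaluation order (-A appends, so list order is rule
    order): drop flagged sources outright, accept SIP only from trusted nets, then
    drop SIP from everyone else. Assumes no earlier ACCEPT for these ports in INPUT."""
    trusted = TRUNK_NETS + LAN_NETS if trusted is None else trusted
    dports = ",".join(ports)
    rules = [f"iptables -A INPUT -s {ip} -j DROP" for ip in sorted(offender_map, key=ip_address)]
    for net in trusted:
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A INPUT -s {net} -p {proto} -m multiport --dports {dports} -j ACCEPT")
    for proto in ("udp", "tcp"):
        rules.append(f"iptables -A INPUT -p {proto} -m multiport --dports {dports} -j DROP")
    return rules


if __name__ == "__main__":
    flagged = offenders(SAMPLE_LINES)
    for ip, n in flagged.items():
        print(f"{ip}: {n} refused attempts")
    print("\n".join(firewall_rules(flagged)))
```

The per-source drop rules only matter while you still have to leave the SIP ports reachable for remote phones; once the final allowlist is in place they are belt and braces. On a real box, run this over /var/log/asterisk/full (or the security log, if enabled) before closing the ports so you can see the pattern yourself; the FreePBX Distro's fail2ban and Firewall module do the same kind of per-source banning automatically.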