Incoming call spam on one extension but no logs or CDR

Hi gang, I have a FreePBX box with a couple dozen extensions. It’s strictly VoIP trunks but I’m forced to leave 5060 and some RTP ports open to all IPs as a lot of people work from home with dynamic IPs. One of the extensions (Polycom 331) in our office started getting constant calls from the number 442075005000, which apparently was used 5 years ago in a DoS attack against CitiBank. It started as we left for the night, and continued the next day until I came in the afternoon. Nothing was showing up in CDRs, or in Asterisk logs. I didn’t think to turn sip debug on, but I ended up deleting the extension altogether and set the phone up on a new one and so far so good. But I’m afraid the call gremlin might come back.
I have “Allow SIP Guests” and “Allow Anonymous Inbound SIP Calls” set to “no”. Is there any other precaution I can take other than forcing everyone to get a VPN router for their house?

Simple solution, don’t use udp/5060 for sip registrations.

Newer versions of Asterisk and fail2ban with no guest or anonymous sip connections allowed are pretty effective also.

(Don’t use udp/5060 for sip invites either :slight_smile: )

Using a random port for SIP is my endgame plan; right now I’m running Asterisk 1.8.26.1 and fail2ban with no guest or anon SIP and it has been pretty good until this. Now to just talk 12 work-at-home employees into coming in on a Sunday so I can reprogram all their different model phones to the new SIP port :smiley:

Thanks dicko, also I hope I didn’t get old info, but I also just added “alwaysauthreject=yes” to “Other SIP Settings” under Asterisk SIP Settings in the GUI. Didn’t know if this is on by default nowadays?

I would suggest you go to Asterisk 10 at least, then you can avail yourself of the increased “security” output in your log files that will, with the collusion of a properly set up fail2ban, actually identify the IP of the intruder and ban them at iptables.
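To show what that “security” output gives fail2ban to work with, here is an added example (not code from this thread or from the FreePBX project): a small Python parser over constructed Asterisk 10+ security-log lines that applies the same sliding-window rule fail2ban uses (`maxretry` failures inside `findtime` seconds) to pick out the addresses worth banning. The line layout, event names and the IP addresses in the sample are assumptions made for the example; the real log on your box is what matters.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the layout Asterisk 10+ writes via res_security_log.
# 203.0.113.9 hammers several accounts in a few seconds; 198.51.100.20 is a
# phone that mistypes its secret once and then registers fine. The VERBOSE
# line is there to show that non-security lines are ignored.
SAMPLE_SECURITY_LOG = """\
[2014-03-02 22:15:01] SECURITY[2841] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1393798501-123456",Severity="Error",Service="SIP",EventVersion="1",AccountID="100",SessionID="0x7f3c1c0",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2014-03-02 22:15:03] SECURITY[2841] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1393798503-223456",Severity="Error",Service="SIP",EventVersion="1",AccountID="101",SessionID="0x7f3c1c1",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2014-03-02 22:15:04] VERBOSE[2841] chan_sip.c: Really destroying SIP dialog '1234@203.0.113.9' Method: REGISTER
[2014-03-02 22:15:04] SECURITY[2841] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="1393798504-323456",Severity="Error",Service="SIP",EventVersion="1",AccountID="102",SessionID="0x7f3c1c2",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2014-03-02 22:15:06] SECURITY[2841] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1393798506-423456",Severity="Error",Service="SIP",EventVersion="1",AccountID="103",SessionID="0x7f3c1c3",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2014-03-02 22:15:09] SECURITY[2841] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="1393798509-523456",Severity="Error",Service="SIP",EventVersion="1",AccountID="104",SessionID="0x7f3c1c4",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
[2014-03-02 22:16:00] SECURITY[2841] res_security_log.c: SecurityEvent="InvalidPassword",EventTV="1393798560-623456",Severity="Error",Service="SIP",EventVersion="1",AccountID="105",SessionID="0x7f3c1c5",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2014-03-02 22:16:02] SECURITY[2841] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="1393798562-723456",Severity="Informational",Service="SIP",EventVersion="1",AccountID="105",SessionID="0x7f3c1c6",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
"""

# Event types that mean a SIP request was rejected; a burst of these from one
# address is exactly the signal a fail2ban filter keys on.
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword",
                  "ChallengeResponseFailed", "FailedACL"}

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] SECURITY\[\d+\] \S+: '
    r'SecurityEvent="(?P<event>\w+)".*?'
    r'RemoteAddress="IPV[46]/(?:UDP|TCP|TLS|WS|WSS)/(?P<ip>[^/"]+)/\d+"'
)


def parse_security_log(text):
    """Yield (timestamp, event, remote_ip) for every parsable security line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["event"], m["ip"]


def failures_by_ip(text):
    """Map each remote IP to the sorted timestamps of its failure events."""
    hits = defaultdict(list)
    for ts, event, ip in parse_security_log(text):
        if event in FAILURE_EVENTS:
            hits[ip].append(ts)
    return {ip: sorted(times) for ip, times in hits.items()}


def find_ban_candidates(text, maxretry=5, findtime=600):
    """Return the IPs that produced >= maxretry failures inside any window of
    findtime seconds, i.e. the addresses fail2ban would hand to iptables."""
    window = timedelta(seconds=findtime)
    banned = []
    for ip, times in failures_by_ip(text).items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= maxretry:
                banned.append(ip)
                break
    return sorted(banned)


if __name__ == "__main__":
    for ip in find_ban_candidates(SAMPLE_SECURITY_LOG):
        print(f"ban candidate: {ip}")
```

The single failure from 198.51.100.20 never reaches the threshold, which is the whole point of pairing `maxretry` with `findtime`: a phone with a mistyped secret is not banned, a scanner walking through account numbers is.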

12 specific NAT rules would save the employees the trip, possibly fewer if they share ISPs. Allowing large ISPs like Comcast or TW at the /16 network level is rarely harmful and the users will almost always remain dynamic within that subnet (sip show peers a few days in a row).
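As an added example of the “sip show peers a few days in a row” check (this is not code from the thread or from FreePBX): a Python script that reads several captured `sip show peers` outputs, records where each dynamic peer registered from, works out the /16 networks that cover everything seen, and flags any peer that roamed across more than one /16, since that peer would need its own rule or a wider block. The snapshots, extension numbers and IP addresses below are constructed; the `sip show peers` column layout is assumed to be the one Asterisk 1.8 prints.

```python
import ipaddress
from collections import defaultdict

# Constructed snapshots of `sip show peers` from two different days.
# Extension 101 moves but stays inside one /16, 102 roams to a different
# provider, 103 was offline during the first capture.
SNAPSHOTS = [
"""\
Name/username              Host                                    Dyn Forcerport ACL Port     Status
101/101                    203.0.113.45                            D   N             5060     OK (12 ms)
102/102                    198.51.100.7                            D   N             5060     OK (40 ms)
103/103                    (Unspecified)                           D   N             0        UNKNOWN
3 sip peers [Monitored: 2 online, 1 offline Unmonitored: 0 online, 0 offline]
""",
"""\
Name/username              Host                                    Dyn Forcerport ACL Port     Status
101/101                    203.0.113.201                           D   N             5060     OK (15 ms)
102/102                    192.0.2.33                              D   N             5060     OK (55 ms)
103/103                    198.51.100.88                           D   N             5060     OK (31 ms)
3 sip peers [Monitored: 3 online, 0 offline Unmonitored: 0 online, 0 offline]
""",
]


def parse_sip_show_peers(text):
    """Yield (peer_name, ip_address) for each registered dynamic peer in one snapshot."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("Name/") or fields[1] == "(Unspecified)":
            continue                      # header line or peer not currently registered
        if "D" not in fields[2:4]:        # static peers do not need an allow rule
            continue
        try:
            yield fields[0].split("/")[0], ipaddress.ip_address(fields[1])
        except ValueError:
            continue                      # trailer line or anything else that is not an IP


def addresses_by_peer(snapshots):
    """Collect every address each peer was seen at across all snapshots."""
    seen = defaultdict(set)
    for snap in snapshots:
        for name, ip in parse_sip_show_peers(snap):
            seen[name].add(ip)
    return dict(seen)


def allow_list(snapshots, prefix=16):
    """Return (subnets, roaming): the sorted /prefix networks covering all
    addresses seen, and the peers whose addresses span more than one of them."""
    nets = set()
    roaming = []
    for name, ips in addresses_by_peer(snapshots).items():
        peer_nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip in ips}
        if len(peer_nets) > 1:
            roaming.append(name)
        nets |= peer_nets
    return sorted(nets), sorted(roaming)


def iptables_rules(subnets, port=5060):
    """Build allow rules for the observed subnets plus a final drop for the SIP port.
    Hypothetical rule shape for illustration; adapt to the chain your firewall uses."""
    rules = [f"iptables -A INPUT -p udp --dport {port} -s {net} -j ACCEPT" for net in subnets]
    rules.append(f"iptables -A INPUT -p udp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    subnets, roaming = allow_list(SNAPSHOTS)
    for peer in roaming:
        print(f"peer {peer} registered from more than one /16; needs its own handling")
    print("\n".join(iptables_rules(subnets)))
```

Run it against a few days of real captures rather than two: the more snapshots, the more confident you can be that a /16 actually holds for a given employee before you lock 5060 down to that list.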