I have experienced the most expensive lesson in my life.
Getting into to the topic.
I have FreePBX installed in my office, also connected with GSM card and fonet.dk that provides me a number.
I have two IP phones set up with FreePBX everything was working fine till today. It started when number “000” called twice on my phone. To get know what the fuck is going on I went to “Call Logs” in FreePBX.
What I saw was very wierd. It was many calls made buy diffrent caller IDs that I dont have. I was very worried that someone called from my PBX and I wasnt wrong. I found out that my bill is 1000Euros higher then it supposed to be.
All calls was made from this GSM card number.
Please help me to secure this system.
What version of FreePBX were you on?
Do you have easy to guess passwords?
Do you allow anonymous or guest SIP connections?
Do you have a strict firewall policy that only allows trusted hosts in on SIP?
Have you explored fail2ban?
This list is probably close to the top four mistakes made.
My password is not easy. It has number, symbols and is 18 characters long.
It is set to NO.
Couple ports was open probably for all devices. But I disabled ports forwarding to PBX and after connecting it into a network I have strange logs in the CDR Logs “from-sip-external”.
Yes, I have installed fail2ban-0.8.11
Thank you for your respond.
Is there a way to disallow all calls from my pbx, so I can connect it to the network?
I have found out that “Allow SIP Guests” was on YES. I switched it to NO. And no stragne calls for now.
If you have no external devices, I.E. Softphones that need out of your local network access. You can shut down ports 5060 - 5061, this stopped a lot of crap trying on my systems.
Closing 5060 - 5061 will keep out the kiddies, but you should tighten down your firewalls too. Others may tell you different, but for me, right now I do not see anything weird in my logs and have not for many, many months.
If you are unsure of what you need to do, Freepbx has some great paid support that can help you out.
It appears that Allow SIP Guests default is yes?
I have no idea, but in my case “Allow SIP Guests” was on YES. That was the problem.
I moved 17 posts to a new topic: Security/Firewall Discussion