Only remote extensions getting random brute force calls

Hey everyone,
I remember when originally setting up my FreePBX box, I read of people with an issue of extensions getting calls from random numbers all night and day, and it being because brute forcers sending calls on 5060. To prevent this, I blocked 5060 except for a small list of approved IP addresses that have remote extensions, and disabled both SIP Guests and Anonymous SIP calls in “Asterisk SIP Settings”. Yet a few extensions continue to be bombarded with these calls. There is a possible pattern though, when I do a “sip show peers”, the problematic extensions seem to have 5060 as their remote port. Could brute forcers be hitting these phones directly, and not through the actual FreePBX server?

UPDATE: Confirmed it’s only the extensions with their ports showing as 5060 that are getting the calls. Is there a way to have freepbx(asterisk) force the extension to use a port other than 5060? Or is it a local device config only?

Yes that means people are sending the calls right to the device and not through asterisk. Are these all remote devices and do you have port 5060 opened on a firewall to them?

I’m starting to read into this and these script kiddies. The ones with problems are all remote extensions, and they show they are connected to FreePBX via port 5060. The extensions at the other offices using 5061 or other random ports dont have the issue. The remote offices have bupkiss for firewall, basically whatever Comcast set them up with (Gateway)
I didn’t think they could make the phones ring via a direct call without port fowarding being set up? Learn something new everyday

If you are using Endpoint Manager or another means of auto-provisioning the extensions, just change the local port on all of them to something other than 5060.

If you originally configured the phones manually, you’ll probably have to change the port manually for each one.

If the extensions have qualify=yes and/or are using a short registration expiry, you shouldn’t need to forward any ports.

Thanks everyone, I was able to fix this issue buy setting extensions never to use 5060 as their local port