Unfortunately our PBX has been compromised and I’m trying to figure out how they did it. More importantly how to stop it happening again.
I have a freepbx 2.6.0.2 Asterisk 1.4.23.1 supporting several clients. Recently our system was compromised by using an extension to dial out to various destinations. I think they were using one of our test routes with a prefix 900. I have attached a log that hopefully maybe useful. I’m not an expert and hope that I have given as much info as possible.
Any help is appreciated.
An example of dialled number using Ext. 202 is 90037127691116.
Sorry to take so long in replying. Yes it is connected to the Internet. We use a web hosting company and have a virtual server. I assume it’s open to all unless I can controll which port can be used with in the server.
If you run a system open to the internet, you are begging to have this happen.
If you run a system with an older version of Asterisk (current is 1.8.x) or an older version of FreePBX (current is 2.10), you are also begging for this to happen.
Use The FreePBX Distro.
If you are going to run a hosted installation, you must learn how to configure IPTables.
All seems to be ok but when I test it by trying to connect to the pbx with the wrong password it does not ban me. My ip address is not in the accept rule. When I run iptables -L –v it shows the correct output. I have tried to change the log path from /var/log/asterisk/full to /var/log/secure but it still does not look like it’s working. I assume if I check in /var/log/asterisk/fail2ban.log it should show references to drop ip address.
kibs - Not sure how this relates to FreePBX. We include a working fail2ban in our distro.
You may have better luck in the fail2ban mailing list?
If you are hoping someone here knows and is willing to help you need to make it easy on them and tell them what type of PBX if running an ISO distro (such as PBX In a Flash, Elastix etc.), need OS version and all config and jail files need to be organized and neatly posted (use the [code]tags[/code]