PBX Hacked and Scheduling when calls are allowed


On a different but related note, allowing “*” to be dialed in voicemail is still a bad thing security wise correct?

(Luke C) #42

In the Advanced Settings this should be set to = YES

Disallow transfer features for inbound callers

Disallow transfer features (Normally ## and *2) for callers who passthrough inbound routes (Such as external callers)


yep, that’s set to “YES”

I was referring to “Disable (*) in Voicemail Menu” in the extensions > Voicemail page


I have noticed that almost all of the hack attempts involve extension 1000 or 1001. So I created a dialplan that allows them to connect, but no matter what they dial, it goes to a recording of a woman screaming bloody murder and a man cussing them out in Hindi.

I laugh my butt off listening to the resulting recordings.
They are always in the Mid East, usually Pakistan.

So while all the previous advice is true, also lock down outbound calling from 1000-1001.


Are you listening on UDP/5060 for your SIP INVITES? If so how are you protecting yourself from crazy Hindi Ladies?

(Tom Ray) #46

When the provisioning side has been compromised and configs where pulled, the listening port is academic as they would know the port to use. It is in the config they got.


absolutely nothing allowed on 5060. we are pjsip now, and tls, all the good stuff. I have multiple routes from the edge firewall that allow SIP traffic from my preset know ranges from my provider. The rest are treated as garbage.

If you even send one packet on 5060 my edge firewall will block your subnet for 1 year. (fail2ban)

Yes, there were some problems getting all my friends and family to NEVER attempt to connect on SIP, but we got there.


I can pretty well assure anyone that if you are listening on UDP/5060 you are chasing a rabbit down a hole, how about just not doing that? (that is not academic , just pragmatic)


Not connecting on SIP by any means is counterproductive, (no calls) . On what protocol/port are the Hindi ladies connecting to you? If using only using SIPS on the port of your choice, by default 5061, you might have to suspect your cert has been compromised


Port 5061, and what Hindi ladies?
I’m not understanding.

We switched to PJSIP years ago.


I thought I read that you are now only allowing TLS?

we are pjsip now, and tls, all the good stuff.

was I confused?


my post was disjointed and not clear.

Legit traffic is on secure ports.
However, I allow insecure traffic too, and it is routed into a “walled garden” where hackers spend hours trying to make calls and get frustrated when they don’t work.

I have recordings of these. In one, i can here the guy’s radio playing while he is trying to dial out from my system. I can hear talking from his end in Farsi.

It is my mission to mess with these people to the absolute limits of my abilities. It is my calling in life.


These guys will mess with you way better than you can ever mess with them, because they are almost certainly ‘way cleverer’ than you.

If you want to take my advice, just disable UCP and TCP after TLS is working

Just a point of correction ‘Farsi’ is a language that Persian/Iranian people speak, Hindi on the other hand is one of the many languages spoken by the Ladies (and Gentlemen) of the Indian sub-continent, (no matter how excited they get)


OMG, I have a girl from Tehran on my team, I know what Farsi is.
The recording in Hindi is for the Indian telemarketers, completely different subject. Jesus.

As for them being better than me, NO. Just no. I got into Asterisk 15 years ago JUST FOR THIS purpose.


I knew a girl from Mumbai once, we often spoke about the price of bacon going up ;-).

You really spent 15 years trying to stop spam?

Gotta say that so far you have failed miserably :slight_smile: Stick with TLS, it works


Thanks for the tip!
Just sayin, all my users are TLS. Currently 1.2, working on getting them to 1.3 now. To deliver an outside call you need to be on VPN with 2-factor.

Security is my day and night job. hence the great-dane in my avatar. We take it extremely seriously.


No problem with security belt on top of belt and braces,

I don’t think my clients would accept 2fa for a simple phone registration though.

How many bad actors have you bought to justice so far in 15 years?


More importantly what’s your procedure for getting TLS to work reliably?

(system) closed #59

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.