Random calls from phantom internal extension

I’ve just set up my first FreePBX installation, and I seem to be getting a lot of calls from phantom internal extensions. The Caller ID shows up as 1000, and there is about 5 seconds of silence and then it disconnects.

The Master.csv call log shows the following:
"","1000","5","from-did-direct","""1000"" <1000>","SIP/PUB.LIC.IP.ADD-00000002","SIP/5-00000003","VoiceMail","5@default,b"""","2012-11-23 04:18:51","2012-11-23 04:19:06","2012-11-23 04:19:20",29,14,"ANSWERED","DOCUMENTATION","1353644331.2",""

Any ideas? Anything else I can post to help diagnose?

You don’t need to post anything. Your system either has a public IP or you have SIP and RTP forwarded to your PBX. You are getting hacked and probed.

I suggest you increase your security.

Thanks. I do have a public IP.

I’ve been playing around with the security of my FreePBX installation which is hosted on a public IP address. So for example, port 80 is only accessible from 2 IP addresses - home and the office. Ports 5060 and 5061 are only accessible to 3 IP addresses - home, the office and our VOIP provider (voicemeup). All of my passwords are secure.

While this appears to have worked in stopping others getting access to our system, it obviously greatly reduces the flexibility of a VOIP installation. For example, it would now be impossible for me to log in to my extension from a mobile device, or on a softphone at a public hotspot.

Any suggestions on somewhere I can learn more about this? I’ve been looking all morning, but can’t seem to find much about security settings on a public IP address.

Would changing the ports from their defaults provide much benefit? So moving http off of Port 80, and voip traffic off of 5060, since ‘hackers’ wouldn’t be probing those ports?

Brian

You don’t need port 80 for voice service, take that off the table. If you need remote admin access change the SSH port to something other than 22 and only allow login from one account with a secure username and password. Once in you can SUDO to root. You can turn that up a notch by requiring a preshared certificate.

Once logged into SSH you can access FreePBX (and other http apps) using the web proxy built into PuTTY.

As far as SIP, there are a ton of articles. Our distro includes fail2ban, a useful tool that blocks IP addresses after 3 failed SIP auth events. You can also put a SIP proxy in front of Asterisk and let it take the abuse.

Personally I think that fail2ban + a stateful software firewall such as my favorite, the apf firewall (easy install on CentOS). Lastly, use a geo-block on countries that you don’t need to access your system (I also block all Amazon cloud server netblocks).

Thanks - that is really helpful.
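
An added example, not part of the original thread or written by any poster: a Python check that scans Master.csv for records like the one in the first post, where the caller ID claims an internal extension but the SIP channel is named after an IP address. The 2 to 5 digit extension pattern, the sample rows and the 203.0.113.7 address are constructed assumptions, and the column order is that of Asterisk's CSV call log.

```python
import csv
import io
import re

# Column order of Asterisk's cdr_csv output (Master.csv).
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
          "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
          "duration", "billsec", "disposition", "amaflags", "uniqueid",
          "userfield"]

# Channel names look like SIP/<name>-<8 hex digits>.
# Assumption: when <name> is an IP address, as in the thread's record, the
# caller did not match a configured extension or trunk.
CHANNEL_RE = re.compile(r"^SIP/(?P<peer>.+)-[0-9a-f]{8}$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def suspicious_calls(csv_text, extension_re=r"^\d{2,5}$"):
    """Return (start, src, source_ip, dst) for calls whose caller ID looks
    like an internal extension but whose channel is named after an IP."""
    hits = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < len(FIELDS):
            continue  # blank, truncated or malformed line
        rec = dict(zip(FIELDS, row))
        m = CHANNEL_RE.match(rec["channel"])
        if not m or not IPV4_RE.match(m["peer"]):
            continue  # channel belongs to a named extension or trunk
        if re.match(extension_re, rec["src"]):
            hits.append((rec["start"], rec["src"], m["peer"], rec["dst"]))
    return hits


# Constructed sample: row 1 is modelled on the thread's record with a
# documentation-range IP; rows 2 and 3 are a normal extension and a trunk.
SAMPLE = '''
"","1000","5","from-did-direct","""1000"" <1000>","SIP/203.0.113.7-00000002","SIP/5-00000003","VoiceMail","5@default,b","2012-11-23 04:18:51","2012-11-23 04:19:06","2012-11-23 04:19:20",29,14,"ANSWERED","DOCUMENTATION","1353644331.2",""
"","12","5","from-internal","""Office"" <12>","SIP/12-00000004","SIP/5-00000005","Dial","SIP/5,20","2012-11-23 09:00:00","2012-11-23 09:00:05","2012-11-23 09:01:00",60,55,"ANSWERED","DOCUMENTATION","1353661200.4",""
"","15145550100","5","from-trunk","""15145550100"" <15145550100>","SIP/trunk1-00000006","SIP/5-00000007","Dial","SIP/5,20","2012-11-23 10:00:00","2012-11-23 10:00:04","2012-11-23 10:00:30",30,26,"ANSWERED","DOCUMENTATION","1353664800.6",""
'''

if __name__ == "__main__":
    for start, src, ip, dst in suspicious_calls(SAMPLE):
        print(f"{start}  caller ID {src} from {ip} -> {dst}")
```
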