I’ve had bad luck in the past, with a server I didn’t set up. I am interested in using Security Onion to monitor for intrusions, but haven’t gotten to that point yet.
With my new FreePBX 17 server, I am having requests to use mobile phone apps to connect. Currently the server is whitelist only, but that becomes an issue with mobile phones. I’ve searched hardening posts under a year old and not found much, so I was hoping maybe someone could give me some tips/tricks. I’m using non-standard ports 5 digits long, but I know SIP likes to use a huge range, so I don’t know what actually has to be open. Big goal is to not make toll fraud calls.
It isn’t likely Responsive Firewall is to blame for that. If you actually have toll fraud then you should immediately shut off the PBX from the outside world and investigate what’s going on. There are a dozen things you should do urgently, including: Ensure Fail2Ban is unforgiving, strengthen your extension passwords, change the default 5060/5160 ports, and ensure Asterisk SIP Settings > General SIP Settings > Allow Anonymous Inbound SIP Calls = No and Allow SIP Guests = No.
You should also check the contents of extensions_custom.conf and make sure that is either empty (because you haven’t used it) or that it only contains whatever custom dialplan you put there.
If you find stuff in extensions_custom.conf and you didn’t put it there…that’s a red flag.
It is also possible that the fraudulent calls were made by abusing attended transfer or the attacker gaining control of a device, for example to set up call forwarding.
Please paste the complete Asterisk log for a fraudulent call at pastebin.com and post the link here.
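The extensions_custom.conf check in the reply above, as an added example that is not part of this thread: a small Python script that parses the file into dialplan contexts, reports any context that is not on your own list of what you put there, and prints a SHA-256 you can record as a baseline for later comparison. The sample file contents below are constructed for the example; the context names are placeholders.

```python
"""Audit an Asterisk extensions_custom.conf for contexts you did not add.

Added example for illustration; the SAMPLE_CONF text is constructed and
the context names in it are placeholders, not from any real system.
"""
import hashlib
import re
import sys

# Constructed sample: one context the admin remembers adding and one that
# nobody remembers adding (the "red flag" case from the thread).
SAMPLE_CONF = """\
; custom dialplan
[from-internal-custom]
exten => 1234,1,NoOp(admin-added test)
 same => n,Hangup()

[from-pstn-custom]
exten => _X.,1,Dial(SIP/trunk/${EXTEN})
"""

CONTEXT_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")


def parse_contexts(text):
    """Return {context_name: [dialplan lines]} for a dialplan file.

    Comments (';' to end of line) and blank lines are dropped. Lines that
    appear before any [context] header are collected under '<no-context>'.
    """
    contexts = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip trailing comment
        if not line.strip():
            continue
        m = CONTEXT_RE.match(line)
        if m:
            current = m.group(1)
            contexts.setdefault(current, [])
            continue
        key = current if current is not None else "<no-context>"
        contexts.setdefault(key, []).append(line.strip())
    return contexts


def audit(text, expected_contexts):
    """Return (unexpected_context_names, sha256_of_file).

    An empty file yields ([], digest): that is the 'haven't used it' case.
    """
    contexts = parse_contexts(text)
    unexpected = sorted(c for c in contexts if c not in expected_contexts)
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    return unexpected, digest


if __name__ == "__main__":
    # Usage: python audit_custom_conf.py [/etc/asterisk/extensions_custom.conf]
    # With no argument the constructed sample is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_CONF
    # Hypothetical list of contexts you know you added; adjust to your PBX.
    known = {"from-internal-custom"}
    unexpected, digest = audit(text, known)
    print("sha256:", digest)
    if unexpected:
        print("RED FLAG: contexts you did not add:", ", ".join(unexpected))
    else:
        print("OK: only expected contexts present (or file empty)")
```

Record the digest after you have verified the file by hand; if it changes later and you did not edit the file, treat that the way the reply above suggests and pull the PBX off the public network while you investigate.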
I manage about 80 PBXs, all with SIP wide open on UDP 5060 and TCP 5160 and the only time we ever got hit with toll fraud was 15 years ago when some dummy used “changeme” as a password for a test extension.
We have always used fail2ban, and have done geoblocking on our outside firewall for the past couple of years (only accepting traffic from North America, where we are, has cut down on fail2ban notifications a lot.) I don’t know what Responsive Firewall is, I guess something on the distro.
We do not use the distro so have a bit more flexibility with this than most, but we also run the FreePBX admin entirely separately from the UCP stuff. Different user, different PHP pool, different Nginx vhost. This is maybe overkill, but the important part is that the admin stuff is not accessible from a public IP.
If you want to do this properly, you need to be (or hire) a Linux systems administrator with lots of networking, security, and telephony experience. Anyone can make phone calls after clicking around on a web interface for 20 minutes. No one should start a business after clicking around on a web interface for 20 minutes.
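Both replies above lean on fail2ban as the first line of defence. As an added example (not from this thread or from the FreePBX project), here is a jail.local fragment for a plain Asterisk install using the `asterisk` filter that ships with fail2ban. The log path and the retry/ban values are assumptions; if your install manages fail2ban through a GUI module, set the equivalent values there instead of editing the file by hand.

```ini
# /etc/fail2ban/jail.local  (added example; values are assumptions to tune)
[DEFAULT]
# Ban for a day after a few failures inside ten minutes; "unforgiving".
bantime  = 86400
findtime = 600
maxretry = 3
# Never lock out your own management network (placeholder prefix).
ignoreip = 127.0.0.1/8 192.0.2.0/24

[asterisk]
enabled  = true
filter   = asterisk
# Assumed log location for a FreePBX-style install; confirm on your box.
logpath  = /var/log/asterisk/full
```

After changing it, `fail2ban-client status asterisk` should show the jail active and list the currently banned addresses; an empty ban list on an internet-facing PBX usually means the log path or filter is wrong rather than that nobody is knocking.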
My firewall which stands alone in front of the PBX restricts access / forwards only a defined couple of CIDRs to the PBX-ports e.g. 5160 and 10000-10099 (50 calls possible at the same time). Therefore it’s less than a GEOIP restriction, but you need to know the CIDRs of ISPs your staff uses with their mobiles. Therefore GEOIP restriction is simpler to manage if it is supported by your firewall software. …would be a nice feature addon for the FreePBX firewall…but would need: deny-all, allow-only xxx.
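The deny-all / allow-only setup this reply describes, as an added example that is not from this thread: an nftables ruleset for a Linux host in front of (or on) the PBX that drops everything by default and forwards SIP on 5160 and RTP on 10000-10099 only from listed prefixes. Every address below is a placeholder from the documentation ranges; replace them with your trunk provider's and staff carriers' real prefixes, and make sure the RTP range matches what Asterisk is configured to use.

```nft
#!/usr/sbin/nft -f
# Added example, not the FreePBX firewall's own rules. All prefixes are
# placeholders (RFC 5737 documentation ranges); replace before use.

flush ruleset

define SIP_PORT    = 5160            # non-default SIP port from the thread
define RTP_PORTS   = 10000-10099     # must match Asterisk's RTP port range
define TRUNK_CIDRS = { 203.0.113.0/24 }   # placeholder: SIP trunk provider
define STAFF_CIDRS = { 198.51.100.0/24 }  # placeholder: staff mobile carriers
define ADMIN_CIDRS = { 192.0.2.0/24 }     # placeholder: office LAN / VPN

table inet pbx {
    chain input {
        # deny-all: anything not accepted below is dropped
        type filter hook input priority 0; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept

        # SIP signalling (UDP and TCP) only from known prefixes
        ip saddr $TRUNK_CIDRS udp dport $SIP_PORT accept
        ip saddr $STAFF_CIDRS udp dport $SIP_PORT accept
        ip saddr $TRUNK_CIDRS tcp dport $SIP_PORT accept
        ip saddr $STAFF_CIDRS tcp dport $SIP_PORT accept

        # RTP media for the same peers only
        ip saddr $TRUNK_CIDRS udp dport $RTP_PORTS accept
        ip saddr $STAFF_CIDRS udp dport $RTP_PORTS accept

        # Admin web UI and SSH never from a public IP, only the admin net
        ip saddr $ADMIN_CIDRS tcp dport { 22, 443 } accept

        # Sample the drops so you can see who is knocking without filling the log
        limit rate 5/minute log prefix "pbx-drop: "
    }
}
```

Load it with `nft -f` and check with `nft list ruleset`. The practical caveat is the one the reply makes: mobile carriers hand out addresses from large, changing pools behind carrier-grade NAT, so the staff list needs upkeep, and when an allow-list is not realistic a country-level GeoIP rule plus fail2ban is the easier thing to keep correct.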