Security Breach

Hi all,

I have been running my servers for several years without issue and today I wake up to a message from my trunk supplier that my system has been dialling some dodgy numbers.

Does anyone have any pointers on how best to track the attack and plug holes?

I have got their IP address and can see the logs but cannot work out the issue.

What does your firewall situation look like? Are any ports forwarded to your PBX, such as 5060?
Is it a hosted system running the FPBX firewall or is it behind a hardware based firewall?

I was just using intrusion protection. I had fail2ban running, but may not have set it up correctly after I moved servers last year…

I have just seen a firewall option in FreePBX and switched that on, as well as making sure the server is up to date…

Is your pbx on a public IP or behind a firewall on a private network?
We need more information to help you out, such as logs and a description of your current setup.

If your SIP port is open to the Internet, hacking bots will try to guess one of your extensions and its password and make calls, but other attack vectors are also possible, e.g. via SSH if that is accessible from outside.

I had a similar problem and I started by looking at /var/log/asterisk/fail2ban. I saw many non-existent accounts logging into my system.
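As an added example (not posted by anyone in this thread), here is a small Python script that reads Asterisk security events in the format FreePBX writes to /var/log/asterisk/fail2ban, counts authentication failures per remote address and lists the account IDs each source tried, which is the pattern the reply above describes. The sample log lines are constructed and use documentation IP ranges, and the flagging threshold is an assumed value.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the format Asterisk's security channel writes to
# /var/log/asterisk/fail2ban on FreePBX; addresses are documentation ranges.
SAMPLE_LOG = """\
[2024-01-10 03:14:07] SECURITY[2041] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-01-10T03:14:07.101+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1000",SessionID="0x7f0e1c0",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5062"
[2024-01-10 03:14:07] SECURITY[2041] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-01-10T03:14:07.402+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="1001",SessionID="0x7f0e1c1",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5062"
[2024-01-10 03:14:08] SECURITY[2041] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-01-10T03:14:08.010+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="100",SessionID="0x7f0e1c2",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5062"
[2024-01-10 03:14:08] SECURITY[2041] res_security_log.c: SecurityEvent="InvalidAccountID",EventTV="2024-01-10T03:14:08.311+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="admin",SessionID="0x7f0e1c3",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5062"
[2024-01-10 03:20:41] SECURITY[2041] res_security_log.c: SecurityEvent="ChallengeResponseFailed",EventTV="2024-01-10T03:20:41.550+0000",Severity="Error",Service="PJSIP",EventVersion="1",AccountID="2001",SessionID="0x7f0e1d0",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/198.51.100.9/5060"
[2024-01-10 03:21:02] SECURITY[2041] res_security_log.c: SecurityEvent="SuccessfulAuth",EventTV="2024-01-10T03:21:02.077+0000",Severity="Informational",Service="PJSIP",EventVersion="1",AccountID="2001",SessionID="0x7f0e1d1",LocalAddress="IPV4/UDP/10.0.0.5/5060",RemoteAddress="IPV4/UDP/192.0.2.20/5060"
"""

LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\](?:\[[^\]]*\])? \S+: (?P<fields>SecurityEvent=.*)$')
# Event names Asterisk raises for failed authentication or rejected sources
FAILURE_EVENTS = {"InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword", "FailedACL"}


def parse_security_line(line):
    """Return a dict of the key="value" fields of one security event, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = dict(re.findall(r'(\w+)="([^"]*)"', m.group("fields")))
    # RemoteAddress is written as IPV4/UDP/203.0.113.7/5062; keep only the host part
    parts = fields.get("RemoteAddress", "").split("/")
    fields["remote_ip"] = parts[2] if len(parts) >= 3 else ""
    fields["timestamp"] = m.group("ts")
    return fields


def summarize_failures(log_text, threshold=3):
    """Count failure events per source IP and flag sources at or over threshold."""
    per_ip = Counter()
    accounts = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_security_line(line)
        if not ev or ev.get("SecurityEvent") not in FAILURE_EVENTS:
            continue  # successful logins and unparsable lines are ignored
        per_ip[ev["remote_ip"]] += 1
        accounts[ev["remote_ip"]].add(ev.get("AccountID", ""))
    flagged = {ip: {"failures": n, "accounts": sorted(accounts[ip])}
               for ip, n in per_ip.items() if n >= threshold}  # threshold is an assumed value
    return per_ip, flagged

if __name__ == "__main__":
    counts, flagged = summarize_failures(SAMPLE_LOG)
    for ip, info in flagged.items():
        print(f"{ip}: {info['failures']} failures, tried accounts {info['accounts']}")
```

Point the script at the real file (for example by reading it into `log_text`) and compare the flagged sources against what fail2ban has actually banned; a source with many InvalidAccountID events that is not banned is a sign the jail is not watching this log.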

