Hi,
Solved when finding out the ports in SIP SETTINGS for PJSIP TLS changed from what we had to 5061. The assumption is an update changed the ports.
This is quite strange. I have 2 separate phones here. One is a desktop phone and one is a Bria softphone. Neither can register to the FreePBX server. Each phone is on a completely separate subnet. IPTABLES on FreePBX is disabled temporarily to debug this.
Neither of the phones' public IP addresses is in our router firewall block lists in the data center router.
Using a web browser on a PC in the same subnet as the desktop phone, and on a smartphone not connected to any Wi-Fi, I can log in to FreePBX and can ssh to the FreePBX server without issues.
However, as mentioned in the subject line, I cannot register any extension to this FreePBX server. Watching the CLI, pjsip set logger on and sip set debug on show no attempts from either phone.
tcpdump shows the phones connecting but there is no conversation, no register attempts from either phone.
Don’t follow you. The FreePBX server has had the same IP address for years and has a public-facing IP connection. No RFC1918 addresses. The phones are thousands of miles away and never have I experienced this before.
This is even stranger. All the extensions are set to go to port 5161 TLS. Now looking at an extension in FreePBX, it's saying port 5061 TLS. OK, no one has access to the FreePBX server but me, and I know I did not change the ports in SIP settings since this server was built a few years ago.
There’s no code or update that is going to change a configuration directive as important as this one.
I suspect you're running an older FreePBX16 server. The rumor mill is that the “customized” version of CentOS used for the FreePBX 16 distro has not gotten the newer CentOS security updates for many months now. They could have got in via an Apache2 vulnerability.
If it was me I’d assume the PBX was compromised since you obviously have it publicly accessible. PBXes are high value targets. If you (wisely) had your trunk provider block international calling, they probably got in, discovered there’s nothing here they couldn’t get from a burner cell phone, and got out, then forgot to change the port back on the way out. Most people use 5060 and don’t go to the trouble of turning on TLS on their phones, so a cracker can muck about with the TLS port as part of probing a PBX and most PBX admins wouldn’t know it.
With me, I don’t put high value targets on the Internet; I make the end users access them via VPN. But that’s a personal decision.
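
One way to catch the kind of transport port change discussed in this thread, as an added example that is not from any poster: it parses transport sections in Asterisk pjsip.conf syntax and compares the bound ports with a recorded baseline. The sample config, the baseline values and the function names are constructed for illustration.

```python
import re

# Constructed sample in Asterisk pjsip.conf transport syntax
# (not copied from the server discussed in the thread).
SAMPLE_CONF = """\
[0.0.0.0-udp]
type=transport
protocol=udp
bind=0.0.0.0:5060

[0.0.0.0-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061   ; value the extension page now reports
"""

# Assumed baseline: the ports the admin recorded when the server was built.
BASELINE = {"udp": 5060, "tls": 5161}


def parse_transports(text):
    """Return {protocol: port} for each type=transport section with an explicit port."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop ';' comments
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    ports = {}
    for opts in sections.values():
        if opts.get("type") != "transport":
            continue
        _, sep, port = opts.get("bind", "").rpartition(":")
        if sep and port.isdigit():               # skip binds with no explicit port
            ports[opts.get("protocol", "udp")] = int(port)
    return ports


def drift(baseline, actual):
    """Return {protocol: (expected, found)} for every port that differs from baseline."""
    return {p: (want, actual.get(p))
            for p, want in baseline.items() if actual.get(p) != want}


if __name__ == "__main__":
    for proto, (want, found) in drift(BASELINE, parse_transports(SAMPLE_CONF)).items():
        print(f"{proto}: expected port {want}, config has {found}")
```

Run on a schedule against the generated transport config, a non-empty result is a prompt to check the change history and logs before phones start failing to register.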