Someone hacking an extension?

I have a FreePBX 13 system with about 18 extensions, local and remote, that runs just fine. It sits on the same LAN as all my other computers and hardware. It’s subject to the usual hacking attempts, but FreePBX’s firewall handles all of them without problem.

Lately, a single extension (a Grandstream GXV3275) will show an incoming call that does not come from FreePBX (I’ve checked the logs and there’s nothing) and does not generate a ring. The CID shows as a three digit number that, over time, has worked its way up from 100, i.e. 101, 200, 201, 300, etc. Clearly, this looks like a hack. I’ve captured the IP stream to the phone and I think I’ve identified an IP address from which it originates. The problem is, I have no way of stopping it. My router uses dd-wrt and I can’t figure out a way to block an IP address or range.

I can’t imagine this will pose a real problem, as the extension is just an extension and does not connect directly to a trunk; the hacker will never “get in” to the phone and shouldn’t be able to place calls. However, it’s really annoying.

Any ideas?

On your PBX…

/sbin/iptables -I INPUT -s {IP-HERE} -j DROP
/sbin/iptables -I INPUT -s 1.2.3.4 -j DROP

If the phone is remote (not co-located with the FreePBX) it could be a scan directly on the remote IP. This type of port scan does not go through the PBX (hence the lack of CDR) and heads directly for the IP of the remote phone. I have seen this many times especially with certain types of consumer (home) router/firewalls.

The phone is local, not remote. Also, I’m unclear what blocking the IP in FreePBX would accomplish. According to the Asterisk logs, this “call” is not coming through FreePBX – it’s being routed directly to the phone from my router.

Could be the same scenario. A port scan passing through your firewall/router and hitting the phone directly. If you can block it with the dd-wrt do that; I have no direct experience with that firewall software, but I can tell you Tomato or PFSense will block those types of scans.

Setting on your phone to block anonymous connections?

Never mind this >>> Why not do: Connectivity --> Firewall --> Zones --> Blacklist --> add offending IP?

The DD-WRT Wiki page has information on setting up blocking rules for DD-WRT. Note that DD-WRT uses iptables as its firewall, so @jfinstrom was correct. The following, in your DD-WRT firewall, should do the trick:

This is a good case for limiting incoming connections by IP. DD-WRT has information on doing this, but it is easier with Tomato.

The obvious problem is that if your remote phones are on dynamic addresses, when those change you can have a problem. Especially if the ISP tends to change the IP addresses wildly. If they don’t change much, you can use CIDR to limit incoming connections to a limited range (helpful).

With Tomato you can use FQDN as the source address, and then you can set up the end-users’ router with DDNS. Tomato still requires a refresh when the IP changes, though.

Another alternative is setting up remote users with a VPN.

Leaving 5060 open to everyone seems like an invitation to hackers, though.
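The posts above suggest two things: drop the scanner's source address with an iptables rule (the `/sbin/iptables -I INPUT -s … -j DROP` line earlier in the thread), and, more generally, only let SIP in from known networks or CIDR ranges. The script below is an added example written for this thread, not code from any of the posters or from the DD-WRT or FreePBX projects. It builds both kinds of rule and validates every address first, so a mistyped or pasted value cannot become a malformed rule or a stray shell argument. It assumes it runs on the router, where traffic to the phone crosses the FORWARD chain (the INPUT chain in the earlier post is the right one only on the PBX host itself, since that host is the packet's destination); the iptables path, the chain name and the DD-WRT placement (Administration -> Commands -> Save Firewall) are assumptions, and all addresses in the usage line are constructed examples.

```shell
#!/bin/sh
# Added example for this thread, not from any poster or project.
# Emits (or with APPLY=1 runs) iptables rules: DROP the scanner's source, and
# optionally allow SIP only from listed networks.
# Assumed: runs on the router (phone traffic crosses FORWARD; on the PBX host use
# INPUT); on DD-WRT paste the printed lines into Administration -> Commands ->
# Save Firewall. The iptables path below is also an assumption.

IPT="${IPT:-/usr/sbin/iptables}"
SIP_PORT="${SIP_PORT:-5060}"

# Accept only a dotted-quad IPv4 address with an optional /0-32 prefix. Hostnames,
# typos and pasted lines with extra characters are rejected before they can become
# an iptables argument.
valid_cidr() {
    cidr=$1
    case "$cidr" in *[!0-9./]*|''|.*|*.|*..*|*/*/*) return 1 ;; esac
    addr=${cidr%%/*}
    prefix=${cidr#*/}
    [ "$prefix" = "$cidr" ] && prefix=32        # no "/" given: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr                                # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# One DROP rule per source in $1 (space separated) for chain $2 (default FORWARD).
# -I puts the rule at the top of the chain so it wins over any existing ACCEPT.
drop_rules() {
    chain=${2:-FORWARD}
    for src in $1; do
        if valid_cidr "$src"; then
            echo "$IPT -I $chain -s $src -j DROP"
        else
            echo "skipping invalid source: $src" >&2
        fi
    done
}

# Allow SIP only from the networks in $1 and drop everything else: the "limit
# incoming connections by IP / CIDR" approach. Include the LAN range so local
# extensions keep working; remote phones on dynamic addresses need a range wide
# enough to cover their ISP's pool, or a VPN instead. -A keeps the final DROP last.
# Only UDP is covered here; SIP over TCP or TLS would need matching rules.
sip_allowlist_rules() {
    chain=${2:-FORWARD}
    for src in $1; do
        if valid_cidr "$src"; then
            echo "$IPT -A $chain -p udp --dport $SIP_PORT -s $src -j ACCEPT"
        else
            echo "skipping invalid source: $src" >&2
        fi
    done
    echo "$IPT -A $chain -p udp --dport $SIP_PORT -j DROP"
}

# Read rules from stdin. With APPLY=1 execute each one (as root on the router);
# otherwise print them so they can be reviewed or pasted into the firewall script.
apply_rules() {
    while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then
            $rule || echo "failed: $rule" >&2
        else
            echo "$rule"
        fi
    done
}

# Usage (constructed addresses):
#   OFFENDERS="203.0.113.7" ALLOWED="192.168.1.0/24 198.51.100.0/24" sh block-sip.sh
# Add APPLY=1 to execute the rules instead of printing them.
if [ -n "${OFFENDERS:-}" ]; then
    {
        drop_rules "$OFFENDERS" "${CHAIN:-FORWARD}"
        if [ -n "${ALLOWED:-}" ]; then
            sip_allowlist_rules "$ALLOWED" "${CHAIN:-FORWARD}"
        fi
    } | apply_rules
fi
```

Run it without APPLY first and read the printed rules; the order matters, because the DROP lines are inserted at the top of the chain and the allowlist's final DROP must come after its ACCEPTs. Blocking one scanner address is a short-term fix, since the next scan comes from somewhere else; the allowlist (or the VPN mentioned above) is what actually stops 5060 being open to everyone.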