I have a VPS with FreePBX on it through CyberLynk and I think my PBX is being hacked. I just noticed there are hundreds of outbound calls daily that are failing all to international locations. It appears they never leave the PBX, I have no international dialing plan configured, and my SIP Station trunk is not authorized for international even if they try to leave. But it is causing congestion on the occasional call because I only have two channels and blocks one of the actual calls trying to be placed.
They appear to be coming from extensions that aren’t built; the only extensions I have built are 101, 102, 201, 301. I have what I consider a very strong password, 10+ characters, uppercase, lowercase, numbers, symbols. It is the only admin user I have for the PBX, and I have disabled logging in via UCP for the 4 extensions. Not sure where these calls are coming from or how to prevent them.
Anyone have an idea? I have attached some screenshots of the CDRs; the search was for today only and had over one thousand results, and there are fewer than 10 real calls per day placed through this PBX right now.
Disable “Allow SIP Guests”
I’ve set it to no. That sounds like it should resolve the issue, I will check the CDRs later and make sure. For anyone that comes across this in the future the setting was at Settings > Asterisk SIP Settings > chan_sip settings > at the bottom of the page.
When I set this to no and chose submit it gave me an error and forced me to put the public IP from CyberLynk in the override external IP field because NAT was set to yes and IP type was set to static. Not sure if I could have avoided this by just setting IP type to public or not?
This did resolve the issue for anyone that comes across this thread in the future.
Just know you are still being hacked; add an IDS like Fail2Ban to your system.
Fail2ban is installed and running. Should it have been preventing this?
Only if you turn off allowing SIP guests and your regexes are all current and effective; that’s a trust thing.
Where are your extensions? Are they all behind the same (hopefully static) IP(s)?
Could you set up a firewall and only allow traffic from your extensions and trunk(s)?
Have a nice day!
Well, SIP guests is off. What are regexes? How do I make them current and active?
And unfortunately my extensions are all remote locations with an external DHCP address, so I can’t set up a firewall. The PBX is hosted in a data center, so everything is remote.
Regexes are “regular expressions” that are used to match bad guys against your log files. At your level you have no control over that and need to rely on your provider. However, your claim that you can’t deploy a firewall is wrong; you just probably are not at that level yet, so you will have to wait for your “distro” to do that for you. PIAF and even Elastix do that (I don’t recommend the latter though).
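To illustrate what the regexes in the reply above actually do, here is an added example (not from this thread and not Fail2ban’s own filter) that matches failed chan_sip registrations in constructed Asterisk log lines and applies a Fail2ban-style maxretry/findtime window to decide which source IPs would be banned. The log line shape, the sample addresses and the thresholds are assumptions; compare them against your own /var/log/asterisk/full and your jail settings before relying on them.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Asterisk chan_sip NOTICE messages
# (assumed format; verify against your own /var/log/asterisk/full).
# "No matching peer found" is what an attempt from an extension that was never
# built looks like; "Wrong password" is a guess against a real extension.
SAMPLE_LOG = """\
[2019-03-04 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"1000" <sip:1000@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[2019-03-04 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[2019-03-04 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2019-03-04 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"1003" <sip:1003@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[2019-03-04 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"1004" <sip:1004@203.0.113.5>' failed for '198.51.100.7:5060' - No matching peer found
[2019-03-04 10:05:00] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '192.0.2.9:5060' - Wrong password
[2019-03-04 11:00:00] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '192.0.2.9:5060' - Wrong password
"""

# The "regex" a Fail2ban filter is built from: capture the timestamp, the
# source IP Asterisk reports after "failed for", and the reason.
FAILED_REG = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: Registration from '.*?' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<why>.+)$"
)


def failures(log_text):
    """Yield (timestamp, ip, reason) for every line the regex matches."""
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if m:
            yield datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["why"]


def ips_to_ban(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Fail2ban-style sliding window: an IP is banned once it has at least
    maxretry failures inside any findtime window. Returns {ip: count_at_ban}."""
    recent = defaultdict(list)  # ip -> timestamps still inside the window
    banned = {}
    for ts, ip, _reason in failures(log_text):
        recent[ip] = [t for t in recent[ip] if ts - t <= findtime] + [ts]
        if len(recent[ip]) >= maxretry and ip not in banned:
            banned[ip] = len(recent[ip])
    return banned


if __name__ == "__main__":
    print(ips_to_ban(SAMPLE_LOG))  # the scanner is banned, the slow typo is not
```

The second source only fails twice, 55 minutes apart, so with a 10-minute findtime it never reaches maxretry; that is the trade-off the thread’s “current and effective” remark is about, since a regex that does not match your log format, or a window that is too short, lets the scanner through.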