Think I'm being hacked

watsonbrm · August 12, 2015, 3:21am

I have a VPS with FreePBX on it through CyberLynk and I think my PBX is being hacked. I just noticed there are hundreds of outbound calls daily that are failing all to international locations. It appears they never leave the PBX, I have no international dialing plan configured, and my SIP Station trunk is not authorized for international even if they try to leave. But it is causing congestion on the occasional call because I only have two channels and blocks one of the actual calls trying to be placed.

They appear to be coming from extensions that aren’t built, the only extensions I have built are 101, 102, 201, 301. I have what I consider is a very strong password, 10+ characters, uppercase, lowercase, numbers, symbols. It is the only admin user I have for the PBX, and I have disabled logging in via UCP for the 4 extensions. Not sure where these calls are coming from or how to prevent them.

Anyone have an idea, I have attached some screenshots of the CDRs, the search was for today only and over one thousand results, there’s less than 10 real calls per day placed through this PBX right now.

Overkill · August 12, 2015, 3:26pm

Disable “Allow SIP Guests”

watsonbrm · August 13, 2015, 2:31am

I’ve set it to no. That sounds like it should resolve the issue, I will check the CDRs later and make sure. For anyone that comes across this in the future the setting was at Settings > Asterisk SIP Settings > chan_sip settings > at the bottom of the page.

When I set this to no and chose submit it gave me an error and forced me to put the public IP from CyberLynk in the override external IP field because NAT was set to yes and IP type was set to static. Not sure if I could have avoided this by just setting IP type to public or not?

watsonbrm · August 15, 2015, 7:10pm

This did resolve the issue for anyone that comes across this thread in the future.

dicko · August 15, 2015, 9:48pm

Just know you are still being hacked, add an IDS like Fail2Ban to your system.

watsonbrm · August 15, 2015, 11:01pm

Fail2ban is installed and running. Should it have been preventing this?

dicko · August 15, 2015, 11:30pm

Only if you turn off allowing SIP guests and your regexes are all current and effective, that’s a trust thing. .

Marbled · August 15, 2015, 11:57pm

Hi!

Where are your extensions? Are they all behind the same (hopefully static) IP(s)?

Could you set up a firewall and only allow traffic from your extensions and trunk(s)?

Have a nice day!

Nick

watsonbrm · August 16, 2015, 2:51am

Well SIP guests is off what are regrexes? How do I make them current and active?

And unfortunately my extensions are all remote locations with an external DHCP address so I can’t setup a firewall. The PBX is hosted in a data center so everything is remote.

dicko · August 16, 2015, 3:05am

regexes are “regular expressions” that are used to match bad guys against your log files, at your level you have no control over that and need to rely on your provider, however your claim that you can’t deploy a firewall is wrong, you just probably are not at that level yet though, so you will have to wait for your “distro” to do that for you, PIAF and even Elastix do that (I don’t recommend the latter though.)