I noticed that I received an email from my SIP provider saying that my account had a low balance, and because I had a maximum amount set for a 24-hour period, this threshold had been met. I became very concerned, and when I downloaded the logs from my SIP provider I discovered that someone had gained access to my FreePBX 15 and was making several outbound calls that were depleting my SIP fund balance.
My question:
There must be several ways that a SIP expert can compromise a system, but are there any suggestions on how I can determine how this was done so I can prevent other systems from experiencing the same unauthorized access? Thanks for any help!
Make sure you have a properly configured / enabled firewall. The software firewall in FreePBX is more than adequate if you are not behind a NAT, but it’s important to set it up right, specifically making sure the outside interface isn’t in the Trusted zone and that you don’t have any privileged services in the “Internet” zone (i.e. TFTP, Web Admin, SSH, etc.). I do not recommend changing the default service settings unless you really know what you’re doing.
Keep your system updated. Auto updates are OK but it’s probably a good idea to also have some kind of maintenance plan to ensure you are routinely checking the system over. Personally I prefer to update systems manually but on a schedule, and pay attention to security notifications so that important security updates can be installed promptly.
Make sure you’re monitoring the system and getting email notifications. Sudden changes in system performance can tip you off if there’s an issue that needs attention.
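One way to start on the question of which endpoint placed the calls, as an added example that is not part of the original posts: it scans call detail records for an endpoint that placed many calls in a short window. It assumes the CDRs are exported as CSV with a header row using the `asteriskcdrdb` column names; the sample rows, the 10-minute window and the threshold of 5 are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows (not real data), using asteriskcdrdb column names.
SAMPLE_CDR = """calldate,src,dst,dcontext,channel,disposition,billsec
2024-01-05 09:12:00,101,5550100,from-internal,PJSIP/101-00000001,ANSWERED,64
2024-01-05 14:30:00,101,5550101,from-internal,PJSIP/101-00000002,ANSWERED,120
2024-01-06 02:00:05,105,0115550001,from-internal,PJSIP/105-00000010,ANSWERED,31
2024-01-06 02:00:40,105,0115550002,from-internal,PJSIP/105-00000011,ANSWERED,29
2024-01-06 02:01:10,105,0115550003,from-internal,PJSIP/105-00000012,ANSWERED,33
2024-01-06 02:01:45,105,0115550004,from-internal,PJSIP/105-00000013,NO ANSWER,0
2024-01-06 02:02:20,105,0115550005,from-internal,PJSIP/105-00000014,ANSWERED,30
"""

def endpoint_of(channel):
    """'PJSIP/105-00000010' -> 'PJSIP/105' (strip the per-call suffix)."""
    return channel.rsplit("-", 1)[0]

def find_bursts(cdr_csv, window=timedelta(minutes=10), threshold=5):
    """Return endpoints that placed >= threshold calls inside any window."""
    calls = defaultdict(list)
    for row in csv.DictReader(io.StringIO(cdr_csv)):
        when = datetime.strptime(row["calldate"], "%Y-%m-%d %H:%M:%S")
        calls[endpoint_of(row["channel"])].append((when, row["dst"], row["dcontext"]))
    findings = []
    for endpoint, entries in calls.items():
        entries.sort()
        start = 0
        for end in range(len(entries)):
            # Slide the window start forward until it spans <= `window`.
            while entries[end][0] - entries[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = entries[start:end + 1]
                findings.append({
                    "endpoint": endpoint,
                    "first_call": burst[0][0],
                    "calls": len(burst),
                    "destinations": sorted({d for _, d, _ in burst}),
                    "contexts": sorted({c for _, _, c in burst}),
                })
                break  # one finding per endpoint is enough to start triage
    return findings

if __name__ == "__main__":
    for finding in find_bursts(SAMPLE_CDR):
        print(finding)
```

The flagged endpoint and the time of its first call narrow down which extension's registrations and logins to review on the PBX.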