PBX under attack from hackers, not sure what to do

Hi, I’m a long-time Windows, first-time Linux/PBX admin.
I set up a PBX on a virtual server using FreePBX and I was able to make and receive calls from the PBX. I also set it up so Lenny answers any incoming calls (lol).

I went away for 3 days and when I came back to check on it I’d had 56476 calls according to the CDR reports. Here is a sample of the logs:

  • Sat, 20 Feb 2021 12:26 1613823969.302 5312 Congestion s [from-sip-external] ANSWERED 00:12
  • Sat, 20 Feb 2021 12:25 1613823949.301 5311 Congestion s [from-sip-external] ANSWERED 00:12
  • Sat, 20 Feb 2021 12:25 1613823942.300 testing4 Congestion s [from-sip-external] ANSWERED 00:12
  • Sat, 20 Feb 2021 12:25 1613823925.299 5310 Congestion s [from-sip-external] ANSWERED 00:12
  • Sat, 20 Feb 2021 12:25 1613823909.298 5309 Congestion s [from-sip-external] ANSWERED 00:12
  • Sat, 20 Feb 2021 12:24 1613823895.297 testing4 Congestion s [from-sip-external] ANSWERED 00:12
  • Sat, 20 Feb 2021 12:24 1613823893.296 5308 Congestion s [from-sip-external] ANSWERED 00:12
  • Sat, 20 Feb 2021 12:24 1613823872.295 5307 Congestion s [from-sip-external] ANSWERED 00:12

I checked my trunk provider and thankfully not a single call made it through on their end. Their CDR only shows the few test calls I made.
It’s obvious someone is trying to brute force my extensions but I don’t even have password extensions set up, I’m using PJSIP with IP Auth, not passwords.

The firewall and Fail2Ban are running but they don’t seem to be doing anything at all.
I’m not very confident with my Linux/PBX firewall knowledge so I just went with the default settings.
My log folder is over 17G and there is just too much for me to dig through.
I plan on just nuking the server and rebuilding from scratch, but I’d like to know what I can do in the future to prevent this from happening. I know this is not the FreePBX forum (waiting for them to OK my account) but I’m looking for general PBX/security advice. Not asking for “what button do I push”, I just would like to know what steps I can take to prevent these people from being able to flood my PBX like this.
Thanks for reading.

For PJSIP, don’t permit anonymous matches. I believe FreePBX allows them and then routes them to dialplan which rejects the call. Make sure that endpoints intended for IP matching don’t also allow user matches.

Best practice requires that device names not be related to extension numbers, but I believe that FreePBX insists they are. Disabling user matches should avoid this issue.

If possible, run with a port number other than 5060.

Block your SIP port to all source networks other than those for which you have a business need. For many this means blocking all but the ITSP’s own servers, and your own intranet. Failing that, block all networks associated with high risk countries.

For analysing attacks, provide the security log, not a proprietary digest of the CDR logs. This may require addressing the first point.

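As an added illustration of the point above about anonymous matches reaching the dialplan and being rejected (this is not code from the thread or from FreePBX), the script below parses CDR digest lines in the format quoted in the question and flags minutes where unauthenticated inbound calls hitting the Congestion app exceed a threshold. It assumes the third column is the CallerID the probe presented and the threshold value is arbitrary.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the same format as the CDR digest quoted in the question.
SAMPLE_CDR = """\
Sat, 20 Feb 2021 12:26 1613823969.302 5312 Congestion s [from-sip-external] ANSWERED 00:12
Sat, 20 Feb 2021 12:25 1613823949.301 5311 Congestion s [from-sip-external] ANSWERED 00:12
Sat, 20 Feb 2021 12:25 1613823942.300 testing4 Congestion s [from-sip-external] ANSWERED 00:12
Sat, 20 Feb 2021 12:25 1613823925.299 5310 Congestion s [from-sip-external] ANSWERED 00:12
Sat, 20 Feb 2021 12:25 1613823909.298 5309 Congestion s [from-sip-external] ANSWERED 00:12
Sat, 20 Feb 2021 12:24 1613823895.297 testing4 Congestion s [from-sip-external] ANSWERED 00:12
Sat, 20 Feb 2021 12:24 1613823893.296 5308 Congestion s [from-sip-external] ANSWERED 00:12
Sat, 20 Feb 2021 12:24 1613823872.295 5307 Congestion s [from-sip-external] ANSWERED 00:12
"""

# Column meanings are an assumption: date, uniqueid, CallerID presented, app, dst, context, disposition, duration.
CDR_RE = re.compile(
    r"^(?P<when>\w{3}, \d{1,2} \w{3} \d{4} \d{2}:\d{2}) "
    r"(?P<uniqueid>\d+\.\d+) (?P<callerid>\S+) (?P<app>\S+) (?P<dst>\S+) "
    r"\[(?P<context>[^\]]+)\] (?P<disposition>\S+) (?P<duration>\d{2}:\d{2})$"
)

def parse_cdr(text):
    """Parse digest lines into dicts; lines that do not match the format are skipped."""
    rows = []
    for line in text.splitlines():
        line = line.strip().lstrip("• ").strip()   # tolerate the forum's bullet markers
        m = CDR_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["when"] = datetime.strptime(rec["when"], "%a, %d %b %Y %H:%M")
        rows.append(rec)
    return rows

def unauthenticated_inbound(rows):
    """Calls that entered via the anonymous context and were dropped by Congestion."""
    return [r for r in rows if r["context"] == "from-sip-external" and r["app"] == "Congestion"]

def flood_minutes(rows, threshold=3):
    """Minutes in which rejected anonymous calls reached the threshold (assumed value)."""
    per_minute = Counter(r["when"] for r in unauthenticated_inbound(rows))
    return {t.strftime("%Y-%m-%d %H:%M"): n
            for t, n in sorted(per_minute.items()) if n >= threshold}

def presented_ids(rows):
    """How often each CallerID was presented; a sequential run suggests extension probing."""
    return Counter(r["callerid"] for r in unauthenticated_inbound(rows))
```

Feed the real digest export through `parse_cdr` to see which minutes and which presented IDs dominate; the security log the reply mentions is still the better source for the remote addresses to block.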

Start by changing the SIP port number to something else; just by that you get 99% of attacks knocked off. For the remaining 1% you can arm your server with Fail2Ban.