Registering on Asterisk 1.8.7 without account

Hi everybody,

I would like to understand how it is possible to register on Asterisk without any account.

The environment:
I am running Asterisk 1.8.7 as a personal PBX (more a hobby than a production story).
It is very convenient, as it allows me to use an old smartphone as a mobile phone without any contract (with a mobile provider, I mean), provided there is a Wi-Fi environment.
With the SIP protocol I can connect to Asterisk at home and use my home IP phone number as a mobile phone number (I have a "classical" contract with a company which provides me with an FTTH connection for the net and an IP phone number).
By the way, my LAN-only phones are very convenient as well.

The situation:
Since last September, this system was working perfectly.
Two days ago, a bot without any account on my Asterisk box found a way to use my box and made phone calls from the Gaza Strip to Sierra Leone.
(The originating IP address is from the Gaza Strip; the destination phone number is in Sierra Leone.)
According to what I found on the net, these are not voice calls but fax calls:
voipfraud.net/en/node/1865

To be honest, when I first set up Asterisk I set up fail2ban as well, with a special jail config for Asterisk.
In between, I had some problems with my ssh jail on fail2ban, reinstalled fail2ban, completely forgot about the Asterisk jail and was running it without the Asterisk jail… ;;0_p

The thing I don't understand:
How somebody without any account can make calls through my Asterisk box.

Is it a problem with running everything in the default context in my extensions.conf?
(asterisk.org/docs, Network Security chapter)

I really don’t understand.

It seems there are originally 216 modules in Asterisk 1.8.7.
I am trying to run only what I need and presently have 167 modules running (no other channel than SIP… I can send the list of all the unloaded modules if needed).

I am not allowing guests or friends:
alwaysauthreject=yes
allowguest=no
type=peer

I have reconfigured my Asterisk jail, changed all my passwords (just in case), and changed my dialplan to allow only domestic calls (according to the number of digits you dial), but I feel I am not understanding everything somehow.

I have started to re-read the O'Reilly Asterisk book (this time in full, not only the passages I need).
When I have finished I'll go for the full Asterisk documentation.

But, in the meantime, if somebody could provide me with a track to look on, it would be very cool.

(Also, it is not directly related, but I was thinking of looking into VPN and SSH for my mobile Wi-Fi phone, so as not to become the prey of an eavesdropping scheme.)

All the best.
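The post asks whether running everything in the shared default context is the problem. As an added example (not the poster's configuration and not Asterisk's own sample files), the two layouts side by side for Asterisk 1.8: the sample-style one, where every inbound call, authenticated or not, lands in one `[default]` context that can reach the outbound trunk, and a hardened one where unauthenticated traffic is sent to a dead-end context, the provider trunk has its own inbound context, and only authenticated phones can dial out, with the dialplan restricted to domestic numbers by prefix and digit count. The peer names (`homephone`, `mytrunk`), the provider host, the `unauthenticated`/`internal`/`outbound`/`from-trunk` context names and the "0 plus nine digits" domestic format are assumptions for the example; adjust them to your own numbering plan.

```ini
; ---------- sip.conf (example; names are assumptions) ----------
[general]
; WEAK (sample-style): unauthenticated/unknown callers share the phones' context.
; If [default] in extensions.conf can reach the trunk, an accepted call gets a dial tone.
;context=default
; HARDENED: anything that is not a known, authenticated peer lands in a dead end.
context=unauthenticated
allowguest=no            ; refuse INVITEs from sources that are not a configured peer
alwaysauthreject=yes     ; identical rejection for bad user and bad password (no user enumeration)

[homephone]
type=peer                ; peer: matched by the address it registered from
host=dynamic
secret=LONG_RANDOM_SECRET   ; assumption: replace with a long random secret
context=internal         ; authenticated phones only ever start here
; Never add insecure=invite or insecure=port to a phone: it lets the far side
; place calls without authenticating.

[mytrunk]
type=peer
host=sip.provider.example   ; assumption: the FTTH provider's SIP server
fromuser=0123456789         ; assumption: your IP phone number
secret=TRUNK_SECRET
context=from-trunk       ; calls FROM the provider ring the phones; they never reach [outbound]

; ---------- extensions.conf ----------
; WEAK (sample-style): one shared context that includes the outbound rules.
; With sip.conf context=default, an unauthenticated call that gets in can dial out.
;[default]
;include => internal
;include => outbound

; HARDENED: dead end for everything that is not an authenticated peer.
[unauthenticated]
exten => _X.,1,NoOp(Rejected unauthenticated call to ${EXTEN} from ${CHANNEL(peerip)})
 same => n,Hangup(21)    ; cause 21 = call rejected

; Inbound from the provider: ring the LAN phones, nothing else.
[from-trunk]
exten => _X.,1,Dial(SIP/homephone,30)
 same => n,Hangup()

; Authenticated phones: internal extensions, then the domestic-only outbound rules.
[internal]
exten => _1XX,1,Dial(SIP/${EXTEN},25)
 same => n,Hangup()
include => outbound

[outbound]
; Domestic only (assumed format: 0 followed by exactly nine digits).
exten => _0XXXXXXXXX,1,Dial(SIP/${EXTEN}@mytrunk,60)
 same => n,Hangup()
; International prefixes are matched explicitly and dropped. The literal "00"
; is more specific than "0X", so these win over the domestic pattern.
exten => _00.,1,NoOp(Blocked international call to ${EXTEN} from ${CHANNEL(peername)})
 same => n,Hangup(21)
exten => _+.,1,Hangup(21)
```

To check where a given number would end up, ask the dialplan directly from the CLI, e.g. `asterisk -rx "dialplan show 0023212345678@internal"` should resolve to the `_00.` block in `[outbound]` and the same number `@unauthenticated` should resolve only to the dead-end `_X.` entry. `sip show peers` confirms that no peer has been left in the `default` context.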