I have a test Asterisk 11 server that has live access to PSTN termination providers (trunks). About a week ago I noticed that periodically one of the extensions would show as registered even though as a test server the correct device never would have registered to this server (the sip.conf is the same as for my production server). Then I noticed that calls started originating through this extension and going to the termination provider (costing $$). I changed the passwords on the extensions to something unguessable (15 random alphanums and punct) yet the b($#%^)rds still are registering and making calls. The extensions are type=peer. Authname is not used. guests are disallowed (allowguest= no). AlwaysAuthReject = yes. I have firewall rules that block repeated attempts to access the SIP ports and DenyHosts to otherwise protect the server.
The server itself is secure. It is a virtual machine with only one purpose and there are no other signs of breach.
How are they registering and making calls through these extensions despite having secure passwords and disallowing calls without registration? Am I missing something?