I have an issue where someone is dialing into our system at night and making calls to international numbers, I assume to get us to pay for the calls. In the first instance they dialed in and changed two extensions so that any incoming calls got forwarded to their international numbers. I had another instance last night where they called in and grabbed a random extension. This extension is set to go straight to an employee’s cell phone, so the employee received tons of calls over and over again as the culprit couldn’t figure out why the call wasn’t going through. It looks like they were eventually able to make some odd calls, though. I am looking for any advice or best practices to stop this from happening in the future. I can attach any logs if requested as well.
Firewall against SIP (I assume this is SIP, not ISDN) from networks that will never genuinely originate SIP to you (i.e. your ITSP and any home workers).
Use VPNs for home workers.
Use a non-standard port number.
Use strong passwords on your local devices.
Ensure that the context used by your ITSP cannot make chargeable calls.
Using device names that are not extension numbers also helps.
Install fail2ban to block sources when they make their initial wrong guesses.
Make sure allowguest, or the pjsip equivalent, is not set.
Don’t use type=friend.
Make sure that you never use insecure= on any device that is allowed to make chargeable calls.
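A way to check a configuration for several of the settings listed in the reply above, as an added example that is not part of the thread. It assumes an Asterisk chan_sip `sip.conf`; the sample config, its section names, and the `chargeable_contexts` and `itsp_sections` parameters are constructed for illustration.

```python
# Constructed sample sip.conf (not from the thread); all names are made up.
SAMPLE_SIP_CONF = """[general]
; allowguest left unset
[itsp-trunk]
type=friend
insecure=port,invite
context=internal
[101]
type=friend
context=internal
[desk-7f3a]
type=peer
context=internal
"""

def parse_sip_conf(text):
    """Return {section: {key: value}} for a chan_sip style config."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = sections.setdefault(line[1:line.index("]")], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip().lower()
    return sections

def audit(text, chargeable_contexts, itsp_sections):
    """List (section, finding) pairs for settings named in the reply."""
    conf, findings = parse_sip_conf(text), []
    general = conf.pop("general", {})
    # chan_sip treats an unset allowguest as yes, so require an explicit no
    if general.get("allowguest", "yes") != "no":
        findings.append(("general", "allowguest is not set to no"))
    for name, opts in conf.items():
        chargeable = opts.get("context") in chargeable_contexts
        if opts.get("type") == "friend":
            findings.append((name, "type=friend"))
        if chargeable and opts.get("insecure", "no") != "no":
            findings.append((name, "insecure= on a chargeable context"))
        if chargeable and name in itsp_sections:
            findings.append((name, "ITSP context can make chargeable calls"))
        if name.isdigit():
            findings.append((name, "device name is an extension number"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE_SIP_CONF, {"internal"}, {"itsp-trunk"}), sep="\n")
```

The caller supplies which contexts can reach chargeable routes and which sections belong to the ITSP, since the file alone does not say.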
Great info, David! I will look into these solutions. Luckily any users will be on site so I don’t have to worry about remote employees. I did find some posts regarding allow callers to transfer outside so I made some adjustments (Disable *2 and ##). Looking at the logs, they basically hit us with a bunch of random DTMF tones to see what worked.
This info will help greatly if I ever run into the same issue. It’s amazing how people are always up to no good.