Jump to content

Hacked Extensions


Recommended Posts

It appears from the daily report log that my PBX is being hacked, now I dont know what more I can do.


The fire wall on the internet connection is blocking all IPS from China, South Korea etc.. I have everything under Access Blocked except for a few IP ranges.


The reason I am saying hacked is is the below call records say these two calls were made from an "account/Extension" called asterisk I do not have any such account on my system.


Where could they of created this account how do I block this from happening in the future - and how do I find it to delete it.


Time Dir From To Remote Local Duration

5:25 I asterisk 011442070661000 asterisk 02:31

5:31 I asterisk 011442073479999 asterisk 00:27


Any help greatly appreciated!

Link to comment
Share on other sites

Well, the question is if you have a trunk with no outbound proxy. Which means that trunk may come from anywhere, the whole Internet. Set the outbound proxy (or specify the associated addresses) or set the trunk to outbound only.


The other thing is that you should set the password policy at least to medium. Otherwise your users can enter passwords like "1234", and those "least cost routing" tools out there in the internet will hack the account quickly.

Link to comment
Share on other sites

I am using Medium Security, when you say no proxy are you referring to "Proxy Address:"


Also there are thee types of trunks: Sip Proxy, SIP Gateway and SIP Registration. Do all three have the risk?


And not always are we given a proxy.... But most of the trunks are set to out bound only and almost all inbound ones have an IP's in the "Explicitly list addresses for inbound traffic:"


Which type of trunk should I check and anything more specific to check for.



Link to comment
Share on other sites

Well, the dangerous trunks allow inbound and they have neither the "Proxy Address" nor the "Explicitly list addresses for inbound traffic" set. Then when the call cannot be associated with any extension or any other trunk, the system will associate the call with this trunk. And especially if you allow redirection and specify that the PBX should "assume that the call come from an extension", then you can get into trouble: This will allow trunk to trunk calls.


The proxy address used to be called outbound proxy, but is also has impact on inbound traffic as we can see right now, that is where the name change comes from.

Link to comment
Share on other sites

Well if you have a reasonably good password on the extensions, then it will be difficult to "hack" the system, especially when the PBX automatically blocks the IP address after a couple of unsuccessful attempts. No outbound calls without that password. I would not worry about this.


You can specify the IP address from which you can accept registrations; but this feature was originally designed for endpoints that do not support authentication at all (!). So better dont touch that field and leave it empty.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...