samfiller, posted May 6, 2011

It appears from the daily report log that my PBX is being hacked; now I don't know what more I can do. The firewall on the Internet connection is blocking all IPs from China, South Korea etc. I have everything under Access Blocked except for a few IP ranges. The reason I am saying hacked is that the call records below say these two calls were made from an "account/Extension" called asterisk. I do not have any such account on my system. Where could they have created this account, how do I block this from happening in the future, and how do I find it to delete it?

Time Dir From To Remote Local Duration
5:25 I asterisk 011442070661000 asterisk 02:31
5:31 I asterisk 011442073479999 asterisk 00:27

Any help greatly appreciated!
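The symptom in the records above (calls billed to an account name that is not a configured extension, placed to international numbers) can be checked mechanically. The script below is an added example, not code from the thread or from Vodia; it assumes a whitespace-separated record layout with the same seven columns as the quoted header (Time Dir From To Remote Local Duration), the set of known extensions is hypothetical, and the sample lines are constructed for the example rather than taken from a real PBX.

```python
"""Scan PBX call records for calls billed to accounts that do not exist.

Added example (not from the forum thread or from Vodia). Assumes the
seven-column layout quoted by the poster; KNOWN_EXTENSIONS and the
sample log are constructed for this example.
"""
from dataclasses import dataclass

# Constructed: the extensions actually configured on the PBX.
KNOWN_EXTENSIONS = {"40", "41", "42", "43"}

# International dialing prefix seen in the poster's records.
INTL_PREFIX = "011"


@dataclass
class CallRecord:
    time: str
    direction: str   # "I" inbound, "O" outbound
    src: str         # From
    dst: str         # To
    remote: str      # Remote party / address
    local: str       # Local account the call was associated with
    duration: str    # mm:ss


def parse_cdr(text: str) -> list[CallRecord]:
    """Parse the report format; skip the header line and blank lines."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "Time":
            continue
        if len(fields) != 7:
            raise ValueError(f"unexpected field count in line: {line!r}")
        records.append(CallRecord(*fields))
    return records


def duration_seconds(mmss: str) -> int:
    """Convert a mm:ss duration to seconds (useful for totalling cost)."""
    minutes, seconds = mmss.split(":")
    return int(minutes) * 60 + int(seconds)


def find_suspicious(records, known=KNOWN_EXTENSIONS):
    """Return (record, reason) pairs that deserve a look.

    A call whose local account is not a configured extension is exactly
    what the poster saw; an international destination from such an
    account is the usual toll-fraud pattern, so both are reported.
    """
    findings = []
    for rec in records:
        reasons = []
        if rec.local not in known:
            reasons.append(f"unknown account {rec.local!r}")
        if rec.dst.startswith(INTL_PREFIX):
            reasons.append("international destination")
        if reasons:
            findings.append((rec, "; ".join(reasons)))
    return findings


# Constructed sample log (203.0.113.7 is a documentation address).
SAMPLE_LOG = """\
Time Dir From To Remote Local Duration
5:20 O 41 2125551234 sip.example.net 41 01:10
5:25 I asterisk 011442070661000 203.0.113.7 asterisk 02:31
5:31 I asterisk 011442073479999 203.0.113.7 asterisk 00:27
5:40 I 2125559876 40 sip.example.net 40 00:45
"""

if __name__ == "__main__":
    for rec, why in find_suspicious(parse_cdr(SAMPLE_LOG)):
        secs = duration_seconds(rec.duration)
        print(f"{rec.time} {rec.direction} {rec.src} -> {rec.dst} ({secs}s): {why}")
```

Run it against an exported daily report instead of SAMPLE_LOG to get the two "asterisk" calls flagged on both counts; extend KNOWN_EXTENSIONS from the PBX's real extension list.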
Vodia PBX, posted May 6, 2011

Well, the question is whether you have a trunk with no outbound proxy, which means that trunk may come from anywhere, the whole Internet. Set the outbound proxy (or specify the associated addresses) or set the trunk to outbound only. The other thing is that you should set the password policy at least to medium. Otherwise your users can enter passwords like "1234", and those "least cost routing" tools out there on the Internet will hack the account quickly.
samfiller (author), posted May 6, 2011

I am using Medium Security. When you say no proxy, are you referring to "Proxy Address:"? Also there are three types of trunks: SIP Proxy, SIP Gateway and SIP Registration. Do all three have the risk? And we are not always given a proxy... But most of the trunks are set to outbound only, and almost all inbound ones have IPs in "Explicitly list addresses for inbound traffic:". Which type of trunk should I check, and is there anything more specific to check for? THANKS AGAIN!!!
Vodia PBX, posted May 6, 2011

Well, the dangerous trunks allow inbound and have neither the "Proxy Address" nor the "Explicitly list addresses for inbound traffic" set. Then, when a call cannot be associated with any extension or any other trunk, the system will associate the call with this trunk. And especially if you allow redirection and specify that the PBX should "assume that the call comes from an extension", then you can get into trouble: this will allow trunk-to-trunk calls. The proxy address used to be called outbound proxy, but it also has an impact on inbound traffic, as we can see right now; that is where the name change comes from.
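The rule in the reply above (a trunk is dangerous when it accepts inbound calls, has neither "Proxy Address" nor "Explicitly list addresses for inbound traffic" set, and is worse still when redirected calls are assumed to come from an extension) can be turned into a small audit over a trunk list. This is an added example, not Vodia's code and not a Vodia API: the field names (`proxy_address`, `inbound_addresses`, `direction`, `redirect_as_extension`) are hypothetical stand-ins for the web-interface settings named in the reply, and the trunks in the list are constructed.

```python
"""Audit SIP trunk settings for the unrestricted-inbound pattern.

Added example, not Vodia's code. Field names are hypothetical stand-ins
for the settings named in the reply; the trunk list is constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Trunk:
    name: str
    kind: str                      # "proxy", "gateway" or "registration"
    direction: str                 # "inbound+outbound" or "outbound"
    proxy_address: str = ""        # "Proxy Address" (formerly outbound proxy)
    inbound_addresses: list[str] = field(default_factory=list)  # "Explicitly list addresses for inbound traffic"
    redirect_as_extension: bool = False  # redirection with "assume that the call comes from an extension"


def audit_trunk(trunk: Trunk) -> list[str]:
    """Return the problems found on one trunk (empty list if none)."""
    issues = []
    accepts_inbound = trunk.direction != "outbound"
    unrestricted = not trunk.proxy_address and not trunk.inbound_addresses
    if accepts_inbound and unrestricted:
        issues.append("accepts inbound from any address; unmatched calls "
                      "will be associated with this trunk")
        if trunk.redirect_as_extension:
            issues.append("redirected calls are treated as coming from an "
                          "extension, which permits trunk-to-trunk calls")
    return issues


def audit(trunks: list[Trunk]) -> dict[str, list[str]]:
    """Map trunk name -> issues, for trunks that have at least one."""
    report = {}
    for trunk in trunks:
        issues = audit_trunk(trunk)
        if issues:
            report[trunk.name] = issues
    return report


# Constructed trunk list covering the safe and unsafe configurations.
TRUNKS = [
    Trunk("carrier-a", "proxy", "inbound+outbound",
          proxy_address="sip.carrier-a.example"),
    Trunk("legacy-gw", "gateway", "inbound+outbound",
          redirect_as_extension=True),
    Trunk("callout-only", "gateway", "outbound"),
    Trunk("carrier-b", "registration", "inbound+outbound",
          inbound_addresses=["203.0.113.10", "203.0.113.11"]),
]

if __name__ == "__main__":
    for name, issues in audit(TRUNKS).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Only "legacy-gw" is reported: the other three are protected by a proxy address, an explicit inbound address list, or by being outbound only, which are the three remedies the reply gives.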
samfiller (author), posted May 6, 2011

Would the same apply to a SIP Registration? And if yes, I guess the registration server can be put into "Explicitly list addresses for inbound traffic:", because where else can it come from. Correct?
Vodia PBX, posted May 6, 2011

Well, if you have a reasonably good password on the extensions, then it will be difficult to "hack" the system, especially when the PBX automatically blocks the IP address after a couple of unsuccessful attempts. No outbound calls without that password. I would not worry about this. You can specify the IP address from which you accept registrations, but this feature was originally designed for endpoints that do not support authentication at all (!). So better don't touch that field and leave it empty.