Hi, due to a very extensive project, we need to expose FreePBX to the internet. Specifically, we are concerned with the SIP and RTP ports. The purpose of this action is to allow logging into the system using softphones and configured phones without the need for VPN.

In the past, I noticed that exposing port 5060 results in numerous brute force attacks where the attacker tries to impersonate an extension that exists in the system. However, due to the lack of a password, they are unable to make a phone call. Does an attacker, without knowledge of the extension password, have the ability to make calls at the expense of the client?

Ports such as 443, 80, 22, etc., will not be exposed to the world, only the ports required for telephony.

  • pksml@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    If it were me, I’d require TLS and do it on a non-standard port. Don’t allow 5060/UDP. Also, can you configure an external firewall? (Router if local or cloud firewall)

    • saygon90@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      Don’t allow 5060/UDP.

      Here is the crux of the matter. The provider registers with the PBX, unlike the usual scenario where the PBX registers with the provider. Consequently, I cannot close or change this port. If I do, the telephony will stop working altogether.

      Also, can you configure an external firewall? (Router if local or cloud firewall)

      Currently, the router only allows traffic on port 5060/UDP-TCP from a specific IP address. It’s safe enough, but only until we open the ports to the entire internet.

      One of the reasons I posted this question here is, among other things, an attempt to filter out fake calls from CDR Reports. Even if a call doesn’t go through, the attempt will be recorded in the report. So instead of 100 records a day, it could be even 10,000, and that’s exactly what I don’t want.