Hi, due to a very extensive project, we need to expose FreePBX to the internet. Specifically, we are concerned with the SIP and RTP ports. The purpose of this action is to allow logging into the system using softphones and configured phones without the need for VPN.
In the past, I noticed that exposing port 5060 results in numerous brute force attacks where the attacker tries to impersonate an extension that exists in the system. However, due to the lack of a password, they are unable to make a phone call. Does an attacker, without knowledge of the extension password, have the ability to make calls at the expense of the client?
Ports such as 443, 80, 22, etc., will not be exposed to the world, only the ports required for telephony.
The main challenge with such solutions is the dynamic IPs of clients. Unfortunately, I cannot whitelist clients because they will be logging in from different IPs every day.
I use passwords that are generated automatically by FreePBX, and these passwords are presumably complex enough.
That’s fine, but you should know which extensions are going to be logging in from different IPs and make your configuration allow those while at the same time restrict for extensions that you know will always be on your local network (ie: hard phones on desks in office). You could also limit those nomadic extensions from making calls to expensive destinations.
You’d be surprised at home many organizations use the same password for all their extensions. Or maybe you wouldn’t be surprised.