Hi, due to a very extensive project, we need to expose FreePBX to the internet. Specifically, we are concerned with the SIP and RTP ports. The purpose of this action is to allow logging into the system using softphones and configured phones without the need for VPN.

In the past, I noticed that exposing port 5060 results in numerous brute force attacks where the attacker tries to impersonate an extension that exists in the system. However, due to the lack of a password, they are unable to make a phone call. Does an attacker, without knowledge of the extension password, have the ability to make calls at the expense of the client?

Ports such as 443, 80, 22, etc., will not be exposed to the world, only the ports required for telephony.

  • WeirdOneTwoThree@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    No but they can if the system is improperly configured or the system is changed to be badly configured so a better answer is “maybe”. Just because they can’t today doesn’t mean they won’t be able to tomorrow or next week (see below).

    Exposing the SIP port to the world will quickly have them knocking on your door and twisting the door nob to see if it is locked, all night, all day, everyday, forever… consuming bandwidth and system resources.

    If you enable the “Responsive” firewall features then attackers (identified by connection attempts with the wrong credentials) get shunned (ignored, packets dropped) after a couple of login attempts for a configurable length of time which sounds good but with a recent exploit they were somehow able to turn off the firewall remotely and start exploiting systems so it’s something you have to manage carefully. Be careful when configuring the responsive firewall as it’s not uncommon for someone to lock themselves out of their own system.

    Consider installing a Session Border Controller (SBC) for more security.

    • trekologer@alien.topB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      if the system is improperly configured or the system is changed to be badly configured

      Let’s look at this part a bit closer. A default, out-of-the-box vanilla asterisk installation includes a number of demo extensions in the dialplan and (last time I checked) were enabled, with at least one of them able to access the system voicemail. If you’ve left those examples in place and customized the voicemail to be able to call out from it (a not uncommon use case), you might have not properly ensured that it doesn’t allow unrestricted calls.

      My suggestion would be that you should know which extensions are nomadic and setup your configuration such to only allow those to register from outside your network and the non-nomadic ones only from within. Make sure you are using complex passwords and different ones for each extension.

      • saygon90@alien.topOPB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        My suggestion would be that you should know which extensions are nomadic and setup your configuration such to only allow those to register from outside your network and the non-nomadic ones only from within.

        The main challenge with such solutions is the dynamic IPs of clients. Unfortunately, I cannot whitelist clients because they will be logging in from different IPs every day.

        Make sure you are using complex passwords and different ones for each extension.

        I use passwords that are generated automatically by FreePBX, and these passwords are presumably complex enough.

        • trekologer@alien.topB
          link
          fedilink
          English
          arrow-up
          1
          ·
          1 year ago

          I cannot whitelist clients because they will be logging in from different IPs every day.

          That’s fine, but you should know which extensions are going to be logging in from different IPs and make your configuration allow those while at the same time restrict for extensions that you know will always be on your local network (ie: hard phones on desks in office). You could also limit those nomadic extensions from making calls to expensive destinations.

          I use passwords that are generated automatically by FreePBX, and these passwords are presumably complex enough.

          You’d be surprised at home many organizations use the same password for all their extensions. Or maybe you wouldn’t be surprised.

    • saygon90@alien.topOPB
      link
      fedilink
      English
      arrow-up
      1
      ·
      1 year ago

      The exploit you mentioned was targeted at the REST API or the web interface, if I’m not mistaken. Both of these components will not be exposed to the network.

      Consider installing a Session Border Controller (SBC) for more security.

      Regarding the Session Border Controller (SBC), I found a very interesting project, LibreSBC.

      • WeirdOneTwoThree@alien.topB
        link
        fedilink
        English
        arrow-up
        1
        ·
        1 year ago

        Indeed but I wasn’t trying to warn you about that specific REST API exploit, rather I was cautioning you about the one that will only become known two minutes, two months or two years from now and who knows what it needs to be exposed to be exploited… perhaps one of the ports you have exposed :)