There has been an increase in the number of Asterisk IP PBX's being hacked for the purposes of placing free phone calls via those hacked IP PBX's, and in turn through the voip account that is used from that IP PBX, causing customers' accounts to be charged without their knowledge.
Please note that TelecomsXChange is not responsible for preventing unwanted physical or remote access to your Asterisk IP PBX. If your Asterisk IP PBX is compromised then you will be responsible for any damage caused.
The compromise of the IP PBX's we have seen all appear to have been caused by these common issues:
- The IP PBX not being fire-walled, and being open to the entire Internet for extensions on that IP PBX to register to it.
- Weak passwords on the IP PBX's extensions which allowed automated brute force attacks to find the password for 1 or more extensions.
- We've seen an increase of this with our own customers, anecdotal evidence of it happening more frequently at some of our competitors, as well as anecdotal evidence of automated bot-nets being used to locate and automatically attempt to hack IP PBX's.
Asterisks has throttling mechanism to limit the number of autorecharge transactions and loss to a customer that can occur on an account if a customer's equipment/software should be compromised, but for security of your Asterisk IP PBX server; we recommend you the following changes;
- Change the 5060 default sip port of your server to a different one and make sure to configure the extension clients accordingly as well.
- If you don't have any remote extensions, allow access to your servers for local user extensions only. You can find here (http://www.voip-info.org/wiki/index.php?page=Asterisk+sip+permit-deny-mask) an example to limit SIP traffic to and from a peer to a certain IP or network
- If you have remote extensions, change the passwords with stronger passwords for these extensions
- If you are an advanced user, use tools to protect your server from random password attacks like Fail2Ban. Fail2ban scans log files and bans IP addresses that make repeated, unsuccessful password attempts.
- Update your server to latest version for security fixes.