Hi, due to a very extensive project, we need to expose FreePBX to the internet. Specifically, we are concerned with the SIP and RTP ports. The purpose of this action is to allow logging into the system using softphones and configured phones without the need for VPN.
In the past, I noticed that exposing port 5060 results in numerous brute force attacks where the attacker tries to impersonate an extension that exists in the system. However, due to the lack of a password, they are unable to make a phone call. Does an attacker, without knowledge of the extension password, have the ability to make calls at the expense of the client?
Ports such as 443, 80, 22, etc., will not be exposed to the world, only the ports required for telephony.
No, but password strength matters and you’re 1 weak password away from thousands of dollars in fraudulent calls. So, make sure all passwords are long and strong.
Use a random port, not the default or one of the common alternatives. This is not security and will not keep a determined attacker out, but it will cut down on all the noise from blind internet scans.
Enable a firewall and use fail2ban or similar to ban brute-force attempts.
Enable call limits, such as prohibiting international calls and limiting the number of calls per hour an extension can make.
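An added example, not from this thread, of the detection logic behind the fail2ban advice above: it parses lines in the shape Asterisk's res_security_log writes (FreePBX keeps them in the security log) and flags any source address that produced `maxretry` failures within a `findtime` window. The log lines below are constructed samples, and the event names, threshold and window are assumptions to adjust for your deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Security events Asterisk raises when a REGISTER or INVITE fails authentication.
FAILURE_EVENTS = {"InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword", "FailedACL"}

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] \S+: SecurityEvent="(?P<event>[^"]+)"'
    r'.*?AccountID="(?P<account>[^"]*)".*?RemoteAddress="IPV[46]/\w+/(?P<ip>[^/]+)/\d+"'
)

def _ev(ts, event, account, ip):
    """Build one constructed security-log line (field subset only)."""
    return (f'[{ts}] SECURITY[2150] res_security_log.c: SecurityEvent="{event}",Service="PJSIP",'
            f'EventVersion="1",AccountID="{account}",SessionID="0x7f",'
            f'LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/{ip}/5060"')

SAMPLE_LOG = "\n".join([  # constructed: one scanner guessing extensions, one user mistyping once
    _ev("2024-05-01 10:00:01", "InvalidAccountID", "9999", "203.0.113.5"),
    _ev("2024-05-01 10:00:03", "ChallengeResponseFailed", "1001", "203.0.113.5"),
    _ev("2024-05-01 10:00:05", "ChallengeResponseFailed", "1002", "203.0.113.5"),
    _ev("2024-05-01 10:00:07", "ChallengeResponseFailed", "1003", "203.0.113.5"),
    _ev("2024-05-01 10:00:09", "ChallengeResponseFailed", "1001", "203.0.113.5"),
    _ev("2024-05-01 10:00:20", "ChallengeResponseFailed", "1001", "198.51.100.7"),
    _ev("2024-05-01 10:00:21", "SuccessfulAuth", "1001", "198.51.100.7"),
    "[2024-05-01 10:00:22] NOTICE[2150] chan_pjsip.c: unrelated line",
])

def parse_line(line):
    """Return (timestamp, event, account, source_ip), or None for non-security lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("event"), m.group("account"), m.group("ip")

def offenders(log_text, maxretry=5, findtime=600):
    """Map source IP -> {"failures", "accounts"} for sources with >= maxretry failures
    inside any findtime-second window (the same sliding rule fail2ban applies)."""
    window, recent = timedelta(seconds=findtime), defaultdict(deque)
    total, accounts, flagged = defaultdict(int), defaultdict(set), set()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[1] not in FAILURE_EVENTS:
            continue
        ts, _, account, ip = parsed
        total[ip] += 1
        accounts[ip].add(account)          # distinct extensions tried: scanners cycle through them
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:    # drop failures older than the window
            q.popleft()
        if len(q) >= maxretry:
            flagged.add(ip)
    return {ip: {"failures": total[ip], "accounts": sorted(accounts[ip])} for ip in flagged}
```

Pipe your real security log through `offenders()` to see which sources a fail2ban jail with the same `maxretry` and `findtime` would have banned.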