Security April 8, 2025 15 min read

PBX Security Guide: How to Prevent VoIP Hacking & Toll Fraud

Toll fraud costs businesses billions annually. Learn how hackers exploit PBX systems and the essential security measures to protect your Asterisk, FreePBX, or hosted phone system from unauthorized access and expensive fraud.

Critical Security Notice

Toll fraud can result in phone bills of $10,000 to $100,000+ in a single weekend. Attackers target PBX systems 24/7 using automated tools. If your system is exposed to the internet without proper security, it is only a matter of time before you become a victim.

Understanding PBX Hacking

PBX hacking (also called toll fraud or VoIP fraud) occurs when attackers gain unauthorized access to your phone system to make calls at your expense. The Communications Fraud Control Association (CFCA) estimates global telecom fraud losses exceed $38 billion annually.

How Hackers Profit

International Premium Rate

Hackers own or affiliate with premium rate numbers (often in Cuba, Somalia, Latvia, or Sierra Leone). They route thousands of calls through your PBX to these numbers, earning per-minute revenue while you pay the bill.

Call Selling Services

Compromised PBX systems are used to provide cheap international calling to third parties. Hackers sell calling cards or VoIP minutes using your system as the gateway.

Wangiri Callback Fraud

Your PBX is used to place brief rings to thousands of numbers. When victims call back the missed number, they reach expensive premium lines owned by fraudsters.

Caller ID Spoofing

Hackers use your legitimate caller ID to conduct phone scams, making it appear calls originate from a trusted business. This can damage your reputation and potentially involve legal liability.

Weekend Attacks: Most attacks occur Friday evening through Monday morning when IT staff are unavailable. A hacked PBX can generate $50,000+ in fraudulent calls in 48 hours.

Common Attack Vectors

1. Brute Force SIP Registration

The most common attack. Automated tools scan the internet for SIP servers on port 5060 and attempt thousands of username/password combinations. Default or weak credentials are cracked within minutes.

Common weak credentials attackers try: 100/100, 1001/1001, admin/admin, extension numbers matching passwords, voicemail PIN as SIP password

2. Social Engineering

Attackers call your company posing as telecom support, IT vendors, or even employees. They trick staff into revealing PBX credentials, transferring calls to premium numbers, or enabling call forwarding to external lines.

3. Misconfiguration Exploitation

Poorly configured PBX systems often have:

  • Open SIP ports allowing anonymous calling
  • Unrestricted outbound dialing (no international call blocking)
  • DISA (Direct Inward System Access) without PIN protection
  • Outbound routes accessible without authentication
  • AMI (Asterisk Manager Interface) exposed to the internet

4. Voicemail System Abuse

Attackers exploit voicemail-to-external transfer features. They access voicemail boxes with default PINs (0000, 1234) and use transfer features to reach outside lines, bypassing normal call restrictions.

5. Web Interface Vulnerabilities

FreePBX and other web GUIs can be compromised through default credentials, unpatched vulnerabilities, or exposure to the public internet. Once attackers access the admin panel, they control the entire phone system.

Essential Security Measures

Strong Password Policy

This is your first line of defense. Every SIP extension must have a strong, unique password.

Password Requirements

  • Minimum 16 characters for SIP secrets
  • Mix of uppercase, lowercase, numbers, and symbols
  • Never use extension number as password
  • Use a password generator, not human-created passwords
  • Change passwords immediately if staff leave

Fail2Ban Configuration

Fail2Ban monitors log files and automatically blocks IP addresses that show malicious behavior. This is essential for protecting against brute force attacks.

Create /etc/fail2ban/jail.local:

# Asterisk/FreePBX Fail2Ban Configuration

[asterisk]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=asterisk, protocol=all]
logpath  = /var/log/asterisk/full
maxretry = 3
bantime  = 86400
findtime = 600

[freepbx]
enabled  = true
filter   = freepbx
action   = iptables-allports[name=freepbx, protocol=all]
logpath  = /var/log/asterisk/freepbx_security.log
maxretry = 3
bantime  = 86400
findtime = 600

Create /etc/fail2ban/filter.d/asterisk.conf:

[Definition]
failregex = SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.*
            SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.*
            SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.*
            SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.*

ignoreregex =
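To confirm the filter above catches what it should before relying on it, here is an added example (not from the article) that applies its four failregex lines to constructed Asterisk security log lines and replays the jail's maxretry/findtime decision. The log line layout, the IPv4-only substitution for <HOST>, and the sample addresses are assumptions.

```python
import re
from datetime import datetime
# The failregex lines from the asterisk.conf filter above, exactly as fail2ban reads them.
FAILREGEX = [
    r'SECURITY.* SecurityEvent="FailedACL".*RemoteAddress=".+?/.+?/<HOST>/.*',
    r'SECURITY.* SecurityEvent="InvalidAccountID".*RemoteAddress=".+?/.+?/<HOST>/.*',
    r'SECURITY.* SecurityEvent="ChallengeResponseFailed".*RemoteAddress=".+?/.+?/<HOST>/.*',
    r'SECURITY.* SecurityEvent="InvalidPassword".*RemoteAddress=".+?/.+?/<HOST>/.*',
]
# fail2ban swaps <HOST> for a named group; an IPv4-only pattern is enough for this test.
HOST = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"
PATTERNS = [re.compile(p.replace("<HOST>", HOST)) for p in FAILREGEX]
TIMESTAMP = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]")

def match_line(line):
    """(timestamp, host) if the line matches one of the filter's regexes, else None."""
    ts = TIMESTAMP.match(line)
    for pat in PATTERNS:
        m = pat.search(line)
        if ts and m:
            return datetime.strptime(ts.group(1), "%Y-%m-%d %H:%M:%S"), m.group("host")
    return None

def hosts_to_ban(lines, maxretry=3, findtime=600):
    """Jail rule: ban a host with >= maxretry matches inside any findtime-second window."""
    hits = {}
    for line in lines:
        found = match_line(line)
        if found:
            hits.setdefault(found[1], []).append(found[0])
    banned = set()
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                banned.add(host)
                break
    return sorted(banned)

def event(ts, kind, ip):   # constructed line in the shape Asterisk writes to the full log
    return (f'[{ts}] SECURITY[2231] res_security_log.c: SecurityEvent="{kind}",Severity="Error",'
            f'Service="PJSIP",AccountID="1001",RemoteAddress="IPV4/UDP/{ip}/5060"')
SAMPLE_LOG = [   # constructed: one scanner plus a real phone with occasional typos
    event("2025-04-08 02:11:01", "InvalidPassword", "203.0.113.5"),
    event("2025-04-08 02:11:02", "InvalidAccountID", "203.0.113.5"),
    event("2025-04-08 02:11:04", "ChallengeResponseFailed", "203.0.113.5"),
    event("2025-04-08 02:30:00", "InvalidPassword", "198.51.100.77"),
    event("2025-04-08 03:05:00", "InvalidPassword", "198.51.100.77"),  # 35 min later
    event("2025-04-08 03:09:00", "InvalidPassword", "198.51.100.77"),
]
```

With the jail's maxretry=3 and findtime=600, only the scanner is banned; the phone's three typos are spread over 39 minutes.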

Firewall Rules (iptables)

Only allow SIP traffic from trusted sources. Never expose port 5060 to the entire internet.

# Allow SIP from your SIP trunk provider (IPComms example)
iptables -A INPUT -p udp -s 208.67.60.0/24 --dport 5060 -j ACCEPT
iptables -A INPUT -p udp -s 66.212.71.0/24 --dport 5060 -j ACCEPT

# Allow SIP from your office IP
iptables -A INPUT -p udp -s YOUR.OFFICE.IP.HERE --dport 5060 -j ACCEPT

# Allow RTP media ports (match the rtpstart/rtpend range in rtp.conf)
iptables -A INPUT -p udp --dport 10000:20000 -j ACCEPT

# Drop all other SIP traffic. iptables is first-match, so the ACCEPT rules above must
# come before these. If you enable TLS, add the same ACCEPT/DROP pairs for port 5061.
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A INPUT -p tcp --dport 5060 -j DROP

# Block AMI from external access
iptables -A INPUT -p tcp --dport 5038 -j DROP

Pro Tip: Use iptables-persistent or firewalld to ensure rules survive reboots. Test rules carefully before applying - you can lock yourself out!

Asterisk/FreePBX Specific Hardening

PJSIP Security Settings

Configure your endpoints to require authentication and restrict access:

; /etc/asterisk/pjsip.conf - Secure endpoint template

[endpoint-secure](!)
type=endpoint
context=from-internal
disallow=all
allow=ulaw
allow=alaw
direct_media=no
trust_id_inbound=no
trust_id_outbound=no
send_pai=no
send_rpid=no
auth=auth-template
aors=aor-template

[auth-template](!)
type=auth
auth_type=userpass
; Always use strong, randomly generated passwords
; username= and password= go in each extension's own auth section, not in the template

[aor-template](!)
type=aor
max_contacts=1
remove_existing=yes
qualify_frequency=60

Disable Guest Calls

Never allow unauthenticated calls. With PJSIP, Asterisk only accepts calls from unknown sources when /etc/asterisk/pjsip.conf defines an endpoint named anonymous, so make sure no such endpoint exists. In FreePBX, set both "Allow Anonymous Inbound SIP Calls" and "Allow SIP Guests" to No under Settings > Asterisk SIP Settings.

FreePBX Intrusion Detection

Enable the built-in Intrusion Detection module in FreePBX:

  1. Admin > System Admin > Intrusion Detection
  2. Enable "Intrusion Detection"
  3. Set ban time to 86400 (24 hours) or longer
  4. Set max retry to 3
  5. Whitelist your office IP and SIP provider IPs

Restrict Outbound Dialing

Create outbound route restrictions to limit damage if compromised:

  • Block international by default - Only enable for users who need it
  • Block premium rate numbers - 900, 976, and international premium prefixes
  • Set concurrent call limits - No extension should make 50 simultaneous calls
  • Time-based restrictions - Block international calls after hours

DISA Warning: If you use Direct Inward System Access (dial-in for outbound calls), require a strong PIN and restrict which numbers can be dialed. Better yet, disable DISA entirely and use a mobile softphone instead.

Network Security Best Practices

VPN for Remote Users

Instead of exposing SIP to the internet, require remote phones to connect via VPN. This eliminates external SIP port exposure entirely.

Network Segmentation

Place your PBX on a separate VLAN from general network traffic. Limit which devices can communicate with the phone system.

Use TLS/SRTP

Encrypt SIP signaling (TLS on port 5061) and media (SRTP). This prevents eavesdropping and man-in-the-middle attacks.

Disable Unused Services

Turn off AMI if not needed. Disable HTTP/HTTPS management interfaces or restrict to internal IPs only. Remove unused protocols (IAX2, SCCP, H.323).

Session Border Controller (SBC)

For enterprise deployments, consider placing an SBC between your PBX and the internet. The SBC acts as a security proxy that:

  • Hides your PBX topology from external attackers
  • Normalizes SIP messaging to prevent protocol exploits
  • Provides call rate limiting and anomaly detection
  • Handles NAT traversal without exposing the PBX

Monitoring and Detection

Early detection is critical. Set up monitoring to alert you before a small breach becomes a massive phone bill.

What to Monitor

Metric                         | Alert Threshold   | Why It Matters
-------------------------------+-------------------+----------------------------------
Failed registrations           | > 10/minute       | Indicates brute force attack
Concurrent calls               | > normal + 50%    | Unusual spike suggests compromise
International calls            | Any after hours   | Fraud often happens overnight
Calls to premium destinations  | Any               | High-cost fraud destinations
Single extension call volume   | > 5 concurrent    | One compromised extension

Log Analysis Script

Create a simple cron job to alert on suspicious activity:

#!/bin/bash
# /usr/local/bin/pbx-security-check.sh
# Run from cron (for example every 5 minutes). Needs GNU date and a working mail command.

ALERT_TO="admin@yourcompany.com"
LOG="/var/log/asterisk/full"

# Count failed auth attempts during the previous clock hour. Asterisk log lines start
# with "[YYYY-MM-DD HH:MM:SS]", so matching the hour prefix selects that hour's entries.
HOUR_PREFIX="[$(date -d '1 hour ago' '+%Y-%m-%d %H')"
FAILED=$(grep -F "$HOUR_PREFIX" "$LOG" | grep -c 'SecurityEvent="InvalidPassword"')

if [ "$FAILED" -gt 50 ]; then
    echo "ALERT: $FAILED failed auth attempts in last hour" | \
        mail -s "PBX Security Alert" "$ALERT_TO"
fi

# Count active channels whose dialed extension starts with an international prefix
# (011 or 00; adjust for your dialing plan). The "concise" output is '!'-separated with
# the dialed extension in field 3, so channel-name suffixes like "-00000abc" are not
# mistaken for international numbers.
INTL=$(asterisk -rx "core show channels concise" | awk -F'!' '$3 ~ /^(011|00)[0-9]/' | wc -l)

if [ "$INTL" -gt 5 ]; then
    echo "ALERT: $INTL international calls active" | \
        mail -s "PBX International Call Alert" "$ALERT_TO"
fi

CDR Analysis: Regularly review Call Detail Records. Look for calls to unfamiliar country codes, especially high-fraud destinations like Cuba (+53), Somalia (+252), Latvia (+371), and Sierra Leone (+232).
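The CDR review can be scripted. The following is an added example, not code from the article or from IPComms, that scans CDR rows for the destinations and thresholds discussed above: the high-fraud country codes, 900/976 premium prefixes, international calls outside business hours, and more than 5 concurrent calls from a single extension. The business-hours window, the 011/00/+ dialing prefixes, and the sample CDR rows are assumptions.

```python
import csv
from datetime import datetime
from itertools import accumulate
HIGH_FRAUD_CC = {"53": "Cuba", "252": "Somalia", "371": "Latvia", "232": "Sierra Leone"}
PREMIUM_NANP = ("900", "976")          # North American premium-rate area codes
BUSINESS_HOURS = range(8, 18)          # assumed 08:00-17:59 local; adjust for your office

def classify(dst):
    """Reasons a dialed number is suspicious ([] if none); assumes 011/00/+ intl dialing and NANP."""
    reasons = []
    intl = next((dst[len(p):] for p in ("011", "00", "+") if dst.startswith(p)), None)
    if intl and len(intl) > 6:
        reasons.append("international")
        reasons += [f"high-fraud destination {name} (+{cc})"
                    for cc, name in HIGH_FRAUD_CC.items() if intl.startswith(cc)]
    nanp = dst[1:] if len(dst) == 11 and dst[0] == "1" else dst
    if len(nanp) == 10 and nanp.startswith(PREMIUM_NANP):
        reasons.append(f"premium rate ({nanp[:3]})")
    return reasons

def analyze_cdr(csv_text, max_concurrent=5):
    """Alerts: suspicious destinations, after-hours international, extensions over max_concurrent."""
    alerts, spans = [], {}
    for row in csv.DictReader(csv_text.splitlines()):
        start = datetime.strptime(row["start"], "%Y-%m-%d %H:%M:%S")
        end = datetime.strptime(row["end"], "%Y-%m-%d %H:%M:%S")
        reasons = classify(row["dst"])
        if "international" in reasons and start.hour not in BUSINESS_HOURS:
            reasons.append("international after hours")
        alerts += [f"{row['src']} -> {row['dst']} at {row['start']}: {r}"
                   for r in reasons if r != "international"]
        spans.setdefault(row["src"], []).append((start, end))
    for ext, calls in spans.items():
        # Sweep line: +1 at each call start, -1 at each end; the running peak is the overlap.
        events = sorted([(s, 1) for s, _ in calls] + [(e, -1) for _, e in calls])
        peak = max(accumulate(delta for _, delta in events))
        if peak > max_concurrent:
            alerts.append(f"{ext}: {peak} concurrent calls (limit {max_concurrent})")
    return alerts

# Constructed sample using four of the columns of Asterisk's Master.csv CDR file.
SAMPLE_CDR = """src,dst,start,end
1001,01153712345678,2025-04-06 03:14:00,2025-04-06 03:44:00
1004,19005551212,2025-04-06 11:20:00,2025-04-06 11:21:00
1007,0037122334455,2025-04-06 02:00:00,2025-04-06 02:09:00
1007,0037122334456,2025-04-06 02:01:00,2025-04-06 02:09:00
1007,0037122334457,2025-04-06 02:02:00,2025-04-06 02:09:00
1007,0037122334458,2025-04-06 02:03:00,2025-04-06 02:09:00
1007,0037122334459,2025-04-06 02:04:00,2025-04-06 02:09:00
1007,0037122334460,2025-04-06 02:05:00,2025-04-06 02:09:00
"""
```

On the sample, extension 1007 shows the classic weekend pattern: six overlapping calls to Latvia at 2 a.m., which trips every threshold at once.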

What to Do If You've Been Hacked

Time is Money: Every minute counts. A compromised PBX can generate hundreds of dollars in fraudulent calls per hour. Act immediately.

Immediate Steps

  1. Disconnect from the network - Pull the ethernet cable or disable the network interface. Stop the bleeding.
  2. Contact your SIP provider - Call IPComms support immediately. We can disable your trunk to stop outbound calls.
  3. Document everything - Screenshot active calls, save logs, note timestamps. You may need this for insurance or law enforcement.
  4. Change all passwords - Every SIP extension, admin interface, AMI, SSH, and database password must be changed.
  5. Review CDRs - Identify which extension(s) were compromised and what numbers were called.

Recovery Process

  1. Apply all security measures from this guide before reconnecting
  2. Consider a fresh install if the system may have been rootkitted
  3. Implement Fail2Ban and firewall rules before enabling SIP
  4. Enable TLS/SRTP for all connections
  5. Set up monitoring and alerts
  6. Document the incident and update your security policy

Dealing with the Bill

Unfortunately, you are generally liable for fraudulent calls made through your system. However:

  • Contact your carrier immediately - Some providers offer fraud protection limits
  • File a police report - Required for insurance claims and may help with carrier negotiations
  • Check your business insurance - Some policies cover toll fraud losses
  • Document your security measures - Demonstrating reasonable security may help negotiations

IPComms Security Features

As your SIP trunk provider, IPComms includes multiple layers of security to protect our customers from toll fraud and unauthorized access.

IP-Based Authentication

Your trunk only accepts calls from your registered IP addresses. Even if credentials are leaked, attackers cannot use them from other locations.

Fraud Monitoring

Our systems monitor for unusual call patterns 24/7. We proactively alert customers and can suspend trunks when fraud is detected.

Spending Limits

Set daily and monthly spending caps on your account. Once the limit is reached, outbound calls are blocked, limiting your exposure.

International Call Blocking

Block international destinations by default. Enable only the countries you actually need to call, dramatically reducing fraud risk.

TLS/SRTP Support

Full encryption support for both signaling and media. Prevent eavesdropping and man-in-the-middle attacks on your calls.

24/7 Support

Security incidents do not wait for business hours. Our support team can disable your trunk immediately if you suspect fraud.

Hosted PBX Alternative: If managing PBX security sounds overwhelming, consider IPComms Hosted PBX. We handle all security hardening, updates, and monitoring. You get enterprise-grade phone features without the security burden.

Secure Your Phone System with IPComms

Get SIP trunking with built-in fraud protection, spending limits, and 24/7 monitoring. We help keep your business safe from toll fraud.
