    FreePBX hardening ...

    IT Discussion / freepbx
      BraswellJay

      We're planning to go live with our first FreePBX instance this weekend at one of our sites. I was reviewing to see if there was anything we may have missed and I came upon some questions related to hardening of the system, in particular where toll fraud issues are concerned.

      I found this thread in the FreePBX forums from a few years ago that discusses an attack where abuse of attended transfer resulted in fraudulent calls.

      https://community.freepbx.org/t/hacker-makes-international-calls-through-my-freepbx-ivr/34334/9

      It appears that as currently set up, our FreePBX instance would suffer from this same kind of attack.

      What are best practices or things to consider regarding preventing this kind of abuse?

      Thanks

        IRJ

        How about using fail2ban to put these IPs in jail?

          IRJ

          https://www.fail2ban.org/wiki/index.php/Asterisk

            JaredBusch @IRJ

            @IRJ said in FreePBX hardening ...:

            How about using fail2ban to put these IPs in jail?

            That's not how this works.

              JaredBusch @IRJ

              @IRJ said in FreePBX hardening ...:

              https://www.fail2ban.org/wiki/index.php/Asterisk

              FreePBX already has fail2ban implemented by the way.

                JaredBusch @BraswellJay

                @BraswellJay said in FreePBX hardening ...:

                It appears that as currently set up, our FreePBX instance would suffer from this same kind of attack.

                I would love it if you can prove this.

                Because this was patched 3 years ago.

                  JaredBusch

                  So I tested.

                  The codes do appear to work on an inbound call, contrary to what that patch shows.

                  I cannot make it transfer in such a way as my inbound call stays on the call though.

                  But I can make the recipient side, such as my extension, be connected to some random number, potentially causing toll charges.

                  1. Call DID
                  2. Press *2 or ##
                  3. Hear "transfer" and then dialtone.
                  4. Dial a valid number
                  5. Call is connected.

                  I would expect that *2 attended transfer could be abused like this, but I could not get it to talk.

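The ## and *2 codes JaredBusch reproduced above are Asterisk's built-in transfer features from features.conf, and a call leg can only invoke them if the Dial() that bridged it granted that permission (T for the calling party, t for the called party), which is why an IP-level tool like fail2ban never sees this. As an added illustration, not from the thread or from FreePBX's generated dialplan, the two contexts below contrast an inbound route that grants the outside caller transfer rights with one that does not; the DID, the PJSIP/1001 endpoint and the context names are assumed, and on a FreePBX system the Dial() options are filled in from the GUI's settings rather than from a hand-written context.

```ini
; Added example (assumed DID 15555550100 and endpoint PJSIP/1001; not FreePBX's own dialplan).
; The in-call transfer codes defined in features.conf (FreePBX defaults: blindxfer = ##,
; atxfer = *2) are honoured only on a leg that Dial() explicitly allowed to transfer:
;   T = the CALLING party may transfer    t = the CALLED party may transfer

[from-trunk-weak]
; The untrusted outside caller is the calling party, so 'T' hands them ## and *2 and
; lets them redirect our extension through the outbound routes, as reproduced above.
exten => 15555550100,1,Dial(PJSIP/1001,30,Ttr)
 same => n,Hangup()

[from-trunk-hardened]
; Drop the capital T: the inbound leg cannot invoke any transfer feature code.
; Our own extension keeps 't' so staff can still transfer callers internally.
exten => 15555550100,1,NoOp(Inbound DID ${EXTEN} from ${CALLERID(num)}: caller-side transfer disabled)
 same => n,Set(__DYNAMIC_FEATURES=)   ; also clear any applicationmap DTMF features on this call
 same => n,Dial(PJSIP/1001,30,tr)
 same => n,Hangup()
```

To confirm the effect on a live box, place a test call to the DID, press ## or *2 from the outside handset, and check that the Asterisk console shows no transfer being attempted.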
                    marcinozga @IRJ

                    @IRJ said in FreePBX hardening ...:

                    How about using fail2ban to put these IPs in jail?

                    Do you know that IP blocking is completely ineffective? I can have a different IP in a matter of minutes, perhaps even seconds.

                      IRJ @marcinozga

                      @marcinozga said in FreePBX hardening ...:

                      @IRJ said in FreePBX hardening ...:

                      How about using fail2ban to put these IPs in jail?

                      Do you know that IP blocking is completely ineffective? I can have a different IP in a matter of minutes, perhaps even seconds.

                      It can definitely stop automated attacks.

                        marcinozga @IRJ

                        @IRJ The scenario described above doesn't look like an automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

                          IRJ @marcinozga

                          @marcinozga said in FreePBX hardening ...:

                          @IRJ The scenario described above doesn't look like an automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

                          I don't know FreePBX, but I would assume the attack in that thread was automated. Fail2ban probably isn't the right solution for this particular circumstance. If it were useless as you said, it wouldn't be used at all with FreePBX.

                            JaredBusch @marcinozga

                            @marcinozga said in FreePBX hardening ...:

                            @IRJ The scenario described above doesn't look like an automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

                            It is absolutely automated. The abusers don't manually dial this shit.

                            @IRJ said in FreePBX hardening ...:

                            Fail2ban probably isn't the right solution for this particular circumstance.

                            Because this is exploiting something during a call.

                              scottalanmiller @marcinozga

                              @marcinozga said in FreePBX hardening ...:

                              @IRJ said in FreePBX hardening ...:

                              How about using fail2ban to put these IPs in jail?

                              Do you know that IP blocking is completely ineffective? I can have a different IP in a matter of minutes, perhaps even seconds.

                              It's pretty effective. Avoiding the best technology for security because it can't stop every possibility is bad logic. Being forced to generate a new IP every few seconds...

                              1. Makes most attacks impractical.
                              2. Slows attacks to the point of being ineffectual.

                              The secret to good security is making the cost of attack greater than the value of success. Fail2ban tends to do that extremely well.

                                scottalanmiller @marcinozga

                                @marcinozga said in FreePBX hardening ...:

                                @IRJ The scenario described above doesn't look like an automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

                                Actually that's exactly what is done. Bots setting up calls.

                                  Dashrender @scottalanmiller

                                  @scottalanmiller said in FreePBX hardening ...:

                                  @marcinozga said in FreePBX hardening ...:

                                  @IRJ The scenario described above doesn't look like an automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

                                  Actually that's exactly what is done. Bots setting up calls.

                                  I'm curious - to what end? What's the benefit to them?

                                    Skyetel @Dashrender

                                    @Dashrender said in FreePBX hardening ...:

                                    @scottalanmiller said in FreePBX hardening ...:

                                    @marcinozga said in FreePBX hardening ...:

                                    @IRJ The scenario described above doesn't look like an automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

                                    Actually that's exactly what is done. Bots setting up calls.

                                    I'm curious - to what end? What's the benefit to them?

                                    Typically bots will call international Toll Free numbers where fraudsters can charge insanely high per-min rates. Toll Fraud (its official name) can be insanely expensive (like $100k phone bill expensive). We are pretty insane with our fraud prevention to avoid this.

                                    Edit - we describe the kinds of fraud we've seen here: https://skyetel.atlassian.net/wiki/spaces/SUG/pages/243761174/High+Cost+Calling
                                    It also describes how our fraud prevention works.

                                      scottalanmiller @Dashrender

                                      @Dashrender said in FreePBX hardening ...:

                                      @scottalanmiller said in FreePBX hardening ...:

                                      @marcinozga said in FreePBX hardening ...:

                                      @IRJ The scenario described above doesn't look like an automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

                                      Actually that's exactly what is done. Bots setting up calls.

                                      I'm curious - to what end? What's the benefit to them?

                                      It's big money. Huge money. If you hack a phone system and get free calling to high cost places, then sell that to people making calls at low rates, you can undercut other phone carriers, and pay nothing. So the profit on it is huge.

                                      Imagine being able to run a whole phone company, at essentially zero cost.

                                        Skyetel @scottalanmiller

                                        @scottalanmiller said in FreePBX hardening ...:

                                        @Dashrender said in FreePBX hardening ...:

                                        @scottalanmiller said in FreePBX hardening ...:

                                        @marcinozga said in FreePBX hardening ...:

                                        @IRJ The scenario described above doesn't look like an automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

                                        Actually that's exactly what is done. Bots setting up calls.

                                        I'm curious - to what end? What's the benefit to them?

                                        It's big money. Huge money. If you hack a phone system and get free calling to high cost places, then sell that to people making calls at low rates, you can undercut other phone carriers, and pay nothing. So the profit on it is huge.

                                        Imagine being able to run a whole phone company, at essentially zero cost.

                                        Or sell illegal calling cards. That's really common too.

                                          scottalanmiller @Skyetel

                                          @Skyetel said in FreePBX hardening ...:

                                          @scottalanmiller said in FreePBX hardening ...:

                                          @Dashrender said in FreePBX hardening ...:

                                          @scottalanmiller said in FreePBX hardening ...:

                                          @marcinozga said in FreePBX hardening ...:

                                          @IRJ The scenario described above doesn't look like an automated attack, and it's rather unlikely bots would be exploiting PBX to make international calls.

                                          Actually that's exactly what is done. Bots setting up calls.

                                          I'm curious - to what end? What's the benefit to them?

                                          It's big money. Huge money. If you hack a phone system and get free calling to high cost places, then sell that to people making calls at low rates, you can undercut other phone carriers, and pay nothing. So the profit on it is huge.

                                          Imagine being able to run a whole phone company, at essentially zero cost.

                                          Or sell illegal calling cards. That's really common too.

                                          Yeah, I imagine that that is the main way of selling that kind of service.

                                            Skyetel

                                            Another really common type of Fraud is actually Inbound. Some companies will actually pay people to deliver calls to Toll Free numbers. (This is because Toll Free carriers give kickbacks to the parties who send calls to them). This makes it so that if a party calls a Toll Free number, they'll get a (very very small) per-min kickback. If they call enough Toll Free numbers and keep them on the line for a long time, they can make a lot of money.

                                            So if you have any Toll Free numbers, make sure they go to an IVR or a Voicemail box that has a timeout :).

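Skyetel's point above is that a toll-free DID must never be able to hold a caller indefinitely, because the caller is being paid per minute for exactly that; in Asterisk terms, every path out of the IVR needs a bounded timeout. As an added example that is not from the thread or from FreePBX, the context below puts a toll-free number behind a menu with a response timeout, a retry cap and an absolute call-length cap; the number, the prompt file, the PJSIP/1001 extension and the voicemail box are assumed.

```ini
; Added example (assumed toll-free DID 18005550100, prompt custom/tollfree-menu, box 1001@default).
; A toll-free number that just rings or sits on hold lets a traffic-pumping caller collect
; per-minute kickbacks for as long as they like, so every branch below ends the call.
[tollfree-ivr]
exten => 18005550100,1,Answer()
 same => n,Set(TIMEOUT(absolute)=900)        ; hard cap: no toll-free call lives past 15 minutes
 same => n,Set(TIMEOUT(response)=10)         ; 10 s with no keypress sends the call to the 't' extension
 same => n,Set(LOOPS=0)
 same => n(menu),Set(LOOPS=$[${LOOPS}+1])
 same => n,GotoIf($[${LOOPS} > 3]?goodbye)   ; three attempts, then hang up instead of looping forever
 same => n,Background(custom/tollfree-menu)  ; assumed prompt: "press 1 for sales, 2 to leave a message"
 same => n,WaitExten()
 same => n(goodbye),Playback(vm-goodbye)
 same => n,Hangup()

exten => 1,1,Dial(PJSIP/1001,20,tr)          ; staff may transfer; the outside caller may not (no 'T')
 same => n,Goto(2,1)                         ; unanswered after 20 s: voicemail, not endless ringing
exten => 2,1,VoiceMail(1001@default,u)       ; recording length is bounded by maxsecs in voicemail.conf
 same => n,Hangup()
exten => t,1,Goto(18005550100,menu)          ; response timeout: re-prompt (counted) rather than hold the line
exten => i,1,Goto(18005550100,menu)          ; invalid key: same treatment
exten => T,1,Goto(18005550100,goodbye)       ; absolute timeout fired: say goodbye and hang up
```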