Security Alert: Is port 5060 open on your router?

1 post / 0 new
jperry999
jperry999's picture
Security Alert: Is port 5060 open on your router?

Alert: Your system is likely under attack to hijack your phone system to make calls if you have port 5060-5061 open on your broadband router (that is the SIP port).
There is someone out there who has gotten quite active at finding any system with port 5060-5061 open on the router, and finding what extensions the system has, and using trial-and-error to find the passwords (which might only take minutes due to the speed of computers).

Hijackers out there are ramping up finding systems with this port open, and using them to make calls using your system to "phish" for credit-card/ATM-card info. Note that since this comes from your phone system and your Caller-ID, you might have some legal liability, so this is more than just the cost of the phone-calls to consider.

If you believe that because you did not give out your IP address, and there are "so many IP addresses out there, they will never happen on my system", or similar logic, let me tell you that happened to me and others:
Here are three individual hijack threads in just this forum in just recently. There are probably many more undetected and unreported.

http://www.freepbx.org/forum/freepbx/development/security-too-easy-for-intruders-to-use-your-phones-to-make-calls

http://www.freepbx.org/forum/freepbx/tips-and-tricks/voip-hijack

http://www.freepbx.org/forum/freepbx/users/hijacked-phone-systems

If you do not have adequate and extensive security measures in place, or do not fully understand how anyone can hijack your system, I strongly recommend you immediately close port 5060-5061 in your broadband router.

Note that in many cases you really do not need to have it open.
With most VOIP providers, your system sends a "register" command out, and thus the port does NOT need to be open (if I understand this correctly).

You would only need to have the port open to receive anonymous SIP calls or to have remote extensions, or similar things.

If you do need to have port 5060 open, I cannot stress enough how important it is to have extremely strong passwords for ALL your extensions. Even then, you should seriously consider fail2ban and further security measures.

Please see the above threads for good suggestions by experienced people on this subject.