"Initials" by "Florian Körner", licensed under "CC0 1.0". / Remix of the original. - Created with dicebear.comInitialsFlorian Körnerhttps://github.com/dicebear/dicebearVO
VoIP 11mo ago
Jump
Securely Exposing FreePBX for Remote Access with a Focus on SIP and RTP Ports
  • "Initials" by "Florian Körner", licensed under "CC0 1.0". / Remix of the original. - Created with dicebear.comInitialsFlorian Körnerhttps://github.com/dicebear/dicebearSA
    saygon90
    11mo ago 100%

    Don't have the web interface exposed to the Internet.

    +1

    I will try to hide FreePBX behind an SBC like LibreSBC.

    1
  • "Initials" by "Florian Körner", licensed under "CC0 1.0". / Remix of the original. - Created with dicebear.comInitialsFlorian Körnerhttps://github.com/dicebear/dicebearVO
    VoIP 11mo ago
    Jump
    Securely Exposing FreePBX for Remote Access with a Focus on SIP and RTP Ports
  • "Initials" by "Florian Körner", licensed under "CC0 1.0". / Remix of the original. - Created with dicebear.comInitialsFlorian Körnerhttps://github.com/dicebear/dicebearSA
    saygon90
    11mo ago 100%

    Don’t allow 5060/UDP.

    Here is the crux of the matter. The provider registers with the PBX, unlike the usual scenario where the PBX registers with the provider. Consequently, I cannot close or change this port. If I do, the telephony will stop working altogether.

    Also, can you configure an external firewall? (Router if local or cloud firewall)

    Currently, the router only allows traffic on port 5060/UDP-TCP from a specific IP address. It's safe enough, but only until we open the ports to the entire internet.

    One of the reasons I posted this question here is, among other things, an attempt to filter out fake calls from CDR Reports. Even if a call doesn't go through, the attempt will be recorded in the report. So instead of 100 records a day, it could be even 10,000, and that's exactly what I don't want.

    1
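The reply above wants the flood of failed attempts on 5060/UDP handled at the PBX without touching the provider's inbound registration. The block below is an added example, not code from the thread or from FreePBX: it reads constructed lines in the shape of Asterisk's `security` log channel (the `res_security_log` output), counts failed authentication events per source address inside a sliding window, skips an assumed trusted provider address, and emits the nftables commands that would add the offenders to a blocklist set. The set name `sip_blocklist`, table `inet filter`, the threshold and the addresses are all assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, abbreviated sample lines in the shape that Asterisk's
# res_security_log module writes to its "security" log channel. They are
# made up for this example and were not captured from a real PBX.
SAMPLE_LOG = """\
[2024-03-01 10:00:01] SECURITY[2041] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",AccountID="trunk-provider",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.20/5060"
[2024-03-01 10:00:05] SECURITY[2041] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="100",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-03-01 10:00:06] SECURITY[2041] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="101",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-03-01 10:00:07] SECURITY[2041] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-03-01 10:00:08] SECURITY[2041] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-03-01 10:00:09] SECURITY[2041] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5062"
[2024-03-01 10:30:00] SECURITY[2041] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="1002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.77/5060"
[2024-03-01 10:45:00] SECURITY[2041] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",AccountID="1002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.77/5060"
"""

# Asterisk security event names that denote a failed attempt.
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword",
                  "ChallengeResponseFailed", "FailedACL"}

# Addresses that must never be auto-banned, e.g. the provider that
# registers inbound to the PBX (example address, an assumption here).
TRUSTED = {"198.51.100.20"}

LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\].*?'
    r'SecurityEvent="(?P<event>[^"]+)".*?'
    r'RemoteAddress="[^/"]+/[^/"]+/(?P<ip>[^/"]+)/\d+"'
)


def parse_failures(log_text):
    """Return {remote_ip: [timestamps of failed attempts]}."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m["event"] in FAILURE_EVENTS:
            failures[m["ip"]].append(
                datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"))
    return failures


def find_offenders(log_text, threshold=5, window=timedelta(minutes=10)):
    """IPs with at least `threshold` failures inside one sliding `window`,
    mapped to their total failure count. A single typo from a real user
    (one failure, then success) stays below the threshold."""
    offenders = {}
    for ip, times in parse_failures(log_text).items():
        if ip in TRUSTED:
            continue
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = len(times)
                break
    return offenders


def nft_ban_commands(offenders, set_name="sip_blocklist"):
    """nft commands adding each offender to an IPv4 set. Assumes the set is
    declared as 'set sip_blocklist { type ipv4_addr; }' in table inet filter
    and referenced by a drop rule placed before the accept for dport 5060;
    IPv6 offenders would need a separate ipv6_addr set."""
    return [f"nft add element inet filter {set_name} {{ {ip} }}"
            for ip in sorted(offenders)]


if __name__ == "__main__":
    for cmd in nft_ban_commands(find_offenders(SAMPLE_LOG)):
        print(cmd)
```

Run against the real `security` log (enable it in `logger.conf` with a `security` level channel) from a cron job or a log follower; the provider stays on the trusted list, so the inbound registration the reply cannot move is never touched.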
  • "Initials" by "Florian Körner", licensed under "CC0 1.0". / Remix of the original. - Created with dicebear.comInitialsFlorian Körnerhttps://github.com/dicebear/dicebearVO
    VoIP 11mo ago
    Jump
    Securely Exposing FreePBX for Remote Access with a Focus on SIP and RTP Ports
    "Initials" by "Florian Körner", licensed under "CC0 1.0". / Remix of the original. - Created with dicebear.comInitialsFlorian Körnerhttps://github.com/dicebear/dicebearVO
    VoIP 11mo ago
    Jump
    Securely Exposing FreePBX for Remote Access with a Focus on SIP and RTP Ports
  • "Initials" by "Florian Körner", licensed under "CC0 1.0". / Remix of the original. - Created with dicebear.comInitialsFlorian Körnerhttps://github.com/dicebear/dicebearSA
    saygon90
    11mo ago 100%

    My suggestion would be that you should know which extensions are nomadic and set up your configuration such to only allow those to register from outside your network and the non-nomadic ones only from within.

    The main challenge with such solutions is the dynamic IPs of clients. Unfortunately, I cannot whitelist clients because they will be logging in from different IPs every day.

    Make sure you are using complex passwords and different ones for each extension.

    I use passwords that are generated automatically by FreePBX, and these passwords are presumably complex enough.

    1
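The split the reply suggests (nomadic extensions reachable from anywhere, desk phones and the registering provider pinned to known addresses) maps onto the PJSIP endpoint options `deny` and `permit`, which are what FreePBX's per-extension Permit/Deny settings write out. The fragment below is an added example, not from the thread or from FreePBX's generated configuration; it assumes the FreePBX `(+)` append syntax in a `pjsip.endpoint_custom_post.conf` file, and the extension numbers, trunk name and addresses are made up.

```ini
; Added example. Appended to FreePBX-generated endpoint sections with the
; (+) template syntax; file name and all addresses are assumptions.

; Desk phone that never leaves the office: refuse every source except the LAN.
; Order matters: the deny is evaluated first, then the permit punches the hole.
[1001](+)
deny=0.0.0.0/0.0.0.0
permit=10.10.0.0/24

; Nomadic softphone 1002: nothing appended. It may register from any address
; and relies on its generated secret plus the failed-attempt responder.

; Provider trunk that registers inbound to the PBX: accept only from the
; provider's signalling address, so 5060/UDP can stay open without the
; trunk credentials being guessable from the whole internet.
[trunk-provider](+)
deny=0.0.0.0/0.0.0.0
permit=198.51.100.20/32
```

Check the result after a reload with `pjsip show endpoint 1001` on the Asterisk CLI; a registration attempt for 1001 from outside the LAN is then refused at the ACL before any password is checked, while 1002 keeps working from changing addresses.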
  • "Initials" by "Florian Körner", licensed under "CC0 1.0". / Remix of the original. - Created with dicebear.comInitialsFlorian Körnerhttps://github.com/dicebear/dicebearVO
    VoIP 11mo ago
    Jump
    Securely Exposing FreePBX for Remote Access with a Focus on SIP and RTP Ports
  • "Initials" by "Florian Körner", licensed under "CC0 1.0". / Remix of the original. - Created with dicebear.comInitialsFlorian Körnerhttps://github.com/dicebear/dicebearSA
    saygon90
    11mo ago 100%

    The exploit you mentioned was targeted at the REST API or the web interface, if I'm not mistaken. Neither of these components will be exposed to the network.

    Consider installing a Session Border Controller (SBC) for more security.

    Regarding the Session Border Controller (SBC), I found a very interesting project, LibreSBC.

    1
  • "Initials" by "Florian Körner", licensed under "CC0 1.0". / Remix of the original. - Created with dicebear.comInitialsFlorian Körnerhttps://github.com/dicebear/dicebearVO
    VoIP saygon90 11mo ago 100%
    Securely Exposing FreePBX for Remote Access with a Focus on SIP and RTP Ports

    Hi, due to a very extensive project, we need to expose FreePBX to the internet. Specifically, we are concerned with the SIP and RTP ports. The purpose of this action is to allow logging into the system using softphones and configured phones without the need for a VPN.

    In the past, I noticed that exposing port 5060 results in numerous brute force attacks where the attacker tries to impersonate an extension that exists in the system. However, due to the lack of a password, they are unable to make a phone call. Does an attacker, without knowledge of the extension password, have the ability to make calls at the expense of the client?

    Ports such as 443, 80, 22, etc., will not be exposed to the world, only the ports required for telephony.

    1
    18
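The question in the post is what an attacker who knows an extension number but not its secret can do over the exposed SIP port. The block below is an added example, not code from the thread, FreePBX or Asterisk: a minimal model of the SIP Digest exchange (RFC 3261 reusing the RFC 2617 MD5 Digest, without `qop`) in which the PBX answers an INVITE with a 401 challenge and only lets the call proceed when the response was computed with the extension's secret. It plays three attempts through it: a guessed password, the real softphone, and a replay of the real softphone's captured `Authorization` header. The realm, secret, addresses and dialled number are made up.

```python
import hashlib
import secrets

# Added example: a minimal model of the SIP Digest challenge/response
# (RFC 3261 reusing RFC 2617 MD5 Digest, no qop) between an Asterisk-style
# PBX and a caller. The realm, extension secret and addresses are made up.
REALM = "asterisk"


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, realm, nonce, method, uri):
    """The 'response' value a client puts in its Authorization header."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


class Pbx:
    """Server side: hands out a nonce per challenge and checks the response."""

    def __init__(self, secrets_by_ext):
        self.secrets = secrets_by_ext   # extension -> secret
        self.outstanding = set()        # nonces issued but not yet consumed
        self.failures = []              # (ext, remote_ip, reason) per rejected attempt

    def _challenge(self):
        nonce = secrets.token_hex(16)
        self.outstanding.add(nonce)
        return ("401", nonce)

    def invite(self, ext, remote_ip, method, uri, nonce=None, response=None):
        if nonce is None:                       # first INVITE carries no credentials
            return self._challenge()
        if nonce not in self.outstanding:       # unknown or already used: replay
            self.failures.append((ext, remote_ip, "stale-nonce"))
            return self._challenge()
        self.outstanding.discard(nonce)         # a nonce is good for one attempt
        secret = self.secrets.get(ext)
        if secret is None:                      # same answer for unknown accounts
            self.failures.append((ext, remote_ip, "no-such-extension"))
            return self._challenge()
        expected = digest_response(ext, secret, REALM, nonce, method, uri)
        if not secrets.compare_digest(expected, response or ""):
            self.failures.append((ext, remote_ip, "bad-response"))
            return self._challenge()
        return ("200", None)                    # call proceeds


def run_scenario():
    ext, secret = "1001", "Qx9vT2mL8pW4kR7s"      # made-up generated secret
    pbx = Pbx({ext: secret})
    method, uri = "INVITE", "sip:0012025550123@pbx.example"

    # Attacker knows 1001 exists but not its secret: guesses "1001".
    _, nonce = pbx.invite(ext, "203.0.113.5", method, uri)
    guess = digest_response(ext, "1001", REALM, nonce, method, uri)
    attacker, _ = pbx.invite(ext, "203.0.113.5", method, uri, nonce, guess)

    # Legitimate softphone from a dynamic address with the real secret.
    _, nonce = pbx.invite(ext, "198.51.100.7", method, uri)
    good = digest_response(ext, secret, REALM, nonce, method, uri)
    legit, _ = pbx.invite(ext, "198.51.100.7", method, uri, nonce, good)

    # Attacker replays the sniffed Authorization header: nonce already consumed.
    replay, _ = pbx.invite(ext, "203.0.113.5", method, uri, nonce, good)

    return {"attacker": attacker, "legit": legit, "replay": replay,
            "failures": [f[2] for f in pbx.failures]}


if __name__ == "__main__":
    print(run_scenario())
```

The secret never crosses the wire, only an MD5 over it and a fresh nonce, so a guess has to be made one INVITE at a time against the server, and each guess leaves a failure entry behind; that is the noise the post describes, and it is why the strength of the generated secret and a responder on the failure log decide the outcome, not the mere fact that 5060 is reachable.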