Best practices to prevent fraud of your PBX phone system from outside.

Best Practices to Prevent Unwanted Use of Your PBX Phone System

PBX Hacking - Take the steps to stop unauthorized toll calls.

It it's not uncommon to hear of a companies' phone system breached and used to place numerous calls at the owner's expense. Most of the time, these calls are international with charges that accumulate rapidly. The whole event can occur very without warning, sometimes overnight in the hours when not much is going on. These "breach and access" fraud events usually happen in the evening when employee use is low or non-existent. As a normal "good practices" routine, it is suggested to consider someone at the company check call records paying special attention to which countries that are called (if International calling is enabled). Check for any unusual times of calls and if there are occurrences of an unusually excessive number of calls taking place in a short period of time. Keeping tabs on your companies' call records represents just a first step. Here are some tips to help avoid your PBX phone system from being used for these types of uses.

Security is an ongoing chore for administration, and best practices can evolve as new techniques are uncovered. Most breaches of fraud happen to more easy targets, because those that are looking to gain access are scanning millions of addresses for vulnerable targets. These types of PBX fraud attacks can be lessened substantially from a few good configuration settings and well-known good practices.

Mike's 10 Tips for Better PBX Security

Helpful Tips to Prevent unwanted use of your PBX phone system.

The following tips will make it much more difficult to access a PBX from an outside source.

If your company does not make International calls then request your dial tone provider to disable International calling or implement a block of International calling within your PBX (or both). If you make a fixed number request the trunk provider place a credit limit of International calling.
Disable outbound or inbound call redirects and/or extension transferring to an outside long-distance or International number.
Change default passwords for access to your PBX and then use a frequent mandatory change of passwords. Never make the password for an extension as the extension number. Use strong passwords.
Regularly delete or disable any unused phone numbers or extensions.
For VoIP systems, implement a firewall and only allow VoIP/IP access to pre-authorized known IP addresses. Use the “permit=” and “deny=” lines in sip.conf to only allow a limited range of IP addresses access. Prevent easy sip scanning by setting “alwaysauthreject=yes” in your sip configuration file. Install a SIP firewall that stops scanners who attempt to locate known SIP ports like 5060 and 5061.
Use Fail2ban or limit the number of attempts allowed when accessing the PBX, voicemail or other entrance points. When the limit of attempt requests are placed unsuccessfully, access will be denied. Use (Asterisk) IPtables to block malicious IP addresses.
Keep your system updated (firmware) and patched for the latest security updates. Linux needs to be hardened by using strong passwords and disabling unneeded services and installing updated patches.
Use non-standard ports.
Regularly check your call records and billing information for any suspicious activity.
Limit access to physical equipment and maintenance ports on the PBX.

NOTE: Here's an additional easy tip that makes good sense. Most searches for PBX systems that can be fraud targets occur looking for access, which begins with scans for well-known names, ports or protocols. Using well-known search engines for the IoT (Internet of Things) devices can be located quickly if the right information is being advertised. To limit devices and your PBX from known targeted scan searches, change the advertised name. This includes your PBX (i.e. version of Asterisk, etc.) so scans that search for specific hardware devices by name will not include your system.

PBX Fraud Prevention