Topic: My PBX has been hacked. But how? [Comments: 3]
cbbs70a
Mon, 07/26/2010 - 15:24 | My PBX has been hacked. But how?
All;
One of my customer's PBXs has been hacked and has been robo-dialing all weekend. However, I am not sure how they did it. I see calls being made, but I do not know how they are being originated. The AMI ACLs only permit localhost and the local internal 192.168.1 network, and the default password has been changed, so I don't think that was it. They did not log in through SSH or other normal means. Does anyone have any suggestions as to where I can look?
Thanks
Frank

Mon, 07/26/2010 - 22:59 | iptables
On a similar note, does anyone have a good set of firewall rules for iptables that's suitable for PBXs?
Thanks
Frank
Mon, 07/26/2010 - 23:10 | just curious is the sip
Just curious, are the SIP username and the SIP password the same on those PBXs? There are scripts out there that brute-force SIP extensions; that's the big security change in 1.4.24 -> 1.4.26.3. There was a vulnerability that would produce a different error if they got the password wrong on a legit extension versus a non-legit one, thus giving them an extension to throw a dictionary attack at.
Yes, I have iptables rules that work.
So:
1. Make sure you update their Asterisk version to fix the SIP vulnerabilities.
2. Figure out which SIP account was used and change its secret. Change any secret that isn't a good alphanumeric password.
3. If you don't have remote handsets or softphones, tighten down the firewall rules to only allow traffic to and from the provider's netblock (a whois of their IP should give you a netblock).
4. fail2ban can be effective, but you must be trained on using it, because a misconfigured phone/softphone will generate failures quickly enough to trigger a ban, and thus you'll ban a valid IP. Knowing how to look for this and how to unban will be necessary.
Erik Smith
CTO
BluegrassNet Voice
dCAP
Thirdlane Support by BluegrassNet Voice
eeman at bluegrassnetvoice dot com
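Steps 1 and 2 above, as an added example (this is not code from the thread, from Asterisk or from Thirdlane): a shell triage script that ranks SIP peers by outbound calls and talk time from Asterisk's CSV CDR (Master.csv) to find the account the robo-dialer used, then audits sip.conf for the secrets a dictionary script will get: a secret equal to the section name, a short secret, or one without a letter/digit mix, and checks whether alwaysauthreject=yes is set. The CDR rows and the sip.conf fragment are constructed samples; the paths in the usage comment are the Asterisk defaults, and extension 1004 is given the thread's mistake (secret equals extension) on purpose.

```shell
#!/usr/bin/env bash
# Added example, not code from the thread or from Asterisk/Thirdlane.
# Post-incident triage for an Asterisk box: which SIP peer placed the calls,
# and which sip.conf secrets would fall to a dictionary script.
# Usage: ./triage.sh /var/log/asterisk/cdr-csv/Master.csv /etc/asterisk/sip.conf
# With no (or other) arguments it runs against the constructed samples below.
set -eu

# Constructed CDR rows in Asterisk's Master.csv layout (18 double-quoted fields):
# accountcode,src,dst,dcontext,clid,channel,dstchannel,lastapp,lastdata,
# start,answer,end,duration,billsec,disposition,amaflags,uniqueid,userfield
SAMPLE_CDR='"","1001","15025551212","from-internal","""Frank"" <1001>","SIP/1001-0000a1b2","SIP/provider-0000a1b3","Dial","SIP/provider/15025551212|60","2010-07-23 17:02:11","2010-07-23 17:02:15","2010-07-23 17:05:40","209","205","ANSWERED","3","1279918931.1",""
"","1004","0114411234567890","from-internal","""1004"" <1004>","SIP/1004-0000c0de","SIP/provider-0000c0df","Dial","SIP/provider/0114411234567890|60","2010-07-24 02:13:41","2010-07-24 02:13:49","2010-07-24 02:44:02","1821","1813","ANSWERED","3","1279951621.7",""
"","1004","0114411234567891","from-internal","""1004"" <1004>","SIP/1004-0000c0e0","SIP/provider-0000c0e1","Dial","SIP/provider/0114411234567891|60","2010-07-24 02:14:03","2010-07-24 02:14:10","2010-07-24 02:41:55","1672","1665","ANSWERED","3","1279951643.9",""
"","1004","0114411234567892","from-internal","""1004"" <1004>","SIP/1004-0000c0e2","","Dial","SIP/provider/0114411234567892|60","2010-07-24 02:14:30","","2010-07-24 02:15:30","60","0","NO ANSWER","3","1279951670.11",""'

# Constructed sip.conf fragment: 1004 has the mistake from the thread (secret == extension).
SAMPLE_SIPCONF='[general]
context=from-internal
alwaysauthreject=no

[1001]
type=friend
secret=Xk7pQ2rmN9zT
host=dynamic

[1004]
type=friend
secret=1004
host=dynamic

[provider]
type=peer
host=sip.provider.example
secret=abcd'

# rank_peers: CDR CSV on stdin -> "peer calls billsec", busiest peer first.
# Fields are split on the quote-comma-quote between quoted fields, so commas
# inside the caller-id field do not shift columns. Channel (field 6) looks like
# SIP/1004-0000c0de; the suffix after '-' is per call and is stripped.
rank_peers() {
  awk -F'","' '
    $6 ~ /^SIP\// {
      peer = $6
      sub(/^SIP\//, "", peer)
      sub(/-[0-9a-f]+$/, "", peer)
      calls[peer]++
      secs[peer] += $14 + 0          # billsec: unanswered calls add 0
    }
    END { for (p in calls) printf "%s %d %d\n", p, calls[p], secs[p] }
  ' | sort -k2,2nr -k3,3nr
}

# audit_secrets: sip.conf on stdin -> "section reason" for each weak secret.
audit_secrets() {
  awk '
    /^\[.*\]$/ { sec = substr($0, 2, length($0) - 2); next }
    /^secret[ \t]*=/ {
      s = $0; sub(/^secret[ \t]*=[ \t]*/, "", s)
      if (s == sec)                              printf "%s secret-equals-name\n", sec
      else if (length(s) < 8)                    printf "%s short\n", sec
      else if (s !~ /[0-9]/ || s !~ /[A-Za-z]/)  printf "%s no-letter-digit-mix\n", sec
    }
  '
}

# authreject_enabled: exit 0 if sip.conf on stdin sets alwaysauthreject=yes,
# the option that gives a wrong password on a real peer and on a non-existent
# one the same rejection, removing the oracle extension scanners look for.
authreject_enabled() {
  grep -qiE '^[[:space:]]*alwaysauthreject[[:space:]]*=[[:space:]]*yes'
}

triage() {   # triage CDR_FILE SIP_CONF
  echo "== outbound calls per SIP peer (peer calls billsec) =="
  rank_peers < "$1"
  echo "== weak secrets in sip.conf =="
  audit_secrets < "$2"
  if ! authreject_enabled < "$2"; then
    echo "alwaysauthreject=yes is not set in sip.conf"
  fi
}

if [ $# -eq 2 ]; then
  triage "$1" "$2"
else
  cdr=$(mktemp); conf=$(mktemp)
  printf '%s\n' "$SAMPLE_CDR" > "$cdr"
  printf '%s\n' "$SAMPLE_SIPCONF" > "$conf"
  triage "$cdr" "$conf"
  rm -f "$cdr" "$conf"
fi
```

On the samples the first section lists 1004 with three calls and 3478 billable seconds against one short call for 1001, and the audit names 1004 (secret equals name) and the provider section (short secret). On a real box, run it against the live Master.csv and sip.conf, change the secret of whatever peer tops the list and of everything the audit names, and restart or `sip reload` so the old credentials stop working.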
Mon, 07/26/2010 - 23:47 | Erik; Thanks for the
Erik;
Thanks for the feedback. The PBX in question has remote phones connecting to it, so the firewall rules would have to take that into account. They would be greatly appreciated, to say the least. Yeah, I'm an asshole all right. I got snagged with phones with the same password as the extension. What an amateurish move that was.
Thanks
Frank
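Erik's item 3 with Frank's remote-phone constraint, as an added example (Erik's own ruleset is not posted in the thread; this is not it): a script that prints, and with --apply loads, an iptables INPUT chain for an Asterisk box. SIP and RTP are accepted only from the LAN, the provider's netblock and each remote phone on a fixed address; SSH and the AMI port (TCP 5038) only from the LAN, matching the AMI ACL Frank already has; remote phones without a fixed address get an optional any-source SIP rule throttled per source with xt_recent. Assumed values: the provider netblock 203.0.113.0/24 and the phone addresses 198.51.100.10/.11 are documentation-range placeholders, the LAN is 192.168.1.0/24 from the first post, and the RTP range 10000-20000 is the rtp.conf default.

```shell
#!/usr/bin/env bash
# Added example for this thread, not a ruleset from the original posters.
# Generates (and with --apply, loads) an iptables INPUT policy for an Asterisk box
# with a SIP trunk, LAN handsets, a few remote phones on fixed addresses and,
# optionally, remote phones on changing addresses.
# Assumed values (edit for your site): provider netblock from a whois of the trunk IP,
# LAN 192.168.1.0/24 (the thread's AMI ACL network), RTP 10000-20000 (rtp.conf default).
set -eu

PROVIDER=${PROVIDER:-203.0.113.0/24}        # assumed trunk netblock (documentation range)
LAN=${LAN:-192.168.1.0/24}
REMOTE_PHONES=${REMOTE_PHONES:-"198.51.100.10 198.51.100.11"}   # assumed fixed-IP remote phones
ALLOW_UNKNOWN_SIP=${ALLOW_UNKNOWN_SIP:-no}  # yes = remote phones without a fixed IP
RTP=10000:20000

# gen_rules PROVIDER LAN "PHONE PHONE ..." yes|no -> prints one iptables command per line
gen_rules() {
  provider=$1; lan=$2; phones=$3; unknown=$4
  # Flush first and set the DROP policy last, so an SSH session used to load this
  # is covered by the ESTABLISHED rule before the policy changes.
  cat <<EOF
iptables -F INPUT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p icmp --icmp-type echo-request -m limit --limit 5/s -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -s $lan -j ACCEPT
iptables -A INPUT -p tcp --dport 5038 -s $lan -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -s $lan -j ACCEPT
iptables -A INPUT -p udp --dport $RTP -s $lan -j ACCEPT
iptables -A INPUT -p udp --dport 5060 -s $provider -j ACCEPT
iptables -A INPUT -p udp --dport $RTP -s $provider -j ACCEPT
EOF
  for ph in $phones; do
    printf 'iptables -A INPUT -p udp --dport 5060 -s %s -j ACCEPT\n' "$ph"
    printf 'iptables -A INPUT -p udp --dport %s -s %s -j ACCEPT\n' "$RTP" "$ph"
  done
  if [ "$unknown" = yes ]; then
    # Phones on changing addresses need 5060 open to the world. Throttle each source to
    # 20 SIP packets per 10 s (20 is xt_recent's default per-address table size), which
    # stops dictionary scripts but will also throttle a broken phone in a retransmit loop.
    # RTP then has to be open to any source too; Asterisk ignores unexpected packets.
    cat <<EOF
iptables -A INPUT -p udp --dport 5060 -m recent --name SIP --update --seconds 10 --hitcount 20 -j DROP
iptables -A INPUT -p udp --dport 5060 -m recent --name SIP --set -j ACCEPT
iptables -A INPUT -p udp --dport $RTP -j ACCEPT
EOF
  fi
  cat <<EOF
iptables -A INPUT -p udp --dport 5060 -m limit --limit 10/min -j LOG --log-prefix "SIP-DROP: "
iptables -P FORWARD DROP
iptables -P INPUT DROP
EOF
}

case "${1:-}" in
  --apply)
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply" >&2; exit 1; }
    gen_rules "$PROVIDER" "$LAN" "$REMOTE_PHONES" "$ALLOW_UNKNOWN_SIP" | sh -e ;;
  *)
    gen_rules "$PROVIDER" "$LAN" "$REMOTE_PHONES" "$ALLOW_UNKNOWN_SIP" ;;   # dry run: print only
esac
```

Run it once without arguments and read the output before using --apply; the LOG rule makes rejected SIP sources show up in the kernel log with the SIP-DROP: prefix, which is where a phone you forgot to list will appear. If fail2ban is layered on top, put the same LAN and phone addresses in the jail's ignoreip so a misconfigured handset cannot ban itself, and keep `fail2ban-client set <jail> unbanip <ip>` handy for the case Erik describes.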