
Securing a FreePBX Outbound Trunk Against Toll Fraud and Unauthorized Use

An unsecured FreePBX outbound trunk is a liability — attackers scan for open SIP registrations continuously and dial expensive international destinations on your account within minutes of a compromise.

1. The Threat Model for Outbound SIP Trunks

Toll fraud on VoIP systems follows a predictable pattern: attackers scan for SIP registrars on port 5060, brute-force weak credentials, register a phantom extension, and immediately originate calls to premium-rate numbers in high-cost jurisdictions — typically West Africa, Eastern Europe, or Pacific Island destinations. A single compromised extension can generate thousands of dollars in per-minute charges in a few hours.

For FreePBX deployments connected to a flat-rate SIP network like UnlimCall, the financial model is different — there are no per-minute charges to inflate. But a compromised outbound trunk still creates problems: carrier-side fraud detection blocks your trunk, your caller IDs get flagged, and your SIP registration credentials may be used to attack other systems.

The security measures below apply regardless of your billing model.

2. IP Authentication Over SIP Registration

The single most effective security measure for outbound trunks is IP authentication — your FreePBX server is identified by its IP address rather than a SIP username/password pair. There are no credentials to steal.

UnlimCall's network supports IP authentication as the default trunk authentication method. To configure:

  1. Register your Asterisk server's public IP on your UnlimCall account (via the portal)
  2. In FreePBX, create a PJSIP trunk with no username or secret in the Authentication section
  3. Set the SIP Server to your assigned UnlimCall SIP proxy
  4. Confirm that `pjsip show contacts` shows the trunk as reachable via IP auth

If your server is behind NAT with a dynamic IP, IP authentication is not suitable, because the address the carrier would whitelist keeps changing. Use SIP registration with a strong credential instead, and implement the other hardening steps below.

See FreePBX PJSIP trunk setup for the full trunk configuration.

3. Firewall Hardening for SIP Ports

Your FreePBX server should accept SIP traffic only from your carrier's SIP proxy IP ranges. Using iptables or firewalld:

```bash
# Allow SIP signalling from the UnlimCall SIP proxy (replace with your assigned proxy IP range)
iptables -A INPUT -p udp --dport 5060 -s <unlimcall-proxy-cidr> -j ACCEPT
iptables -A INPUT -p tcp --dport 5061 -s <unlimcall-proxy-cidr> -j ACCEPT

# Allow RTP media ports from your carrier
iptables -A INPUT -p udp --dport 10000:20000 -s <unlimcall-proxy-cidr> -j ACCEPT

# Drop all other SIP traffic (rules are evaluated in order, so the ACCEPT rules above must come first;
# if you also enable SIP over TCP on 5060 or a different TLS port, add matching ACCEPT/DROP pairs)
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A INPUT -p tcp --dport 5061 -j DROP
```

Block port 5060 from the public internet entirely. Attackers cannot register phantom extensions if they cannot reach your SIP listener.

For RTP, scope the allowed source range to your carrier's media server IPs — available from your UnlimCall account. If your carrier uses a broad IP range, consider allowing the entire ASN and blocking everything else.

4. fail2ban Configuration for SIP

Even with firewall rules, any SIP port exposed to the internet benefits from fail2ban. FreePBX includes a fail2ban jail for Asterisk by default; verify it is active:

```bash
fail2ban-client status asterisk
```

If not running, enable the jail in /etc/fail2ban/jail.local:

```ini
[asterisk]
enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK,protocol=all]
logpath  = /var/log/asterisk/full
maxretry = 5
findtime = 21600
bantime  = 86400
```

With these values, fail2ban bans for 24 hours (bantime = 86400) any IP that produces 5 SIP authentication failures (maxretry) within a 6-hour window (findtime = 21600). Lower maxretry to 3 for high-security environments.
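To make the maxretry/findtime/bantime interaction concrete, here is a small replay of the jail's sliding-window logic over constructed Asterisk security-log lines. This is an added example, not fail2ban's code and not part of the original article; the log lines are constructed in the shape that Asterisk's res_security_log writes (fields abbreviated), the IPs are documentation ranges, and the set of event names treated as failures is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Jail parameters from the jail.local above.
MAXRETRY = 5
FINDTIME = 21600   # seconds (6 hours)
BANTIME = 86400    # seconds (24 hours)

# Assumed set of Asterisk security events that count as an authentication failure.
FAIL_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed", "FailedACL"}

# Matches the shape of res_security_log output: timestamp, event name, remote address.
LINE_RE = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] SECURITY\[\d+\][^:]*: '
    r'SecurityEvent="(?P<event>\w+)".*?'
    r'RemoteAddress="IPV4/(?:UDP|TCP|TLS)/(?P<ip>\d{1,3}(?:\.\d{1,3}){3})/\d+"'
)


def parse_line(line):
    """Return (timestamp, event, remote_ip) for a security log line, or None for any other line."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("event"), m.group("ip")


def evaluate(lines, maxretry=MAXRETRY, findtime=FINDTIME, bantime=BANTIME):
    """Replay chronologically ordered log lines; return [(ip, banned_at, banned_until), ...]."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)   # ip -> timestamps of failures inside the sliding window
    banned_until = {}
    bans = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, event, ip = parsed
        if event not in FAIL_EVENTS:
            continue
        if ip in banned_until and ts < banned_until[ip]:
            continue                  # traffic from a banned IP never reaches Asterisk
        recent = failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > window:
            recent.popleft()          # drop failures older than findtime
        if len(recent) >= maxretry:
            banned_until[ip] = ts + timedelta(seconds=bantime)
            bans.append((ip, ts, banned_until[ip]))
            recent.clear()
    return bans


def security_line(ts, event, ip, account="1001"):
    """Constructed sample line in the shape Asterisk's res_security_log writes (fields abbreviated)."""
    return (f'[{ts}] SECURITY[2178] res_security_log.c: SecurityEvent="{event}",'
            f'EventTV="{ts.replace(" ", "T")}.000+0000",Severity="Error",Service="PJSIP",'
            f'EventVersion="2",AccountID="{account}",SessionID="0x7f3c2c004a40",'
            f'LocalAddress="IPV4/UDP/203.0.113.10/5060",RemoteAddress="IPV4/UDP/{ip}/5062"')


# Constructed, chronologically ordered sample log (documentation-range IPs).
SAMPLE_LOG = [
    security_line("2024-05-01 00:00:00", "InvalidAccountID", "203.0.113.99", "admin"),  # slow scanner
    security_line("2024-05-01 02:00:00", "InvalidAccountID", "203.0.113.99", "test"),
    security_line("2024-05-01 02:14:07", "InvalidPassword", "198.51.100.7"),            # brute force
    "[2024-05-01 02:14:08] VERBOSE[2178] res_pjsip_logger.c: <--- Received SIP request --->",
    security_line("2024-05-01 02:14:41", "InvalidPassword", "198.51.100.7"),
    security_line("2024-05-01 02:15:12", "InvalidPassword", "198.51.100.7"),
    security_line("2024-05-01 02:16:03", "InvalidPassword", "198.51.100.7"),
    security_line("2024-05-01 02:17:40", "InvalidPassword", "198.51.100.7"),
    security_line("2024-05-01 02:18:05", "InvalidPassword", "198.51.100.7"),
    security_line("2024-05-01 04:00:00", "InvalidAccountID", "203.0.113.99", "sip"),
    security_line("2024-05-01 06:00:00", "InvalidAccountID", "203.0.113.99", "100"),
    security_line("2024-05-01 08:00:00", "InvalidAccountID", "203.0.113.99", "101"),
    security_line("2024-05-01 09:00:00", "InvalidPassword", "192.0.2.20"),              # user typo
    security_line("2024-05-01 09:00:30", "InvalidPassword", "192.0.2.20"),
    security_line("2024-05-01 09:00:45", "SuccessfulAuth", "192.0.2.20"),
]

if __name__ == "__main__":
    for ip, at, until in evaluate(SAMPLE_LOG):
        print(f"ban {ip} at {at} until {until}")
    print("with maxretry=3:", [ip for ip, _, _ in evaluate(SAMPLE_LOG, maxretry=3)])
```

With the page's values only the rapid brute-force source is banned: the scanner that spaces its attempts two hours apart never accumulates five failures inside one 6-hour window. Dropping maxretry to 3, as the text suggests for high-security environments, catches that slow scanner as well, which is the trade-off to weigh against the occasional user who mistypes a password two or three times.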

5. Outbound Call Restrictions in FreePBX

Limit which destinations your outbound trunk can reach. In Admin > Advanced Settings, configure:

  • International Calling Disabled: If your campaigns only dial US and Canada, disable international calling entirely. An attacker who compromises an extension cannot dial internationally if the route does not exist
  • Dial Patterns Whitelist: Use restrictive dial patterns in your outbound routes. Instead of `+.` (match everything), pattern match only the specific country codes and formats your campaigns dial
  • Max Concurrent Calls per Trunk: Set a concurrent call limit on your PJSIP trunk that matches your expected peak — see `max_channels` in the PJSIP endpoint configuration. A compromised extension spawning 200 simultaneous international calls is rate-limited to your configured maximum

In /etc/asterisk/pjsip.conf or via the FreePBX GUI's Advanced trunk settings:

```ini
[unlimcall-us]
type=endpoint
...
call_limit=150
```
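The difference between a "match everything" pattern and a whitelist is easiest to see by running candidate numbers through the pattern syntax itself. The following is an added example, not FreePBX code and not from the original article: it translates Asterisk/FreePBX dial patterns (X, Z, N, [..], ., !) into regexes and picks the first matching route in order, the way FreePBX orders outbound routes. The route names, the "deny" route (modelling a first-listed route with no trunk) and the list of non-US/CA NANP area codes are assumptions for illustration; it goes slightly beyond the text by showing that 1NXXNXXXXXX alone still reaches Caribbean NANP destinations, which a US/CA-only dialer usually wants to exclude.

```python
import re


def pattern_to_regex(pattern):
    """Translate an Asterisk/FreePBX dial pattern (X, Z, N, [..], ., !) into an anchored regex."""
    parts = []
    i = 0
    while i < len(pattern):
        c = pattern[i]
        if c in "Xx":
            parts.append("[0-9]")
        elif c in "Zz":
            parts.append("[1-9]")
        elif c in "Nn":
            parts.append("[2-9]")
        elif c == ".":
            parts.append(".+")          # wildcard: one or more of anything (the "match everything" case)
        elif c == "!":
            parts.append(".*")          # zero or more of anything
        elif c == "[":
            j = pattern.index("]", i)   # character set such as [2-9] or [15]
            parts.append("[" + pattern[i + 1:j] + "]")
            i = j
        else:
            parts.append(re.escape(c))  # literal digit, '+', '*' or '#'
        i += 1
    return re.compile("^" + "".join(parts) + "$")


def select_route(dialed, routes):
    """Return the name of the first route (in FreePBX order) with a matching pattern, or None."""
    for name, patterns in routes:
        for pattern in patterns:
            if pattern_to_regex(pattern).match(dialed):
                return name
    return None


# The "+." / "." patterns from the page: every number gets a trunk.
PERMISSIVE = [
    ("everything", ["+.", "."]),
]

# Hypothetical restrictive route set for a US/Canada-only dialer. NANP is wider than US/CA:
# 1-876 (Jamaica), 1-809/829/849 (Dominican Republic) and 1-868 (Trinidad) also match 1NXXNXXXXXX,
# so an earlier route with no trunk swallows them (list not exhaustive).
NON_US_CA_NANP = ["1876", "1809", "1829", "1849", "1868"]
RESTRICTIVE = [
    ("deny-nanp-non-us-ca", [c + "NXXXXXX" for c in NON_US_CA_NANP]
                            + ["+" + c + "NXXXXXX" for c in NON_US_CA_NANP]),
    ("us-ca", ["1NXXNXXXXXX", "NXXNXXXXXX", "+1NXXNXXXXXX"]),
]

if __name__ == "__main__":
    # Constructed test numbers: 555-01XX and +44 20 7946 0xxx are reserved fictional ranges.
    for number in ["12125550123", "2125550123", "+12125550123", "18765550123", "011442079460000"]:
        print(f"{number:>16}  permissive={select_route(number, PERMISSIVE)!s:<11} "
              f"restrictive={select_route(number, RESTRICTIVE)}")
```

Under the permissive set every number is routed, including the international one; under the restrictive set the international number matches no route and the call fails in the dialplan, which is exactly the "the route does not exist" outcome the bullet list describes.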

6. Monitoring for Anomalous Outbound Activity

Configure AMI-based alerting for unusual outbound patterns. A simple monitor script checks concurrent call count every 60 seconds:

```bash
#!/bin/bash
# Count active calls as reported by the Asterisk CLI; default to 0 if the CLI returns nothing
# (for example when Asterisk is down), so the numeric comparison below does not error out.
ACTIVE=$(asterisk -rx "core show channels" | grep "active call" | awk '{print $1}')
ACTIVE=${ACTIVE:-0}
THRESHOLD=120                       # tune to 20-30% above expected peak concurrent calls
ALERT_TO="alerts@example.com"       # replace with your alert address

if [ "$ACTIVE" -gt "$THRESHOLD" ]; then
  echo "Alert: $ACTIVE active calls at $(date)" | mail -s "FreePBX call spike" "$ALERT_TO"
fi
```

Run this via cron every minute. Tune the threshold to 20–30% above your expected peak concurrent call count. A spike above threshold during off-hours is a strong indicator of unauthorized use.
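The shell monitor uses one fixed threshold. The off-hours point above is worth building in: the same call count that is normal at 14:00 is suspicious at 03:00. The following is an added example, not the article's script and not UnlimCall or FreePBX code: it parses the text of `core show channels`, applies a time-of-day threshold, and additionally counts channels per PJSIP endpoint so a trunk can be compared against its own channel cap. The thresholds, business-hours window, trunk name `unlimcall-us` and the channel-name layout (`PJSIP/<endpoint>-<8 hex digits>`) are assumptions, and the CLI output used as input is constructed.

```python
import re
from collections import Counter
from datetime import datetime

# Hypothetical thresholds: 20-30% above the expected business-hours peak, and a much lower
# ceiling for the hours in which the dialer should be idle.
BUSINESS_HOURS = range(8, 20)       # 08:00-19:59 local time
THRESHOLD_BUSINESS = 120
THRESHOLD_OFF_HOURS = 10

# "N active calls" summary line, and one channel line per PJSIP endpoint (channel = endpoint-hexid).
CALLS_RE = re.compile(r"^(\d+) active calls?$", re.MULTILINE)
CHANNEL_RE = re.compile(r"^PJSIP/(\S+)-[0-9a-f]{8}\s", re.MULTILINE)


def parse_channels(output):
    """Return (active_calls, Counter of channels per PJSIP endpoint) from 'core show channels' text."""
    m = CALLS_RE.search(output)
    active = int(m.group(1)) if m else 0          # empty output (Asterisk down) counts as 0, not a crash
    return active, Counter(CHANNEL_RE.findall(output))


def threshold_for(hour):
    """Concurrent-call ceiling for the given local hour (0-23)."""
    return THRESHOLD_BUSINESS if hour in BUSINESS_HOURS else THRESHOLD_OFF_HOURS


def check(output, trunk_limits, hour):
    """Return alert strings: a global spike for the time of day, plus any trunk above its channel cap."""
    active, per_endpoint = parse_channels(output)
    alerts = []
    limit = threshold_for(hour)
    if active > limit:
        alerts.append(f"{active} active calls exceeds {limit} at hour {hour:02d}")
    for trunk, cap in trunk_limits.items():
        if per_endpoint[trunk] > cap:
            alerts.append(f"trunk {trunk}: {per_endpoint[trunk]} channels, cap {cap}")
    return alerts


def constructed_show_channels(trunk_calls):
    """Constructed 'core show channels' output: each outbound call has a trunk leg and an extension leg."""
    lines = ["Channel              Location             State   Application(Data)"]
    for i in range(trunk_calls):
        lines.append(f"PJSIP/unlimcall-us-{i:08x}  s@macro-dialout-trunk:1  Up      Dial(PJSIP/...)")
        lines.append(f"PJSIP/{1000 + i}-{i + 0x100:08x}  s@macro-dial-one:42  Up      Dial(PJSIP/...)")
    lines.append(f"{2 * trunk_calls} active channels")
    lines.append(f"{trunk_calls} active calls")
    lines.append(f"{2 * trunk_calls + 900} calls processed")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    limits = {"unlimcall-us": 150}            # the trunk's configured channel cap
    sample = constructed_show_channels(60)
    print("14:00 ->", check(sample, limits, 14))                               # within business threshold
    print("03:00 ->", check(sample, limits, 3))                                # same load off-hours: alert
    print("flood ->", check(constructed_show_channels(160), limits, 14))       # both limits exceeded
    print("now   ->", check(sample, limits, datetime.now().hour))
```

Run it on the real CLI output by piping `asterisk -rx "core show channels"` into `check()`; the per-trunk count is the more useful signal on a box that also carries internal calls, because a trunk sitting at its channel cap outside business hours is the pattern a compromised extension produces.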

For call centers using a predictive dialer, integrate the dialer's own call volume monitoring into your alerting stack — the dialer has more context about expected concurrent call ranges than a generic Asterisk channel count.

Takeaways

Securing an outbound SIP trunk comes down to four controls: IP authentication to eliminate credential-based attacks, firewall rules to restrict SIP access to known carrier IPs, fail2ban to block brute-force attempts, and call pattern restrictions to limit blast radius if a compromise occurs. None of these require expensive tools — they are configuration decisions on software you already have.

A Network That Validates Your IP, Not Just Your Password

UnlimCall's default trunk authentication is IP-based. No credential to steal. Flat-rate seats at $99/month in US/CA, zero per-minute exposure to toll fraud. /pricing/