So two of my clients got nailed, independently, during the same week. In both cases the root cause was a combination of weak passwords on SIP accounts and public Internet connectivity.
For VoIP service providers, public Internet connectivity is obviously not negotiable, and clients are often able to set their own passwords. When an account is compromised you usually get bent over the table pretty quickly; fortunately, in the latter case you can at least have a disclaimer, which purely serves as an income protector – it does NOT save your business relationship with your client.

PABX systems are usually behind a firewall that only allows connectivity from the local network, but in one of this week's cases the router "accidentally" forwarded SIP traffic to the VoIP server (a misconfiguration due to a misunderstanding of how the router's DMZ and port-forwarding functionality works – not configured by ULS): the router was set up to forward all traffic instead of just TCP/22 for ssh.
So in the case of a publicly accessible VoIP service – what can be done to protect both your client and yourself?
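One measure against the first root cause (weak SIP secrets chosen by clients) is to audit them before they go live. The script below is an added example and not code from the original post; it assumes a simple INI-style peer list with `[account]` headers and `secret=` lines, and the sample peers are constructed.

```python
import re

# Constructed sample of SIP peer definitions (hypothetical layout;
# a real PABX or provisioning system would supply the actual list).
SAMPLE_PEERS = """
[1001]
secret=1001

[1002]
secret=password

[1003]
secret=Xk7#pQ2mV9!rT4wL

[2001]
secret=123456
"""

COMMON_SECRETS = {"password", "123456", "12345678", "qwerty", "admin", "secret"}
MIN_LENGTH = 12


def parse_peers(text):
    """Return {account: secret} from [account] sections with a secret= line."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            current = header.group(1)
        elif current and line.startswith("secret="):
            peers[current] = line.split("=", 1)[1]
    return peers


def weakness_reasons(account, secret):
    """List every policy rule the secret fails; an empty list means it passes."""
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if secret.lower() in COMMON_SECRETS:
        reasons.append("common password")
    if account in secret:
        reasons.append("contains the account name")
    if secret.isdigit():
        reasons.append("digits only")
    # Count lowercase, uppercase, digit and symbol classes present.
    classes = sum(bool(re.search(p, secret)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


def audit(text):
    """Map each failing account to its list of reasons."""
    results = {a: weakness_reasons(a, s) for a, s in parse_peers(text).items()}
    return {a: r for a, r in results.items() if r}


if __name__ == "__main__":
    for account, reasons in audit(SAMPLE_PEERS).items():
        print(f"{account}: {', '.join(reasons)}")
```

Run it against a peer export before enabling accounts; any account it lists should have its secret regenerated rather than left to the client.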