securing a PBX

alphabanks (n00b, joined Oct 31, 2012, 62 messages)
I would like to discuss securing PBX servers; I'm mainly speaking from the network side of things. For example, do you guys simply forward SIP back to your PBX, or do you use some sort of proxy? I would assume that you all create firewall rules that only allow specific IP addresses to connect. Anyway, I'm new to all of this, so I'm trying to figure out the best way to protect a PBX server.
 
It depends on specifically what you are needing to expose to both the internal LAN as well as the internet.
1) Will you be having remote extensions connecting over the public internet?
2) Are you utilizing VoIP trunks to the public PSTN?
3) Access to the voicemail website from the public internet?
4) Any other services the PBX will be providing?
 
Basically, right now I have a few test DIDs from Anveo, Callcentric, and IPKall. I have configured a few extensions in my test lab. However, I would like to play around with having remote extensions and accessing voicemail. Right now I will be using some Android phones for testing the remote extensions.
 
Make sure there is no way to get an outside line from the outside. Ex: if I call into the IVR, I should not be able to hit a combination to get a line and then be able to dial out.

Hackers use this to make free overseas calls. $$$$$$$$
 
I have absolutely 0 FW rules for any of my PBXs...

Any communications out to ITSPs are internally initiated...

Remote extensions: we use Yealinks, and one of the beautiful things about them is that they have OpenVPN clients. I configure the OpenVPN client for it, and it connects securely via VPN and then SIP...
 
^ That's the way to do it for permanent deskphones. No Games.

Otherwise Fail2Ban is an absolute must.
 
If you use Asterisk/FreePBX, you really should consider IncrediblePBX. It requires no open firewall rules for anything. If you use remote (not local/routable LAN) clients, you handle it via a VPN built into the device or the router the client is behind.
 
Speaking as an ITSP/Internet/Phone Provider.

Firewall as much as you can. Our general rule of thumb: if it doesn't need to talk to the outside, it either gets an internal IP or has its ass firewalled off.

Second rule of thumb: unusual SIP peer names, and strong passwords.

Instead of SIP peer names like 101, use something that identifies the customer, e.g. "marysflowershop1", and strong passwords (letters, numbers, symbols, >8 characters).

Finally, non-auto-replenishing accounts. If it's a pre-pay type SIP account from the carrier, don't let it automatically refill itself by hitting your credit card. It's more work for you, but if anyone ever gets in and runs up the bill, it stops as soon as you run out of balance (100 bucks or so). I've seen customers get hit for thousands because their account just kept charging more money automatically. Your carrier may also have a way of detecting fraud and sending you alerts if they see things like strange destinations you're calling, or a huge spike in usage.
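The peer-name and password advice in the post above can be checked mechanically. The following is an added example, not code from the thread: it parses a chan_sip-style sip.conf fragment (constructed here, not a real config) and flags numeric peer names, secrets that fail the "letters, numbers, symbols, more than 8 characters" rule, secrets equal to the peer name, and a [general] section that does not set allowguest=no (the chan_sip option that makes unauthenticated inbound calls be rejected). The names and secrets in the sample are made up.

```python
import configparser
import re

# Constructed sip.conf fragment for this example: one weak peer, one good one.
SAMPLE_SIP_CONF = """\
[general]
context=from-trunk
allowguest=no

[101]
type=friend
secret=101
context=from-internal
host=dynamic

[marysflowershop1]
type=friend
secret=Xk7!qP2#vL9mT4wz
context=from-internal
host=dynamic
"""

MIN_LEN = 9  # ">8 char" in the post


def password_strength_issues(secret: str) -> list[str]:
    """Return the ways `secret` violates the letters/digits/symbols/>8 rule."""
    issues = []
    if len(secret) < MIN_LEN:
        issues.append("shorter than 9 characters")
    if not re.search(r"[A-Za-z]", secret):
        issues.append("no letters")
    if not re.search(r"[0-9]", secret):
        issues.append("no digits")
    if not re.search(r"[^A-Za-z0-9]", secret):
        issues.append("no symbols")
    return issues


def audit_sip_conf(text: str) -> dict[str, list[str]]:
    """Map each offending section name to a list of findings."""
    # sip.conf repeats keys such as allow=, so disable configparser's strict mode.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   allow_no_value=True)
    cp.read_string(text)
    findings: dict[str, list[str]] = {}

    general = cp["general"] if cp.has_section("general") else {}
    if str(general.get("allowguest", "yes")).lower() != "no":
        findings["general"] = ["allowguest is not 'no': unauthenticated calls accepted"]

    for name in cp.sections():
        if name == "general":
            continue
        sec = cp[name]
        problems = []
        if name.isdigit():
            problems.append("numeric peer name (guessable extension number)")
        secret = sec.get("secret")
        if secret is None:
            if sec.get("md5secret") is None:
                problems.append("no secret set")
        else:
            if secret == name:
                problems.append("secret equals peer name")
            problems += password_strength_issues(secret)
        if problems:
            findings[name] = problems
    return findings


if __name__ == "__main__":
    for section, problems in audit_sip_conf(SAMPLE_SIP_CONF).items():
        print(f"[{section}]")
        for p in problems:
            print(f"  - {p}")
```

Run against a real sip.conf the audit will also flag trunks whose secret is the provider-issued one; those are still worth a look, since a short numeric trunk secret is exactly what the brute-force scanners described later in the thread try first.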
 
^ That's the way to do it for permanent deskphones. No Games.

Otherwise Fail2Ban is an absolute must.

Yup, I remember being logged in to the console on one of my PBXs for some maintenance one time and seeing a huge number of SIP authentication attempts on some generic extension numbers, trying to brute-force a password from an IP in the UK...
Never again.
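What Fail2Ban does for the scenario above (a stream of SIP authentication failures from one address) is count failures per source within a time window and ban once a threshold is crossed. The block below is an added example, not code from the thread or from Fail2Ban itself: it runs that counting logic over constructed log lines written in the shape of Asterisk's "security" log channel (res_security_log events such as InvalidAccountID and InvalidPassword, with RemoteAddress fields). The addresses, account IDs and timestamps are made up, and the maxretry/findtime defaults mirror Fail2Ban's jail options of the same name.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of Asterisk security-log lines (addresses, times and
# account IDs are invented for this example). 198.51.100.7 walks extension
# numbers quickly; 203.0.113.5 fails once every 30 minutes; one login succeeds.
SAMPLE_LOG = """\
[2012-11-01 09:00:00] SECURITY[4242] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",EventVersion="2",AccountID="1000",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2012-11-01 09:30:00] SECURITY[4242] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",EventVersion="2",AccountID="1000",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2012-11-01 10:00:00] SECURITY[4242] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",EventVersion="2",AccountID="1000",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2012-11-01 10:15:31] SECURITY[4242] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",EventVersion="1",AccountID="100",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2012-11-01 10:15:32] SECURITY[4242] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",EventVersion="1",AccountID="101",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2012-11-01 10:15:32] SECURITY[4242] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="SIP",EventVersion="1",AccountID="marysflowershop1",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/192.168.10.20/5060"
[2012-11-01 10:15:32] SECURITY[4242] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",EventVersion="1",AccountID="102",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2012-11-01 10:15:33] SECURITY[4242] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",EventVersion="1",AccountID="103",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2012-11-01 10:15:34] SECURITY[4242] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",EventVersion="1",AccountID="104",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.7/5060"
[2012-11-01 10:30:00] SECURITY[4242] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",EventVersion="2",AccountID="1000",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2012-11-01 11:00:00] SECURITY[4242] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",EventVersion="2",AccountID="1000",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
"""

LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] SECURITY\[\d+\] \S+: SecurityEvent="(?P<event>[^"]+)",'
    r'.*?AccountID="(?P<account>[^"]*)".*?RemoteAddress="(?P<remote>[^"]+)"')

# Event types Fail2Ban's asterisk filter treats as authentication failures.
FAIL_EVENTS = {"InvalidAccountID", "InvalidPassword",
               "ChallengeResponseFailed", "FailedACL"}


@dataclass
class Event:
    ts: datetime
    event: str
    account: str
    ip: str


@dataclass
class Ban:
    ip: str
    when: datetime
    accounts: list[str]


def parse_line(line: str):
    """Return an Event for a security-log line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # RemoteAddress looks like IPV4/UDP/198.51.100.7/5060 -> take the address.
    ip = m.group("remote").split("/")[2]
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return Event(ts, m.group("event"), m.group("account"), ip)


def find_bans(lines, maxretry: int = 5, findtime: int = 600) -> dict[str, Ban]:
    """Sliding-window count of failures per source IP; ban at maxretry hits
    within findtime seconds, as Fail2Ban's jail options of the same name do."""
    window: dict[str, deque] = defaultdict(deque)
    bans: dict[str, Ban] = {}
    for ev in map(parse_line, lines):
        if ev is None or ev.event not in FAIL_EVENTS or ev.ip in bans:
            continue
        q = window[ev.ip]
        q.append((ev.ts, ev.account))
        while q and (ev.ts - q[0][0]).total_seconds() > findtime:
            q.popleft()  # drop failures that fell out of the window
        if len(q) >= maxretry:
            bans[ev.ip] = Ban(ev.ip, ev.ts, sorted({a for _, a in q}))
    return bans


if __name__ == "__main__":
    for ban in find_bans(SAMPLE_LOG.splitlines()).values():
        print(f"ban {ban.ip} at {ban.when}: tried accounts {ban.accounts}")
```

With the defaults the fast scanner is banned on its fifth attempt, while the slow one never accumulates five failures inside ten minutes; widen findtime to a few hours and it is caught too. That trade-off is the same one you tune in the real jail, and the slow case is why a strong secret (rather than the ban alone) is what actually stops the guess from ever landing. Fail2Ban ships a ready-made asterisk filter for this log format; enable the security logger channel in Asterisk's logger.conf so the events exist to match.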
 
I run a lot of VoIP stuff for small businesses. We deal with Anveo and VoIP.ms mainly. Our firewalls deny all traffic by default, and then exceptions are made for the provider endpoints. In addition to that, keeping the servers updated (Asterisk in most cases) and requiring authentication is a must. We've never had a compromise on our VoIP servers, and the bills are audited pretty regularly.

VoIP stuff is fairly easy to secure because it's pretty rare to not know where your VoIP packets are going to/coming from.
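The deny-by-default policy described in the post above, and in the provider's "firewall as much as you can" post earlier in the thread, comes down to a short first-match rule list: SIP signalling only from the ITSP's addresses and the LAN, RTP media only from the ITSP's media ranges, management only from the LAN, everything else dropped. The block below is an added example, not configuration from either poster: it encodes such a policy as data, evaluates inbound packets against it, and renders it as iptables commands. The 203.0.113.0/24, 198.51.100.0/24 and 192.168.10.0/24 networks are documentation placeholders; substitute the signalling and media ranges your provider publishes, and keep the RTP port range identical to rtpstart/rtpend in rtp.conf.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str                      # "udp" or "tcp"
    src: ipaddress.IPv4Network      # permitted source network
    ports: tuple[int, int]          # inclusive destination port range
    action: str                     # "ACCEPT" or "DROP"


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Placeholder ranges (assumed for this example). A provider's media often
# comes from different hosts than its signalling, so the two are listed separately.
PROVIDER_SIP = [net("203.0.113.0/24")]
PROVIDER_MEDIA = [net("203.0.113.0/24"), net("198.51.100.0/24")]
LAN = net("192.168.10.0/24")
RTP_PORTS = (10000, 20000)  # must match rtpstart/rtpend in rtp.conf

RULES = (
    [Rule("udp", n, (5060, 5060), "ACCEPT") for n in PROVIDER_SIP]
    + [Rule("udp", n, RTP_PORTS, "ACCEPT") for n in PROVIDER_MEDIA]
    + [
        Rule("udp", LAN, (5060, 5060), "ACCEPT"),
        Rule("udp", LAN, RTP_PORTS, "ACCEPT"),
        Rule("tcp", LAN, (22, 22), "ACCEPT"),
    ]
)
DEFAULT_ACTION = "DROP"


def decide(proto: str, src_ip: str, dport: int, rules=RULES) -> str:
    """First-match evaluation of an inbound packet; unmatched traffic is dropped."""
    ip = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.proto == proto and ip in r.src and r.ports[0] <= dport <= r.ports[1]:
            return r.action
    return DEFAULT_ACTION


def render_iptables(rules=RULES) -> str:
    """Emit the same policy as iptables commands for the INPUT chain."""
    lines = [
        "iptables -P INPUT DROP",
        "iptables -A INPUT -i lo -j ACCEPT",
        "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
    ]
    for r in rules:
        lo, hi = r.ports
        dport = str(lo) if lo == hi else f"{lo}:{hi}"
        lines.append(
            f"iptables -A INPUT -p {r.proto} -s {r.src} --dport {dport} -j {r.action}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_iptables())
    for pkt in [("udp", "203.0.113.20", 5060), ("udp", "8.8.8.8", 5060),
                ("udp", "198.51.100.9", 12000), ("tcp", "203.0.113.20", 22)]:
        print(pkt, "->", decide(*pkt))
```

The ESTABLISHED,RELATED rule is what lets the PBX's own outbound registrations and calls get their replies back without any inbound hole, which is the same property the "zero firewall rules, everything internally initiated" poster relies on. Remote phones over a VPN simply join the LAN side of this policy instead of getting their own public exceptions.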
 