LIMIT ACCESS TO SIP SERVICE AUTHENTICATION!!!
FREEPBX SERVER SECURED CONFIGURATION
Change your passwords
The administrator and all other users should have strong passwords: alphanumeric, mixing upper and lower case, and combined with random characters. There are various web-based and standalone tools for generating passwords. Use a password manager such as KeePass (free and open source), which stores passwords and retrieves them securely. Passwords must never be the same as the username or derived from the user's extension. This recommendation applies to every FreePBX service: HTTP, SSH, SIP, IAX, SQL, FTP, etc.
Securing SSH Access
First, it is recommended to change the default SSH port (22) to a different one by editing sshd_config and reloading the service. If you have an additional firewall, the new port must be opened there for remote access. Use public/private key pairs for authentication instead of passwords; the ssh-keygen tool creates them. Alternatively, disable remote SSH login (from the internet or other networks) entirely and allow it only from the local network.
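The edits above applied to a copy of sshd_config, with a check that confirms they took effect. This is an added example, not part of the original page; the file paths and the sample config are constructed, and on a real FreePBX host the file is /etc/ssh/sshd_config, the service must be reloaded afterwards, and the new port must be opened on any firewall in front of the box.

```sh
#!/bin/sh
# Added example: harden a copy of sshd_config as the section recommends and
# audit the result. Paths and sample content are assumptions, not a real host.

# harden_sshd_config <in> <out> <port>
# Moves SSH off port 22, disables password and root login, enables key login.
harden_sshd_config() {
    in="$1"; out="$2"; port="$3"
    # Remove existing (possibly commented-out) copies of the directives we set,
    # so the file ends up with exactly one authoritative line for each.
    grep -Ev '^[[:space:]]*#?[[:space:]]*(Port|PasswordAuthentication|PubkeyAuthentication|PermitRootLogin)[[:space:]]' "$in" > "$out" || :
    cat >> "$out" <<EOF
Port $port
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
EOF
}

# sshd_value <file> <directive>
# First uncommented value of a directive (sshd uses the first one it reads),
# or empty when the directive is absent.
sshd_value() {
    awk -v k="$2" 'tolower($1) == tolower(k) && !done { v = $2; done = 1 } END { print v }' "$1"
}

# audit_sshd_config <file>
# Prints "ok" if every hardening directive is in place, otherwise "weak:"
# followed by the directives that still need attention.
audit_sshd_config() {
    f="$1"; bad=""
    [ "$(sshd_value "$f" PermitRootLogin)" = "no" ]        || bad="$bad PermitRootLogin"
    [ "$(sshd_value "$f" PasswordAuthentication)" = "no" ] || bad="$bad PasswordAuthentication"
    [ "$(sshd_value "$f" PubkeyAuthentication)" = "yes" ]  || bad="$bad PubkeyAuthentication"
    port=$(sshd_value "$f" Port)
    # An absent Port line means the default, 22.
    [ -n "$port" ] && [ "$port" != "22" ]                  || bad="$bad Port"
    if [ -z "$bad" ]; then echo ok; else echo "weak:$bad"; fi
}

# Constructed sample resembling a stock install: defaults are commented out
# and password login is on. Not taken from any real host.
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
# constructed sshd_config sample
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
#PubkeyAuthentication yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Stand-alone demo
tmp=$(mktemp -d)
make_sample_sshd_config "$tmp/sshd_config"
echo "before: $(audit_sshd_config "$tmp/sshd_config")"
harden_sshd_config "$tmp/sshd_config" "$tmp/sshd_config.hardened" 2222
echo "after:  $(audit_sshd_config "$tmp/sshd_config.hardened")"
rm -rf "$tmp"
```

Run the audit function against the live file before and after editing; the "before" line shows why a stock install fails every check, and the audit only reports "ok" once the port has moved and password login is off.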
Integrated FreePBX Security
Fail2Ban is a free utility that watches log files for records of failures (failed registrations, etc.) and adds the source IP to iptables, the generic firewall included with Linux. iptables is a valuable part of a larger security solution. You can add static rules for every potential source, or build stronger rules against bots and scanners, for example: “-A INPUT -m string --string "friendly-scanner" --algo bm -j DROP”. A further tool for a secured configuration is the FreePBX built-in Firewall module, created by security professionals with a deep understanding of the issues affecting SIP PBX servers, other VoIP protocols and the wide range of PBX server hardware.
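A minimal version of what the Fail2Ban Asterisk jail does, as an added example that is not part of the original page or of Fail2Ban itself: count failed SIP registrations per source IP in an Asterisk full log and print the iptables rules that would block the offenders, together with the scanner rule from the paragraph above. The log lines are constructed in the chan_sip format (“Registration from '...' failed for 'IP:port' - reason”), the IPs are documentation ranges, and SIP on 5060/udp is an assumption. Nothing is applied; the script only prints commands for review.

```sh
#!/bin/sh
# Added example: count failed SIP registrations per source and emit (not run)
# the iptables rules that would block repeat offenders. Log format, IPs and
# port are constructed assumptions.

# count_failed_registrations <logfile> <threshold>
# Prints "ip count" for each source with at least <threshold> failures.
count_failed_registrations() {
    awk -v max="$2" -v q="'" '
        /chan_sip.c: Registration from .* failed for / {
            re = "failed for " q "[0-9.]+:[0-9]+" q
            if (match($0, re)) {
                # strip the 12-char prefix (failed for + quote) and closing quote
                src = substr($0, RSTART + 12, RLENGTH - 13)
                sub(/:[0-9]+$/, "", src)          # drop the source port
                n[src]++
            }
        }
        END { for (ip in n) if (n[ip] >= max) print ip, n[ip] }
    ' "$1" | sort
}

# emit_ban_rules <logfile> <threshold>
# One iptables rule per offending IP; printed, never executed here.
emit_ban_rules() {
    count_failed_registrations "$1" "$2" | while read -r ip cnt; do
        printf 'iptables -I INPUT -s %s -p udp --dport 5060 -j DROP   # %s failures\n' "$ip" "$cnt"
    done
}

# friendly_scanner_rule: the string-match rule from the text, as a command.
friendly_scanner_rule() {
    printf '%s\n' 'iptables -A INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP'
}

# Constructed Asterisk log excerpt: two sources failing, one legitimate
# registration. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
make_sample_log() {
    cat > "$1" <<'EOF'
[2024-01-15 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2024-01-15 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.7:5060' - Wrong password
[2024-01-15 10:00:03] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.7:5061' - No matching peer found
[2024-01-15 10:00:04] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.4:5060' - Wrong password
[2024-01-15 10:00:05] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.4:5060' - Wrong password
[2024-01-15 10:00:06] VERBOSE[1234] chan_sip.c: Registered SIP '200' at 192.0.2.55:5060
EOF
}

# Stand-alone demo
tmp=$(mktemp -d)
make_sample_log "$tmp/full"
echo "# sources with 3 or more failures:"
count_failed_registrations "$tmp/full" 3
echo "# rules that would be applied:"
emit_ban_rules "$tmp/full" 3
friendly_scanner_rule
rm -rf "$tmp"
```

The threshold matters: a user mistyping a password twice (198.51.100.4 above) should not be banned, while a source cycling through extensions (203.0.113.7) should. Fail2Ban adds the other half of this, the time window and automatic unban, which is why it is preferable to a hand-rolled script in production.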
Perimeter Security
Place your server on the local network behind a firewall with Network Address Translation (NAT). NAT gives the server a private IP address and makes it much more difficult to reach from the internet. Restrict remote access to your FreePBX server to specific IP addresses (SIP providers, branch offices, remote workers, etc.). We also recommend setting up a VPN service for remote access; you can ask your hosting provider or configure it on the local network. Hardware firewalls typically provide more security than software firewalls, although software firewalls can be just as effective and are much cheaper or free.
Keeping your SIP trunk data safe
These are the basic rules for popular Asterisk/FreeSWITCH distributions:
· Set “alwaysauthreject=yes” in sip.conf to prevent brute force attacks.
· Enable the “IP Settings” option in your sip-systems.com portal account.
· Implement a strict iptables and firewall policy on your gateway side.
· Consider installing an autoban script in addition to iptables and firewall.
· Add permit/deny entries to each “SIP Device” description.
· Run scripts to check if iptables is running and is not down. Ensure it loads on startup.
· Always access your system using HTTPS. Do not use self-signed SSL certificates.
· Disable all unused contexts in your Asterisk system to prevent context hijack attacks.
· Explicitly block countries that nobody in your organization calls.
· Maintain your own reasonable channel limits for each peer or device.
· Keep in mind that even in European countries like Switzerland and Germany, there are certain premium area codes that cost insane amounts per minute.
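An audit for two of the rules in the list above, “alwaysauthreject=yes” in [general] and a permit/deny pair on every SIP device, as an added example that is not part of the original page. The sip.conf path and its content are constructed; on FreePBX the per-device permit/deny entries are written by the GUI into sip_additional.conf, and the same check applies to that file.

```sh
#!/bin/sh
# Added example: audit an Asterisk sip.conf for alwaysauthreject=yes and for
# peers that lack permit/deny. File path and sample content are assumptions.

# audit_sip_conf <file>
# Prints one line per finding; prints nothing when the file passes.
audit_sip_conf() {
    awk '
        function flush() {
            if (sec != "" && sec != "general") {
                if (!("deny" in seen) || !("permit" in seen))
                    print "peer", sec, "missing permit/deny"
            }
            for (k in seen) delete seen[k]
        }
        /^[[:space:]]*\[/ {                               # new [section]
            flush()
            sec = $0
            sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }     # comments, blanks
        index($0, "=") {                                  # key=value line
            key = $0; sub(/[[:space:]]*=.*$/, "", key); gsub(/[[:space:]]/, "", key)
            val = $0; sub(/^[^=]*=[[:space:]]*/, "", val); sub(/[[:space:]]+$/, "", val)
            if (sec == "general") { if (key == "alwaysauthreject") aar = val }
            else seen[key] = 1
        }
        END {
            flush()
            if (aar != "yes") print "general: alwaysauthreject is not yes"
        }
    ' "$1"
}

# Constructed sip.conf: one peer locked to its subnet, one wide open, and the
# default reject behaviour left off. Secrets are placeholders.
make_sample_sip_conf() {
    cat > "$1" <<'EOF'
; constructed sip.conf sample
[general]
context=from-trunk
alwaysauthreject=no
[100]
type=friend
secret=constructed-not-a-real-secret
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=192.0.2.0/255.255.255.0
[101]
type=friend
secret=constructed-not-a-real-secret
context=from-internal
EOF
}

# Stand-alone demo
tmp=$(mktemp -d)
make_sample_sip_conf "$tmp/sip.conf"
echo "findings:"
audit_sip_conf "$tmp/sip.conf"
rm -rf "$tmp"
```

The deny-all then permit-subnet pattern on peer 100 is the shape each device entry should have; peer 101 accepts registration attempts from anywhere and is what the audit flags.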