Open 5060 UDP to FreePBX - how to make secure?

I’ve been using OpenVPN to connect remote offices to FreePBX for clients, but it’s such a pain to configure.

Also, for iPhone/Android softphone apps like ZoIPER, VPN doesn’t work because the VPN won’t stay open after the phone screen is locked, etc.

So I’m thinking about forgetting all these OpenVPN tunnels and just opening 5060. With 12+ character extension passwords that consist of uppercase and lowercase alpha, numbers, and special characters, what is the risk really?

As far as I know, there’s no way the password will be brute forced or dictionary broken (I play around with GPU password cracking as a hobby).

So what’s the risk? DoS from brute-force attacks? How can I mitigate any risk of opening 5060 UDP to FreePBX?

Thanks

Using UDP for cell-phones will always cause high battery usage, use TCP.

Passwords are not the only vulnerability of SIP, investigate the “SIP Vicious” scripts to see what else is hammered at often resulting in DOS.

If you use 5060 for SIP you are always more vulnerable than if you use another port. You have a little less than 64k choices; be original, don’t choose 50600 or 50nn anything, etc. It just reduces the risk by 99.99% or so, and of course have your firewall in front of your PBX detect and drop port scanners.


dicko,
Thanks for help!
Okay, so I need to update the FreePBX bindport, but then I have to update all the ports for extensions in FreePBX (easy enough with BAT, I guess…), but then I have to update all my phone configs too…

I guess I can do that.

I have another general SIP port question though —

Let’s assume I’m still using 5060.

I have 5060 UDP open to the FreePBX at public IP 1.1.1.1.

I then have remote office at external IP 2.2.2.2

remote office has 3 phones.

They can’t all use 5060 to register, right? Because they’re coming from the same IP. In which case, in this example, would I need to open 5061 for ext 2 and 5062 for ext 3?

5060 is for the registration server; the actual port used should be set uniquely for each extension.

So unique for each extension and then port forwarded to FreePBX?

Also, if I change the bindport, will it break my SIP trunks to the ITSP?

You shouldn’t need to port forward on the remote end if your router is set up correctly (no ALGs, as ever).

It shouldn’t if you are using registration. If you are using IP based you will need to port translate that connection.

No port fwd on remote end,

But I meant on the FreePBX server end: I’ll need to forward extension registration ports?

Unfortunately it is IP based, and I think the company said they can only send to 5060. I will talk to them to see if they can change the port they send to.

No forwarding other than from the internet to the server/bindport/RTPports on your LAN should be necessary if that router is also well behaved, just like you probably do right now but not 5060. The connections should be built dynamically.

On your firewall add an exception and just PNAT your VSP’s IP/5060 to your server’s bindport.

Dicko

So you’re saying I only need to forward the FreePBX bindport from the internet to FreePBX? And remote extensions can still register with different port numbers?

Yes, They probably do already.

rasterisk -x 'sip show peers'

Hmmm

I am learning a lot here, thanks for your patience.

dicko

Just want to run this by you before I make these changes to the production network:

In order to support remote sites safely I am going to do this —

At Client HQ (Main Site w FreePBX server):

  • Change FreePBX bindport to, for this example, 9500
  • Change all internal extensions on FreePBX extension settings to register to 9500 instead of 5060
  • Change all internal phone configurations to register to 9500 instead of 5060
  • Change remote site 1 extensions to register as 9500, 9501, and 9502 in FreePBX extension settings
  • On main site router, port forward 9500, 9501, and 9502 from internet to FreePBX server

At remote site 1:

  • Change phone configurations so that

Phone 1/ext 1 registers to 9500
Phone 2/ext 2 registers to 9501
Phone 3/ext 3 registers to 9502

and also hopefully my ITSP will still work, if not I will have to talk to them and see if they can send to main site on port 9500 instead of 5060

Unless you have weird stuff, for example old Linksys phones or, god forbid, active SIP ALGs anywhere (poorly configured routers), all phones should register to your registration port; that’s what “registration” is all about. The connections generated and Asterisk’s SIP/NAT should sort it out. Do you not do that right now for 5060?

We have Cisco/Linksys SPA514Gs, but they seem to have very good SIP firmware without any issues doing NAT properly etc.

Also, high end/new Asus consumer routers that have good firmware with no SIP ALG issues.

The SIP registration server will do its best to register the individual extensions on appropriate ports; it is cleverer than you thought :) .

None of the following is needed. Just have your remote phones register to 9500…

None of this is needed:

  • Change remote site 1 extensions to register as 9500, 9501, and 9502 in FreePBX extension settings
  • On main site router, port forward 9500, 9501, and 9502 from internet to FreePBX server

At remote site 1:

  • Change phone configurations so that

Phone 1/ext 1 registers to 9500
Phone 2/ext 2 registers to 9501
Phone 3/ext 3 registers to 9502

Reilly,

I found that leaving the PBX on the public internet it got smashed pretty much straight away. Changing the port is a good idea, as is tightening up the firewall.

Something that has worked well for us is to use DNS for a bit of extra obscurity. You can have iptables only accept SIP packets that are either from an established session, or that include a REGISTER string with your particular DNS name in them. That way, the attacker would have to guess your DNS name to even get a response.

Something like this might work.

-A INPUT -i eth0 -p udp -m udp --dport 9500 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 9500 -m string --string "REGISTER sip:pbx.myawesomephones.com" --algo bm --to 65535 -j ACCEPT
-A INPUT -i eth0 -p udp -m udp --dport 9500 -j DROP

Just another layer to the defense, and not particularly restrictive to users, except they have to configure a DNS name on their VoIP client and can’t use an IP address.
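As an added illustration (not code from the thread), here is a small Python model of the three-rule chain above, run over constructed SIP datagrams: a REGISTER naming the DNS host is accepted, a REGISTER using the bare IP and an unsolicited OPTIONS probe are dropped, and later packets from a source that already got through pass as ESTABLISHED. The host name, addresses and packets are constructed sample values.

```python
# Model of the three iptables rules above (added example, not from the thread):
#   1. RELATED,ESTABLISHED -> ACCEPT   (for UDP, "established" = a flow conntrack has seen)
#   2. payload contains "REGISTER sip:pbx.myawesomephones.com" -> ACCEPT
#   3. everything else on the SIP port -> DROP
# The host name and all traffic below are constructed sample values.

SIP_PORT = 9500
MAGIC = b"REGISTER sip:pbx.myawesomephones.com"   # what -m string --algo bm searches for


class SipPortFilter:
    """Tiny stand-in for iptables plus conntrack on one UDP port."""

    def __init__(self, expected=MAGIC, port=SIP_PORT):
        self.expected = expected
        self.port = port
        self.established = set()   # (src_ip, src_port) flows conntrack would remember

    def decide(self, src, dport, payload):
        """Return 'ACCEPT' or 'DROP' for one datagram, following the rule order."""
        if dport != self.port:
            return "ACCEPT"                      # other ports are outside this chain
        if src in self.established:              # rule 1: already-seen UDP flow
            return "ACCEPT"
        # rule 2: -m string matches the bytes anywhere in the first 65535 bytes,
        # so only a REGISTER whose Request-URI names our DNS host gets through
        if self.expected in payload[:65535]:
            self.established.add(src)            # conntrack now tracks this flow
            return "ACCEPT"
        return "DROP"                            # rule 3


def run_sample():
    f = SipPortFilter()
    phone = ("203.0.113.10", 5060)              # legitimate remote phone (constructed)
    scanner = ("198.51.100.7", 5060)            # unsolicited OPTIONS probe (constructed)
    results = []
    # scanner's OPTIONS probe: no REGISTER line, nothing established -> dropped
    results.append(f.decide(scanner, SIP_PORT,
        b"OPTIONS sip:9500@192.0.2.1 SIP/2.0\r\nVia: SIP/2.0/UDP 198.51.100.7\r\n\r\n"))
    # phone configured with the bare IP instead of the DNS name -> also dropped
    results.append(f.decide(phone, SIP_PORT,
        b"REGISTER sip:192.0.2.1:9500 SIP/2.0\r\nTo: <sip:101@192.0.2.1>\r\n\r\n"))
    # phone configured with the DNS name -> accepted, flow becomes ESTABLISHED
    results.append(f.decide(phone, SIP_PORT,
        b"REGISTER sip:pbx.myawesomephones.com SIP/2.0\r\nTo: <sip:101@pbx.myawesomephones.com>\r\n\r\n"))
    # follow-up INVITE from the same phone has no REGISTER line but is ESTABLISHED
    results.append(f.decide(phone, SIP_PORT,
        b"INVITE sip:200@pbx.myawesomephones.com SIP/2.0\r\n\r\n"))
    return results
```

One difference from the model: real UDP conntrack entries expire after tens of seconds of silence, so a phone must re-REGISTER or send keep-alives often enough to stay in the ESTABLISHED set, or its next INVITE is dropped.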

Spida,
Thanks for the reply, that looks pretty solid. What is working for me right now is

  • Changed the SIP BindPort to a random port for example 40500
  • Changed the SIP BindAddress to my local FreePBX server address, 10.1.1.5
  • Updated all phone configs to register with proxy like so, 10.1.1.5:40500
  • Port Forwarded 40500, TCP and UDP, to 10.1.1.5

I also set up SIP TCP on the port to save battery on remote softphone cellphone clients:

  • Added tcpenable=yes to Asterisk SIP settings
  • Added tcpbindaddress=10.1.1.5:40500
  • amportal restart
  • Updated the remote extension settings in FreePBX to accept TCP only, and qualify:no
  • Updated softphone clients to register to for example sip.myHQpbx.com:40500 TCP

To make things a little more interesting, I also have a remote office set up with another FreePBX server and its own SIP ITSP; let’s call them RemoteOffice1 and HQ.

RemoteOffice1 has a phone that registers line 1 to its own FreePBX, but then also registers line 2 to HQ’s FreePBX (proxy: sip.myHQpbx.com:40500 UDP).

Then the HQ phone has line 1 registered to its own PBX, and line 2 registered to sip.myRemoteOffice1pbx.com:40600.

To make this work, I had to port forward RTP and SIP on both routers, such as:

HQ Router forwards:
40500 TCP/UDP -> 10.1.1.5
10000 - 20000 UDP -> 10.1.1.5

RemoteOffice1 forwards:
40600 TCP/UDP -> 192.168.5.5
10000 - 20000 UDP -> 192.168.5.5

Without the RTP forwards at both routers, I would get one-way audio when calling from one office that is registered to the other office.

I am happy with the security of this configuration so far, it was a pain to figure out some of it, but everything is working great now.

I also should mention that I received a TON of support from other forum members, especially @dicko, everyone here is super helpful and responsive. To make up for all the time I drain from other members with my questions, I try to give back by replying to posts that I can help others with.
