I am considering exposing my PBX extensions to the internet to allow offsite colleagues to remotely register their softphones and make & receive calls.
The PBX is running in our small office, which uses a router (specifically AVM FritzBox) to connect to the internet. To make extensions accessible, I would need to create a port forwarding for SIP registration (port 5060) and RTP (e.g. 10000 - 10250).
At the same time, I am concerned about being hacked/hijacked and would appreciate feedback on the following:
- Fail2Ban seems like a must to slow down and prevent brute-force attacks. However, with port forwarding, will Fail2Ban not block my router rather than the actual intruder’s IP?
- Would it be advised to also change the default 5060 port to the outside world, e.g. rather than 5060 (router) to 5060 (PBX), use 5555 on the router but leave 5060 on the PBX? Is that a good or a bad idea?
- I would perhaps want to block outgoing calls to cost-intensive numbers (e.g. premium numbers, certain countries, …). Is there a way to configure call routes so that these numbers can be dialed, but require a pin code to authorize?
- I would not expose my admin UI or SSH to the internet.
Any other suggestions for added security?
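As an added illustration (not code from the original post, and not any PBX's real log format): a Fail2Ban-style sliding-window check run over constructed SIP registration-failure log lines. With plain port forwarding (DNAT) the router rewrites only the destination address, so the PBX log, and therefore a filter like this, sees the remote client's source IP rather than the router's; the log format and the maxretry/findtime values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in a made-up PBX format (not a real PBX's log syntax):
# timestamp, event, the SIP account tried and the source address the PBX saw.
SAMPLE_LOG = """\
2024-05-01T10:00:01 REGISTER auth-failed user=201 src=203.0.113.7
2024-05-01T10:00:02 REGISTER auth-failed user=202 src=203.0.113.7
2024-05-01T10:00:03 REGISTER auth-failed user=203 src=203.0.113.7
2024-05-01T10:00:04 REGISTER auth-failed user=204 src=203.0.113.7
2024-05-01T10:00:05 REGISTER auth-failed user=205 src=203.0.113.7
2024-05-01T10:00:30 REGISTER auth-failed user=201 src=198.51.100.20
2024-05-01T10:25:00 REGISTER auth-failed user=201 src=198.51.100.20
2024-05-01T10:25:10 REGISTER auth-ok user=201 src=198.51.100.20
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) REGISTER (?P<result>auth-failed|auth-ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def find_ban_candidates(log_text, maxretry=5, findtime=600):
    """Return {src_ip: time_of_ban} for sources with >= maxretry failed REGISTER
    attempts inside any sliding window of `findtime` seconds. This mirrors
    Fail2Ban's maxretry/findtime semantics for a single pass over a log."""
    window = timedelta(seconds=findtime)
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["result"] != "auth-failed":
            continue                # ignore successful logins and unknown lines
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if src in banned:
            continue                # already decided for this source
        q = failures[src]
        q.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            banned[src] = ts
    return banned
```

The second source in the sample fails only twice and 24 minutes apart, so it is never banned; the legitimate user who mistypes a password once stays unaffected while a credential-guessing burst from one address is caught on its fifth attempt.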