I have installed FreePBX and everything is working correctly. I would like to set up the FreePBX Firewall as they are constantly trying to brute force my server.
Since unfortunately I have a dynamic IP address in my home connection, I wanted to set up a proxy on a VPS server so that my VOIP phone (Snom D710) connects to PBX through the proxy, and if my local IP changes, the phone can still connect to PBX since the proxy IP remains the same.
What kind of proxy should I install on my VPS server? An HTTP Proxy or do I need a specific proxy? I was looking into SIP Proxy but I didn’t quite understand which type of proxy is required.
You would want a SIP Proxy or an SBC. With that being said, if they aren’t properly configured that can cause more damage than good.
Kamailio & OpenSIPs are known good proxies. You can google how to set up a relay proxy, but you’ll generally want to do domain auth, UA verification etc.
Additionally, you can also add API Ban to your server to prevent drive-by attack noise.
My idea was to install the firewall to block all requests except those in the Whitelist including the IP of the SIP proxy with which I would connect my VOIP phones. I was taking a look at Kamailio but there is no guide on how to configure it
If all the good guys in the world are on your whitelist then that is fine but a lot of work, but if the blacklist is just a subset of all the hosts in the world using UDP:5060, you shouldn’t feel too warm and fuzzy, If you ask around for folks that don’t get much bad-shit most all will be using TLS, those with almost zero will be using TLS with a cert where the name is not leaked by any other un-secure connection open on the same IP
As to kamailio well, that’s not quite true about the documentation, originally Siremis was the go-to gooey, but also not quite what some need, that is why I recommended dSipRouter it gets closer to a curated set of options to hook-up endpoints then leave, If the endpoint is a B2BUA it doesn’t care.
My personal solution is haproxy running locally, handling ALL http/https.TCP.TLS connections wil as many front ends and back ends to cover each service proxied, each front end only forwards by domain:port to backends listening insecurely to the redirected port on 127.0.0.1,
Every service uses a different bizarrely named domain bought for a few bucks a year at namecheap except of course the public facing ‘Main site’ and less public UCP server.
haproxy further handles all cert verification using Neil Pang’s acme.sh automatically updating using DNS-01 protocol using a DigitalOcean API token to access their excellent (and free) DNS servers
All servers are monitored but we haven’t seen a connect attempt that bypassed haproxy in over 6 months since I last effed up but because that stood out like a sore thumb it was fixed PDQ.
I see that you are hampered by a changing IP, can you say how often it changes,
randomly? how often?
periodically ? on what period?
event driven? what events?
I say this because per my last post, DO’s doctl scripted API can propagate a new ip with a TTL of 60 seconds, of course in the real world, unless using digitalocean’s nameservers it might take an hour or two to globally propagate to google, cloudflare, comcast, . . …
Of course to counter that , increase your bill with DO to $5/mo and have them host it with a public static IPv4 (they don’t sell domains, but give away the name-server and api to reply for and script them programatically)
Hi, maybe you didn’t understand / I didn’t explain myself well. The problem is that my home IP changes randomly.
I have FREEPBX on DigitalOcean, but my VOIP phones are on a Vodafone home network that changes IP randomly. I wanted to enable the FreePBX firewall to accept connections only from a whitelist, but if I were to whitelist my IP, it wouldn’t work because, since it’s not static, it would always need to be updated. That’s why I wanted to connect my VOIP phones to FreePBX through a proxy, so I can whitelist the proxy’s IP and it remains unchanged!
IP’s and firewalls are not as effective as a reverse proxy and restrictive transport to allow only devices that know each of your PBX’ name for each service offered. For that I recommended haproxy on DO it is quite likely already running on your droplet.
Proper voip segmentation really needs to have an SBC for both SIP and Webrtc traffic. All traffic should be restricted in as many reasonable ways possible.
Here are some checks you would want to consider,
DNS name match (webrtc doesn’t support this yet)
Header identification so you drop traffic that isn’t your user agent type.
Rate of authentication checks to block based on too fast of rate attempts.
Require Certificates
I do like the ingate Seperator product. Its however gotten Very expensive to use them for webrtc session support.
I wish we had a way to force multi factor authentication on sip and webrtc session but that would be a giant pain in how this works today.
but because that stood out like a sore thumb it was fixed PDQ.