IMO blocking IP addresses or ranges of IP addresses is rarely a useful security technique.
- It requires a great deal of administrative effort. You are essentially playing a game of whack-a-mole.
- It causes trouble. For example, an associate traveling in Europe fails to connect via mobile data or hotel Wi-Fi.
- It is ineffective; a VPN server in your country circumvents it easily.
A proper firewall denies all traffic by default, allowing only authorized traffic to pass. Attacks against PBXes fall into three categories:
1. Made by automated tools probing every IPv4 address on the internet, looking for vulnerabilities.
2. Made by an adversary targeting your organization specifically, e.g. a competitor seeking to obtain your customer list or to disrupt your operation.
3. Made by someone with knowledge specific to your system, e.g. a disgruntled employee or former employee.
Nearly complete defense against (1) is IMO best done by giving your PBX an obscure domain name, e.g. pbx23647.mycompany.com. Incoming SIP packets containing this name are permitted to pass, as are those that are part of an existing dialog; all others are simply dropped. You will never see "server farms in France and Iceland that send us a huge amount of bad traffic"; after the first few packets receive no response at all, they give up and move on to the next sucker. This takes just two iptables entries.
HTTPS requests without the correct domain name receive a dummy self-signed certificate and get a "nothing to see here" response. This is just a few lines of Apache configuration.
SSH is configured to authenticate by RSA key only and reject all attempts to use a password. It should be on a non-standard port so the numerous requests with "123456" and "password" don't waste server resources and fill your logs.
All packets other than SIP, RTP, HTTP(S), VPN and SSH are dropped.
I've run test servers like this for weeks, open to the world, without seeing a single malicious request in any log.
Defense against (2) is more difficult. SIP and web access should be restricted to a short whitelist of authorized addresses (your offices and trunking providers). A branch office or teleworker with a dynamic IP that changes once or twice a year can be accommodated with dynamic DNS. Otherwise, a VPN is a must. 3CX uses a tunnel by default and you rarely see security issues on their forums.
Defense against (3) is extremely difficult, usually fails, and is well beyond my expertise. However, I can assure you that if you are wasting time blocking IP addresses, you are not addressing the relevant issues.
Edit: typo fixed as noted by @dicko in next post.
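The hostname-gated SIP rules, catch-all HTTPS vhost and key-only SSH described in the post, as an added example (this is not code from the post, from FreePBX or from 3CX). The hostname pbx23647.mycompany.com is the post's own placeholder; the SIP/RTP/VPN/SSH ports, the certificate paths and the dry-run default (rules are echoed unless IPT=iptables is set) are my assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Ports, cert paths and the
# echo dry-run default are assumptions; adjust them before applying.

PBX_NAME="${PBX_NAME:-pbx23647.mycompany.com}"  # obscure hostname (placeholder)
SIP_PORT="${SIP_PORT:-5060}"
RTP_PORTS="${RTP_PORTS:-10000:20000}"           # assumed RTP port range
VPN_PORT="${VPN_PORT:-1194}"                    # assumed (OpenVPN default)
SSH_PORT="${SSH_PORT:-2222}"                    # non-standard, as the post recommends
IPT="${IPT:-echo iptables}"                     # dry run by default; IPT=iptables applies

# Default-deny firewall: the post's two SIP rules plus the listed services.
pbx_firewall() {
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # "part of an existing dialog": packets of flows already accepted.
    # This is flow-level (5-tuple) tracking, not SIP dialog tracking.
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # "containing this name": new SIP only if the packet carries the obscure hostname.
    for proto in udp tcp; do
        $IPT -A INPUT -p "$proto" --dport "$SIP_PORT" \
            -m string --string "$PBX_NAME" --algo bm -j ACCEPT
    done
    $IPT -A INPUT -p udp --dport "$RTP_PORTS" -j ACCEPT
    $IPT -A INPUT -p tcp -m multiport --dports 80,443,"$SSH_PORT" -j ACCEPT
    $IPT -A INPUT -p udp --dport "$VPN_PORT" -j ACCEPT
    # Everything else falls through to the DROP policy: no reply, scanner moves on.
}

# sshd_config drop-in: public-key only, no passwords, non-standard port.
sshd_hardening() {
    cat <<EOF
Port $SSH_PORT
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
EOF
}

# Apache: the first *:443 vhost is the default, so any request whose SNI/Host
# is not the real name gets the throwaway self-signed cert and a 403.
apache_catchall() {
    cat <<EOF
<VirtualHost *:443>
    ServerName default.invalid
    SSLEngine on
    # throwaway self-signed pair (assumed paths)
    SSLCertificateFile    /etc/ssl/dummy/dummy.crt
    SSLCertificateKeyFile /etc/ssl/dummy/dummy.key
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>
<VirtualHost *:443>
    ServerName $PBX_NAME
    SSLEngine on
    # real certificate for the obscure name (assumed paths)
    SSLCertificateFile    /etc/ssl/pbx/fullchain.pem
    SSLCertificateKeyFile /etc/ssl/pbx/privkey.pem
    DocumentRoot /var/www/html
</VirtualHost>
EOF
}

# Usage: sh pbx-harden.sh firewall|sshd|apache  (prints; set IPT=iptables to apply rules)
case "${1:-}" in
    firewall) pbx_firewall ;;
    sshd)     sshd_hardening ;;
    apache)   apache_catchall ;;
esac
```

Two caveats a practitioner will want: the conntrack rule approximates "part of an existing dialog" at the flow level, so it admits any packet on an already-accepted 5-tuple; loading the nf_conntrack_sip helper gives real dialog tracking and RELATED pinholes for RTP. And `-m string` matches the name anywhere in the packet, so the filter is only as secret as the hostname, which is exactly why the post treats category (2), an adversary who has learned your name, separately.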