I have some knowledge of FreePBX, Sipstation and such. I am not 100% on how the transport of calls happens.
So here is my question… I know the IPs of the trunks that I use; could I only allow these IPs to access my server coming in and out on my SIP ports?
I have no other phones outside of my Local Network, apart from a couple of cellphones that use IAX ports with a random IP, so that is not feasible. Anything else would be blocked from entry at my firewall, only to allow the few trunk providers.
I have not noticed an IP change for the most part in many years, apart from when Sipstation moved servers, I believe. The only thing I would need to be aware of is if my trunk provider does change IP, which would be very rare.
Thoughts on this? I need to secure my firewall from probing scum on the internet, I am seeing a lot of Fail2ban messages in my emails, and a lot of sniffing for open ports at my firewall.
If your VoIP provider assures you that traffic always comes from the same IPs, you can do what you are suggesting and only allow traffic from their servers (I know at least a few providers do).
If your firewall allows it (I know pfSense, which I use, does) you can also use the FQDN host name of their servers for this (if they give you their server names) which can protect you against IP changes…
You can’t do that with all providers though. For some of them, while the communication with port 5060 (or 5061, or possibly others) is done with servers whose IPs you know, the RTP streams come from servers whose IPs you don’t know…
One of the providers I use is like that (the one I use for T.38 fax), so I could not put any ACL on my server’s RTP ports (10000-20000).
I would like to secure my system. What IP addresses can I lock down open ports to?
You can lock down port 5060/UDP to trunk1.freepbx.com and trunk2.freepbx.com. You cannot lock down the media ports because the media servers vary and change. Most security issues that are reported are usually related to manufacturer vulnerabilities in their SIP stack, port 5060. By locking down this signaling port, you should be able to address almost all potential issues.
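As an added example (not code from the thread, FreePBX or pfSense), a small Python helper that does what the reply above and the quoted guidance describe: resolve the trunk host names, flag any change from the stored allowlist (the one risk raised earlier in the thread), and emit a pf-style ruleset that restricts 5060/UDP to those addresses while leaving the RTP range open. The host names are the ones quoted above; the addresses, the interface name em0 and the stored allowlist are constructed placeholders.

```python
"""Trunk allowlist helper for the SIP signaling lockdown discussed above.

Resolves trunk host names, reports address changes against the last-known
allowlist (the one risk the thread identifies), and renders a pf-style
ruleset that restricts 5060/UDP to the trunks while leaving the RTP range
open, since media servers vary. The resolver is injectable for offline use.
"""
import socket
from typing import Callable, Dict, Iterable, List, Set, Tuple

SIP_PORT = 5060
RTP_RANGE = (10000, 20000)

# Constructed sample DNS data: host names come from the thread, the
# addresses are RFC 5737 documentation ranges, not real trunk IPs.
SAMPLE_DNS: Dict[str, List[str]] = {
    "trunk1.freepbx.com": ["192.0.2.10"],
    "trunk2.freepbx.com": ["192.0.2.11", "198.51.100.5"],
}


def system_resolver(name: str) -> List[str]:
    """Live IPv4 lookup; used only when no resolver is injected."""
    return sorted({i[4][0] for i in socket.getaddrinfo(name, None, socket.AF_INET)})


def resolve_trunks(names: Iterable[str],
                   resolver: Callable[[str], List[str]] = system_resolver) -> Set[str]:
    """Set of addresses the trunk host names resolve to right now."""
    ips: Set[str] = set()
    for name in names:
        ips.update(resolver(name))
    return ips


def allowlist_changes(previous: Set[str], current: Set[str]) -> Tuple[Set[str], Set[str]]:
    """(added, removed) versus the stored allowlist; non-empty means the provider moved."""
    return current - previous, previous - current


def render_pf_rules(trunk_ips: Set[str], wan: str = "em0") -> str:
    """pf.conf fragment: SIP signaling only from the trunk table, RTP open to any."""
    lo, hi = RTP_RANGE
    return "\n".join([
        "table <sip_trunks> { " + ", ".join(sorted(trunk_ips)) + " }",
        f"block in on {wan} proto udp from any to port {SIP_PORT}",
        f"pass in quick on {wan} proto udp from <sip_trunks> to port {SIP_PORT}",
        f"pass in on {wan} proto udp from any to port {lo}:{hi}",  # media servers vary
    ])
```

Run it from cron with the real resolver and compare against the stored set; a non-empty change is the signal to update the firewall alias before calls start failing.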
I am also using pfSense on my firewall, so glad that can be done. It is the SIP ports I am more interested in; I don’t see much on the multimedia ports, if anything. They are always hitting the SIP ports, trying to find a way in… lol
I appreciate your time, off to do some more security on my Firewall…
Thanks, I will look into that. I just set the 3 trunks I am using into an alias within pfSense NAT, ran a firewall test and it seems to be working so far; I just have to test with some inbound and outbound calls…
I am constantly being scanned by 173.193.55.236 on UDP ports around the 5060 plus or minus range. The IP goes back to IBM on softlayer.com. I have reported and asked why this is going on, probably a weak web-server security and someone is using it for their benefit.
I see no reference to IBM but are you using an IBM product which could try to phone home in some way? I know WebSphere servers have some sort of test app or something that does SIP…