
Restrict connection from VOIP provider to improve security


(Robert Wooden) #1

I am receiving many “Wrong password” attempts in my logfiles.

How do I set the firewall to only receive connections from my VOIP provider published (or hostname) ip address?

Forgive me, I am more than a little confused by the firewall settings. Would this be an “Interfaces” setting or a “Network” setting?

Perhaps there is a how-to that I have overlooked?


(Lorne Gaetz) #2

https://wiki.freepbx.org/display/FPG/Firewall+Getting+Started+Guide


(Robert Wooden) #3

Thank you, lgaetz, I have read that.

So, I have set my VOIP providers ip address as “Network” >>> “Internet” but, I am still receiving “Wrong password” attempts.

I am clearly doing something wrong and will need a little more assistance. Suggestions?


#4

turn off the responsive firewall (not the whole firewall)


(Robert Wooden) #5

I did as suggested, turned off “responsive firewall” (not the whole firewall.)

The ‘hits’ continue. Please help me? I’m worried about this. Suggestions?


#6

Are you certain they are not coming from a misconfigured phone on your own premises?


(Robert Wooden) #7

Well, I am pretty sure.

They look like this: [2017-09-13 10:37:00] NOTICE[2374] chan_sip.c: Registration from ‘“105” sip:105@50.249.158.213’ failed for ‘195.154.241.108:5067’ - Wrong password

I do not have an extension “105” and the ip address and the extension number changes from time to time.

Simply put, I am not clear as to how to accept connections ONLY from my VOIP source address.
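
A quick way to answer the question raised in #6 against log lines like the one above (is the source the provider, a device on your own LAN, or the Internet?), as an added example that is not part of this thread and not FreePBX or Asterisk code: a POSIX shell/awk function that reads Asterisk's full log, keeps only chan_sip “Wrong password” registration failures, drops the provider's own address, and counts the rest by source with a lan/internet tag. The provider address 203.0.113.10 and the sample log lines are constructed for the example (documentation address ranges, shaped like the line quoted above).

```shell
#!/bin/sh
# Added example, not FreePBX or Asterisk code: classify chan_sip "Wrong password"
# REGISTER failures from /var/log/asterisk/full by source address, so you can
# tell provider traffic, a LAN phone and Internet scanners apart.
# Assumptions (constructed): the provider's SIP address is 203.0.113.10 and the
# log lines have the shape quoted in the thread.

PROVIDER_IP=${PROVIDER_IP:-203.0.113.10}   # assumption: your trunk provider's address

# Usage: sip_auth_failures PROVIDER_IP < /var/log/asterisk/full
# Prints "COUNT ZONE SOURCE_IP EXTENSION", most frequent first, for every
# source of a Wrong-password registration that is NOT the provider.
# ZONE is "lan" for RFC 1918 sources (a misconfigured phone on your own
# premises) and "internet" otherwise (the SIP port is reachable from outside).
sip_auth_failures() {
    awk -v provider="$1" '
    function zone(a) {
        if (a ~ /^10\./ || a ~ /^192\.168\./ || a ~ /^172\.(1[6-9]|2[0-9]|3[01])\./)
            return "lan"
        return "internet"
    }
    /chan_sip\.c: Registration from/ && /Wrong password/ {
        # source address: the dotted quad after "failed for" and its opening quote
        # (the "." in the pattern stands for that quote character)
        if (!match($0, /failed for .[0-9.]+/)) next
        ip = substr($0, RSTART + 12, RLENGTH - 12)
        if (ip == provider) next
        # attempted extension: the double-quoted display name after "from"
        ext = "?"
        if (match($0, /from ..[^"]*"/)) ext = substr($0, RSTART + 7, RLENGTH - 8)
        hits[zone(ip) " " ip " " ext]++
    }
    END { for (k in hits) print hits[k], k }' | sort -rn
}

# Constructed sample (documentation addresses, not real hosts) in the same
# shape as the log line quoted in the post. Only "Wrong password" lines count;
# the final "No matching peer found" line is there to show it is ignored.
sample_log() {
    cat <<'EOF'
[2017-09-13 10:37:00] NOTICE[2374] chan_sip.c: Registration from '"105" <sip:105@192.0.2.5>' failed for '198.51.100.7:5067' - Wrong password
[2017-09-13 10:37:04] NOTICE[2374] chan_sip.c: Registration from '"105" <sip:105@192.0.2.5>' failed for '198.51.100.7:5067' - Wrong password
[2017-09-13 10:38:11] NOTICE[2374] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.5>' failed for '198.51.100.9:5060' - Wrong password
[2017-09-13 10:39:30] NOTICE[2374] chan_sip.c: Registration from '"201" <sip:201@192.0.2.5>' failed for '192.168.1.20:5060' - Wrong password
[2017-09-13 10:40:00] NOTICE[2374] chan_sip.c: Registration from '"trunk" <sip:trunk@192.0.2.5>' failed for '203.0.113.10:5060' - Wrong password
[2017-09-13 10:40:02] NOTICE[2374] chan_sip.c: Registration from '"201" <sip:201@192.0.2.5>' failed for '192.168.1.20:5060' - No matching peer found
EOF
}

# Demo on the sample. On a real box: sip_auth_failures "$PROVIDER_IP" < /var/log/asterisk/full
sample_log | sip_auth_failures "$PROVIDER_IP"
```

On the sample this prints `2 internet 198.51.100.7 105` first, then one hit each from 198.51.100.9 and from the LAN phone at 192.168.1.20, and nothing for the provider. Any “internet” line means the SIP port is still reachable from the outside regardless of what the GUI shows; any “lan” line is the misconfigured local phone #6 asked about.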


(Itzik) #8

Do you have any remote phones?

If not, lock down SIP services (port forwarding) to your SIP provider's IP only.


#9

With responsive firewall disabled, nothing except your providers should be able to send you SIP registrations.
Check that your firewall interface (eth0 or eth1) is set to “Internet”, not “Trusted” or something else.


(Dave Burgess) #10

This thread has been long on good suggestions and short on concrete recommendations, and it’s easy to understand why. Every installation is a little bit different and every difference potentially requires a different solution. My experience is not exhaustive, but there are a few things that can help you.

  • Unless you MUST have your PBX on the Internet, put it behind a firewall. Your choice of firewall will determine how to do a lot of “other stuff” but there are certain characteristics that can help you succeed and simplify your life. This will require you to set up for NAT, which is a well documented set of issues on its own. Note that NAT is a “local to the device” thing, so if you have two devices, they may both need NAT configurations. This obviates knowing things like external addresses or using STUN servers (in some cases).

  • Minimize your exposure by blocking all access to the PBX from outside your network. There is no reason to blankly open port 5060 through the firewall. I’ll talk more about port 5060 in a second, but keep in mind that 5060 is the default “SIP port” and Asterisk uses it strictly by convention. There are free (software) firewalls that you can implement that do this, so if your expensive commercial firewall can’t, you’re doing it wrong.

  • There are two components of a SIP phone call - the control part (which talks on port 5060, by convention) and the Real Time Protocol (RTP audio) part. With the SIP port blocked at the firewall, you will still need to open the RTP part (UDP ports 10000 to 20000) and redirect them to your server. While this seems like a huge hole through the firewall, it actually improves security by allowing the remote phones’ audio streams to actually connect to your server.

  • Try to avoid using “the standard” SIP ports (5060, 5061, and 5160). Set up your inbound connections on “unusual” UDP ports. The important part of this is the understanding that the only people that need to access your server on the SIP ports are people that are starting a call. If you don’t allow incoming calls (you don’t have a DID and all of your extensions are local, for example) there is no reason to ever allow your SIP port to be visible from the Internet. Assuming your firewall works with people browsing porn from work, the outbound connections do not require any special access.

  • Be sure to set up the FreePBX Integrated Firewall and Responsive Firewall (two different things, managed through the “Firewall” tab in the GUI) to minimize access to your local PBX instance. This is true whether you use an external firewall or not but is even more so if your PBX is exposed to the Internet without an intervening firewall.

  • If you have external connections that require the ability to “start” a conversation with your phone server, set up your Firewall to pass your SIP traffic to your server on the “alternate” UDP SIP port. Your choice of alternate ports is up to you because the only things that use it are services that YOU allow to connect to your server. Do not confuse this with the port OTHER PEOPLE use to connect to their servers. They are probably stupid and will think that 5060 is the only port you can use. Don’t try to correct them - there’s no point arguing with stupid people.

  • If you are using more than one SIP Channel Driver (Chan-SIP and PJ-SIP, for example), the discussion about ports still applies. Each one requires its own port. It doesn’t matter how many inbound connections you have (trunks, phones, etc.) - the Channel Driver will be assigned to a single inbound port and you control that port. By the way - this port is how you decide what goes to Chan-SIP and what goes to PJ-SIP. That’s an insight that might help you debug a problem someday (it took me a long time to get that one).

  • Having said all of that about inbound ports - don’t start out trying to get tricky. Get your stuff set up using the defaults. Once everything works, change the port address and fix each of the problem children individually.

  • If you have people outside your network that MUST initiate calls through UDP port 5060, use the firewall’s redirection capabilities to send port 5060 traffic that originates at their specific IP address to your server. So, let’s say you are using “Steve’s House of Internet Telephones” as your provider, and Steve is stupid, he will tell you “You can only use port 5060 for SIP, my IP address is 271.164.513.12 and my traffic comes via port 5060”. You can’t argue with him - he’s using 5060 for his inbound and expects you to do the same (see above). So, you set up your inbound connection port to 22006 (“TO SIP” - see below). In your firewall, you set up a route that looks like “Allow all traffic from 271.164.513.12 on UDP port 5060 and redirect it to 22006”.

  • If something you want to connect to your PBX uses TCP port 5060, the discussion above still applies, but you have to expand your scope to include TCP traffic (as well as UDP traffic). This is usually a specialized connection (some softphones work better over TCP than UDP) and is actually still pretty uncommon.

  • If you have phones outside your network, you will need to do some other gymnastics to allow connections. The first is to change your inbound port number (if your chosen phones will only connect on port 5060, see above) in the phone’s configuration. If the caller’s IP address changes (they connect by parking in McDonald’s parking lots, for example) then you may have no choice but to open port 22006 to the world. If you do, you will need to set up your Integrated and Responsive Firewalls to allow this.

  • If you can, use a VPN to limit access to the “local” network(s). There are lots of ways to do this, from setting up subscriber phones with individual VPNs to setting up remote networks with VPN. Either way, be sure to mark the VPN network as a “Trusted” network in your Integrated Firewall configuration. If you can’t use VPNs (for whatever reason, including “I can’t figure it out”) use DynDNS hostnames (which you can buy or get free) and then use the hostname instead of an address.

  • While I’m on the topic - spring for a real, dedicated IP address for the system that is exposed to the Internet in front of your phone system. Many of the least expensive providers will only work with you if you have a dedicated IP address (they do IP based authentication) and it solves a lot of problems (Chan-SIP can sometimes go zombie if its address changes, as an example). There is often an argument that “I can’t afford a dedicated IP address” posited by some people, which in my analysis is almost always incorrect. They spend hours and hours troubleshooting problems, lose customers because their phones just “drop off” when their addresses change, and all the money it takes to maintain all of the other stuff that has to be set up. Most providers charge a premium for a dedicated IP address (I have Cox Internet and have to have a separate Cox Business account for mine) but even at that premium, it costs less per year than it would for me to even spend two hours playing around with a flaky connection, and I’d end up spending a lot more per minute on phone services because my provider requires me to have a dedicated IP address to get the (lots less than a penny a minute) rate that I pay.

That’s a lot of opinion to wade through, but knowing this stuff might help you make decisions about what you need to do to get your phones working using a more secure setup.

  • NOTE - To = 2, SIP = S * 100 + I * 10 + P - 2 (and 1900 + 90 + 16; your multipliers may vary)
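
The scheme laid out in the post above (accept SIP only from the provider, redirect its port 5060 traffic to an alternate port on the PBX, pass the RTP range, drop everything else aimed at SIP ports), written out as iptables rules for a Linux router or firewall sitting in front of the PBX. This is an added example: it is not the FreePBX firewall module (which is configured from the GUI, as #9 describes) and not the poster's own configuration. The provider address 203.0.113.10, the PBX LAN address 10.0.0.5, the WAN interface eth0 and the alternate port 22006 are assumptions. The weak “just forward 5060” setting is shown alongside for contrast. The PBX itself still has to listen on the alternate port (the chan_sip bind port in Asterisk SIP Settings) and use the 10000-20000 RTP range for this to line up.

```shell
#!/bin/sh
# Added example, not FreePBX firewall-module code: iptables rules on a Linux
# router/firewall in front of the PBX implementing the advice above.
# Assumptions (constructed values): provider 203.0.113.10, PBX at 10.0.0.5 on
# the LAN, WAN interface eth0, alternate SIP port 22006, RTP range 10000-20000.
PROVIDER_IP=${PROVIDER_IP:-203.0.113.10}
PBX_IP=${PBX_IP:-10.0.0.5}
WAN_IF=${WAN_IF:-eth0}
ALT_SIP_PORT=${ALT_SIP_PORT:-22006}
RTP_RANGE=${RTP_RANGE:-10000:20000}
# Default is a dry run that prints the rules; set DRY_RUN=0 (as root) to apply them.
DRY_RUN=${DRY_RUN:-1}

ipt() {
    if [ "$DRY_RUN" = 1 ]; then printf 'iptables %s\n' "$*"; else iptables "$@"; fi
}

# The weak setting: "just open 5060 to the PBX". Every scanner on the Internet
# can now send REGISTER attempts, which is exactly what the log in #7 shows.
blanket_rules() {
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport 5060 -j DNAT --to-destination "$PBX_IP"
    ipt -A FORWARD -i "$WAN_IF" -p udp -d "$PBX_IP" --dport 5060 -j ACCEPT
}

# The corrected setting: provider-only SIP with redirection, RTP passed, rest dropped.
sip_lockdown_rules() {
    # Replies to connections the PBX itself started (its REGISTER to the provider,
    # outbound INVITEs) come back as ESTABLISHED/RELATED and need no open port.
    ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 1. SIP signalling: only the provider, only UDP 5060 on the outside,
    #    rewritten to the alternate port the PBX actually listens on.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p udp -s "$PROVIDER_IP" --dport 5060 \
        -j DNAT --to-destination "$PBX_IP:$ALT_SIP_PORT"
    ipt -A FORWARD -i "$WAN_IF" -p udp -s "$PROVIDER_IP" -d "$PBX_IP" --dport "$ALT_SIP_PORT" -j ACCEPT
    # 2. RTP media: the range must reach the PBX for audio to work. No
    #    authentication happens on these ports, so this is not the hole it looks like.
    ipt -t nat -A PREROUTING -i "$WAN_IF" -p udp --dport "$RTP_RANGE" -j DNAT --to-destination "$PBX_IP"
    ipt -A FORWARD -i "$WAN_IF" -p udp -d "$PBX_IP" --dport "$RTP_RANGE" -j ACCEPT
    # 3. Anything else aimed at the usual SIP ports (and the alternate one) from
    #    the WAN is dropped silently: scanners get no answer at all.
    ipt -A FORWARD -i "$WAN_IF" -p udp -m multiport --dports "5060,5061,5160,$ALT_SIP_PORT" -j DROP
    ipt -A FORWARD -i "$WAN_IF" -p tcp -m multiport --dports "5060,5061,5160,$ALT_SIP_PORT" -j DROP
}

# Print the hardened rule set (dry run by default).
sip_lockdown_rules
```

Rule order matters: the provider and RTP ACCEPT rules are appended before the DROP rules, so the provider's packets (already rewritten to port 22006 by the nat table) are accepted first and everything else reaching a SIP port is dropped. If the firewall is the PBX box itself rather than a router in front of it, the FORWARD rules become INPUT rules and the DNAT becomes a REDIRECT to the alternate port.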

(Robert Wooden) #11

Work demands left me no time to read (carefully) the valuable information provided until today. I agree with EVERYTHING you said and practice most. Those suggestions I did not practice, I do now. Thank you.

My problem with “Wrong password” attempts from known blacklisted IP addresses appears to have been solved by simply returning to my basic setup and double checking all settings. (Could be the documentation changed since I did my initial setup but I don’t know why, just know I found what I had done wrong and am now accepting connections from ONLY my SIP provider. No more “Wrong password” entries in my logfile and the log on my server has dropped to normal. All caused by my bad, my mistake.)

Now, I have a different problem that I will post on a new thread.


#12

First of all, is the SIP port open on your router? If there is any reason to have an open SIP port for remote extensions, it is better to use a VPN connection.
By the way, there seems to be no logical reason to have an open SIP port on your router, because you only want to receive connections from your VOIP provider.
Just one thing: if your Asterisk box is already registered to the VOIP provider, it doesn’t need to take care of the VOIP provider’s connection to your Asterisk (based on client and server handshaking).
Recommendation: close your router’s open SIP port.