SBC as an admission controller for remote extensions

A number of months back there was a webinar for Bria Stretto and FreePBX. One of the questions asked was how to securely connect the remote Bria Stretto extensions to the Asterisk PBX. The suggestion was to use an SBC. They also suggested this on the CounterPath website. Now, I cannot find that suggestion any longer, nor can I find the webinar, so I’m guessing that this isn’t actually a viable option (I saw an old post from dicko that suggested that there wasn’t a viable open source solution at that time).

I’ve done my due diligence and I’ve tested many remote extension solutions, most of them requiring user interaction: either dialing first into the PBX, having dyndns or knockd software on the PC or smartphone, or of course a VPN that requires the end user to figure out how to use the VPN or always ensure that he or she is logged into the VPN. The best solutions I’ve come across have iptables check information in the registration string, but after testing those solutions extensively, I’ve found that the registration is actually hit or miss, sometimes taking more than one attempt or lagging for longer than is acceptable (to the point of seeming that it times out).

That said, I’ll actually get to my question. Has there been any headway in using SBCs in this way with Asterisk? I’ve tested OpenSBC and I’ve tested Kamailio, but I’ve found that I cannot use features such as star codes with my extension (for example, logging an agent in to a queue using the star code, or *97) or FOP2.
In a reverse of this scenario, for a cloud based PBX solution, I’ve used Edgewater routers to connect by establishing a trunk to the PBX; then extensions register to the EdgeMarc router, but the extensions’ registrations are forwarded to the PBX using a transparent SIP proxy mode. Is there anything like this, but the reverse? Or would that simply be the same as forwarding 5060 to the PBX wide open? …any takers on this one?

Not really. FreePBX is a PBX; your SBC/proxy is exactly that. You probably need to register your extensions against a FreePBX instance (which is what Kamailio can proxy for you).

If you are worried about security issues, then 99%+ will go away if you JUST DON’T USE 50XX, it’s just that simple.

I would agree with all your reservations about VPN etc., complete BS in the real world. But having your clients register against my.ip.co.m:54667 instead is almost as brain undead as sending your money to Palestine/5060 “clients” is braindead . . . .

Here are the instructions for configuring an upper registration with a Sangoma SBC… I believe this is what you are looking for: http://wiki.sangoma.com/NSC-SIP-Upper-Registration

Thanks dicko! Is there anything that needs to be changed with regards to fail2ban to make sure that it is able to stop any brute force attempts against a random port (as in your example, against 54667)? Also, I did some testing; Asterisk will take a random port even if that’s not its default port. Do you still recommend the default listening port be changed from 5060?

fail2ban is as effective as the regexes you build to use against the log files that expose the IP addresses of the bad guys.

I will disagree with “asterisk will take a random port”, it won’t. If you are talking about RTP connections, don’t worry; apart from a vague possibility that a local host on your network might listen to a phone call without using SRTP, there is no risk at all…

Yes, 99.99% of all attacks originate on ports 5000-5999, 99.786% on 5060/5061; just don’t unnecessarily expose yourself.
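As an added illustration of the point above that fail2ban is only as good as the regex it runs over the log (example code written for this thread, not taken from fail2ban or from Asterisk): a small Python check that applies a fail2ban-style pattern to constructed log lines modelled on Asterisk's security log format, counting failed registration attempts per remote host no matter which local or remote port the attempt used. The log lines, the 54667 local port and the retry threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines, modelled on the Asterisk security-log (res_security_log)
# key="value" format. Assumption: real lines follow this layout; these are not from
# any real system. Note the listener on the non-standard local port 54667 and the
# remote peer that tries several transports and source ports.
SAMPLE_LOG = """\
SecurityEvent="InvalidPassword",EventTV="2015-03-01T10:00:01.000+0000",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x1",LocalAddress="IPV4/UDP/10.0.0.2/54667",RemoteAddress="IPV4/UDP/203.0.113.9/5060"
SecurityEvent="InvalidAccountID",EventTV="2015-03-01T10:00:02.000+0000",Severity="Error",Service="SIP",EventVersion="2",AccountID="admin",SessionID="0x2",LocalAddress="IPV4/UDP/10.0.0.2/54667",RemoteAddress="IPV4/UDP/203.0.113.9/5061"
SecurityEvent="ChallengeResponseFailed",EventTV="2015-03-01T10:00:03.000+0000",Severity="Error",Service="SIP",EventVersion="2",AccountID="1001",SessionID="0x3",LocalAddress="IPV4/TCP/10.0.0.2/54667",RemoteAddress="IPV4/TCP/203.0.113.9/40123"
SecurityEvent="SuccessfulAuth",EventTV="2015-03-01T10:00:04.000+0000",Severity="Informational",Service="SIP",EventVersion="2",AccountID="121",SessionID="0x4",LocalAddress="IPV4/UDP/10.0.0.2/54667",RemoteAddress="IPV4/UDP/198.51.100.7/50321"
SecurityEvent="InvalidPassword",EventTV="2015-03-01T10:00:05.000+0000",Severity="Error",Service="SIP",EventVersion="2",AccountID="121",SessionID="0x5",LocalAddress="IPV4/UDP/10.0.0.2/54667",RemoteAddress="IPV4/UDP/198.51.100.7/50321"
"""

# Event types that represent an authentication failure; a successful
# registration (SuccessfulAuth) must never count against the remote host.
FAIL_EVENTS = ("FailedACL", "InvalidAccountID", "ChallengeResponseFailed", "InvalidPassword")

# The host is captured from RemoteAddress only; the trailing /<port> is matched but
# discarded, so the pattern works identically for 5060 and for any random port.
FAIL_RE = re.compile(
    r'SecurityEvent="(?:' + "|".join(FAIL_EVENTS) + r')".*?'
    r'RemoteAddress="IPV4/(?:UDP|TCP|WS)/(?P<host>\d{1,3}(?:\.\d{1,3}){3})/\d+"'
)


def failed_attempts(log_text):
    """Return {remote_host: number_of_failed_auth_events} for the given log text."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        match = FAIL_RE.search(line)
        if match:
            counts[match.group("host")] += 1
    return dict(counts)


def offenders(log_text, maxretry=3):
    """Hosts that reached the fail2ban-style maxretry threshold, sorted for stable output."""
    return sorted(host for host, n in failed_attempts(log_text).items() if n >= maxretry)


if __name__ == "__main__":
    print(failed_attempts(SAMPLE_LOG))   # {'203.0.113.9': 3, '198.51.100.7': 1}
    print(offenders(SAMPLE_LOG))         # ['203.0.113.9']
```

A host with one typo in its password (198.51.100.7 above) stays below the threshold, while the peer cycling through accounts, transports and source ports is caught on the third failure regardless of the port it aimed at.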

I forwarded a random port (used 50xxx) with bria and it established the connection after opening that port in iptables. Also, sip show peers showed the state of that extension connected on that port. Actually, not just that, but I have a bunch of softphones locally using non standard 5060, as well as hardphones using standard 5060. I didn’t force asterisk to listen on any of those ports, just at the endpoint only.

121/121                   {ext ip hidden}                             D   N          A  50321    OK (227 ms)
112/112                   192.168.2.50                             D              A  62381    OK (9 ms)
118/118                   192.168.20.124                           D              A  5060     OK (11 ms)

I will clarify my response: Asterisk will not “take” a random port, it can be programmed to listen on any unused port; don’t choose a “privileged” port below 1024. If you have PJSIP and CHAN_SIP, choose two; if you use TCP and UDP, choose two more.

So far I’ve had no problems. Thanks for your help Dicko