Security - Opening ports

Hi All,

I’ve a quick question. I’ve just set up FreePBX with a SIP trunk using IP authentication and type is friend. I had to forward port 5060 and the RTP ports. Extensions are locked down by IP allow and deny and all extensions are internal. In SIP settings anonymous SIP calls and SIP guests are disabled. Can anyone tell me if there is a security or hacking risk?

Port 80 is not forwarded and the PBX is behind NAT.

I’ve also enabled fail2ban. Should it be okay from a security point of view?

There is no guarantee; any time you expose udp/5060 to the internet there is a “security or hacking risk” against your SIP stack, and the drive-bys will notice and forward your box’s IP for later, deeper exploration. Limit such access to your known hosts; better yet, don’t use 5060 for SIP signaling.

Thanks for your response. My provider will only do IP authentication and I have to open 5060 for that, unfortunately. I have the extensions configured and locked down to the inside network. Even if they get the username and password and get past fail2ban, will they be able to place calls through that provider?

The trunk accepts calls from a certain IP only, and anonymous SIP calls, guests etc. are disabled.

I am going to set up the firewall to allow certain IP addresses, which should limit it down?

If you only allow SIP traffic from your VSP then you are safe from SIP probes. BUT check it; best practice is to perform a penetration test from outside your box. Any open port ups the risk. After 40 years it is generally acknowledged that ANY open port exposes you to risk.

Thanks. By risk, what do you mean? Surely, other than if the provider’s network is compromised, it will be a lot of work to get access to an extension since they’re locked down. External IPs can’t get access unless they are from the provider?

Until I set up firewall rules, should a system as above with fail2ban stand for 48 hours? I know there’s a risk, but how can a PBX get hacked easily if all extensions are locked down to internal IPs?

Thanks for your help.

Well, as to risk: your box by default probably has ports 5038, 53 and 3309 unnecessarily open. Some will assure you that there is no problem here as the underlying accounts are restricted to the local host; in the past, some who believed this have been exposed to various buffer overrun exploits and found it was bad advice. There is a fair chance that your DNS is still recursive; this can cause DoS and other security breaches. Although the risk is small, it is still there, and no guarantees. There are many intrusion testing suites out there, and regularly throwing them (including SIPVicious) against your external IP(s) is always good practice, as is adding rkhunter or some such to the mix. You can never have too much vigilance here, as a successful intrusion can cost many thousands of dollars. As they say in England, “Use both your belt and braces”.

Hi there,

Thanks for the response. I’ve received the following email: "Hi,

The IP… has just been banned by Fail2Ban after
4 attempts against Asterisk.

Regards,

Fail2Ban"

The thing is that 5060 is closed. I checked this online and it is closed from the router. I have 5060 forwarded for one IP (my carrier) and I tried to connect externally and it cannot connect. Why would I get attacks for a closed port, since 5060 is for SIP signaling? I register with another carrier on port 5060; would that make a difference?

The only ports I have forwarded are the RTP ports, as otherwise I would have no audio. I can’t forward 10000-20000 for an IP though, as the router will only do 10 for IP based. Is there any way I can get audio without forwarding RTP?

Thanks for your help:)

The logs from which fail2ban derives its data are generally in /var/log/asterisk/full (although there is IMHO a better way of setting up Fail2ban).

You need two RTP ports for each call; they are defined in /etc/asterisk/rtp.conf. The audio is always in RTP packets, so it won’t work without those ports being forwarded.
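The ban notice quoted above says nothing about where the attempts came from; the answer is in the log fail2ban reads. As an added example that is not part of this thread, the script below counts failed SIP registrations per source address from lines in Asterisk's chan_sip log format and lists the sources that reached the same threshold of 4 attempts that the notice mentions. The log lines are constructed here (TEST-NET addresses) so it runs offline; on a real box you would feed it /var/log/asterisk/full instead.

```shell
#!/bin/sh
# Added example, not from the thread: tally failed SIP registrations per
# source IP and report the ones that reached fail2ban's retry threshold.

MAXRETRY=4   # matches the "4 attempts" in the quoted ban notice

# Constructed sample of /var/log/asterisk/full entries (TEST-NET addresses,
# chan_sip "Registration from ... failed for ..." format).
SAMPLE_LOG=$(cat <<'EOF'
[2013-03-06 10:01:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@192.0.2.1>' failed for '198.51.100.7:5060' - Wrong password
[2013-03-06 10:01:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@192.0.2.1>' failed for '198.51.100.7:5060' - No matching peer found
[2013-03-06 10:01:04] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@192.0.2.1>' failed for '198.51.100.7:5060' - No matching peer found
[2013-03-06 10:01:05] VERBOSE[1234] chan_sip.c:   -- Registered SIP '200' at 192.0.2.20:5060
[2013-03-06 10:01:06] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@192.0.2.1>' failed for '198.51.100.7:5060' - No matching peer found
[2013-03-06 10:01:07] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.1>' failed for '203.0.113.9:5060' - Wrong password
[2013-03-06 10:01:08] NOTICE[1234] chan_sip.c: Registration from '"104" <sip:104@192.0.2.1>' failed for '198.51.100.7:5060' - No matching peer found
[2013-03-06 10:01:09] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@192.0.2.1>' failed for '203.0.113.9:5060' - Wrong password
EOF
)

# failed_per_ip "<log text>" -> lines of "count ip", highest count first.
failed_per_ip() {
    printf '%s\n' "$1" | awk -v q="'" '
        # Only registration failures count; the source host is quoted after
        # "failed for", and we drop the trailing :port.
        /chan_sip\.c: Registration from / && match($0, "failed for " q "[0-9.]+") {
            ip = substr($0, RSTART + 12, RLENGTH - 12)
            count[ip]++
        }
        END { for (ip in count) print count[ip], ip }' | sort -rn
}

# ban_candidates "<log text>" <maxretry> -> source IPs with at least <maxretry> failures.
ban_candidates() {
    failed_per_ip "$1" | awk -v max="$2" '$1 >= max { print $2 }'
}

# Stand-alone run: show the tally, then the addresses over the threshold.
failed_per_ip "$SAMPLE_LOG"
echo "--- at or over $MAXRETRY attempts:"
ban_candidates "$SAMPLE_LOG" "$MAXRETRY"
```

If the addresses listed are not your carrier's, the traffic is reaching udp/5060 from somewhere else and the router or host firewall is not as closed as the online port check suggested; that is the check worth doing before the 48-hour wait the thread discusses.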

Makes sense thanks.

If I forward the RTP ports will there be any security risk?

I forwarded port 5060 from my router for an IP by a carrier, should this be okay?

I’m sort of paranoid about this sort of thing. Thanks for your help.

bump

Don’t “bump”, just read the wiki. If you don’t allow udp/5060 then there will be no SIP setup; if you don’t allow RTP on the ports you allowed in rtp.conf there will be no audio. It is up to you to sort out your router(s).
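The advice through the thread amounts to: admit udp/5060 only from the carrier's address, admit the RTP range from rtp.conf only from the same address, and drop everything else. As an added example that is not from the thread or from FreePBX, the script below reads rtpstart/rtpend from a constructed copy of rtp.conf and generates matching iptables rules for the PBX host itself. The carrier address (203.0.113.10, a TEST-NET placeholder) and the interface name eth0 are assumptions; the rules are printed, not applied.

```shell
#!/bin/sh
# Added example, not from the thread: generate host-firewall rules that allow
# SIP signalling and RTP media only from the carrier, with the RTP range taken
# from rtp.conf. Nothing is applied; review the output before piping it to sh.

CARRIER_IP="${CARRIER_IP:-203.0.113.10}"   # placeholder (TEST-NET-3), not a real carrier
WAN_IF="${WAN_IF:-eth0}"                   # assumption: the PBX's external interface

# Constructed sample of /etc/asterisk/rtp.conf; on a real box read the file itself.
SAMPLE_RTP_CONF='[general]
rtpstart=10000
rtpend=20000
'

# rtp_range "<contents of rtp.conf>" -> prints "START:END" in iptables range syntax,
# or fails if either value is missing or the range is inverted.
rtp_range() {
    printf '%s\n' "$1" | awk -F= '
        /^[[:space:]]*rtpstart[[:space:]]*=/ { s = $2 + 0 }
        /^[[:space:]]*rtpend[[:space:]]*=/   { e = $2 + 0 }
        END { if (s == 0 || e == 0 || s > e) exit 1; printf "%d:%d\n", s, e }'
}

# sip_rules <carrier_ip> <iface> <rtp_range> -> one iptables command per line.
# Order matters: the carrier ACCEPT must precede the catch-all DROP for each port set.
sip_rules() {
    ip="$1"; ifc="$2"; range="$3"
    cat <<EOF
iptables -A INPUT -i $ifc -p udp --dport 5060 -s $ip -j ACCEPT
iptables -A INPUT -i $ifc -p udp --dport 5060 -j DROP
iptables -A INPUT -i $ifc -p udp --dport $range -s $ip -j ACCEPT
iptables -A INPUT -i $ifc -p udp --dport $range -j DROP
EOF
}

main() {
    range=$(rtp_range "$SAMPLE_RTP_CONF") || { echo "rtp.conf: bad rtpstart/rtpend" >&2; return 1; }
    sip_rules "$CARRIER_IP" "$WAN_IF" "$range"
}

main "$@"
```

This sidesteps the router's limit of ten per-IP forwards mentioned above: the router can forward the whole 10000-20000 range, and the PBX host drops anything in that range that is not from the carrier. The DROP lines are what closes udp/5060 to the drive-by scanners; without them a forwarded port is reachable from any source.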