I have been working to tighten the bolts down on our PBX systems in the iptables firewall rules (modifying via Webmin - I’m only slightly masochistic - I like point and click where at all possible).
Below is the dump of my firewall rules on our new master image system, which runs the latest version of the FreePBX distro with the latest version of everything - FreePBX 2.11.x and Asterisk 11.7.0. We have fail2ban configured and verified that it works properly with Asterisk 11, and we have confirmed our firewall rules' security works as we desire. My question for everybody is: with these firewall rules in place, am I subjecting myself to any security risk I cannot foresee when we have all ports locked down as such? I am attaching the rules and I recommend you open them via Notepad++ or in Linux - just don't use Notepad.
Our rules are essentially as follows:
Ports 1:3999, 5000:5059, 5061:9999 and 20001:65535 tcp/udp go to a WHITELIST chain I created that lists customer IP addresses, including ours. As you can see, ports 5060, 4000-4999 (T.38) and 10000-20000 (RTP) are allowed from any IP address. We have extensions locked down in FreePBX to only allow registrations from that customer's static IP address in each extension's settings. But for mobile user extensions that use Bria on their mobile phones, we let any IP address register and connect, and if an incorrect password is attempted twice, fail2ban will jail that IP address for 12 hours before releasing it.
Am I missing something, or is this a safe practice to follow?
I forgot to mention that all our systems are internet-facing in a datacenter.
Apparently I can't attach files. So you'll just have to use the above info as an example. I also forgot to mention that the INPUT chain's default action is to allow after first having gone to the WHITELIST chain, and the last rule in the WHITELIST chain is to drop the connection attempted on those port ranges.
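Since the actual rule dump could not be attached, here is an added example (not the poster's real ruleset, and not generated by Webmin or FreePBX) that rebuilds the design described above as an iptables-restore file: the four restricted port ranges jump to a WHITELIST chain, whitelisted sources are accepted there, the chain ends in DROP, and 5060, 4000-4999 and 10000-20000 fall through to the INPUT policy of ACCEPT. The customer addresses are constructed placeholders from the RFC 5737 documentation ranges. One rule is an assumption the post does not mention: a conntrack ESTABLISHED,RELATED accept near the top of INPUT. Without it, replies to connections the PBX itself opens (updates, provisioning, trunk registrations over TCP) come back to ephemeral ports inside 20001:65535, hit WHITELIST, and are dropped unless the remote host happens to be whitelisted. A small `port_policy` helper (also added here) reports whether a given destination port is gated by the whitelist or open to any source.

```shell
#!/bin/sh
# Added example: reconstructs the ruleset described in the post as an
# iptables-restore file. This is not the poster's real dump.

# Constructed placeholder customer addresses (RFC 5737 documentation ranges),
# standing in for the real customer/static IPs in the WHITELIST chain.
WHITELIST_IPS="203.0.113.10 198.51.100.0/24"

# Destination port ranges sent to WHITELIST. 4000-4999 (T.38), 5060 (SIP) and
# 10000-20000 (RTP) are deliberately absent so they fall through to the INPUT
# policy of ACCEPT, i.e. they are reachable from any source address.
RESTRICTED_PORTS="1:3999,5000:5059,5061:9999,20001:65535"

# Emit the ruleset in iptables-restore format on stdout.
gen_rules() {
  cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:WHITELIST - [0:0]
-A INPUT -i lo -j ACCEPT
# Assumption, not stated in the post: accept replies to connections the PBX
# itself opened. Without this, return traffic to ephemeral source ports
# (inside 20001:65535) is sent to WHITELIST and dropped.
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -m multiport --dports $RESTRICTED_PORTS -j WHITELIST
-A INPUT -p udp -m multiport --dports $RESTRICTED_PORTS -j WHITELIST
EOF
  for ip in $WHITELIST_IPS; do
    echo "-A WHITELIST -s $ip -j ACCEPT"
  done
  # Last rule of WHITELIST: restricted-range traffic from any other source
  # is dropped, as described in the post.
  cat <<EOF
-A WHITELIST -j DROP
COMMIT
EOF
}

# Report how a destination port is treated by the ruleset above: prints
# "whitelist" if it is routed to the WHITELIST chain, "open" if it falls
# through to the INPUT policy (ACCEPT) and is reachable from any IP.
port_policy() {
  port=$1
  for range in $(echo "$RESTRICTED_PORTS" | tr ',' ' '); do
    lo=${range%:*}
    hi=${range#*:}
    if [ "$port" -ge "$lo" ] && [ "$port" -le "$hi" ]; then
      echo whitelist
      return 0
    fi
  done
  echo open
}

# Usage:  sh pbx-rules.sh emit > /etc/sysconfig/iptables.new
#         sh pbx-rules.sh check 5060     -> open
#         sh pbx-rules.sh check 22       -> whitelist
case "${1:-}" in
  emit)  gen_rules ;;
  check) port_policy "$2" ;;
esac
```

Review the emitted file before loading it with `iptables-restore`, and remember that fail2ban inserts its own chains at runtime, so a restore that overwrites the filter table should be followed by a fail2ban restart. Two things worth checking against this layout: because the INPUT policy is ACCEPT and only `-p tcp` and `-p udp` jump to WHITELIST, any other IP protocol (ICMP, SCTP, GRE and so on) is accepted from anywhere; and the open ranges are open regardless of source, so a stray service bound anywhere in 4000-4999 or 10000-20000 is exposed too. The usual way to close both gaps is to flip INPUT to a DROP policy and accept 5060, 4000:4999 and 10000:20000 explicitly, rather than listing what to restrict.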