SIP port change

I have been looking to secure our system more and saw many posts on the forums regarding reducing the attack surface and log clutter by changing your SIP signaling ports. Are there any recommendations regarding suggested port ranges to use, etc.? Also, I assume you just change the port on:

  1. SIP settings in FreePBX
  2. Assuming you use IP authentication with the trunk provider, change the port where the provider sends calls to.
  3. In the remote phone configuration files (instruct the phones to register to the PBX with this new port number).

Are these the only 3 places I would need to change the port number? What about the built-in FPBX Firewall? Anything needed there?

I know there are a TON of posts about this, but no real step by step guide. Also, when changing the port, is there a recommended range so as to avoid problems with crappy home user routers?

Thanks in advance!

Don’t use ranges you see in suggestions, as the attackers may monitor the suggestions and concentrate on those ranges.

Changing ports is security theater and IMHO is a waste of time. A properly configured firewall will be fine for 90% of people. The next best thing is to add something in front such as an SBC. Again, in most cases simply make sure your firewall is set up properly. Anything you have to expose, lock down to certain IPs. Best bet: expose nothing and use a VPN.

I can do a SYN scan on a host in seconds and learn about all of your ports. That's why non-standard ports are pointless.

But any decent firewall could detect and drop a port scanner before very few ports were scanned. Not using UDP 5060-5099 is never bad advice, especially for those still with SSH on 22.


On my home system I chose a few random ports in the 50k (not 5k!) range. By doing this I get fail2ban/responsive blocks at the rate of a few times a year instead of a few times a minute. That and quiet logs are the only benefits. The FreePBX Firewall module is capable of adapting to whatever ports you set, so no firewall config specific to the SIP port change is required. Obviously you must update anything that SIP registers to Asterisk (phones) as well as anything sending calls to Asterisk where registration is not used (IP auth trunks/gateways/etc)…

@jfinstrom I agree that anyone can do a SYN scan easily. I am not saying that “security by obscurity” is a good security practice. That’s not what this consideration is about at all. I just see many people on here doing this, in an effort to clean up the logs. @dicko seems to love this idea and speaks highly of it.

An SBC is a great option, but doesn’t that just add an extra layer in the communication path that is unnecessary? (but since you suggested it, any specific SBC setups you recommend)

VPN - Can you do a VPN with built-in tools with FPBX? I know there is a sysadmin addon that allows this. Would this be required?

The folks exploiting poorly designed VoIP systems are not the amateurs using brute-force sipvicious anymore, although there are plenty of them still around. Many operate within a sophisticated CAC system. The simplest test to flag a ‘mark’ is if an IP-numbered host sends anything back on a SIP query to udp/5060. Often that flag is handed off to a secondary system that next explores other non-VoIP open ports on that same IP; this builds a fingerprint which can be matched against their wider knowledge and then sent off to yet another system that specializes in that fingerprint. So your ports are precisely probed, not scanned, so changing standard ‘service’ ports makes perfect sense. Call it ‘hair and makeup’ for your character.

Protecting yourself at each level makes sense to me. If you can’t use the FreePBX firewall, then you need to alternatively cover the transport used for your extensions.

Acts of the play:-

act i)
if you don’t use 5060 then you won't see most attacks,

act ii)
if you use tcp then again the attack surface is hugely reduced,

act iii)
if you use tls again, less surface

act iv)
using a tls certificate certified to a domain not directly discernable from your ip address even more so.

JM2CWAE
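As an added example (not from this thread or from the FreePBX project), here is roughly what the four acts look like in the Asterisk pjsip.conf transport definitions that FreePBX's SIP settings page ends up writing: a UDP transport on a non-default high port, a TCP transport, and a TLS transport with a certificate. The port 51234, the certificate paths and the hostname are placeholders chosen for the example; use your own.

```ini
; Act i: UDP signaling moved off 5060 to a high, non-standard port.
; Phones and IP-auth trunks must be told about this port (placeholder value).
[transport-udp]
type=transport
protocol=udp
bind=0.0.0.0:51234

; Act ii: TCP transport. Same non-default port, connection-oriented,
; so casual UDP probes get nothing back.
[transport-tcp]
type=transport
protocol=tcp
bind=0.0.0.0:51234

; Acts iii and iv: TLS transport with a certificate issued for a hostname
; (pbx.example.invalid is a placeholder) rather than for the public IP.
; Paths are placeholders; point them at your real key and chain.
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/pbx.example.invalid.crt
priv_key_file=/etc/asterisk/keys/pbx.example.invalid.key
ca_list_file=/etc/asterisk/keys/ca-chain.crt
method=tlsv1_2

; A phone that should only ever reach the PBX over TLS is pinned to that
; transport (extension 1001 is a placeholder).
[1001]
type=endpoint
transport=transport-tls
context=from-internal
disallow=all
allow=ulaw
aors=1001
auth=1001
```

With these transports in place the FreePBX Firewall module tracks the configured ports on its own, as noted above, while anything that registers to or sends calls to the PBX still needs the new port and transport in its own configuration.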

This topic was automatically closed 31 days after the last reply. New replies are no longer allowed.