SIP Trunk Security

Hi all,

I am looking for a little direction here. I have a FreePBX 2.9 deployed to a server in a data center (let's call it a cloud setup). I have it locked down reasonably tight with CSF and all extensions have at least 16-character secrets.

It is working quite nicely but I am getting someone trying to connect via the SIP trunk. To be able to accept incoming calls through the SIP trunk I have the “Allow Anonymous Inbound SIP Calls?” set to yes.

We only have the one SIP trunk (Pennytel) so I would like to know if I can lock down FreePBX to allow incoming SIP trunk traffic to a specific IP?

I was thinking of doing this with CSF but it would block connections from the SIP client on my mobile which has a dynamic IP, which I don’t want. All other extensions have static IPs so I can use CSF for that.

If anyone else has an alternative recommendation then I am all ears.

Thanks in advance.

Just to clarify, I am looking to see if I can lock down incoming traffic on the SIP trunk only to come from a specified IP. This restriction should be performed by FreePBX so as to not disrupt extension connections with dynamic IPs. I will control all other blocking with CSF.

Hope that’s a bit clearer. Amazing what a reread does. lol

Cheers.

You can set up iptables (the Linux firewall) to drop all packets on 5060 except those from Pennytel’s IP.

A quick Google search should provide the direction you need.
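
The rule set the reply above describes, as an added example that is not part of the original thread: a shell function that prints the iptables commands for review instead of running them. 203.0.113.10 is a placeholder (Pennytel's address is not given in the thread) and SIP-TRUNK is a hypothetical chain name; as the original poster noted, a port-wide drop like this also blocks extensions that register from other addresses.

```shell
#!/bin/sh
# Constructed example. 203.0.113.10 is a documentation-range placeholder,
# not the provider's real address; SIP-TRUNK is a hypothetical chain name.

# valid_ipv4 ADDR: succeed only for a dotted-quad IPv4 address.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    rest="$1."
    count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}      # text before the first dot
        rest=${rest#*.}        # text after the first dot
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# sip_trunk_rules TRUNK_IP [PORT]: print the iptables commands that accept
# SIP signalling on PORT from TRUNK_IP only and drop it from everyone else.
sip_trunk_rules() {
    trunk_ip=$1
    port=${2:-5060}
    valid_ipv4 "$trunk_ip" || { echo "bad trunk IP: $trunk_ip" >&2; return 2; }
    case "$port" in
        ''|*[!0-9]*) echo "bad port: $port" >&2; return 2 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || {
        echo "port out of range: $port" >&2; return 2; }

    # A dedicated chain keeps the allow/drop pair together and easy to flush.
    echo "iptables -N SIP-TRUNK"
    echo "iptables -A SIP-TRUNK -s $trunk_ip -j ACCEPT"
    echo "iptables -A SIP-TRUNK -j DROP"
    # Send SIP over both transports through the chain, ahead of other rules.
    for proto in udp tcp; do
        echo "iptables -I INPUT -p $proto --dport $port -j SIP-TRUNK"
    done
}

# Sample invocation with the placeholder address (prints five commands).
sip_trunk_rules 203.0.113.10 5060
```

After reviewing the printed commands, they can be piped to `sh` as root to apply them.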