Zoiper to freepbx

I would like to ask about best practices when connecting Zoiper on iOS to FreePBX installed in my home lab. NAT through pfSense. Zoiper on the cellular network. Do I open port 5060 to the world (I’ve heard bad things), or do I trust in the FreePBX firewall?

Anyone?

Is this a stupid question?

Best if you allow SIP Services from your IP only

I don’t really understand what you mean by that. If you have mobile workers and want them connected to your PBX, what is the best practice to achieve that?

If they have a Static IP or DDNS then whitelist it in your firewall, otherwise, you’ll need to use the responsive firewall. And maybe add a Geo IP based filter on top of it.

1 Like

Most of the bad things are from nincompoops who set simple SIP passwords or open their dialplan to allow unauthenticated calls to be placed through their server.

I do not remember the last time SIP ports were exploited strictly by way of software vulnerability.

If you are a little bit smart you can set up a system with SIP ports open to the world.

Responsive firewall is great at discouraging scanners/hackers who want to beat on your system and try to guess passwords.

Picking a port other than 5060 also helps keep the noise down in your log files.

VPN is recommended for the clients. Short of that, since I assume your clients are DHCP, you should look into the responsive firewall.

Recommended reading material:
https://wiki.freepbx.org/display/FOP/Remote+Phone+Best+Practices+and+Limitations
https://wiki.freepbx.org/display/FPG/Responsive+Firewall
https://info.sangoma.com/voip-security-best-practices.html

Another common exploit vector comes from not properly securing provisioning files. It’s critically important to ensure all provisioning services are locked down, particularly when signalling ports are open to the Internet.

3 Likes
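The responsive firewall mentioned above works by watching failed SIP authentication and shutting out sources that keep guessing. The following is an added example, not code from the thread or from FreePBX, that reproduces that logic offline over constructed log lines modelled on Asterisk's `res_security_log` output (the exact field layout is an assumption; compare against your own `/var/log/asterisk/full`):

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the style of Asterisk's SECURITY log (format assumed).
# Addresses are from RFC 5737 documentation ranges, not real endpoints.
SAMPLE_LOG = """\
[2024-05-01 10:00:01] SECURITY[2201] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-05-01 10:00:02] SECURITY[2201] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-05-01 10:00:02] SECURITY[2201] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="PJSIP",AccountID="admin",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
[2024-05-01 10:00:03] SECURITY[2201] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="PJSIP",AccountID="2001",RemoteAddress="IPV4/TLS/198.51.100.7/51234"
[2024-05-01 10:00:04] SECURITY[2201] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="PJSIP",AccountID="2001",RemoteAddress="IPV4/TLS/198.51.100.7/51234"
[2024-05-01 10:00:05] SECURITY[2201] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="PJSIP",AccountID="1001",RemoteAddress="IPV4/UDP/203.0.113.5/5060"
"""

# Event types that mean an authentication attempt failed.
FAILURE_EVENTS = {"InvalidPassword", "InvalidAccountID", "ChallengeResponseFailed"}

EVENT_RE = re.compile(r'SecurityEvent="(?P<event>[^"]+)"')
REMOTE_RE = re.compile(r'RemoteAddress="IPV[46]/(?P<proto>[A-Z]+)/(?P<ip>[^/"]+)/\d+"')
ACCOUNT_RE = re.compile(r'AccountID="([^"]*)"')

def parse_line(line):
    """Return (event, remote_ip, transport), or None if the line is not a security event."""
    ev, rm = EVENT_RE.search(line), REMOTE_RE.search(line)
    if not ev or not rm:
        return None
    return ev.group("event"), rm.group("ip"), rm.group("proto")

def failures_by_source(log_text):
    """Count failed auth events per remote IP and record which accounts each source tried."""
    counts, accounts = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[0] not in FAILURE_EVENTS:
            continue
        counts[parsed[1]] += 1
        acct = ACCOUNT_RE.search(line)
        if acct:
            accounts[parsed[1]].add(acct.group(1))
    return counts, accounts

def sources_to_block(log_text, threshold=3):
    """Sources at or above the failure threshold: what a responsive firewall would ban."""
    counts, _ = failures_by_source(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)

if __name__ == "__main__":
    counts, accounts = failures_by_source(SAMPLE_LOG)
    for ip, n in counts.most_common():
        print(f"{ip}: {n} failures, accounts tried: {sorted(accounts[ip])}")
    print("block:", sources_to_block(SAMPLE_LOG))  # → ['203.0.113.5']
```

A single legitimate user mistyping a password (198.51.100.7 here) stays below the threshold, while one source cycling through several account names is what the ban is meant to catch.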

I never recommend VPN. It adds overhead and fragility. I implement it when other options are worse.

ZoIPer is no longer free for business use. Your example is home lab, so that qualifies, but using it for business requires a license.


Been there, done that. Have the phone bill to prove it.

VPN has its place. Depending on network complexity and subject matter knowledge, VPN can be helpful. And while it adds complexity (overhead), with a proper setup VPN is seldom the “broken link” in the chain. That said, with the tools available, I agree there are ways to securely complete the task without VPN.

a) use TCP (preferably TLS), it will improve your battery life also.

b) don’t use any port between 5000 and 5999

c) only accept SIP conversations directly to your domain name, reject anything to your server’s IP address.

d) only provision over HTTPS or FTPS

e) limit concurrent calls by extension

f) disable your management web server port when you don’t need it.

Add the above to an effective firewall and feel safer (there is no guaranteed method of preventing penetrations bar disconnecting the system from the internet).

JM2CWAE