ARR

SIP

date: 2021-10-08

FreePBX Securing

The ultimate aim here is to lock down FreePBX so that it’s safe to tie into an external VOIP service where we can associate a number with it and allow contact through it.

There are a few practices to consider, such as:

  • not allowing guest connections
  • only authorised traffic through verified trunks
  • if possible, only open up the SIP port externally to the VOIP provider
  • fail2ban for unauthorised traffic/repeated login attempts
    • both for SIP and SSH (though don’t open up SSH to the outside)

fail2ban

This can usually be installed through the OS package manager, but since there’s a dedicated command for it on FreePBX, I’m assuming it’ll have some additional settings related to the PBX and not just SSH.

As root, run install-fail2ban.

root@raspbx:~# install-fail2ban  
Installing Fail2Ban for Asterisk  
Configuration by Razvan Turtureanu  
Installer script by Gernot Bauer  
Please read the documentation at http://raspbx.org/fail2ban  
Send notifications to email address (leave empty for no notifications): 

I don’t have mail settings configured at the moment, but I’ve put in my e-mail address for future use.

Once installed, I’m presented with

Your configuration has been saved successfully to these files:  
/etc/asterisk/logger_logfiles_custom.conf  
/etc/fail2ban/filter.d/asterisk.conf  
/etc/fail2ban/action.d/iptables-asterisk.conf  
/etc/fail2ban/jail.local  
Please be aware that this configuration only works if you have allowguest=no  
in your sip.conf file. To configure this in FreePBX, go to Asterisk SIP  
Settings and set Allow SIP Guests to No.  
A good practice is to also add the setting  
alwaysauthreject=yes  
in Other SIP Settings on the Asterisk SIP Settings page.

sip.conf seems to be located at /etc/asterisk/sip.conf, but I’m not seeing an allowguest parameter. I’m also not sure if this should be edited or if it needs to be done from the FreePBX GUI.

The GUI equivalent is at Settings > SIP Settings > Security Settings > Allow SIP Guests. I’ve turned this off for now, so let’s see how that goes.
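Asterisk configuration files can pull in other files with #include, so a setting made in the GUI need not appear in sip.conf itself. The following is an added example, not part of the original post or of FreePBX: a shell check that follows #include lines and reports the effective [general] values of allowguest and alwaysauthreject. The function names and the demo file names are assumptions made for illustration.

```shell
# Added example (not from the original post). Demo file names are constructed.
# Print FILE with every "#include" expanded in place, relative to FILE's directory.
flatten_conf() {
    local file="$1" depth="${2:-0}" dir line inc
    [ -f "$file" ] && [ "$depth" -lt 8 ] || return 0   # guard against include loops
    dir=$(dirname "$file")
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            '#include'[[:space:]]*)
                set -f; set -- ${line%%;*}; set +f      # $2 = included file name
                inc=${2#\"}; inc=${inc%\"}
                case $inc in /*) ;; *) inc=$dir/$inc ;; esac
                flatten_conf "$inc" $((depth + 1)) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done < "$file"
}

# Echo the last value assigned to KEY inside [general], or "unset".
effective_setting() {
    flatten_conf "$1" | awk -v key="$2" '
        { sub(/;.*/, ""); gsub(/^[ \t]+|[ \t]+$/, "") }   # drop comments, trim
        /^\[/ { section = tolower($0); sub(/\].*/, "", section)
                sub(/^\[/, "", section); next }
        section == "general" {
            n = index($0, "="); if (n == 0) next
            k = substr($0, 1, n - 1); v = substr($0, n + 1)
            sub(/^>/, "", v)                                # accept "key => value"
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) val = tolower(v)         # last assignment wins
        }
        END { print (val == "" ? "unset" : val) }'
}

# Return 0 only when both settings named by the installer output are in place.
audit_sip() {
    local conf="$1" rc=0 guest reject
    guest=$(effective_setting "$conf" allowguest)
    reject=$(effective_setting "$conf" alwaysauthreject)
    [ "$guest" = no ] || { echo "FAIL allowguest=$guest (want no)"; rc=1; }
    [ "$reject" = yes ] || { echo "FAIL alwaysauthreject=$reject (want yes)"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK allowguest=no alwaysauthreject=yes"
    return "$rc"
}

# Constructed sample: sip.conf holds no allowguest line; the value sits in an include.
demo=$(mktemp -d)
printf '%s\n' '[general]' '#include sample_generated.conf' 'bindport=5060' > "$demo/sip.conf"
printf '%s\n' 'allowguest = no ; set from the GUI' 'alwaysauthreject=yes' > "$demo/sample_generated.conf"
audit_sip "$demo/sip.conf" || true
```

On the system described in the post, the file to pass to audit_sip is /etc/asterisk/sip.conf.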

Storm

#sip #telephony #freepbx