Installation of the PBX server
To install the phone server, insert the Elastix CD and follow the on-screen instructions.
Securing PBX/Asterisk server:
Basic Security measures:
1. Secure Extensions
Extensions in Elastix are a prime target for attack. Enabling extensions with weak passwords opens the way for attackers to take over the phone system.
1.1 Use a strong secret for every extension (a mix of numbers, letters and other ASCII characters).
1.2 Use the allow/deny fields
Deny 0.0.0.0/0.0.0.0
Allow 192.168.0.0/255.255.255.0
This only allows the extension to connect from the local network. For example, if the local network is 10.1.1.0, use 10.1.1.0/255.255.255.0 in the allow field.
1.3 No NAT for extensions: do not enable the NAT setting on extensions.
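As an added example (not code from the original post), the following Python models how Asterisk evaluates an extension's deny/permit fields: rules are checked top to bottom and the last matching rule wins, so the deny-all line must come before the permit line. It parses a constructed sip_additional.conf-style snippet and flags extensions that are still registrable from the Internet, or that lock out even the LAN phones; the extension numbers, secrets and addresses are made up.

```python
import ipaddress

# Constructed sample in the style of Elastix's sip_additional.conf (not a real config):
# 101 is set up as recommended, 102 has no deny/permit at all, 103 has the rules reversed.
SAMPLE_CONF = """\
[101]
secret=Str0ng#Secret!91
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0

[102]
secret=1234

[103]
permit=192.168.0.0/255.255.255.0
deny=0.0.0.0/0.0.0.0
"""

def parse_acls(conf_text):
    """Return {extension: [(action, network), ...]} keeping file order."""
    acls, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            acls[current] = []
        elif current and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key in ("deny", "permit"):
                addr, _, mask = value.partition("/")  # mask may be dotted or CIDR
                acls[current].append((key, ipaddress.ip_network(f"{addr}/{mask or '32'}", strict=False)))
    return acls

def peer_allowed(rules, peer_ip):
    """Asterisk semantics: no rules means permit; otherwise the LAST matching rule decides."""
    ip = ipaddress.ip_address(peer_ip)
    verdict = True
    for action, net in rules:
        if ip in net:
            verdict = action == "permit"
    return verdict

def classify(conf_text, lan_ip="192.168.0.25", internet_ip="203.0.113.9"):
    """open: registrable from the Internet; lan-only: the intended setting;
    locked-out: misordered rules that reject even the LAN phones (probe IPs are assumed)."""
    result = {}
    for ext, rules in parse_acls(conf_text).items():
        on_internet, on_lan = peer_allowed(rules, internet_ip), peer_allowed(rules, lan_ip)
        result[ext] = "open" if on_internet else "lan-only" if on_lan else "locked-out"
    return result
```

Running classify(SAMPLE_CONF) reports 101 as lan-only, 102 as open and 103 as locked-out.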
2. Block Anonymous SIP calls
Allowing anonymous calls weakens the phone server: anyone can place fake calls and enumerate the phone system's structure, including its extensions. Blocking anonymous SIP calls is a baseline security practice for a PBX.
Go to General Settings and set "Allow anonymous calls" to NO.
3. Block SIP guests
Do not allow guest SIP accounts to register with the PBX.
Open Unembedded FreePBX, go to the Tools section and click Asterisk settings. Set "Allow SIP guests" to NO.
4. Do not install any extra services on the phone system unless needed (each one opens more unwanted ports).
Advanced Security measures:
Securing PBX/Asterisk/Elastix with iptables:
Edit the iptables rules if the PBX server sits behind NAT but is not protected by a firewall.
#Accept all traffic (including SSH) from the local subnet 192.168.0.0/24
# iptables -A INPUT -s 192.168.0.0/24 -j ACCEPT
#Accept any (all) SIP connections arriving on interface eth0
# iptables -A INPUT -p udp -m udp -i eth0 --dport 5060 -j ACCEPT
#More effective: accept SIP connections only from the SIP trunk provider
# iptables -A INPUT -s 1.1.1.1 -p udp -m udp --dport 5060 -j ACCEPT
OR
# iptables -A INPUT -s 1.1.1.1 -j ACCEPT
Note: 1.1.1.1 is the IP address of the SIP trunk provider.
#Accept RTP (media) connections on eth0
# iptables -A INPUT -p udp -m udp -i eth0 --dport 10000:20000 -j ACCEPT
#Accept SMTP, POP, IMAP, HTTP, HTTPS (unnecessary if the PBX serves only SIP; make sure no other service runs unless needed)
# iptables -A INPUT -p tcp -i eth0 --dport 25 -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 110 -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 143 -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 80 -j ACCEPT
# iptables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
#Keep established and related sessions (does not drop the current session or already connected sessions)
# iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
#Block SSH globally (the first rule still allows SSH from the local subnet)
# iptables -A INPUT -p tcp -i eth0 --dport 22 -j DROP
#Except for the rules above, drop all packets arriving on eth0
# iptables -A INPUT -p all -i eth0 -j DROP
#List the active rules to verify them
# iptables -L
#iptables -F flushes ALL rules: use it only to start over before re-entering the rules above, never right before saving
# iptables -F
#Save the rules so they survive a reboot
# /sbin/service iptables save
Port forwarding for the PBX server
If the PBX server is behind NAT, make sure to forward the ports used by Elastix.
Common ports for Elastix:
SIP: 5060
RTP: 10000-20000
Ex. Cisco-config# access-list 108 permit udp any any range 10000 20000
#This command maps the internal PBX address to the WAN IP 1.2.3.4 (static NAT) so all traffic to the WAN IP is forwarded to the PBX
Cisco-config# ip nat inside source static 192.168.1.222 1.2.3.4
Cisco-config# access-list 108 permit udp any any
The command above allows any incoming UDP connection to the PBX server, leaving it wide open to attack. To block unwanted connections to the phone server, it is mandatory to allow only the SIP trunk provider to connect to the PBX.
Advanced port forwarding for the Asterisk/PBX server
Advanced port forwarding is a must for an Asterisk/PBX server; these commands block any access to the PBX server other than from the SIP trunk provider.
#To make the commands above more precise, the following is a must. Create an access list for the outbound (WAN) interface and only allow the SIP provider to connect to the PBX. Access-list entries are evaluated top down, so the earlier "permit udp any any" entries in access-list 108 must be removed first or the deny below never matches.
#For an inbound access list the source is the provider's address (SIP.IP) and the destination is the router's WAN IP (1.2.3.4)
Cisco-config# access-list 108 permit udp host SIP.IP host 1.2.3.4 log
Cisco-config# access-list 108 deny udp any any log
Cisco-config# logging buffered
Make sure to apply this access list to the WAN interface of the Cisco router.
Cisco-config# interface Dialer 0
Cisco-if-config# ip access-group 108 in
#Verify that the access list is applied to the interface (show ip interface Dialer 0 also reports the inbound access list)
Cisco# show ip access-list interface Dialer 0
Access-list 108 in.
Install fail2ban
Server# yum install fail2ban
Edit the configuration file and replace the alert email address in jail.conf:
Server# nano /etc/fail2ban/jail.conf
#Set the ssh-iptables and fail2ban directives to true and change the email address that will receive the alerts
I've heard of systems like Elastix / Trixbox getting hacked for thousands of dollars; however, how is that possible when you have an ITSP which you fund for only a set dollar amount. For example, I only funded the account for $10. Is there some type of trick to even charge more?
Please, can you make your question clearer? I didn't understand what you are trying to achieve.
How can I allow another IP in fail2ban?