On 23/12/15 5:43 pm, James Ronald wrote:
> Is anyone aware of a pfSense config/recipe to safely allow remote SIP
> phones to connect to a local asterisk PBX?
You will need to be more specific about what you are trying to achieve
or prevent.
In my experience:
1) Create an alias containing a list of 'allowed' IPs from which you
want to allow external SIP connections.
2) Set up your UDP/5060 allow rule to only let in connections from this
list of IPs.
3) On the asterisk box itself, run things like fail2ban to alert you to
potential password guessing attacks.
4) Make sure your upstream provider - be they SIP, ISDN or analogue
connections - will allow you to impose a per-day limit on charges so
that if the worst does happen and a compromised device connects, you
aren't exposed to massive call charge fraud.
That's what you can do at the server end. But I've seen several attacks
of late against the web interfaces on SIP phones - many of these will
allow you to dial a number. Because these dialling attempts come from an
authorised IP/device, many of the server protections won't catch them,
so you'll want to do the following as well:
1) Only allow calls to destinations your users need to reach - if they
don't need to make international calls, then don't let them; or if they
do need to call internationally, but only to certain countries, only
allow calls to those countries.
2) If you control the SIP endpoints, make sure their web interfaces have
a strong password. Enforce this rigidly.
3) If you control your end users' routers, make sure these don't allow
incoming traffic to the SIP device's web interface, except from trusted
IPs if needed. Certainly don't use the 'default DMZ' option present in
many consumer routers - it may be a quick/easy way of fixing the broken
SIP ALG issue, but you're exposing the web interface to the world at large.
4) Have some sort of auto-provisioning system for regular cycling of
credentials, and pushing firmware updates to endpoints.
Kind regards,
Chris
--
This email is made from 100% recycled electrons
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
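Two of the steps above (watching the PBX log for password guessing, as fail2ban does, and only permitting the call destinations users actually need) can be shown in a few lines of code. The script below is an added example, not Chris's code and not part of pfSense, Asterisk or fail2ban. It assumes the classic chan_sip "Registration from ... failed for ..." NOTICE line format, the sample log lines are constructed, and the destination policy (internal and domestic numbers allowed, international only to the UK and NANP country codes) is an illustrative assumption you would replace with your own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the chan_sip NOTICE format (not real log data).
# One source hammers five accounts in five seconds; another fails twice, far apart.
SAMPLE_LOG = """\
[Dec 23 17:40:01] NOTICE[2231] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Dec 23 17:40:02] NOTICE[2231] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Dec 23 17:40:03] NOTICE[2231] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[Dec 23 17:40:04] NOTICE[2231] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Dec 23 17:40:05] NOTICE[2231] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[Dec 23 17:41:30] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[Dec 23 17:50:00] NOTICE[2231] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
"""

# Matches the assumed chan_sip failed-registration line and captures time, source IP, reason.
FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '.*?' failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+' - (?P<reason>.*)$"
)


def parse_failures(log_text):
    """Yield (timestamp, source_ip, reason) for every failed registration line."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # Syslog-style timestamps carry no year; 1900 is fine for relative windows.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("ip"), m.group("reason")


def flag_guessers(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: peak_failures} for sources with >= threshold failures inside `window`.

    This is the same sliding-window idea fail2ban applies (maxretry / findtime);
    the per-source window is what separates a guessing run from a mistyped password.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged = {}
    for ts, ip, _reason in parse_failures(log_text):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


# Assumed dial policy: internal extensions and domestic numbers are allowed,
# international calls only to the UK (44) and NANP (1) country codes.
ALLOWED_COUNTRY_CODES = ("44", "1")


def normalise(number):
    """Strip spacing/punctuation and rewrite a 00-prefixed international number as +CC form."""
    digits = re.sub(r"[\s\-().]", "", number)
    if digits.startswith("00"):
        return "+" + digits[2:]
    return digits


def destination_allowed(number, allowed_cc=ALLOWED_COUNTRY_CODES):
    """True if the dialled number is internal/domestic, or international to an allowed country."""
    n = normalise(number)
    if not n.startswith("+"):
        return True                         # internal extension or domestic number
    return n[1:].startswith(allowed_cc)     # str.startswith accepts a tuple of prefixes


if __name__ == "__main__":
    print("sources to alert on:", flag_guessers(SAMPLE_LOG))
    for dialled in ("1234", "+44 20 7946 0000", "0033 1 23 45 67 89"):
        print(dialled, "->", "allowed" if destination_allowed(dialled) else "blocked")
```

Run as-is it reports the 203.0.113.5 burst and leaves 198.51.100.7 alone; lowering the threshold to 2 with the default ten-minute window also catches the second source, which is the knob you tune against your own users' typo rate. The destination check is the logic you would express in the Asterisk dialplan (or your provider's outbound restrictions); keeping it as a function makes it easy to test the policy against a list of numbers before deploying it.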