How to make an in-house FreePBX secure from attacks

I am using FreePBX 14 and it is working fine, but I get thousands of attacks, and in Intrusion Detection my public IP has sometimes been blocked, and because of this calls are not working. I am using a Fortigate firewall and have opened ports 5060 to 20000 for the FreePBX. So my question is: 1. are port forwards mandatory for an inbound route (if I change the SIP registration port from 5060 to something else and do the same with the trunk provider)? Please let me know how I can make this FreePBX more secure so that call disturbance will not occur in future.
> I am using fortigate firewall and opened the 5060 to 20000

For the SIP interface you should be opening just 5060 and possibly 5061. One is SIP, one is PJSIP. For RTP you should be opening 10000 to 20000, UDP only. And depending on what you are doing with your box, i.e. VoIP service and endpoints, you may not need any open ports, or you may need to add some source/target IP rules to limit traffic to valid sources.
noci (Software Engineer, Distinguished Expert 2018)

Commented:
Even opening 5060 will give you all this unwanted attention.

On the FreePBX server:
- Use fail2ban (scans log files and produces block rules).
- Use iptables to filter traffic to what you want
  (e.g. if your SIP provider has 10 possible addresses, only allow those 10 addresses on the 5060 port).
- If you need to connect external mobile equipment, consider moving port 5060 to something else, or run those connections over a VPN (IPsec, OpenVPN) connection to your central point.
- Use the iptables string match to block port 5060 scans for "sipcli", "friendly scanner", and some others.

Use sngrep on the FreePBX system to get more insight into the SIP traffic.

Author

Commented:
I do not have any external mobile requirements, only my VoIP provider, which is connected with only one IP on 5060.

Then your Fortigate should be reconfigured so that traffic to and from your PBX is allowed only from the provider. That may be based on FQDN or on their IP address range; contact them for direction.

Also, as @NOCI suggested, be sure that your fail2ban and iptables rules are complete and tight as well.
Software Engineer, Distinguished Expert 2018
Commented:
Only allow port 5060 to be accessed from the one IP address in your firewall; this would be the simplest way to protect it.

The RTP ports may need to accept traffic from random addresses, so don't restrict those.
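The two pieces of host-side advice in this thread (noci's list: iptables restricted to the provider's addresses, a string match against scanner User-Agents, fail2ban on the logs; and the final answer: 5060 only from the one provider IP, RTP left open) as one added example. This is not code from the thread or from the FreePBX project. The provider address 203.0.113.10, the scanner source 198.51.100.7, the chain name SIP-FILTER and the sample log lines are placeholders I made up; the log format assumed is the chan_sip "Registration from ... failed for" line. The script only prints the iptables commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread or FreePBX): host firewall rules for a
# FreePBX/Asterisk box that talks to a single SIP provider, plus a
# fail2ban-style count of failed registrations per source address.
# Placeholders: provider 203.0.113.10, scanner 198.51.100.7, chain SIP-FILTER.
# Run as root and pipe the printed rules into sh to apply them.

SIP_PORT="${SIP_PORT:-5060}"
RTP_FIRST="${RTP_FIRST:-10000}"
RTP_LAST="${RTP_LAST:-20000}"
PROVIDER_IPS="${PROVIDER_IPS:-203.0.113.10}"     # space-separated list
# Strings the common scanners put in their SIP User-Agent header.
SCANNER_AGENTS="sipcli friendly-scanner sipvicious VaxSIPUserAgent"

gen_rules() {
    # Own chain, so reloading does not disturb the rest of INPUT.
    echo "iptables -N SIP-FILTER 2>/dev/null || iptables -F SIP-FILTER"
    # 1. Scanner traffic is dropped before any ACCEPT (case-insensitive match).
    for ua in $SCANNER_AGENTS; do
        echo "iptables -A SIP-FILTER -p udp --dport $SIP_PORT -m string --string \"$ua\" --algo bm --icase -j DROP"
    done
    # 2. SIP signalling only from the provider's address(es).
    for ip in $PROVIDER_IPS; do
        echo "iptables -A SIP-FILTER -p udp --dport $SIP_PORT -s $ip -j ACCEPT"
    done
    # 3. Anything else on the SIP port: log (rate limited) and drop.
    echo "iptables -A SIP-FILTER -p udp --dport $SIP_PORT -m limit --limit 6/min -j LOG --log-prefix \"SIP-REJECT: \""
    echo "iptables -A SIP-FILTER -p udp --dport $SIP_PORT -j DROP"
    # 4. RTP from any source, UDP only (media need not come from the
    #    provider's signalling address).
    echo "iptables -A SIP-FILTER -p udp --dport $RTP_FIRST:$RTP_LAST -j ACCEPT"
    # 5. Hook the chain into INPUT exactly once.
    echo "iptables -C INPUT -j SIP-FILTER 2>/dev/null || iptables -I INPUT 1 -j SIP-FILTER"
}

# What fail2ban's asterisk jail does: count failed registrations per source IP
# in an Asterisk log and print the addresses at or above the threshold.
# $1 = log file, $2 = threshold (fail2ban's maxretry)
offending_ips() {
    awk -v max="$2" '
        /Registration from .* failed for/ {
            # the source appears as: failed for '\''198.51.100.7:5060'\''
            if (match($0, /failed for '\''[0-9.]+/)) {
                ip = substr($0, RSTART + 12, RLENGTH - 12)   # skip "failed for '\''"
                fails[ip]++
            }
        }
        END { for (ip in fails) if (fails[ip] >= max) print ip }
    ' "$1" | sort
}

# Constructed sample log (not a real capture): three bad passwords from one
# scanner, one mistyped password from a phone on the LAN.
SAMPLE_LOG="${TMPDIR:-/tmp}/asterisk-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
[2019-03-01 10:00:01] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2019-03-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2019-03-01 10:00:02] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password
[2019-03-01 10:05:40] NOTICE[1234] chan_sip.c: Registration from '"201" <sip:201@203.0.113.5>' failed for '192.168.1.23:5060' - Wrong password
EOF

# Rules go to stdout (pipe into sh as root); the fail2ban-style report goes to
# stderr so it is never executed by that pipe.
gen_rules
echo "sources with >= 3 failed registrations in $SAMPLE_LOG:" >&2
offending_ips "$SAMPLE_LOG" 3 >&2
```

Before using it, check which port the box actually listens on: a stock FreePBX 14 puts chan_pjsip on 5060 and chan_sip on 5160 (Asterisk SIP Settings shows the real values), and adjust SIP_PORT to match the trunk. The string match needs the xt_string kernel module. If the FreePBX Firewall module is enabled it manages iptables itself and will discard hand-made chains on reload, so either put the provider address in that module's trusted zone or disable the module before loading rules like these. offending_ips only shows the counting logic; the real fail2ban jail on FreePBX does the same with maxretry and bantime and adds the block rule for you.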
