best firewall to elastix

elastixguy

Joined
Mar 1, 2008
Messages
36
Likes
0
Points
0
#1
I have my Elastix pbx connected directly to the internet.

Yesterday I scanned it from an external network and I was shocked to see several open ports listening on a public IP.

To make matters worse, these are known ports and are using default passwords! For example we have MySQL on port 3306.

I don't have the money to set up a dedicated firewall, so let's be realistic here.

What would be the best firewall to use with Elastix? iptables? APF?

And what ports should remain open as to not break the voip functionalities?


Regards
 

elastixguy

#2
I have installed APF and closed all inbound ports. I have only allowed outbound connections in the APF rules.

Is it OK?

Everything seems to be working, including voip calls to outside world. We can even receive calls on our voip number.

On the other hand, I have always been told to open inbound port intervals 5060-5070 and 10000-20000 for voip purposes. But I haven't and it's still working fine as far as I can see...

Any comments? Maybe I should open the mentioned ports in order to improve call quality or something?

Your comments / replies will be very appreciated =)
 

nothings_found

Joined
Nov 5, 2007
Messages
72
Likes
0
Points
0
#3
Hey there, nice to know some people here also care about security on their systems.

I have my system multi-homed: on one interface I have my local home network, and on the other interface I have the Elastix system connected to its own dedicated 16Mbs/2Mbs cable connection.

I have installed apf and bfd so that my system is protected from open ports and to make sure that if someone is trying to brute force into my system they get automatically banned.

The ports I have open on APF are:

UDP 5060_5080
UDP 10000_20000

And some other port that I use for management. You should be okay, I have not had issues with this setup ever since I configured it like that.

Good luck.
 

elastixguy

#4
Thank you nothings_found.

I might install bfd here as well. Do you know if bfd is capable of detecting SIP extension brute forcing?

Since we have 5060 open and some of our clients might know a few extensions, it shouldn't be hard for them to guess the credentials and make some free calls from within our PBX... I plan to use good passwords combined with bfd to solve this.

Also, why did you open the 5060_5080 port interval instead of just 5060 itself?

I have researched (googled =D) and if you're gonna use an IAX provider or external extension, you also have to open port 4569.

By the way, I have a very similar setup here with our pbx connected to its own dedicated cable link. ;-)
 

elastixguy

#5
It seems bfd is incapable of detecting SIP or IAX attacks.

Unless someone writes the proper rules... In which case I beg you to share them. :)

Anyways with strong passwords we should be safe for a while.

Post edited by: elastixguy, at: 2008/03/02 21:06
 

nothings_found

#6
Yeah, I was also hoping that bfd would do that. I have not gotten around to verifying what rules need to be made to have that functionality work.

Also, yeah, IAX port 4569 is needed only if you will be doing IAX trunking etc.

The reason why I used 5060_5080 is because some ATAs like to use non-standard ports when registering into the system, and although we only listen on 5060, I figured I'd open 5060_5080 since there is nothing listening in the range anyway.

:D
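
The thread leaves open how failed SIP registrations could be detected when bfd ships no rule for them. The following is an added example, not part of the original posts and not a bfd rule: it counts failed registrations per source address inside a time window. The log line layout (chan_sip `NOTICE` lines), the thresholds, and the names `find_offenders` and `SAMPLE_LOG` are assumptions made for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed layout of a chan_sip failed-registration notice; the source
# address may be logged as 'IP' or 'IP:port' depending on the version.
FAILED = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\].*?"
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def find_offenders(lines, max_failures=5, window=timedelta(minutes=5)):
    """Return {ip: extensions tried} for every source with more than
    max_failures failed registrations inside any single window."""
    recent = defaultdict(deque)   # ip -> failure times still inside the window
    targets = defaultdict(set)    # ip -> extensions it tried to register
    offenders = {}
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        # The log line carries no year; a fixed leap year is assumed so the
        # timestamps can be compared (this breaks across New Year).
        ts = datetime.strptime("2000 " + m["ts"], "%Y %b %d %H:%M:%S")
        ip = m["ip"]
        ext = re.search(r"sip:([^@>]+)@", m["from"])
        if ext:
            targets[ip].add(ext.group(1))
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:      # drop failures older than the window
            q.popleft()
        if len(q) > max_failures:
            offenders[ip] = targets[ip]
    return {ip: sorted(exts) for ip, exts in offenders.items()}

# Constructed sample: one source trying extensions 100-105 within seconds,
# and one user mistyping a password twice, half an hour apart.
SAMPLE_LOG = [
    "[Mar  2 21:00:%02d] NOTICE[2745] chan_sip.c: Registration from "
    "'\"%d\" <sip:%d@203.0.113.5>' failed for '198.51.100.7:5060' - Wrong password"
    % (i, 100 + i, 100 + i) for i in range(6)
] + [
    "[Mar  2 21:01:10] NOTICE[2745] chan_sip.c: Registration from '<sip:201@203.0.113.5>' failed for '192.0.2.10' - Wrong password",
    "[Mar  2 21:30:00] NOTICE[2745] chan_sip.c: Registration from '<sip:201@203.0.113.5>' failed for '192.0.2.10' - Wrong password",
]

if __name__ == "__main__":
    print(find_offenders(SAMPLE_LOG))
```

The function only reports addresses; what to do with them (for example adding them to the firewall's deny list) is left to the administrator.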
 
