The Incredible PBX: Adding Remotes, Preserving Security

Unlike most Asterisk®-based PBXs, which are insecure as installed and leave it to you to implement sufficient safeguards to preserve the integrity of your system, the Incredible PBX is delivered with tight security already in place. Because it is designed to operate behind a hardware-based firewall, what you'll be doing when you want to add functionality is loosening security rather than tightening it. The trick, of course, is to do it in a way that doesn't compromise the overall integrity of your system. As delivered, the Incredible PBX relies upon four layers of security: a hardware-based firewall of your choice[1], a preconfigured IPtables software firewall on the Linux host, preconfigured Fail2Ban to monitor your logs for suspicious activity and block offending IP addresses when abuse is detected, and random passwords for all extensions and DISA connections.

If you installed the Incredible PBX using SIPgate as the intermediate provider with Google Voice, then your hardware-based firewall should have no ports opened and forwarded to your server. If you used IPkall, then only UDP 4569 has been opened and forwarded to your server. And the Incredible PBX IPtables setup for IAX restricts access to just a few IP addresses to support IPkall.

There are obviously situations in which you will want or need additional connectivity. The most likely one involves activation of SIP telephones at remote locations, such as a branch office, Grandma's house, or a relative's room at college. The other obvious use is with cellphones and PDAs that support SIP clients, such as Android phones, iPhones, and iPads.[2]

What we'd recommend you not do is open the SIP floodgate to your PBX by providing unrestricted inbound SIP access, but we'll show you how if you really want or need this functionality. As desirable as this can be, it is accompanied by an array of security issues that really are not worth the risks unless you know what you're doing and you're willing to stay on top of security updates and keep your system patched.

Let's first tackle how to provide limited inbound SIP functionality without selling the farm. If the remote site has a fixed IP address, the procedure is straightforward: map the SIP signaling and RTP media ports on the hardware-based firewall to your server (UDP 5000:5082 and UDP 10000:20000), then use IPtables to restrict SIP access to the remote IP address(es) plus the subnet of your private LAN. You can find your server's address and subnet by running status. If your server's IP address is 192.168.0.123 with the usual 255.255.255.0 netmask, your private subnet is 192.168.0.0/24. (The sample rule below uses a 255.255.0.0 mask, which admits all of 192.168.x.x; narrow it to your actual subnet mask unless you really have devices spread across that range.) The IPtables firewall rules are stored in /etc/sysconfig/iptables. Edit that file and find the line that looks like this:

-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT

Delete or comment out this entry with a leading # and insert new entries in its place, using the public IP address(es) you wish to add plus the private subnet. Rule order matters in IPtables: the new entries must stay ahead of any later rule that drops or rejects the remaining INPUT traffic, so keep them where the original line was:

-A INPUT -p udp -m udp -s 141.146.20.10 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 141.146.20.11 --dport 5000:5082 -j ACCEPT
-A INPUT -p udp -m udp -s 192.168.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT


After making the changes, save the file (in nano: Ctrl-X, Y, then Enter) and restart IPtables with service iptables restart. Then confirm that the rules loaded as intended with iptables -L INPUT -n and check that only the sources you listed appear on the 5000:5082 entries.
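The same edit carried out by a script rather than by hand, as an added example that is not part of the original article or the Incredible PBX tooling. It assumes the stock rule text shown above, a 255.255.255.0 LAN netmask for the lan_cidr helper, and that you run it against a copy of /etc/sysconfig/iptables before touching the live file; the function names are my own:

```shell
#!/bin/sh
# Added example, not from the original article or the Incredible PBX scripts.
# Rewrites the wide-open SIP rule in an iptables save file so that UDP
# 5000:5082 is accepted only from the named remote addresses plus the LAN.
# Run it against a copy first; the real file is /etc/sysconfig/iptables.

# lan_cidr SERVER_IP  prints the /24 network containing the server,
# assuming the usual 255.255.255.0 netmask (adjust if yours differs).
lan_cidr() {
    printf '%s.0/24\n' "${1%.*}"
}

# sip_rules SOURCE...  prints one restricted ACCEPT rule per source
# (an IPv4 address or a CIDR block), in iptables-save syntax.
sip_rules() {
    for src in "$@"; do
        printf '%s\n' "-A INPUT -p udp -m udp -s $src --dport 5000:5082 -j ACCEPT"
    done
}

# restrict_sip FILE SOURCE...  comments out the unrestricted rule and puts
# the restricted rules in the same position, so they are still evaluated
# before any later rule that rejects the rest of the INPUT traffic.
restrict_sip() {
    file=$1
    shift
    rules=$(sip_rules "$@")
    awk -v rules="$rules" '
        /^-A INPUT -p udp -m udp --dport 5000:5082 -j ACCEPT$/ {
            print "#" $0      # keep the original line as a comment
            print rules       # restricted replacements, same place in the chain
            next
        }
        { print }
    ' "$file" > "$file.new" && mv "$file.new" "$file"
}

# Typical use on the live system, followed by a restart and a check:
#   restrict_sip /etc/sysconfig/iptables 141.146.20.10 "$(lan_cidr 192.168.0.123)"
#   service iptables restart && iptables -L INPUT -n | grep 5000:5082
```

Because the awk pass replaces the line in place, the restricted rules inherit the original rule's position in the chain; appending them at the end of the file would put them after the final REJECT and they would never match.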

Unfortunately, in many situations the remote phone or cellphone uses an Internet connection with a dynamic IP address, so we don't know in advance which address will show up. There are a number of solutions to this problem; here they are in our order of preference:

1. Spend the $200 and install another Incredible PBX at the remote site. The two servers can then be linked with IAX trunks, making connectivity between the systems transparent and leaving your firewall rules pinned to one known address.
2. Install VPN routers at both sites and use a private IP address to reach the host system. The remote device then has the equivalent of a fixed IP address, and the fixed-address procedure above applies unchanged.
3. Install OpenVPN on your host system and use a SIP phone or cellphone that supports VPN connectivity. Most of the high-end SNOM SIP phones have this functionality, as do Android phones, iPhones, and iPads. Again you get the equivalent of a fixed IP address, this time on a virtual private network.
4. Talk to the Internet service provider at your remote site and obtain the range of IP addresses its DHCP pool hands out... or just make an educated guess.[3] This is the weakest option: a carrier-sized range may contain tens of thousands of addresses, every one of which can then reach your SIP port.

BEFORE Activating Full SIP Connectivity. OK. We hear you. You travel for a living, and the IP address of your cellphone changes hourly, all day, every day of the year. Then, yes, you are a candidate for a full-fledged Asterisk server with unlimited SIP access. Before covering how, let's review what responsibilities go with running such a server. Bear in mind that one compromised SIP password or otherwise vulnerable application on your server (including Asterisk, FreePBX, SSH, and hundreds of others), and you may very well be the proud owner of a whopping phone bill. And we're not talking hundreds of dollars. It could very well be tens of thousands of dollars. And it doesn't take weeks or months. It could be a few hours.

Baker's Dozen SIP Security Checklist

1. Keep Asterisk Current & Patched
2. Keep FreePBX Current & Patched
3. Make Frequent Backups
4. Visit PBX in a Flash Forums Regularly
5. Subscribe to PBX in a Flash RSS Feed
6. Secure Alphanumeric Extension Passwords
7. Secure DISA, VMail, Root, FreePBX Passwords
8. Lock Down Extensions with Deny/Permit
9. Turn Off Recurring Payments with Providers
10. Restrict Trunks to 1-2 Simultaneous Calls
11. Tighten Dialplan by Removing Wildcards
12. Eliminate Intl & Toll Calls With Providers
13. Check FreePBX Call Logs Daily for Abuse

Baker's Dozen SIP Security Checklist. Before opening the floodgates, here is what each item on the list above means in practice:

1. Run the very latest version of Asterisk... all the time. Monitor asterisk.org and keep your system up to date by running update-scripts, update-source, and update-fixes regularly. The default Asterisk version on current PBX in a Flash and Incredible PBX builds is extremely reliable, but it contains SIP and IAX vulnerabilities that should not be exposed directly to the Internet.
2. Run the latest version of FreePBX and apply all patches as they are released.
3. Make frequent backups, bearing in mind that the Asterisk and FreePBX developers sometimes get things horribly wrong and stuff that used to work no longer does. Believe it or not, they're human!
4. Visit the PBX in a Flash Forums daily to keep abreast of security alerts and bug reports on CentOS, Asterisk, and FreePBX.
5. Subscribe to the PBX in a Flash RSS Feed, which carries security alerts when problems are reported.
6. Secure your extension passwords with very long, complex alphanumeric passwords. Ditto for your root and FreePBX passwords!
7. For DISA and voicemail, where the password is dialed from a keypad, use numeric PINs that are complex and extra long.
8. Lock down as many extensions as possible with deny/permit settings that restrict the IP addresses from which each extension may register. If you only have one or two remote SIP extensions with dynamic IP addresses, then every other extension should have deny/permit entries!
9. Turn off recurring payments with all of your telephony providers and keep minimal funds in all of your accounts. This caps your loss if a trunk is abused, but it also means you must monitor the accounts so they are not deactivated for lack of funds.
10. Restrict all of your trunks to one, or at most two, simultaneous calls to limit your exposure if someone breaks into your system.
11. Tighten your Trunk Dial Rules and eliminate any entries that would permit calls to anywhere in the world. If you don't regularly make international calls, there's absolutely no reason to have such entries in your dialplan. If you still have Ma Bell PSTN lines, this is even more important; in fact, consider eliminating long distance access on those trunks altogether.
12. Where possible, configure your provider accounts to block international and toll calls of all varieties.
13. Check your FreePBX call log every day to make certain no one is making calls on your nickel.

If you are unwilling or unable to perform these Baker's Dozen steps while continuing to monitor the sites provided and recheck your setup regularly (at least every week), don't activate unrestricted SIP access to your server.
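Items 8 and 10 can be checked rather than trusted. As an added example that is not part of the original article or FreePBX, the following shell functions scan a sip.conf-style file for peers that lack a deny/permit pair or a call-limit. The path /etc/asterisk/sip_additional.conf (where FreePBX writes extension peers) is an assumption, the function names are my own, and the sample configuration is constructed:

```shell
#!/bin/sh
# Added example, not from the original article or from FreePBX: an audit of an
# Asterisk sip.conf-style file that lists every peer still lacking the
# deny/permit pair (checklist item 8) or a call-limit (checklist item 10).
# FreePBX writes extension peers to /etc/asterisk/sip_additional.conf (path
# assumed); the fragment below is a constructed sample in that format.

# Constructed sample: 701 locked down, 702 pinned to a fixed remote address
# but without a call-limit, 703 wide open.
sample_sip_conf() {
    cat <<'EOF'
[701]
type=friend
secret=example-only-1
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
call-limit=2

[702]
type=friend
secret=example-only-2
deny=0.0.0.0/0.0.0.0
permit=141.146.20.10/255.255.255.255

[703]
type=friend
secret=example-only-3
EOF
}

# sip_audit FILE  prints one finding per line as "PEER: problem".  A peer
# needs both deny= and permit=: permit without deny still accepts everything,
# because an address matching no ACL rule is allowed by default.
sip_audit() {
    awk '
        function report() {
            if (peer == "" || peer == "general") return
            if (!(has_deny && has_permit))
                print peer ": no deny/permit pair, registers from any address"
            if (!has_limit)
                print peer ": no call-limit"
        }
        /^\[.*\]$/ {
            report()
            peer = substr($0, 2, length($0) - 2)
            has_deny = has_permit = has_limit = 0
            next
        }
        /^deny=/       { has_deny = 1 }
        /^permit=/     { has_permit = 1 }
        /^call-limit=/ { has_limit = 1 }
        END { report() }
    ' "$1"
}

# Typical use:  sip_audit /etc/asterisk/sip_additional.conf
```

Run it after every change made in FreePBX; an empty report for everything except your one or two dynamic-address remotes is the state the checklist asks for.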

Other Options. Consider using an intermediate provider such as voip.ms to provide SIP URI access to your server. Keep in mind that having a registered connection between your server and a VoIP provider alleviates the need to punch a hole in your firewall. So the idea here is to sign up for an inexpensive voip.ms account and set up the trunk connection with your server as either an IAX or SIP account with an always-on connection. Then voip.ms gives you the option of activating a SIP URI as part of a subaccount setup. Just create an internal extension on their server, and this will generate a SIP URI, e.g. 123456666@sip.us4.voip.ms where 12345 is your voip.ms account number and 6666 is the internal extension you created. This lets you connect directly with your server through the SIP URI from anywhere once you map this subaccount to an extension or IVR on your server. The charge for SIP URI calls is only $.001 per minute. The last step is to use this SIP URI in your remote SIP phone to connect back to your server. You can take advantage of the full range of Asterisk functions once these calls reach your server including IVRs and DISA. The approach is not only simple to implement, but it's also safe and economical.

There are some other alternatives as well. Use something like Google Voice or Ooma to redirect calls to your cellphone when you're traveling. Or buy an Ooma for Grandma or a MagicJack for Joe College. These options also are safe, secure, and quite inexpensive.


Activating Inbound SIP on Your Server. If you are still hell-bent on opening SIP access to your server, the Incredible PBX already is preconfigured to support it. Just map the SIP ports on your hardware-based firewall to your server (UDP 5000:5082 and UDP 10000:20000) and leave the unrestricted 5000:5082 IPtables rule in place. Once activated, anyone can reach you through the following SIP URI using the actual public IP address of your server: mothership@12.34.56.78. You also can adjust the e164 trunk in FreePBX to route inbound calls to any destination desired. Then register your phone number on e164.org, and callers whose own PBX performs ENUM lookups (as the Incredible PBX does) can reach you at no cost by dialing your traditional phone number. Expect registration scans of the kind shown in the comments below to begin shortly after the port is opened. Enjoy!


The Incredible PBX: Basic Installation Guide

Adding Skype to The Incredible PBX

Adding Incredible Backup... and Restore to The Incredible PBX

Adding Multiple Google Voice Trunks to The Incredible PBX

Remote Phone Meets Travelin' Man with The Incredible PBX

Continue reading Basic Installation Guide, Part II.

Continue reading Basic Installation Guide, Part III.

Continue reading Basic Installation Guide, Part IV.

Support Issues. With any application as sophisticated as this one, you're bound to have questions. Blog comments are a terrible place to handle support issues although we welcome general comments about our articles and software. If you have particular support issues, we encourage you to get actively involved in the PBX in a Flash Forums. It's the best Asterisk tech support site in the business, and it's all free! We maintain a thread with the latest Patches and Bug Fixes for Incredible PBX. Please have a look. Unlike some forums, ours is extremely friendly and is supported by literally hundreds of Asterisk gurus and thousands of ordinary users just like you. So you won't have to wait long for an answer to your questions.





  1. We, of course, continue to recommend a D-Link router/firewall. Low cost: WBR-2310 ($35). Better: DIR-825. Best: DGL-4500.
  2. We recommend the free SipAgent client for Android devices and the commercial Acrobits Softphone for iPods and iPads.
  3. Adding an entry like the following reduces the SIP attack surface compared with an open port, although a /16 still admits 65,536 source addresses: -A INPUT -p udp -m udp -s 141.146.0.0/255.255.0.0 --dport 5000:5082 -j ACCEPT

16 Responses to “The Incredible PBX: Adding Remotes, Preserving Security”

  1. Trousle says:

    Since this article is about remote clients, can the next article (or one in the next couple of weeks) be about adding remote servers or connecting servers using SIP or IAX?

  2. Curious says:

    The risk of bulk international calling obviously exists, but in Google Voice’s case, doesn’t Google Voice not connect an international call unless there is a sufficient balance in the account?

    Also, assume my SIP provider allows me to turn off international calling, would that also protect me?

    I’m an absolute newbie in the field and I’m not entirely sure where to begin my googling.

  3. Paul says:

    Hi Ward, great article. I have a hardware firewall and have port 5060 open. Your article implies that it's possible to leave this closed and still receive phone calls (perhaps I'm reading it wrong). As a test I disabled 5060 and dialed my home number from my cell: busy signal. How is it possible to receive calls with 5060 closed?

    [WM: Use the recommended firewalls, and there won't be a problem. Details here.]

  4. daj says:

    I’ll second Trousle’s request

  5. Michael says:

    “Then register your phone number on e164.org and others can call you at no cost using your traditional phone number” – Well that’s certainly not how enum works. Obviously these “others” would need to be calling through an enum trunk.

    [WM: The context was that others would also be using an Incredible PBX. And it would work as advertised.]

  6. Naser says:

    what about IAX client ? As you know the IAX is NAT friendly more than SIP. can the next article be about connecting IAX client ?

  7. Paul says:

    Hi Ward, why was my question/post removed?

    [WM: It wasn't. But we don't stay up all night moderating comments. :roll: Details here.]

  8. ward says:

    Another example of why opening SIP access to your server is a bad idea… from a user in Atlanta:

    > FYI —
    > Had '209.76.47.13' attempt to access a box this afternoon..
    > [Jun 9 15:03:10] NOTICE[3216] chan_sip.c: Registration from '"1831848281"' failed for '209.76.47.13' - No matching peer found
    > [Jun 9 15:24:47] NOTICE[3216] chan_sip.c: Registration from '"487739648"' failed for '209.76.47.13' - No matching peer found
    > In 21 Mins had 77,464 attempts.
    > JMS…
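
The registration storm quoted above is exactly what the Fail2Ban layer described at the top of the article watches for. As an added example that is not part of the original article, the comment, or Fail2Ban itself, the shell functions below tally failed chan_sip registrations per source address from Asterisk log text. The sample log lines are constructed in chan_sip's format, the function names are my own, and the threshold is yours to choose:

```shell
#!/bin/sh
# Added example, not from the original article or from Fail2Ban itself: a
# minimal version of the check Fail2Ban performs on Asterisk's log, counting
# failed SIP registrations per source address so a scanner like the one
# quoted above stands out.  The log lines are constructed samples in
# chan_sip's format, not taken from a real server.

# Constructed sample of /var/log/asterisk/full: one scanner, one local typo.
sample_log() {
    cat <<'EOF'
[Jun  9 15:03:10] NOTICE[3216] chan_sip.c: Registration from '"1831848281"' failed for '209.76.47.13' - No matching peer found
[Jun  9 15:03:11] NOTICE[3216] chan_sip.c: Registration from '"487739648"' failed for '209.76.47.13' - No matching peer found
[Jun  9 15:03:12] NOTICE[3216] chan_sip.c: Registration from '"101"' failed for '209.76.47.13' - Wrong password
[Jun  9 15:04:00] NOTICE[3216] chan_sip.c: Registration from '"702"' failed for '192.168.0.55' - Wrong password
EOF
}

# sip_fail_counts  reads Asterisk log text on stdin and prints "count ip"
# for every source with a failed registration, busiest first.
sip_fail_counts() {
    awk '
        /chan_sip.c: Registration from .* failed for / {
            # the address is the single-quoted token after "failed for"
            if (match($0, /failed for '\''[0-9.]+'\''/)) {
                ip = substr($0, RSTART + 12, RLENGTH - 13)
                n[ip]++
            }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# sip_offenders THRESHOLD  prints only addresses with at least THRESHOLD
# failures: the list you would hand to "iptables -I INPUT -s ADDR -j DROP"
# (or, on the Incredible PBX, let Fail2Ban block for you).
sip_offenders() {
    sip_fail_counts | awk -v t="$1" '$1 >= t { print $2 }'
}

# Typical use:  sample_log | sip_offenders 3
#               sip_fail_counts < /var/log/asterisk/full
```

A local phone with a mistyped password produces a handful of failures from a LAN address; a scanner produces thousands from one public address in minutes, which is why a count-per-source threshold separates the two so cleanly.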

  9. Scott says:

    Ward,

    Are there any problems with using Apple’s Extreme N Router? I haven’t seen any comments for or against. TIA

  10. Lee says:

    Since I use a Nokia N95, I followed through on the article's recommendation to find a VPN client for this phone. Nokia offers a sort of red herring for my purposes, called "Nokia Mobile VPN Client", which requires an IPsec router (like a Ci$co) or either OpenSwan or FreeSwan doing the job on a Linux box. I use DD-WRT for my routing purposes, which only offers OpenVPN/PPTP VPN service easily. So, in order to connect Symbian devices to something like a DD-WRT box, it is possible to use a $30 client called SymVPN from http://www.telexy.com.

    FWIW, the VPN version of DD-WRT also offers a Milkfish SIP firewall-thingy. In real life, this Milkfish sorted out my SIP NAT voice issues having a DD-WRT in a subnet behind another DD-WRT (which might be common in a well-networked multi-tenant building sharing a common internet connection).

  11. Joel says:

    I believe the address block for t-mobile is located here:

    https://developer.t-mobile.com/loadKbaseEntry.do?solutionId=1154

  12. Joel says:

    I believe everywhere you typed -dport you really should type --dport (with two hyphens), correct?

    [WM: Yes. It's a formatting bug in WordPress. We fixed it in the article, but there's no fix in comments. Sorry.]

  13. Joel says:

    Long story short, I also had to go to Tools > System Administration > Asterisk SIP Settings and enter my dyndns info to get audio to work.
    Hope this helps anyone with audio problems.

  14. Jeff says:

    I have spent the better part of a day trying to get external clients to be able to log into my SIP server (yes, I fully understand the risks). The whole reason I am using PIAF is to have a server for my SIP clients on my phones and tablet, connected from anywhere and everywhere. This became eminently more useful with the addition of the direct connection to Google Voice now available in PIAF.

    The above instructions over-simplify what is actually required to enable full network access. In addition to allowing your hardware firewall, you need to edit the IPtables firewall (I edited the WHITELIST rule, effectively whitelisting the internet for testing purposes) and ensure that the extension you are attempting to use isn’t limited to only the local network. After all of that, I was able to get full access to PIAF across the internet. Hope that helps someone else out who is having similar problems.

    [WM: Our Travelin' Man app makes the necessary modifications to both Asterisk and IPtables if you are using the current version.]

  15. ward says:

    A major SIP security vulnerability was discovered in all versions of Asterisk today. You can read all about it here.

    We have developed a script for Asterisk 1.8.x which will quickly patch your system and eliminate the problem. Log into your server as root and issue the following commands:

    cd /root
    wget http://incrediblepbx.com/sipfix
    chmod +x sipfix
    ./sipfix

    Please apply this patch immediately to protect your server!

  16. Joe McGuirl says:

    Ward,
    I think I am missing something here… TravelingMan does work as advertised except for one thing. It does not seem to remove the previous IP associated with the extension from the white list. And before anyone else says it, I know it does change the IP in the associated .inc file.

    [WM: See this thread on the PIAF Forum for more information.]
