When it comes to securing your PBX, QuestBlue recommends by default a whitelist-style firewall for deployments that do not have a hardware firewall or a firewall built into the PBX. This method gives you very strong control over who can reach your system, but whichever method you use, it must stay active at all times. Securing root access with a password alone is not enough. If you need assistance setting up your firewall, speak with a QuestBlue representative about scheduling a remote session so that we may assist.
Whichever route you take to protect the server, some sources must be allowed through in order to keep your PBX functioning normally:
Access from QuestBlue's SBC HA-NODE-IP Address: sbc.questblue.com 18.104.22.168
Inbound UDP on ports 10000-64000 (the RTP media range) from any IP. This is not a port forward; the media for each call arrives on whichever port in this range your PBX advertised when it set up the call, so simply do not block it.
Access from your LAN if the PBX is on your office network, or from your office WAN IP if the PBX is hosted in a data center or at another offsite location
Access for any remote workers, support personnel, vendors, or any other party that needs regular access from an outside network
Other than these, reject the rest. The system should be dark to all other traffic.
On an Asterisk deployment, the firewall rules live in the file /etc/sysconfig/iptables (the CentOS/RHEL iptables-services layout). A sample introductory iptables file is provided below:
Barebones iptables file (a complete iptables-save file needs the *filter header and the closing COMMIT, or iptables-restore will refuse to load it):
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#RTP media (ports 10000-64000 UDP) from any source
-A INPUT -p udp -m udp --dport 10000:64000 -j ACCEPT
#Port 5060 - SBC QuestBlue
-A INPUT -s 22.214.171.124/24 -j ACCEPT
-A INPUT -s 126.96.36.199/24 -j ACCEPT
-A INPUT -s 188.8.131.52 -j ACCEPT
-A INPUT -s 184.108.40.206 -j ACCEPT
#Remote Phones
#(one "-A INPUT -s <ip> -j ACCEPT" line per remote worker, vendor or support IP goes here)
#Port 3306 - Mysql from Known Sources
-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 3306 -j ACCEPT
#Reject The Rest
-A INPUT -p tcp -m tcp -j REJECT --reject-with tcp-reset
-A INPUT -p udp -m udp -j REJECT
COMMIT
(Note: in the section labeled #Remote Phones, replace the placeholder comment with one -A INPUT -s <ip> -j ACCEPT line for each IP that requires remote access. ESTABLISHED,RELATED rather than ESTABLISHED alone lets related traffic such as ICMP errors for your own connections back in. Do not include these lines in parentheses in your iptables file.)
Running nano /etc/sysconfig/iptables from the command line opens the file above for editing. Make a copy of the file ahead of time (for example cp /etc/sysconfig/iptables /etc/sysconfig/iptables.bak) in case you want to fall back to the original after editing and saving changes. The recommended firewall settings above will keep unwanted visitors off your Asterisk system: only the approved IP list can reach it. Note that REJECT answers each probe with a TCP reset or ICMP error, so a scanner can still tell that a host is there, just closed. If you want the server to be truly dark, change the two final REJECT rules to -j DROP (or set the INPUT chain policy to DROP), which silently discards unmatched packets.
Once you are done editing, save the file. CTRL-X exits nano; press y to save your changes, and Enter to keep the same filename.
Then run service iptables restart from the command line to restart the iptables service and apply the new firewall rules (on systemd-based releases with the iptables-services package, the equivalent is systemctl restart iptables). You should receive green OKs across the board. If you get any red Failed messages, your firewall is not currently running! You can find the offending line before restarting with iptables-restore --test < /etc/sysconfig/iptables, which parses the file without loading it. Fix whatever errors are reported and restart the firewall, otherwise your system is not protected! Confirm the loaded rules with iptables -L INPUT -n -v.
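Putting the procedure above into a script, as an added example that is not QuestBlue's own tooling: it builds a whitelist-style /etc/sysconfig/iptables file from two lists of trusted sources, validates every address before it reaches the firewall (a typo in one ACCEPT line silently exposes or locks out a source), and syntax-checks the result with iptables-restore --test before it is copied into place. It goes a step beyond the page's sample file in two ways: remote phones are only given SIP signaling on 5060/udp instead of full access, and the INPUT policy is DROP so unmatched packets are discarded silently rather than answered with a reset. The addresses in the demo call are placeholders from the documentation ranges, not real SBC or customer IPs.

```shell
#!/bin/sh
# Added example (not QuestBlue's script): generate and check a whitelist
# iptables ruleset for a PBX. All addresses used below are constructed
# placeholders; substitute your SBC, office/WAN and remote-worker sources.

RTP_PORTS="10000:64000"   # media range the page tells you to leave open

# valid_cidr ADDR: 0 for a dotted-quad IPv4 with an optional /0-32 prefix
# (198.51.100.9 or 192.0.2.0/24), 1 for anything else.
valid_cidr() {
    _addr=${1%%/*}
    _pfx=${1#*/}
    [ "$_pfx" = "$1" ] && _pfx=32           # no "/" given: single host
    case "$_addr" in *[!0-9.]*|"") return 1 ;; esac
    case "$_pfx"  in *[!0-9]*|"")  return 1 ;; esac
    [ "$_pfx" -le 32 ] || return 1
    _oldifs=$IFS; IFS=.
    set -- $_addr                           # split into octets
    IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do
        [ -n "$_o" ] && [ "$_o" -le 255 ] || return 1
    done
    return 0
}

# gen_rules "ADMIN_SOURCES" "PHONE_SOURCES": print a complete iptables-save
# file on stdout. Admin sources (SBC, office/WAN, support) get full access as
# in the page's sample; phone sources get only SIP signaling on 5060/udp.
# Returns 1 and prints nothing on stdout if any address fails validation.
gen_rules() {
    _admins=$1
    _phones=$2
    for _s in $_admins $_phones; do
        valid_cidr "$_s" || { echo "gen_rules: invalid address '$_s'" >&2; return 1; }
    done
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' ':FORWARD DROP [0:0]' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT' \
                  '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '# RTP media from any source (not a port forward)' \
                  "-A INPUT -p udp -m udp --dport $RTP_PORTS -j ACCEPT"
    printf '%s\n' '# Trusted sources: SBC, office/WAN, support (full access)'
    for _s in $_admins; do
        printf '%s\n' "-A INPUT -s $_s -j ACCEPT"
    done
    printf '%s\n' '# Remote phones: SIP signaling only'
    for _s in $_phones; do
        printf '%s\n' "-A INPUT -s $_s -p udp -m udp --dport 5060 -j ACCEPT"
    done
    # No REJECT tail: with policy DROP everything else is discarded silently,
    # so the host looks dark instead of answering probes with a reset.
    printf '%s\n' 'COMMIT'
}

# check_rules FILE: parse FILE with iptables-restore --test without loading
# it. Returns 2 when iptables-restore is not installed, so the caller can
# tell "not checked" from "rejected".
check_rules() {
    command -v iptables-restore >/dev/null 2>&1 || return 2
    iptables-restore --test < "$1"
}

# Demo with placeholder addresses; writes the generated ruleset to stdout.
# Real use: gen_rules ... > /tmp/iptables.new && check_rules /tmp/iptables.new \
#   && cp /tmp/iptables.new /etc/sysconfig/iptables && service iptables restart
gen_rules "18.104.22.168 192.0.2.0/24" "198.51.100.9 203.0.113.7"
```

Because gen_rules refuses to emit anything when a single address is malformed, the copy-and-restart chain in the usage comment never replaces a working ruleset with a half-written one, which is the failure mode behind the red "Failed" messages the restart step warns about.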
Port Scanning and Security
Port scanning is when an external client with no legitimate access probes a server or network to discover which ports are open. It is a standard reconnaissance step: the open ports tell an attacker which services are exposed and worth attacking, and on an unprotected PBX an open SIP port can be an outright means of access.
You can tell this is happening to your PBX if you start receiving multiple random calls at all hours of the day, usually with a caller ID of 100, 1000, or another extension that doesn't exist on your PBX. These are often referred to as ghost calls or phantom calls. They are generated by SIP scanners that send INVITE requests to port 5060 on every address they can reach, looking for PBXs and phones that answer; they stop once port 5060 is closed to untrusted sources.
To keep these scanners from reaching your PBX, ensure your router firewall has the following settings:
Allow port 5060 access from the IP address of the PBX and sbc.questblue.com only
Never allow ANY port 5060, UDP or TCP, from ANY/ANY
Always allow 10000-64000 UDP from ANY/ANY (RTP media only; no SIP signaling uses this range)
Follow these guidelines and your network will be locked down against port scanning.
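As an added example that is not part of QuestBlue's documentation, the script below turns the "ghost call" symptom described above into something you can measure and act on: it reads Asterisk's log for the messages chan_sip writes when an unauthenticated INVITE hits an unknown extension ("Call from '' (IP:PORT) to extension 'X' rejected because extension not found in context 'Y'.") or when a REGISTER fails ("Registration from '...' failed for 'IP:PORT' - Wrong password"), counts hits per source address, and prints a DROP rule for every source over a threshold that is not on your whitelist. The log lines are constructed samples in that format using documentation-range addresses, and the threshold, function names and whitelist handling are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not QuestBlue's tooling): find the SIP scanners behind
# ghost calls in /var/log/asterisk/full and turn them into DROP rules.
# The lines below are constructed samples, not real traffic.
SAMPLE_LOG="[Mar  4 02:11:09] NOTICE[2210] chan_sip.c: Call from '' (203.0.113.45:5060) to extension '100' rejected because extension not found in context 'from-trunk'.
[Mar  4 02:11:10] NOTICE[2210] chan_sip.c: Call from '' (203.0.113.45:5062) to extension '1000' rejected because extension not found in context 'from-trunk'.
[Mar  4 02:11:12] NOTICE[2210] chan_sip.c: Call from '' (203.0.113.45:5060) to extension '000972' rejected because extension not found in context 'from-trunk'.
[Mar  4 02:12:00] NOTICE[2210] chan_sip.c: Registration from '\"100\" <sip:100@198.51.100.9>' failed for '198.51.100.9:5060' - Wrong password
[Mar  4 02:13:31] VERBOSE[2210] pbx.c: -- Executing [201@from-internal:1] Dial(\"SIP/201-00000001\", \"SIP/202,30\") in new stack"

# offending_ips < LOG: print one source IP per rejected INVITE or failed
# REGISTER; everything else in the log is ignored.
offending_ips() {
    sed -nE \
        -e "s/.*Call from '[^']*' \(([0-9.]+):[0-9]+\) to extension .* rejected because extension not found.*/\1/p" \
        -e "s/.*Registration from .* failed for '([0-9.]+):[0-9]+'.*/\1/p"
}

# suspicious_sources THRESHOLD < LOG: "ip count" for every source with at
# least THRESHOLD hits, sorted by IP. A real phone mistypes a password once
# or twice; a scanner walks whole extension ranges in seconds.
suspicious_sources() {
    offending_ips | sort | uniq -c | awk -v min="${1:-3}" '$1 >= min { print $2, $1 }'
}

# drop_rules THRESHOLD WHITELIST < LOG: emit one iptables DROP command per
# suspicious source, skipping anything in the space-separated WHITELIST
# (SBC, office, remote workers) so a mistyped phone password never locks
# out a trusted site. Commands are printed, not executed, so you can review.
drop_rules() {
    _allow=" $2 "
    suspicious_sources "$1" | while read -r _ip _n; do
        case "$_allow" in *" $_ip "*) continue ;; esac
        printf 'iptables -I INPUT -s %s -j DROP   # %s hits\n' "$_ip" "$_n"
    done
}

# Demo on the constructed sample: only 203.0.113.45 crosses the threshold.
# Real use: drop_rules 3 "18.104.22.168 <office-ip>" < /var/log/asterisk/full
printf '%s\n' "$SAMPLE_LOG" | drop_rules 3 "18.104.22.168 198.51.100.9"
```

If the router firewall above is doing its job, this script should find nothing, which makes it a useful recurring check: scanner hits appearing in the log mean port 5060 has been opened to ANY/ANY somewhere in front of the PBX.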