Geekzone: technology news, blogs, forums


mruane

420 posts

Ultimate Geek
+1 received by user: 2


#68851 29-Sep-2010 13:43

I have recently reviewed security in respect of my Trixbox setup and wondered how others deal with remote IP phones that you want to set up as extensions on your Trixbox.

I have ensured that Anonymous access is not allowed although after reading the feedback to the SteveZone blog on SIP URI calls regarding a better way to deal with anonymous access, I am not sure which approach is best i.e. Anonymous access on or off.  The person who left feedback on that blog made some sense in suggesting leaving Anonymous Access turned on, but blocking attempts to connect by matching against inbound routes with a failed match resulting in a simple hangup!

However my main concern is my need to have port 5060 (or some other port) open on the firewall to allow remote IP phones to connect as extensions to my system. I have family overseas who connect to my Trixbox as an extension. Does anyone else have a similar situation and if so, can remote IP phones be connected without the need to expose the 5060 (or any other) port to the whole wide world?

Cheers Mike


joshp
205 posts

Master Geek
+1 received by user: 1

Trusted
WorldxChange

  #385921 29-Sep-2010 16:17

Do the phones connecting to your server have static IP addresses?

I would look to lock down port 5060 to your SIP provider and your remote phones' IP addresses. Using Trixbox or any other Linux Asterisk variant you can use iptables rules to implement this, or any other firewall for that matter.
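
The allowlist suggested in the post above, written out as an added example that is not part of the thread: a shell script that generates iptables rules accepting SIP on port 5060 only from listed sources and dropping everything else. The addresses are constructed placeholders, UDP signalling is an assumption, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): emit an iptables-restore fragment
# that accepts SIP only from an allowlist and drops all other SIP traffic.
# Assumptions: UDP signalling; addresses are constructed placeholders
# from the RFC 5737 documentation ranges.

SIP_PORT=5060
TRUSTED_SOURCES="203.0.113.10 198.51.100.0/24"   # SIP provider, remote phones

# Succeed only for a dotted-quad IPv4 address with an optional /1-32 prefix.
# The body runs in a subshell, so IFS and the variables stay local.
valid_ipv4() (
    addr=${1%%/*}
    if [ "$addr" != "$1" ]; then                  # a /prefix was supplied
        prefix=${1#*/}
        case $prefix in ''|*[!0-9]*) return 1 ;; esac
        [ ${#prefix} -le 2 ] && [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    fi
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    IFS=.
    count=0
    for octet in $addr; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
)

# Print the rules for port $1 and the sources that follow it.
# Prints nothing and fails if the port or any source is malformed.
sip_allowlist_rules() (
    port=$1; shift
    case $port in ''|*[!0-9]*) return 1 ;; esac
    [ ${#port} -le 5 ] && [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    rules='*filter'
    for src in "$@"; do
        valid_ipv4 "$src" || { echo "rejected source: $src" >&2; return 1; }
        rules="$rules
-A INPUT -p udp -s $src --dport $port -j ACCEPT"
    done
    printf '%s\n-A INPUT -p udp --dport %s -j DROP\nCOMMIT\n' "$rules" "$port"
)

# TRUSTED_SOURCES is left unquoted on purpose so it splits into arguments.
sip_allowlist_rules "$SIP_PORT" $TRUSTED_SOURCES
```

The output can be loaded with `iptables-restore --noflush`. Because `-A` appends, any broader ACCEPT rule already in the INPUT chain still takes precedence over the final DROP.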

 






sbiddle
30853 posts

Uber Geek
+1 received by user: 9996

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #386060 29-Sep-2010 21:14

If you are running fail2ban (and you really should be) then you're at least going to see if people are trying to hack your box.

One other option is to use non-standard ports; you can easily set a remote device to use port 8060 for SIP, for example. Most of the bot scripts out there are attacking port 5060.

At the end of the day, exposing a SIP port is a risk; you just need to calculate how big that risk is.

mruane

420 posts

Ultimate Geek
+1 received by user: 2


  #386075 29-Sep-2010 21:45

Thanks Gents

I can probably arrange for the remote IP Phones to originate from a fixed address, which sounds like the best option. Then only allow that port to be open from the specified IP addresses.

Cheers Mike
