So you have just installed Asterisk on a Linux system, and maybe you have also installed FreePBX to administer it. Good for you.
Firewalls…
Below I have listed a simple firewall script for use on a fresh CentOS + Asterisk installation.
# Reset the firewall: accept everything while flushing so we do not lock ourselves out
service iptables restart
iptables -P INPUT ACCEPT
iptables -F
# Loopback, and replies to connections this box started
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SIP signalling (UDP 5060-5061) and RTP media (UDP 10000-20000)
iptables -A INPUT -p udp -m udp --dport 5060:5061 -j ACCEPT
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# Web admin (FreePBX) and SSH; note these are open to every source address
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# IAX2 trunks
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# Rate-limited ping, drop the rest of ICMP
iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
# Default policies: drop anything not matched above
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
# Show the result, then persist it so it survives a reboot
iptables -L -v
/sbin/service iptables save
service iptables restart
Asterisk security tips…
Now that you have a simple firewall, let's talk about some simple ways to protect your Asterisk installation from hackers.
As part of my work in the telecoms industry I hear of a lot of people's Asterisk / SIP PBXs being hacked, and normally this is due to really stupid things like using the extension number as the password, i.e. username/extension 300 and password 300. This is very stupid and could cost you thousands of pounds.
So what to do…
My advice to anyone setting up Asterisk is to enable the firewall and only open the ports you need, i.e. the standard SIP and IAX ports; have the firewall only let SIP traffic in from a trusted source, i.e. your TSP or your remote workers' IP addresses; never use the extension number as the password; and use a hard/strong password.
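As an added example, not part of the original post, here is a small POSIX shell helper that turns the trusted-source advice into iptables rules: SIP and IAX are accepted only from the listed addresses, and traffic to those ports from anyone else is logged (rate-limited) and dropped. The function names and the 203.0.113.x / 198.51.100.x addresses are assumed placeholders; substitute your TSP and remote-worker addresses.

```sh
#!/bin/sh
# Added example (not from the original post): emit iptables rules that admit
# SIP signalling and IAX only from trusted sources. Rules are printed, not
# applied, so they can be reviewed before being fed to a shell.

# Return 0 if $1 is a dotted-quad IPv4 address with an optional /prefix (0-32).
is_ipv4_cidr() {
    case "$1" in
        ""|*[!0-9./]*|*/*/*|.*|*.|*..*) return 1 ;;
    esac
    addr=${1%%/*}
    prefix=${1#*/}
    [ "$prefix" = "$1" ] && prefix=32        # no "/" given: single host
    [ "$prefix" -le 32 ] 2>/dev/null || return 1
    set -- $(echo "$addr" | tr '.' ' ')       # split octets into $1..$4
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# $1: space-separated trusted IPv4 addresses/CIDR ranges (your TSP, remote
# workers). Prints ACCEPT rules per source, then a rate-limited LOG and a
# DROP for SIP/IAX from anyone else. Refuses an empty list, which would
# otherwise silently block all SIP.
trusted_voip_rules() {
    [ -n "$1" ] || { echo "trusted list is empty" >&2; return 1; }
    for src in $1; do
        is_ipv4_cidr "$src" || { echo "bad source: $src" >&2; return 1; }
        echo "iptables -A INPUT -s $src -p udp -m udp --dport 5060:5061 -j ACCEPT"
        echo "iptables -A INPUT -s $src -p udp -m udp --dport 4569 -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp -m udp --dport 5060:5061 -m limit --limit 5/minute -j LOG --log-prefix 'SIP-DENIED: '"
    echo "iptables -A INPUT -p udp -m udp --dport 5060:5061 -j DROP"
    echo "iptables -A INPUT -p udp -m udp --dport 4569 -j DROP"
}

# Constructed placeholder sources; replace with your provider and staff IPs.
trusted_voip_rules "203.0.113.10 198.51.100.0/24"
```

Insert the printed rules in place of the two unrestricted SIP/IAX ACCEPT lines of the script above; the RTP range is left as it was because media often arrives from your provider's media gateways rather than the signalling address.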