Phils Blog and Stuff

TELECOMS. VIRTUALIZATION. IT. CODING. and more…

Asterisk firewall and some useful tips….

Posted on 27/07/2011 (updated 08/03/2023) by Phil

So you have just installed Asterisk on a Linux system, and maybe you have also installed FreePBX to administer it. Good for you.

Firewalls..

Below I have listed a nice firewall script for use on a fresh CentOS + Asterisk installation.

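service iptables restart                                              # start from the saved ruleset
iptables -P INPUT ACCEPT                                              # keep the policy open while flushing so SSH is not cut off
iptables -F                                                           # flush the existing rules
iptables -A INPUT -i lo -j ACCEPT                                     # loopback
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT      # replies to connections already allowed
iptables -A INPUT -p udp -m udp --dport 5060:5061 -j ACCEPT           # SIP signalling
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT         # RTP media
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT                  # HTTP
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT                # alternate HTTP
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT                 # HTTPS
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT                  # SSH
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT                # IAX2
iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT        # ICMP, rate limited
iptables -A INPUT -p icmp -j DROP                                     # drop ICMP above the limit
iptables -P INPUT DROP                                                # default deny for everything else inbound
iptables -P FORWARD DROP                                              # this box does not route
iptables -P OUTPUT ACCEPT                                             # outbound is unrestricted
iptables -L -v                                                        # show the resulting ruleset
/sbin/service iptables save                                           # save the rules so they survive a reboot
service iptables restart                                              # reload from the saved rules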

Asterisk security tips…

Now that you have a simple firewall, let's talk about some simple ways to protect your Asterisk installation from hackers.

As part of my work in the telecoms industry I hear of a lot of people's Asterisk / SIP PBXs being hacked, and normally this is due to really stupid things like using the extension number as the password, i.e. username/extension 300 and password 300. This is very stupid and could cost you thousands of pounds.

So what to do…

My advice to anyone setting up Asterisk is to enable the firewall and only open the ports you need, i.e. the standard SIP and IAX ports. Have a firewall rule that only lets SIP traffic in from a trusted source, i.e. your TSP or your remote workers' IP addresses. Never use the extension number as the password, and use a hard/strong password.
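
The "trusted source only" advice, as an added example that is not part of the original post: this script prints the rules that would replace the two open SIP and IAX ACCEPT lines in the firewall script above. The TRUSTED_SIP variable, the function names and the addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. The addresses are constructed
# placeholders (RFC 5737 documentation ranges); substitute your TSP and
# remote-worker addresses.
TRUSTED_SIP="${TRUSTED_SIP:-203.0.113.10 198.51.100.0/24}"

# Accept only a plain IPv4 address or CIDR with a prefix of 8-32, so a typo
# or a stray 0.0.0.0/0 cannot quietly reopen SIP to the whole internet.
valid_source() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in ''|*[!0-9]*|???*) return 1 ;; esac
    [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print (not run) the rules that take the place of the open 5060:5061 and
# 4569 ACCEPT lines: one ACCEPT pair per trusted source, then a rate-limited
# LOG and a DROP for everyone else. Nothing is printed if any entry is bad.
sip_rules() {
    for src in $TRUSTED_SIP; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    for src in $TRUSTED_SIP; do
        echo "iptables -A INPUT -s $src -p udp -m udp --dport 5060:5061 -j ACCEPT"
        echo "iptables -A INPUT -s $src -p udp -m udp --dport 4569 -j ACCEPT"
    done
    ports="5060,5061,4569"
    echo "iptables -A INPUT -p udp -m multiport --dports $ports -m limit --limit 6/minute -j LOG --log-prefix 'SIP-DENY: '"
    echo "iptables -A INPUT -p udp -m multiport --dports $ports -j DROP"
}

sip_rules
```

Review the printed rules, then use them in place of the two open lines (not after them, since the first matching rule wins). The LOG line gives you a record of who is probing the SIP ports without filling the disk.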
