Recommended Security Settings
In this article you will find general recommendations for safeguarding your system against attacks.
Make certain that there is a router between your server and the internet. Connecting the server directly to the internet through the cable modem leaves it vulnerable to attack.
Make sure your server has a private internal IP address, and that the public IP of your server is not being broadcast to the internet.
NOTE: when performing port forwarding on your network, be sure to allow only trusted sources! Allowing untrusted sources can result in unsolicited registrations on your system.
The following ports are important and vulnerable to abuse - unsolicited inbound traffic on these ports should not be allowed:
UDP port 5060 (SIP)
TCP port 21 (FTP)
TCP port 22 (SSH)
TCP port 69 (TFTP)
TCP port 80 (HTTP)
These ports should be explicitly blocked and never forwarded to the internal IP of your PBX unless you have a specific use for them. In most cases, 5060 is the only port that should be forwarded, and specific firewall rules should be created to allow only known/trusted traffic or to deny unknown traffic into your network. A whitelist or blacklist can be programmed into most routers/firewalls and can include IP ranges as well as individual IP addresses.
For example, on the D-Link DIR-655 the steps to create a blacklist are:
Log into the router's web interface (defaults to http://192.168.0.1/)
Go to the 'Advanced' tab
Click 'Inbound Filter' on the left
Add a new rule with the start and end IP addresses and choose the 'Deny' option from the dropdown
This protects you from abuse by malicious parties: 5060 is the primary port they bombard with attacks in an attempt to register an IP phone to your system as an extension and place free long-distance/international phone calls. Port 21 is especially dangerous to leave open, as some malicious parties can force their way into your system and gain full command-line access, including all phone registration information.
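To make the whitelist/blacklist logic above concrete, here is an added Python example (not code from the article or from any router vendor) that models a router's inbound filter: a blacklist that is dropped first, a whitelist of trusted ranges, and the set of ports actually forwarded to the PBX (only SIP 5060/UDP, as recommended). The class name, the policy and the sample addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Ports the article says must not accept unsolicited inbound traffic.
RESTRICTED_PORTS = {("udp", 5060), ("tcp", 21), ("tcp", 22), ("tcp", 69), ("tcp", 80)}


@dataclass(frozen=True)
class Packet:
    src: str     # source IP address (IPv4 or IPv6) as text
    proto: str   # "tcp" or "udp"
    dport: int   # destination port on the PBX


class InboundFilter:
    """Hypothetical router-style inbound filter: a deny list, an allow list of
    trusted sources, and the set of ports actually forwarded to the PBX."""

    def __init__(self, allow, deny, forwarded=(("udp", 5060),)):
        self.allow = [ipaddress.ip_network(n, strict=False) for n in allow]
        self.deny = [ipaddress.ip_network(n, strict=False) for n in deny]
        self.forwarded = set(forwarded)

    @staticmethod
    def _in_any(addr, nets):
        return any(addr in net for net in nets)

    def decide(self, pkt):
        """Return (verdict, reason); the reason is what you would log."""
        addr = ipaddress.ip_address(pkt.src)
        key = (pkt.proto.lower(), pkt.dport)
        if self._in_any(addr, self.deny):
            return "deny", "source is on the blacklist"
        if key not in self.forwarded:
            # Restricted or unknown port with no forward rule: nothing reaches the PBX.
            what = "restricted" if key in RESTRICTED_PORTS else "unforwarded"
            return "deny", f"{what} port {pkt.proto}/{pkt.dport} is not forwarded"
        if self._in_any(addr, self.allow):
            return "allow", "forwarded port from a trusted source"
        return "deny", "forwarded port but source is not on the whitelist"


if __name__ == "__main__":
    # Constructed sample policy and traffic using RFC 5737 documentation ranges.
    fw = InboundFilter(allow=["203.0.113.0/24"], deny=["198.51.100.0/24"])
    for p in (Packet("203.0.113.7", "udp", 5060), Packet("192.0.2.9", "udp", 5060),
              Packet("203.0.113.7", "tcp", 21), Packet("198.51.100.4", "udp", 5060)):
        print(p, *fw.decide(p))
```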
If a root password is set, do not allow public IPs to connect to port 22, or allow only specific public IPs.
Make sure that "Enable callout" is disabled under extension/voicemail settings. Otherwise, if someone guesses your voicemail password or hacks your voicemail system, they can use it to place long-distance or international calls that will be billed to you (the owner of the voicemail box), not to their phone.