VoIP Security: Configuring the Elastix Firewall GUI

So you’ve got your Asterisk based Elastix system up and running and you are able to make and receive calls. Its probably safe to assume you have a static public IP address,  and a NAT router/firewall forwarding SIP traffic on port 5060 to your server and RTP traffic on a range of ports forwarded to your server as well. Your setup may vary, and I’ll assume that you have the knowledge to get the traffic to your server.

The good news is that your setup works, the bad news is that your VoIP server is probably still exposed to hackers who are (NO JOKE) actively trying to access your server. SIP is a very high value target for hackers and people are constantly scanning the internet for open connections on port 5060. When they find one the first thing they usually do is to try and brute force attack common extensions and get access to the server.

You will get notifications in your log like this one that show someone is trying to break in:

Screen shot 2014-01-02 at 10.44.06 AM

I am sure you were smart and set up very strong passwords for your extensions, but to be even safer it is a good idea to block inbound SIP traffic from non-trusted IP ranges.

The Elastix GUI interface allows you to control your server’s firewall settings by taking control of IPTables which is Linux’s software based firewall. If you choose to use the Elastix Firewall GUI, it is best to just use it and not rely on hand-coded IPTables rules.

The first thing to do is go to the Security Tab on the Elastix Admin.

Screen shot 2014-01-02 at 11.37.35 AM

The first thing open should be the Firewall settings and you need to specify to turn the Elastix Firewall on. At this point Elastix Firewall is controlling your IPTables and any hand coded settings you have made are nullified so you need to set up your firewall settings in the Elastix Firewall GUI exclusively.

Note that if you have services that are running on ports not covered by the default rules, like for example Webmin, they will cease to function until you allow them.

The default settings for the Elastix Firewall are pretty much useless for security purposes, just letting any traffic from anywhere into the serve.  You need to know how they work to configure them, they are numbered and are processed in order. You should not modify the First rule or the last three as they are critical to the system. Rule 1 allows local loopback traffic in the last three rules also allow the system to function.

For an in-depth look at how these rules and the Elastix Firewall GUI work check out This Guide that will help with most everything covered here except the final configuration.

If the only thing you are running on your system is Elastix/Asterisk and your VOIP provider has given you the IP addresses of their servers from where you can expect incoming traffic, you need to create a rule for each IP address and move it up anywhere above the last three rules. You should click the new rule button and add the IP address of the first server with the CIDR of /32 (One address allowed)

Screen shot 2014-01-02 at 11.54.07 AM

Then move the rule up using the up and down buttons next to the service number, anywhere above the last three rules will work. Make a new rule for each valid server IP address from your SIP trunk provider. Your SIP provider may give you a range of expected RTP IP addresses as well, and you can set up those addresses for RTP in a similar fashion. My SIP trunk provider only provides them for SIP connections so I have to leave RTP open.

Now go ahead and edit the Firewall rules for the services that you do use to include only the IP ranges you want to allow to access them, For example edit the incoming SIP rule to your local network to allow for LAN devices to connect. Edit the SSH rule to be your personal workstation or your local LAN.

Now use the Lightbulb icon to deactivate any services you do not use.

At the end of the day your firewall should look similar to this:

Screen shot 2014-01-02 at 12.07.20 PM

The rules basically say:

  1. Loopback traffic is OK
  2. Traffic from /16 on any protocol is Blocked (Region was trying to break in often)
  3. Traffic from my LAN is allowed on SSH
  4. Traffic from Provider SIP IP 1 on UDP:5060 is allowed
  5. Traffic from Provider SIP IP 2 on UDP:5060 is allowed
  6. Traffic from Provider SIP IP on UDP:5060 is allowed
  7. Traffic from Provider SIP IP on UDP:5060 is allowed
  8. Traffic from my LAN on UDP:5060 is allowed
  9. Traffic from my LAN on HTTPS is allowed
  10. Traffic from my lan on Dell Openmanage is allowed
  11. Traffic from any address on RTP is allowed

To set up rule 10 or a similar rule for a non-standard service/port you need to go to define ports and add a new port for your service then add a firewall rule to allow the service for the appropriate IP ranges.

All the rules below are disabled with the yellow light bulb except the final three system rules.

Screen shot 2014-01-02 at 10.40.24 AM

Now you have a more-secure Elastix system, using the Elastix Firewall GUI.

A word to the wise, should you break your ability to access the Elastix admin via HTTPS with the Elastix Firewall GUI, you need to SSH or locally access the system and type:

SUDO service iptables stop

Then go ahead and log in via the admin panel, change the offending rule and then go back in via SSH or local access and type:

SUDO service iptables start
Posted in Linux, Networking, VoIP.

Leave a Reply

Your email address will not be published. Required fields are marked *