Asterisk firewall and some useful tips…

So you have just installed Asterisk on a Linux system, and maybe you have also installed FreePBX to administer it. Good for you.

Below I have listed a firewall script for use on a fresh CentOS + Asterisk installation.

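# Start clean; keep the INPUT policy at ACCEPT while flushing so a remote session is not cut off
service iptables restart
iptables -P INPUT ACCEPT
iptables -F
# Loopback and replies to connections that are already established
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# SIP signalling (as written, open to any source address)
iptables -A INPUT -p udp -m udp --dport 5060:5061 -j ACCEPT
# RTP media
iptables -A INPUT -p udp -m udp --dport 10000:20000 -j ACCEPT
# Web ports: HTTP on 80 and 8080, HTTPS on 443
iptables -A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
# SSH
iptables -A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
# IAX2 (as written, open to any source address)
iptables -A INPUT -p udp -m udp --dport 4569 -j ACCEPT
# ICMP: accept up to 10 packets per second, drop the excess
iptables -A INPUT -p icmp -m limit --limit 10/second -j ACCEPT
iptables -A INPUT -p icmp -j DROP
# Everything not accepted above is dropped
iptables -P INPUT DROP
iptables -P FORWARD DROP
# Review the rules, save them so they survive a reboot, and reload
iptables -L -v
/sbin/service iptables save
service iptables restart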

Asterisk security tips…

Now that you have a simple firewall, let's talk about some simple ways to protect your Asterisk installation from hackers.

As part of my work in the telecoms industry I hear of a lot of people's Asterisk / SIP PBXs being hacked, and normally this is due to really stupid things like using the extension number as the password, i.e. username/extension 300 and password 300. This is very stupid and could cost you thousands of pounds.

So what to do…

My advice to anyone setting up Asterisk is to enable the firewall and only open the ports you need, i.e. the standard SIP and IAX ports; have the firewall only let SIP traffic in from a trusted source, i.e. your TSP or your remote workers' IP addresses; never use the extension number as the password; and use a hard/strong password.
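
One way to put the "SIP only from a trusted source" advice into practice, as an added example that is not part of the original script: the functions below print source-restricted rules meant to take the place of the unrestricted 5060:5061 and 4569 rules in the firewall script. The function names and the addresses (documentation ranges) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: print iptables rules that accept SIP and IAX2 only from
# trusted sources. The addresses are constructed placeholders from the
# RFC 5737 documentation ranges; use your TSP's and remote workers' IPs.
TRUSTED_SOURCES="203.0.113.10 198.51.100.0/24"

# Succeed only if $1 is a dotted-quad IPv4 address with an optional
# /1../32 prefix. /0 is refused because it would match every source.
valid_source() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/} ;;
        *)   prefix=32 ;;
    esac
    case $prefix in
        ''|*[!0-9]*|???*) return 1 ;;
    esac
    [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
    case $addr in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Print (not apply) per-source ACCEPT rules for SIP and IAX2.
# Prints nothing and fails if any entry is malformed.
voip_rules() {
    for src in "$@"; do
        valid_source "$src" || { echo "bad source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        echo "iptables -A INPUT -s $src -p udp -m udp --dport 5060:5061 -j ACCEPT"
        echo "iptables -A INPUT -s $src -p udp -m udp --dport 4569 -j ACCEPT"
    done
}

# Dry run: review the output before running it as root.
voip_rules $TRUSTED_SOURCES
```

The RTP range is left as in the original script, since the advice above concerns the SIP and IAX ports. Once the restricted rules are in place, save them with /sbin/service iptables save as the script does.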
