[asterisk-users] Access PBX from internet - best practice

richard.seguin at marisec.ca richard.seguin at marisec.ca
Thu Oct 17 06:13:06 CDT 2013


The endpoints do not have a fixed IP, and a VPN tunnel wouldn't work under this scenario.  Basically this setup is for people who are traveling, and may be using a smart phone at an airport (or something similar).  The idea is that our system can be used to reduce toll costs, and provide access to internal resources. 

Thank you for the recommendations on fail2ban, iptables, and the device naming scheme... I am not overly fond of having a device name (ex: 101) that corresponds to the extension being used, so I will be using user and devices under FreePBX to name them differently.


-----Original Message-----
From: "Administrator TOOTAI" <admin at tootai.net>
Sent: Thursday, October 17, 2013 6:56am
To: asterisk-users at lists.digium.com
Subject: Re: [asterisk-users] Access PBX from internet - best practice

On 17/10/2013 12:30, richard.seguin at marisec.ca wrote:
> Hello,

Hello

>
> I have a question about best practice (or recommended practice) for allowing SIP registrations from the Internet.

Registrations from Internet is vague:

- are EP with fixed IP: define the extension in SIP.conf with host = <EP IP>. You can even add an iptables rule to allow the <EP IP> to connect to port 5060 in udp (if your setup is this one)
- are EP travellers => fail2ban or through VPN. OpenVPN is a good solution.

> This is what I was thinking of implementing:
> 1. Use OpenSips for the SBC,  enable SRTP and TLS

All clients don't support SRTP

> 2. Allow limited access to the actual Asterisk PBX (behind firewall) via OpenSips
>
> Is there anything that I am missing that probably should be implemented?

In all cases I would recommend:

- a strong extension definition eg [MyFav0Rite-prefiX_123] instead of [123]
- always use fail2ban

  [...]

-- 
Daniel
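
The kind of check fail2ban applies to failed SIP registrations from travelling endpoints, as an added example that is not part of the original thread: count failures per source IP inside a sliding window and flag the source once it reaches a retry limit. The log lines are constructed in the style of chan_sip NOTICE messages (an assumed format), and `find_offenders` with its `maxretry`/`findtime` defaults is a hypothetical helper, not fail2ban's own code.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (documentation IP ranges); format assumed to follow
# chan_sip's "Registration from ... failed for ..." NOTICE lines.
SAMPLE_LOG = """\
[2013-10-17 06:00:01] NOTICE[2345] chan_sip.c: Registration from '<sip:100@pbx.example.com>' failed for '203.0.113.7:5060' - No matching peer found
[2013-10-17 06:00:05] NOTICE[2345] chan_sip.c: Registration from '<sip:101@pbx.example.com>' failed for '203.0.113.7:5060' - Wrong password
[2013-10-17 06:00:09] NOTICE[2345] chan_sip.c: Registration from '<sip:102@pbx.example.com>' failed for '203.0.113.7:5060' - No matching peer found
[2013-10-17 06:00:12] NOTICE[2345] chan_sip.c: Registration from '<sip:103@pbx.example.com>' failed for '203.0.113.7:5060' - No matching peer found
[2013-10-17 06:02:00] NOTICE[2345] chan_sip.c: Registration from '<sip:MyFav0Rite-prefiX_123@pbx.example.com>' failed for '198.51.100.20:5060' - Wrong password
[2013-10-17 06:05:00] NOTICE[2345] chan_sip.c: Registration from '<sip:MyFav0Rite-prefiX_123@pbx.example.com>' failed for '198.51.100.20:5060' - Wrong password
[2013-10-17 06:05:03] VERBOSE[2345] chan_sip.c: Registered SIP 'MyFav0Rite-prefiX_123' at 198.51.100.20:5060
[2013-10-17 06:40:00] NOTICE[2345] chan_sip.c: Registration from '<sip:MyFav0Rite-prefiX_123@pbx.example.com>' failed for '198.51.100.20:5060' - Wrong password
"""

# Capture the timestamp, the source IP (port optional) and the failure reason.
FAILED = re.compile(
    r"^\[(?P<ts>[\d\- :]+)\] NOTICE\[\d+\].*? chan_sip\.c: Registration from '.*' "
    r"failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)

def find_offenders(log_text, maxretry=3, findtime=600, allow=()):
    """Return {ip: datetime of the failure that reached maxretry within findtime seconds}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    banned = {}
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m or m["ip"] in allow or m["ip"] in banned:
            continue              # not a failure, allow-listed, or already flagged
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        # Drop failures that are older than the sliding window.
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()
        if len(window) >= maxretry:
            banned[m["ip"]] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the retry limit at {when}")
```

With the defaults, the source cycling through extension numbers is flagged, while the travelling user who mistypes a password three times over 38 minutes is not, because the failures fall outside one window.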
