nexMatrix has released new updates to Protel LTS and Protelity LTS that provide software firewall options and greatly enhance the options available for securing the IP PBX system.
Prior to this release, the Linux tool “Fail2Ban” has been installed on our PBX products; it is very effective at banning IP addresses that attempt to establish connections to the PBX and fail authentication. Fail2Ban, however, does not block SIP-specific connections that have managed to masquerade as authorized PBX peer connections. The new Protel/Protelity firewall tool allows you to accept SIP connections only from an IP whitelist, effectively locking down your PBX and blocking unwanted peer connections that could lead to fraudulent phone usage.
After the update is installed, you will notice that there is a new link under the Networking menu called “Whitelist IPs”. If you have previously configured whitelist entries in the PBX to be ignored by Fail2Ban, those entries will automatically be migrated to this new section.
Under the “Security Systems” link, you will now find the controls to Enable/Disable the Firewall settings. When enabled, the PBX will reject any SIP connection attempt unless the IP address has been whitelisted. While Fail2Ban will block any type of connection attempt after 3 failed authentications unless the address is in the whitelist, the Firewall will not even consider a SIP connection attempt unless the IP address is whitelisted. We recommend that you activate both security systems in order to maximize protection on the PBX, especially if the PBX is connected directly to an ISP public IP address.
Both Fail2Ban and the Whitelist Firewall use the same IP whitelist. Please note that after adding or deleting whitelist entries, you must STOP and then START each of the two security features in order for their tables to be updated and activated – a “Reload” command does not do this. If you forget to whitelist the IP address of any phone that is currently connected, starting the Firewall will immediately disconnect those phones. If you add new phones to your dialplan later, you will need to remember to whitelist their IP addresses as well. It is not necessary to whitelist your trunk connections; these are automatically added to the whitelist when you stop/start either of the security features. Since the Firewall is specific to SIP connections, you should not need to whitelist IP addresses that connect via HTTP or SSH, assuming that the connecting IP is using the correct credentials. Failed connection attempts from those addresses will still place them in the Fail2Ban list, however.
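As an added illustration of the two points above (SIP is dropped unless the source is whitelisted, and a phone left off the whitelist is cut off the moment the firewall starts), the following shell script is example code written for this page and is not the Protel/Protelity implementation. It assumes a plain-text whitelist and a plain-text list of registered peer IPs, one IPv4 address per line (constructed sample data below), and that SIP listens on UDP/TCP 5060; it prints the iptables commands rather than applying them, so it runs without root.

```shell
#!/bin/sh
# Added example (not nexMatrix's code): a SIP "deny unless whitelisted" firewall
# expressed as iptables commands, plus the pre-flight check the article implies:
# find registered phones whose IP is missing from the whitelist BEFORE starting
# the firewall, because those phones would be disconnected immediately.
# Assumptions (not from the page): whitelist and peer lists are text files with
# one IPv4 address per line; SIP listens on UDP/TCP 5060. CIDR entries are not
# expanded here, so matching is exact-IP only.

SIP_PORT=5060
CHAIN=SIP_WHITELIST

# Emit the iptables commands that build the chain from scratch. Rebuilding the
# whole chain (flush, re-add, re-drop) mirrors the article's "stop/start" model:
# a running rule set does not notice edits to the whitelist by itself.
# $1 = whitelist file
build_sip_rules() {
    wl="$1"
    echo "iptables -N $CHAIN 2>/dev/null || iptables -F $CHAIN"
    # Skip blank lines and comments; one RETURN (allow) rule per entry.
    grep -Ev '^[[:space:]]*(#|$)' "$wl" | while read -r ip; do
        echo "iptables -A $CHAIN -s $ip -j RETURN"
    done
    # Anything not whitelisted is dropped.
    echo "iptables -A $CHAIN -j DROP"
    # Only SIP traffic is sent through the chain; HTTP and SSH are unaffected.
    for proto in udp tcp; do
        echo "iptables -I INPUT -p $proto --dport $SIP_PORT -j $CHAIN"
    done
}

# Print registered peer IPs ($2) that are not present in the whitelist ($1).
# Returns 0 when every peer is whitelisted, 1 otherwise.
missing_peers() {
    wl="$1"; peers="$2"
    found=0
    for ip in $(grep -Ev '^[[:space:]]*(#|$)' "$peers"); do
        if ! grep -qxF "$ip" "$wl"; then
            echo "$ip"
            found=1
        fi
    done
    return $found
}

# --- constructed demo data (documentation addresses, not a real deployment) ---
demo_dir=$(mktemp -d)
cat > "$demo_dir/whitelist.txt" <<'EOF'
# SIP trunk provider (constructed)
198.51.100.5
# desk phones (constructed)
192.0.2.10
192.0.2.11
EOF
cat > "$demo_dir/peers.txt" <<'EOF'
192.0.2.10
192.0.2.11
192.0.2.20
EOF

# 192.0.2.20 is registered but not whitelisted, so the demo refuses to start.
if missing_peers "$demo_dir/whitelist.txt" "$demo_dir/peers.txt"; then
    build_sip_rules "$demo_dir/whitelist.txt"
else
    echo "refusing to start firewall: the peers above are not whitelisted" >&2
fi
```

In use, the whitelist file would be the same list both Fail2Ban and the firewall read, the peers file would come from the PBX's current registrations, and the printed rules would be applied by piping them to `sh` as root once the check passes. The DROP rule sits only on the SIP ports, which is why HTTP and SSH clients need no whitelist entry.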
Please let us know if you need additional information or clarification regarding this new feature enhancement.