8/2/2016 Firewall security

8/2/2016 Firewall security

nexMatrix has released new updates to Protel LTS and Protelity LTS that provide software firewall options and greatly enhance the options available for securing the IP PBX system.

Prior to this release, Linux “Fail2Ban” has been installed on our PBX products, which is a very effective tool for banning IP addresses that attempt to establish connections to the PBX with failed authentication.  Fail2Ban, however, does not block SIP-specific connections that have managed to masquerade as authorized PBX peer connections.  The new Protel/Protelity firewall tool allows you to only allow SIP connections from an IP whitelist, effectively locking down your PBX and blocking unwanted peer connections with the possibility for fraudulent phone usage.

After the update is installed, you will notice that there is a new link under the Networking menu called “Whitelist IPs”.  If you have previously configured whitelist entries in the PBX to be ignored by Fail2Ban, those entries will automatically be migrated to this new section.

Under the “Security Systems” link, you will now find the controls to Enable/Disable the Firewall settings.  When enabled, the PBX will reject any SIP connection attempt unless the IP address has been whitelisted.  While Fail2Ban will block any type of connection attempt after 3 failed authentications unless the address is in the whitelist, the Firewall will not even consider a SIP connection attempt unless the IP address is whitelisted.  We recommend that you activate both security systems in order to maximize protection on the PBX, especially if the PBX is connected directly to an ISP public IP address.

Both Fail2Ban and the Whitelist Firewall use the the same IP whitelist.  Please note that after adding or deleting whitelist entries, you must STOP and then START each of the two security features in order for their tables to be updated and activated – a “Reload” command does not do this.  If you forget to whitelist the IP address of any phone that is currently connected, starting the Firewall will immediately disconnect those phones.  If you add new phones to your dialplan later, you will need to remember to whitelist their IP addresses as well.  It is not necessary to whitelist your trunk connections, these are automatically added to the whitelist when you stop/start either of the security features.  Since the Firewall is specific to SIP connections, you should not need to whitelist IP addresses that connect via HTTP or SSH, assuming that the connecting IP is using the correct credentials.  Failed connection attempts will still place them in the Fail2Ban list, however.

Please let us know if you need additional information or clarification regarding this new feature enhancement.

    • Related Articles

    • Fortigate

      Fortigate firewall products have SIP session helpers that are on by default.   These need to be turned off! http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-voip-guide-52/sessionhelper-disenable.htm   Fortigate, like many firewalls, ...
    • nexMatrix Host Names and IP addresses

      nexMatrix SIP trunk service will connect to your IP PBX from one or more of these servers. You may need to whitelist these addresses and/or host names to allow unsolicited inbound traffic from them to your PBX on UDP port 5060 and whatever range of ...
    • How to Manually Provision a Grandstream Phone

      Before you begin:   Your phone needs to be powered up and connected to a Local Area Network (LAN) that is able to connect to the internet. Your computer needs to be on the same LAN as the phone.   1.  Find the IP address of the phone.    Press the ...
    • 9/24/2016 Trunk peer dialing

      We are pleased to announce a significant feature addition to the Protel LTS platform:  the ability to trunk multiple Protel PBX units together, allowing extension-to-extension dialing between any number of Protel systems, regardless of location.   To ...
    • Auto Attendants - Complete Programming Guide

      OVERVIEW Auto Attendants, sometimes called IVR (Interactive Voice Response), are a useful and versatile component in any PBX dialplan.  Commonly, they are used to play messaging and allow callers to direct calls by pressing number keys on their ...