VoIP How-To's

(Below applies if you are using IP Authentication rather than registering)

Before forwarding ports, make sure you have taken measures to secure your PBX fully. Ensure you have locked extensions down with strong passwords, extensions limited to certain IP Addresses and have a firewall & Fail2Ban correctly configured. Google for some tips. I take no responsibility for your PBX getting hacked.

1. Forward port 5060 to FreePBX
2. Login to FreePBX
3. Navigate to Connectivity > Trunks
4. Click 'Add SIP Trunk'
5. Configure as below:

Trunk Name: Digiweb
Outbound Caller ID: [As Preferred, Include Area Code, e.g. 011234567]

Outbound Settings
Trunk Name: Digiweb
PEER Details:
type=friend
insecure=very
nat=yes
qualify=no
canreinvite=no
host=[SBC IP Address from Digiweb]
dtmfmode=rfc2833
context=from-trunk
disallow=all
allow=alaw
disallow=all
permit=[SBC IP Address from Digiweb]

USER Context: from-trunk

USER Details:
[Blank]

Register String:
[Blank]

5. Click 'Submit Changes'
6. Click the 'Apply Config' at the top bar.

Like any other traditional phone system, it is possible that your phone system can be hacked. These tips should at least help in preventing your phone system from being hacked, but should not be seen as an ultimate list. As always, please let me know if anyone has anything to add.

1. Do not forward any ports from your router
It has been well documented that opening any ports on your router is the first technique any DDoS system will use to breach your system.

If you do need to forward ports, most firewalls have a setting on them that allow you to only forward ports for a certain IP Address (i.e. your provider's SBC/Server's IP). You should be able to find this under a 'Filter' or '' setting.

2. Change all passwords on all equipment and extensions
It is bad practice in my opinion to use default passwords on extension SIP accounts, e.g. don't use the password 100 on the extension 100. Some people use a mix of the phone's MAC address and random characters, but I think it's best to use a very long random password.

It's always a good idea to change the username and password on all network equipment (Router, Printers, File Shares etc), especially the router.

Make sure to change the default Asterisk password, voicemail passwords, FreePBX passwords and the server password. [If possible, do not use root. Some distros use root, some don't. If they don't, don't enable the root user. Use the sudo command instead.]

These password generators are very handy for passwords:
https://identitysafe.norton.com/password-generator
https://www.random.org/passwords/

3. Ensure software packages are kept up to date
It sounds pretty obvious but it's important. Keep all software updates up to date to patch any security bugs that appear from time to time.

E.g. For Debian based systems:
sudo apt-get update
sudo apt-get upgrade
raspbx-upgrade [Only For Raspbx]

Also, update any phone firmware that is available from the manufacturer.

4. Use a separate VLAN & encrypt calls
It's always a good idea to separate voice from other data on your network. If a computer gets a virus, then at least it won't be able to listen in on calls. I would also recommend to use SRTP and VoIP encryption on your network, especially if you are connecting computers and phones on the same network. If you don't do this, it is very easy to snoop on calls.

If you have a wireless network, separate this from the VoIP network by using a VLAN. Guests should be on a lan-firewall isolated network from any business server.

5. Restrict registrations
Lock down extensions to a certain IP address so no unauthorised person can go calling premium rate numbers willy-nilly.

6. Password protect premium rate numbers
International numbers, 118XX and 15XX numbers can cost a fortune to ring. It's possible to set a password on those routes. It would not suit some businesses however.

7. Encrypt calls between your network and your provider
In light of foreign Government surveillance and due to the exact nature of the internet, it's a good idea to encrypt calls to your provider. Whether or not it's encrypted between your provider and their carriers is unknown and beyond of your control. VoIP encryption is not that common, however, it's something that is being developed. Corporate espionage is a huge issue for businesses, and fortunately you can encrypt calls unlike with with traditional lines where you cannot prevent wiretaps.

8. Implement Fail2Ban
By now you probably think that you have enough done. Probably. But if you don't do any of the above, make sure you do this!
Set up Fail2Ban on your Asterisk box. Give them 1 chance, specify allowed IP ranges on your network and block any unauthorised users indefinitely. If you lock a phone out because you put in the wrong password, you can always unblock that phone.

9. Do not use inbound DID calling numbers
Some find it useful to set up a dial-in number to call out through your business phone system. It's not a great idea and if you're going to do it, lock it to your caller ID. You can always call out through a private number by setting up that through your outbound routes using the number 141 + the phone number you wish to ring. If possible, please avoid setting up a dial-in call-out number on your system!!

Other resources to read:
http://nerdvittles.com/?p=9452
http://www.voip-info.org/wiki/view/Asterisk+security
http://nerdvittles.com/?p=3148
http://www.businessbee.com/resources/news/technology-buzz/5-tips-beefing-voip-security/
http://meship.com/Blog/2011/04/21/network-voip-security-tips/