One of the most common environments where the PBX are being installed nowadays is in the Cloud (VPS), due that it is economic, that we don’t have to worry about issues with the hard disk or the internet, etc. But one of the major problems of installing our PBX systems in the cloud is the SIP scanners that automatically scan all the network searching for SIP servers to attack them and try to find vulnerabilities.
So, the question is, how can we protect our PBX? Well, there are different ways, some are simpler than others and more efficient. Coming up we will list the ways we can protect our PBX. These procedures can also be applied to your local PBX, so don’t worry, the cloud is not necessary to apply them.
Change the Default Ports
This is the most simple and quick way of protect our PBX, we can change the ports for others that are less common. The disadvantage of this method is that many SIP providers do not allow port 5060 to be exchanged for another one.
Define A Specific IP Address for the SIP/IAX2/PJSIP Devices
Another way to protect our PBX is to define an specific IP or network address for our devices, thus allowing only trusted devices to connect to our PBX. This is a method that although very simple and effective, will only work if we know the IP or the complete network of the devices, thus removing the flexibility that end users use dynamic IP addresses.
This is by far the best method to secure our PBX, for its simplicity, flexibility, efficiency, and high level of security. With this method there will be no need to worry about dynamic IP addresses, since each of the end users will have the necessary files to configure and authenticate their devices.
Although it may be a little complex for end users to configure their devices with this method, there are a series of posts, where step by step it is explained how to configure both the VPN server and its clients:
In addition, with this method you can eliminate in a large percentage the vulnerabilities of your system, since you can close all ports if necessary, except for the OpenVPN port, and only allow connections through the VPN. However, for any contingency, we recommend leaving at least the SSH port and the HTTP port open.