richard.seguin at marisec.ca
2013-Oct-17 10:30 UTC
[asterisk-users] Access PBX from internet - best practice
Hello,

I have a question about best practice (or recommended practice) for allowing SIP registrations from the Internet.

This is what I was thinking of implementing:
1. Use OpenSips for the SBC, enable SRTP and TLS
2. Allow limited access to the actual Asterisk PBX (behind firewall) via OpenSips

Is there anything that I am missing that probably should be implemented?

Thanks,
Richard
Administrator TOOTAI
2013-Oct-17 10:56 UTC
[asterisk-users] Access PBX from internet - best practice
On 17/10/2013 12:30, richard.seguin at marisec.ca wrote:
> Hello,

Hello

> I have a question about best practice (or recommended practice) for allowing SIP registrations from the Internet.

Registrations from Internet is vague:
- are EP with fixed IP: define the extension in SIP.conf with host = <EP IP>. You can even add an iptables rule to allow the <EP IP> to connect to port 5060 in udp (if your setup is this one)
- are EP travellers => fail2ban or through VPN. OpenVPN is a good solution.

> This is what I was thinking of implementing:
> 1. Use OpenSips for the SBC, enable SRTP and TLS

All clients don't support SRTP

> 2. Allow limited access to the actual Asterisk PBX (behind firewall) via OpenSips
>
> Is there anything that I am missing that probably should be implemented?

In all cases I would recommend:
- a strong extension definition eg [MyFav0Rite-prefiX_123] instead of [123]
- always use fail2ban
[...]

--
Daniel