Freeswitch and PBX security

[yukon]

Was wondering what everyone's security ideas are. How do you keep your system secure, how do you protect your provisioning, etc.

For me:

• All customers required to have static IP
• IP tables configured to only allow those IP's on 5060, etc
• Only https enabled, any IP can hit 443
• Use CIDR in fusionpbx provisioning
• Use http auth password for fusionpbx provisioning
• fail2ban setup with fusionpbx installed scripts and a couple custom ones.

Any other ideas and how do you handle security?

 

[NateDoc]

All accounts use named domains - that limits attackers dramatically since without knowing the domain name they can't ever successfully invite. Goes without saying not to use the domain in rDNS for this to be effective.

 

[DigitalDaz]

I have customers with static and dynamic IP
Provisioning I still do in the clear.
I also only use domain names and block anything that so much as sniffs at the IP

The current rule.v4 I think I have just posted on here somehwere

 

[DigitalDaz]

Yep, see http://www.fusionpbxforums.com/threads/iptables-rules.120/#post-280

 

[roger_roger]

I used to block all address except my customer's but then we started offering a mobile client and that made it mandatory that we do not block any addresses.

I have an ACL on my router that blocks most RIPE addresses and some other large blocks that I have identified as being potentially bad. I also have fail2ban set pretty aggressively as well.