Is port 5080 insecure?

Status
Not open for further replies.

AIC2000

Member
Feb 15, 2018
Just looking to get some opinion really. A solution to many provider routing inbound call issues is to point them to 5080 instead of 5060 - meaning they are in the PUBLIC context rather than authenticated.

Should 5080 be locked down so that not any IP can send inbound traffic to them?

Is this something that should be done? As it doesn't seem to be mentioned in many places!

Thanks :)
 

EasyBB

Active Member
Oct 23, 2016
Australia
> Should 5080 be locked down so that not any IP can send inbound traffic to them?

It is always a good idea to have multiple layers of protection: at the firewall, inbound dial plan, etc.

I usually allow only the providers' IPs through the firewall. As an added security measure (or if you don't use a firewall), the inbound dial plan can take a condition to match network_addr (the IP address of the server sending the INVITE).

FusionPBX default installation also installs fail2ban protecting both 5060 and 5080.
 

AIC2000

Member
Feb 15, 2018
Ah, of course, Fail2ban has a rule, doesn't it? I believe if an IP tries a destination that gets more than 3 (or something) 404 not found, it'll ban the IP address - therefore giving you that protection for abuse!
 

EasyBB

Active Member
Oct 23, 2016
Australia
Fail2ban may go inactive or can fail without warning, so don't depend on it 100%. Set up some form of security at every possible level so a compromise would require getting through multiple defenses.

I am always careful not to let unsolicited packets reach FreeSWITCH. To achieve this I use a mix of VPN, non-standard SIP port, router firewall and NAT, iptables and fail2ban. Not all methods are possible in every situation.
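The provider-only firewall allowlist for port 5080 described in this thread, as an added example that is not part of any post and not FusionPBX's own configuration. The function names, the /8 minimum prefix policy and the provider addresses (RFC 5737 documentation ranges) are assumptions; the script only prints rules for review and applies nothing.

```shell
#!/bin/sh
# Added example: emit iptables rules that admit SIP on 5080 only from listed
# provider addresses. Addresses used below are constructed sample values.

SIP_PORT=5080

# Succeeds only for a dotted-quad IPv4 address with an optional /8../32 prefix.
# Assumed policy: anything broader than /8 (e.g. 0.0.0.0/0) is refused, since
# it would reopen the port to arbitrary senders.
valid_source() {
    addr=${1%%/*}
    case $1 in */*) prefix=${1#*/} ;; *) prefix=32 ;; esac
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -ge 8 ] && [ "$prefix" -le 32 ] || return 1
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr            # split the address into its octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Prints one ACCEPT rule per provider and protocol, then a DROP for every
# other source. Prints nothing and fails if any address is malformed, so a
# typo cannot produce a partial rule set.
gen_sip_allowlist() {
    [ $# -gt 0 ] || { echo "no provider addresses given" >&2; return 1; }
    for src in "$@"; do
        valid_source "$src" || { echo "rejected source: $src" >&2; return 1; }
    done
    for src in "$@"; do
        for proto in udp tcp; do
            echo "iptables -A INPUT -p $proto -s $src --dport $SIP_PORT -j ACCEPT"
        done
    done
    for proto in udp tcp; do
        echo "iptables -A INPUT -p $proto --dport $SIP_PORT -j DROP"
    done
}

# Constructed provider list for illustration.
gen_sip_allowlist 203.0.113.10 198.51.100.0/28
```

`-A` appends to the chain, so these rules only restrict the port if no earlier INPUT rule already accepts it.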
 