Simple way to keep hackers out of your Digium Switchvox PBX system (or any VOIP PBX)

In this article I will show you an easy way to keep hackers or anyone unwanted from connecting to your Digium Switchvox PBX system (or any VOIP PBX).


This solution will work the same on any VOIP PBX. This can be achieved without having to rely on VPN access! It works great for Dynamic IP remote users! It’s super easy to maintain!

A little background…

I’ve used the Digium Switchvox on-prem PBX with a SIP trunk from Nextiva for over 2 years. The only trouble I have had has been hackers trying to connect to our PBX on port 5060 so they can place international TOLL calls through it. The rules listed below block them from having access. Since I made these rules, I’ve had ZERO successful hack attempts and ZERO TOLL calls placed on our PBX. If you’re not listed in these rules, the PBX simply does not answer you. The rules also help call quality: because a hacker gets no response on port 5060, they can not run their scanning and brute-force tools against your PBX, so your SIP ports are not flooded with bogus registration and call requests and you do not get static or choppy audio on your calls. There is nothing worse than choppy VOIP calls…well, except for choppy POTS lines!


Hackers love port 5060!

If you are using your VOIP PBX for any phones connecting from outside of your network, you are forced to open up SIP port 5060 (or whatever SIP port you use) to your PBX. With this simple rule set, you can block everyone except those you wish to connect to your PBX. (The other option is creating a ton of rules in your firewall, and this is simpler!)

Create a rule in your PBX Access Control to BLOCK ALL NETWORKS with a CIDR range of 0.0.0.0/0. That range matches every IPv4 address, so on its own this rule will BLOCK ALL connections to your PBX!

[Screenshot: the BLOCK ALL NETWORKS (0.0.0.0/0) access control rule]

(NOTE: In this rule I only allow access to the admin functions and the user portal login screens of our PBX from the outside world, so that I can manage the system remotely! Keep in mind that this leaves the admin and user portal login pages reachable from any address, so those accounts need strong passwords; if you always manage the PBX from the same place, allowing admin only from that address range is tighter.)

Next create a rule in your PBX to ALLOW your local LAN IP CIDR range (for example 10.0.0.0/8, 192.168.0.0/16, or the exact subnet you use, such as 192.168.1.0/24). Note that a /32 covers a single address only, so the prefix length must be wide enough to cover your whole LAN.

[Screenshot: the LOCALIPS allow rule for the LAN range]

(You will need a rule for each IP range in your LAN, so you will have several rules for this. I allow all functions, except the config server for local LAN IPs.)

For each of your remote VOIP phones you will need their WAN (public) IP address. I normally have my outside phone users go to http://www.ipchicken.com to determine their IP address.

Next I search their IP on http://www.arin.net to get their CIDR range (as pictured below).

[Screenshot: ARIN lookup result showing the CIDR range for the user’s IP]

(Simply plug their IP into ARIN and you can easily see their CIDR range. Two caveats: ARIN only covers North American addresses, so for users elsewhere you look up the IP at the regional registry for that region instead, and the range returned is the ISP’s whole allocation, which can be far larger than the subnet your user actually sits in. Everyone in that allocation will be able to reach your SIP port.)

Create a rule for each remote phone allowing the CIDR range that you got from ARIN.

[Screenshot: the USERRULE allow rule for a remote user’s CIDR range]

(For remote users I allow SIP and the Web User Portal/User API, so that my users can check the PBX from their mobile devices for voicemails, transferring calls, etc.)

Once these rules are established, only the IP addresses in your local LAN and in your specified remote users’ CIDR ranges can connect to your PBX. You could just add each user’s WAN IP as a single address, but I prefer to use the CIDR range, because if they do not have a static IP, most of the time their dynamic IP will stay in the same range.

A user with a dynamic IP can also change CIDR ranges, especially after a power loss or a reboot of their cable/DSL modem. I create a new rule each time this happens. So if User Smith loses connection, I’ll get their new IP address and add a rule USERSMITH2, leaving the old CIDR range in place just in case they migrate back to that dynamic range.

Very rarely is a hacker going to be sitting inside your users’ CIDR range. Yes, it’s possible, but it is unlikely, and it is a much smaller target than the whole Internet. Most hack attempts that I have seen in the past 3 years have come from overseas IPs.

This works well for those who have remote users without static IP addresses: if their IP changes and their phone no longer connects, simply add their NEW IP’s CIDR range to your allowed list.
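To make the rule logic above concrete (the deny-all rule, the LAN and per-user allow rules with per-service permissions, and the check for whether a user’s new dynamic IP still lands inside an allowed range), here is an added Python example. It is not part of the original post and is not Switchvox code; the rule names, the LAN ranges and the 203.0.113.0/24 and 198.51.100.0/22 “ISP allocations” are placeholders (RFC 5737 documentation ranges), the connection attempts are constructed, and it assumes that when rules overlap the most specific (longest prefix) rule wins over the 0.0.0.0/0 block rule.

```python
import ipaddress
from dataclasses import dataclass

# Services a rule can grant, mirroring the per-rule checkboxes in the post:
# SIP (port 5060), admin UI, web user portal/API, config server.
SERVICES = {"sip", "admin", "portal", "config"}


@dataclass(frozen=True)
class Rule:
    name: str
    network: ipaddress.IPv4Network
    allowed: frozenset  # services hosts in this network may reach


def rule(name, cidr, *services):
    assert set(services) <= SERVICES, f"unknown service in {name}"
    return Rule(name, ipaddress.ip_network(cidr, strict=False), frozenset(services))


# The rule set from the post, as data. Placeholder ranges (assumption):
# 10.0.0.0/8 and 192.168.1.0/24 stand in for the LAN, 203.0.113.0/24 and
# 198.51.100.0/22 stand in for the ISP allocations an ARIN lookup returns.
RULES = [
    rule("ALLNETWORKS", "0.0.0.0/0", "admin", "portal"),   # block all, except admin/portal
    rule("LOCALIPS-10", "10.0.0.0/8", "sip", "admin", "portal"),
    rule("LOCALIPS-192", "192.168.1.0/24", "sip", "admin", "portal"),
    rule("USERSMITH", "203.0.113.0/24", "sip", "portal"),
    rule("USERJONES", "198.51.100.0/22", "sip", "portal"),
]


def hosts_covered(cidr):
    """Number of addresses a CIDR range covers: shows why a /32 is a single
    host and why an ISP-sized allocation is a much wider allow than one user."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def matching_rule(ip, rules):
    """Most specific rule containing ip (assumption about overlap handling).
    The 0.0.0.0/0 block rule only wins when nothing narrower matches."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in rules if addr in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: r.network.prefixlen)


def is_allowed(ip, service, rules=RULES):
    r = matching_rule(ip, rules)
    return r is not None and service in r.allowed


def needs_new_rule(ip, rules=RULES):
    """True when a remote phone at ip can no longer reach SIP, i.e. its
    dynamic address moved outside every allowed CIDR range (time for USERSMITH2)."""
    return not is_allowed(ip, "sip", rules)


# Constructed sample of connection attempts (source IP, service requested);
# not real log data.
ATTEMPTS = [
    ("192.168.1.25", "sip"),    # desk phone on the LAN
    ("10.20.30.40", "config"),  # LAN host, but config server is not allowed from the LAN
    ("203.0.113.77", "sip"),    # User Smith's phone, inside the allowed ISP range
    ("198.51.100.9", "admin"),  # remote user trying the admin UI: remote rules grant no admin
    ("192.0.2.200", "sip"),     # scanner hitting 5060 from an unlisted range: dropped
    ("192.0.2.200", "admin"),   # same scanner: the admin login page is still reachable
]


def evaluate(attempts=ATTEMPTS, rules=RULES):
    """Return (ip, service, matched rule name, allowed) for each attempt."""
    out = []
    for ip, service in attempts:
        r = matching_rule(ip, rules)
        out.append((ip, service, r.name if r else None, is_allowed(ip, service, rules)))
    return out


if __name__ == "__main__":
    for ip, service, name, ok in evaluate():
        print(f"{ip:>15} {service:<7} rule={name:<13} {'ALLOW' if ok else 'DENY'}")
    print("192.168.0.0/32 covers", hosts_covered("192.168.0.0/32"), "host(s)")
    print("198.51.100.0/22 covers", hosts_covered("198.51.100.0/22"), "host(s)")
```

The last two attempts are the point of the NOTE above: with admin left open in the 0.0.0.0/0 rule, a scanner that cannot touch SIP can still reach the admin login page, so that page is only as safe as its passwords.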


Another TIP: If your user loses connection (due to an IP change), you can temporarily enable SIP on the BLOCK ALL NETWORKS rule and let the user’s phone reconnect to your PBX. Once they are connected, you will see their WAN IP; pop that IP into ARIN, add their CIDR range, then disable SIP on the block rule again. This lets you add your user’s IP without having them go to IPChicken.com (or another WAN IP lookup website). While SIP is enabled on the block rule the whole Internet can reach port 5060, so keep that window as short as possible.

Since I put these rules into place, the only things I see in my PBX error logs are users dialing incorrectly! Out of thousands of calls a day, there may be 10-15 entries in the error logs!

Comments
  1. Nathan Shands says:

    I like your approach to keeping hackers off the PBX. I implemented a similar policy in our PBX and now our calls are clear, and there are no more hack attempts in our PBX log file. Having to have ports 5060/5061 open to the public for SIP trunking, your instructions have saved me! No more bogus calls on our SIP trunk!

    Keep up the good work, I’ve favorited your blog!

  2. David says:

    Does your phone system ever get overloaded with blocking incoming connections? We use our firewall to do the same thing you are doing…although the Switchvox is much easier to configure than the Cisco ASA!

  3. Mark Gardner says:

    This information is great.
    Additional question:
    I have users who I would like to allow to use the Switchvox App on their smart phones and I assume that means their IP/CIDR range will change with every mobile cell they hand off to as they travel.
    Is there a method in SIP permissions/blocking that validates based on mobile MAC rather than CIDR range?
    Thanks!
