About

Security is about mitigating risk while preserving ease of use, problem detection and remediation, and protecting the most important characteristics of the system. This section provides a number of points to consider.

Considerations

General Recommendations

If you are not using a VPN and are not on a local intranet with the FreeSWITCH server, make sure to use SIP_TLS, because otherwise all SIP traffic and authentication is sent in the clear.

The most basic things for any system include:

Sources to consider:

FreeSWITCH Configuration

Passwords and Other Confidential Information

Your configuration will have a number of areas where confidential information is stored. Here is a list to start with:

Please change the following elements of the default configuration:

Local Registrations

Firewall configuration

An example configuration for iptables can be found at Iptables on debian.

Rate-Limit Examples

by Bret McDanel

It may be useful to rate-limit incoming SIP traffic. Below is an example of how this can be done. If you use the default internal and external SIP profiles, apply the limit to both ports 5060 and 5080.

# Trixter's SIP rate limiter (This helps protect you from DoS attacks)
# "-m limit" matches while traffic is still under the limit, so accept those packets and reject the overflow in a second rule
iptables -A INPUT -i eth0 -p udp --dport 5060 -m limit --limit 5/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 5060 -j REJECT
iptables -A INPUT -i eth0 -p udp --dport 5080 -m limit --limit 5/s --limit-burst 5 -j ACCEPT
iptables -A INPUT -i eth0 -p udp --dport 5080 -j REJECT

5 per second TOTAL may be too low for your usage. This ended up preventing all five of my UAs from registering.

DoS REGISTER Attack Prevention

# Accept at most 4 REGISTERs per minute from each source IP (per destination port);
# REGISTERs above that rate fall through to the DROP rule (needed unless INPUT already defaults to DROP)
iptables -A INPUT -m string --string "REGISTER sip:" --algo bm --to 65 -m hashlimit \
    --hashlimit 4/minute --hashlimit-burst 1 --hashlimit-mode srcip,dstport \
    --hashlimit-name sip_r_limit -j ACCEPT
iptables -A INPUT -m string --string "REGISTER sip:" --algo bm --to 65 -j DROP

# Drop the "friendly-scanner" User-Agent outright (inserted at the top of INPUT)
iptables -I INPUT -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm -j DROP
-Or-
# Send REGISTERs for the FreeSWITCH address/port to a dedicated chain; the chain must be created first
iptables -N dos-filter-register-external
iptables -A INPUT -d YOUR_FS_IP -p udp -m udp --dport YOUR_FS_PORT -m string \
    --string "REGISTER" --algo kmp --from 20 --to 60 -j dos-filter-register-external

# Up to 5 REGISTERs/sec (burst 8) per source IP return to INPUT; everything above that is rejected
iptables -A dos-filter-register-external -m hashlimit --hashlimit 5/sec \
    --hashlimit-burst 8 --hashlimit-mode srcip --hashlimit-name REGISTER \
    --hashlimit-htable-size 24593 --hashlimit-htable-expire 90000 -j RETURN

iptables -A dos-filter-register-external -j REJECT --reject-with icmp-admin-prohibited
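To see what the limit and hashlimit parameters above do to real traffic, here is an added Python model (not part of this wiki page) that replays a constructed REGISTER stream through one shared bucket, like `-m limit --limit 5/s --limit-burst 5`, and through one bucket per source address, like `--hashlimit 5/sec --hashlimit-burst 8 --hashlimit-mode srcip`. The addresses and timings are constructed, and the bucket is an approximation of the kernel's credit accounting, not its code.

```python
from collections import defaultdict


class TokenBucket:
    """Token bucket like iptables limit/hashlimit: `rate` tokens per second,
    at most `burst` stored. Tokens are kept in thousandths so that refilling
    over integer millisecond timestamps stays exact (no float drift)."""

    def __init__(self, rate, burst):
        self.rate = rate              # tokens/second == millitokens per millisecond
        self.cap = burst * 1000
        self.tokens = self.cap        # a fresh bucket starts full
        self.last_ms = None

    def allow(self, now_ms):
        if self.last_ms is not None:
            self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= 1000:
            self.tokens -= 1000
            return True
        return False


def filter_registers(packets, rate, burst, per_source):
    """Replay (ms, src_ip, method) packets; return [(src_ip, accepted)] for REGISTERs.
    per_source=False is one shared bucket (-m limit); True is one bucket per
    source address (-m hashlimit --hashlimit-mode srcip)."""
    buckets = defaultdict(lambda: TokenBucket(rate, burst))
    decisions = []
    for ms, src, method in sorted(packets):
        if method == "REGISTER":
            key = src if per_source else "*"
            decisions.append((src, buckets[key].allow(ms)))
    return decisions


def accepted_per_source(decisions):
    counts = defaultdict(int)
    for src, ok in decisions:
        counts[src] += int(ok)
    return dict(counts)


# Constructed traffic (documentation addresses): five phones, one REGISTER each,
# spread over the first 400 ms, plus one scanner sending 40 REGISTERs 10 ms apart.
PACKETS = [(100 * i, f"192.0.2.{i + 1}", "REGISTER") for i in range(5)]
PACKETS += [(10 * i, "203.0.113.9", "REGISTER") for i in range(40)]

if __name__ == "__main__":
    print("shared  -m limit 5/s burst 5 :", accepted_per_source(filter_registers(PACKETS, 5, 5, False)))
    print("per-src hashlimit 5/s burst 8:", accepted_per_source(filter_registers(PACKETS, 5, 8, True)))
```

With the shared bucket the scanner eats the budget and two of the five phones are refused, which is the effect described in the comment above; with per-source buckets every phone registers and the scanner is held to about the burst size.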