    Secure Configuration Settings for an On-Premises PBX

    Securing an on-premises PBX is essential for protecting VoIP infrastructure against unauthorized access, SIP attacks, and telephony fraud.
    This guide outlines the recommended security configuration practices for self-hosted PBX systems, including firewall configuration, NAT management, and FreePBX security settings.

    To ensure the integrity of a self-hosted PBX, administrators should, at minimum, follow the rules below:

    • Avoid configuring a public IP address on any interface of the PBX, so that it is not accessible from the internet.

    • If a public IP is required, install a firewall that permits only outbound connections and, for inbound traffic, accepts only packets belonging to established or related connections.

    • Avoid configuring port forwarding on the NAT* device. The Modulus service does not require it, and such practices expose the internal network to attacks, especially when the source IP of the DNAT* rule is not restricted.

    • Do not configure the default Asterisk context to answer incoming calls. In distributions based on FreePBX, make sure that the “Allow Anonymous Inbound SIP Calls” option in the “General SIP Settings” section is disabled.

    * NAT (Network Address Translation): Translation of private IP addresses into public ones for internet access.

    * DNAT (Destination NAT): A method of redirecting inbound traffic to a specific internal destination.
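    As an added example that is not part of the original article or the Modulus service, the following script generates an nftables ruleset implementing the firewall rule above (outbound allowed, inbound limited to established and related connections, no SIP or RTP ports opened). The interface name eth0 and the management host 192.0.2.10 are placeholders to adjust before use.

```shell
#!/bin/sh
# Added example: stateful firewall for a PBX host that has a public interface.
# Assumptions (constructed placeholders): WAN interface "eth0", LAN admin host 192.0.2.10.
PBX_WAN_IF="${PBX_WAN_IF:-eth0}"
MGMT_HOST="${MGMT_HOST:-192.0.2.10}"

# Print the ruleset so it can be reviewed before being loaded with `nft -f`.
gen_pbx_ruleset() {
    cat <<EOF
flush ruleset
table inet pbx_filter {
    chain input {
        type filter hook input priority 0; policy drop;
        # Replies to connections the PBX opened itself (trunk registration, RTP it negotiated).
        ct state established,related accept
        # Packets conntrack cannot associate with any flow are dropped early.
        ct state invalid drop
        iif "lo" accept
        # Admin access (SSH, HTTPS GUI) only from the internal management host, never via the WAN side.
        ip saddr $MGMT_HOST tcp dport { 22, 443 } iifname != "$PBX_WAN_IF" accept
        # Everything else inbound, including unsolicited SIP REGISTER/INVITE scans, hits the drop policy.
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Sanity check: default-drop on input, stateful accept present, and no SIP/RTP ports exposed.
verify_pbx_ruleset() {
    rs="$(gen_pbx_ruleset)"
    printf '%s\n' "$rs" | grep -q 'hook input priority 0; policy drop' || return 1
    printf '%s\n' "$rs" | grep -q 'ct state established,related accept' || return 1
    printf '%s\n' "$rs" | grep -Eq 'dport[^#]*(5060|5061|10000)' && return 1
    return 0
}

# Apply only when run as root with nft installed; otherwise just print the ruleset for review.
if [ "$(id -u)" -eq 0 ] && command -v nft >/dev/null 2>&1; then
    gen_pbx_ruleset | nft -f -
else
    gen_pbx_ruleset
fi
```

    The established/related rule keeps the administrator's current SSH session alive while the ruleset is loaded, so the script can be applied remotely from the management host.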

    Frequently asked questions

    A self-hosted PBX that is not properly secured can become a target for SIP attacks, unauthorized calls, and toll fraud, potentially leading to financial losses and service disruption.

    SIP attacks are attempts to gain unauthorized access to VoIP devices or PBX systems through the SIP protocol. They typically involve automated password-guessing attempts, active account scanning, and efforts to misuse telephony services.

    A SIP brute force attack consists of automated attempts to discover the correct username and password of a SIP account by continuously testing different credential combinations.

    Toll fraud occurs when unauthorized individuals gain access to telephone accounts or PBX systems and make unauthorized calls, usually to international or premium-rate destinations.

    Key security best practices include:

    • Using strong passwords
    • Disabling anonymous SIP calls
    • Restricting access through firewall rules
    • Regularly updating software
    • Avoiding unnecessary port forwarding
    • Limiting management access from the Internet

    To protect your PBX system, it is recommended to:

    • Use strong SIP account passwords
    • Implement firewall access restrictions
    • Disable anonymous SIP traffic
    • Regularly review system logs
    • Keep the PBX updated to the latest available version

    Main Security Risks for VoIP PBX Systems

    Self-hosted VoIP PBX systems may become targets of attacks such as SIP scanning, brute force attacks, toll fraud, and unauthorized access. Using a firewall, avoiding unnecessary port forwarding, and properly configuring Asterisk or FreePBX are essential measures for protecting your VoIP infrastructure.
