Securing an on-premises PBX is essential for protecting VoIP infrastructure against unauthorized access, SIP attacks, and telephony fraud.
This guide outlines the recommended security configuration practices for self-hosted PBX systems, including firewall configuration, NAT management, and FreePBX security settings.
To ensure the integrity of a self-hosted PBX, administrators should, at minimum, follow the rules below:
• Avoid configuring a public IP address on any interface of the PBX, so that it is not accessible from the internet.
• If a public IP is required, install a firewall that permits only outbound connections; inbound traffic should be limited to packets belonging to established or related connections.
• Avoid configuring port forwarding on the NAT* device. The modulus service does not require it, and such forwarding exposes the internal network to attacks, especially when the DNAT* rule does not restrict the source IP address.
• Do not configure the default Asterisk context to answer incoming calls. In distributions based on FreePBX, make sure that the “Allow Anonymous Inbound SIP Calls” option in the “General SIP Settings” section is disabled.
* NAT (Network Address Translation): Translation of private IP addresses into public ones for internet access.
* DNAT (Destination NAT): A method of redirecting inbound traffic to a specific internal destination.
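The firewall rule and the anonymous-call rule above can both be checked from a shell. The script below is an added example, not part of the original guide or of FreePBX: `gen_pbx_ruleset` emits an nftables ruleset for a PBX that must carry a public address (default-drop inbound, established/related replies accepted, everything outbound allowed), and `allowguest_disabled` verifies that a chan_sip configuration file explicitly sets `allowguest=no`, which is the Asterisk setting behind the FreePBX “Allow Anonymous Inbound SIP Calls” option. The interface names, the `pbx_fw` table name and the sample configuration are assumptions constructed for the example; on a FreePBX box the setting is generated into a file under `/etc/asterisk/` (the exact file name is an assumption to verify locally).

```shell
#!/bin/sh
# Added example for the PBX hardening rules above (not the guide's or FreePBX's own code).
# Interface names are assumptions; override them in the environment if they differ.
WAN_IF="${WAN_IF:-eth0}"   # assumed name of the internet-facing interface
LAN_IF="${LAN_IF:-eth1}"   # assumed name of the internal interface the phones use

# Emit an nftables ruleset: only outbound connections are opened by the PBX,
# and the only inbound packets accepted on the public side are established/related.
# Load with:  gen_pbx_ruleset | nft -f -
gen_pbx_ruleset() {
    cat <<EOF
flush ruleset
table inet pbx_fw {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state invalid drop
        # replies to connections the PBX itself opened (trunk registration, DNS, NTP)
        ct state established,related accept
        # phones and the administrator reach the PBX from the internal side only
        iifname "$LAN_IF" accept
        # anything else arriving on $WAN_IF (unsolicited SIP/RTP from the internet) is dropped
    }
    chain forward {
        # the PBX is not a router: never forward traffic between interfaces
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Return 0 when the given chan_sip configuration file explicitly sets allowguest=no.
# chan_sip defaults allowguest to yes, so a missing line counts as "anonymous calls allowed".
allowguest_disabled() {
    [ -r "$1" ] && grep -Eiq '^[[:space:]]*allowguest[[:space:]]*=[[:space:]]*no[[:space:]]*$' "$1"
}

# Demonstration on a constructed sip.conf fragment (constructed sample, not a real deployment file).
sample_conf=$(mktemp)
printf '[general]\ncontext=from-pstn\nallowguest=no\n' > "$sample_conf"
if allowguest_disabled "$sample_conf"; then
    echo "anonymous inbound SIP calls: disabled"
else
    echo "anonymous inbound SIP calls: ENABLED - disable them in General SIP Settings"
fi
rm -f "$sample_conf"
```

The `allowguest` check applies to chan_sip only; a PJSIP-based deployment handles anonymous callers through a dedicated anonymous endpoint rather than this key, so review that configuration separately. The ruleset deliberately has no rule opening SIP or RTP on the public interface: registrations from phones and trunk traffic work because the PBX initiates them, and the firewall lets the replies back in.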