Securing the PBX

[DLS]

Hi,

 

Following on from getting a number of external blocked IPs that I can't explain I'm looking to lock down our PBX as much as ppossible. I have outbound proxy addresses in place for all trunks, limited inbound access on the trunks to our ITSPs address, and am locking accounts to fixed IPs for the phones.

 

What I can't work out is how to block access to the PBX so that anything outside our local subnet and the trunks has no access. I've set the access to allow for 192.168.x.0/24 to allow, but unsure what to do to block all others. I'm assuming something like 0.0.0.0/0 but not 100% sure and didn't want to lock myself out of the PBX!

 

Cheers

Andrew

[Vodia PBX]

The way the PBX processes the list is by the netmask. It searches the more special entries first. So if you specify /0 netmark, this entry is processed last. So if you want to blacklist everything as a general rule, thats file. Just make sure that the subnet where you are coming from is already there when you add the general rule. If you screw it up, you can still go to the file system, remove the last added rule and restart the system.

[DLS]

Thanks - so I've added the following:

 

0.0.0.0/0 - Block

192.168.x.0/24 - Allow (where x is our subnet)

 

Hopefully this will be the last we see of hacking attempts!

 

Cheers,

Andrew

[snomuk]

Hi Andrew

 

I suggest adding an allow on localhost too so you can access the web interface from the machine itself.

 

127.0.0.1/32