Server hardening / security best practices in 2025?

Hi – trying to do my homework on best practices to keep a cloud instance of Asterisk safe (meaning: no hackers, no exploitation of the machine, and no unexpected spam calls coming in to extensions). We will have remote phones that call through this instance. It does not call out – all calls are internal to the PBX only. Many of the documents/posts I have found are pretty old, so I’m checking in here.

I have read the README-SERIOUSLY. Otherwise, my plan is fail2ban, tight-as-possible firewall rules, good passwords, etc. (I’m considering TLS for the remote phones but haven’t gotten there yet.)

Anything else to be thinking about? Seems like “alwaysauthreject=yes” and “allowguest=no” from sip.conf have no analogous settings in pjsip.conf, right?

If there is a modern guide to fail2ban with asterisk that’d be great to see.

Thanks! Just want to make sure I’m not overlooking anything.

I think alwaysauthreject is effectively permanently on.

chan_pjsip has explicit rules for matching anonymous callers, which are not included in normal configurations.

Thank you @david551 – sounds like I’m at least in the ballpark then.

There are some good guides for fail2ban with asterisk to start from.

As far as I read your post, your asterisk will not have a line to a sip provider. So at least you don’t have to worry about toll fraud in case of incidents.

If your clients have fixed ip addresses, I would use firewall rules to only allow sip traffic with them. Otherwise I would consider using vpn to your server.

That’s right, so pressure is not as high.

The clients do not have fixed IP. I do have ssh restricted to only my IP, but SIP/UDP will need to be open to all IPs (unless I can find a convenient way to block per country/region… all the phones are in the US.)

And in fact the cloud compute provider (Oracle) needs to have UDP open on all ports because if you restrict to 5060 and 5061, the fragmented packets associated with some UDP datagrams get blocked since they don’t contain port information (my post here). Since the cloud firewall can’t do it, maybe I can figure out how to do that in the VM itself without breaking SIP, but I’m no firewall expert…

Thanks for the link – I was reading through the fail2ban docs and it seems like maybe it’s not such a chore to get it working with asterisk these days.

You can still do the firewall on your machine with iptables / nftables. Should not be a big deal.

Regarding geoblocking I stumbled across GitHub - friendly-bits/geoip-shell: User-friendly and versatile geoblocker for Linux which I found very interesting but couldn’t try it myself by now.

Yeah I expect so, I’m just not fluent in iptables yet and unclear on how to “block UDP datagrams from ports besides 5060-5061 but not if they are fragmented IP packets without port association” but maybe the linux firewall is smart enough that I don’t need to worry about it? I’ll try it and see… I’m sure there is googleable info on doing that…

Ooh, thanks, I’ll check that out.

There is an iptables rule to recognize second and subsequent fragments, which could be used to let them all through.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.