Thread: http://fonality.com/trixbox/forums/trixbox-forums/open-discussion/sip-port-5060-why-do-you-keep-using-it

Obeliks:

The SIP signaling port can be changed from its default setting of 5060.
If your PBX is not behind NAT but exposed directly to the internet (or for some reason you port forward 5060),
this would prevent your PBX from being discovered during automated scans looking for PBXes to crack.
Given the fact almost nobody does that, what are the arguments against it?

Kerryg:

Not all SIP trunk providers allow you to change it on their side. This is probably the single biggest obstacle for "rolling your own port". My biggest response to that is why in the hell would you have a system exposed directly to the internet and not behind a firewall? With a firewall you can (depending on the model) lock down the ports to specific IP addresses and avoid the port scanning issue.
--
Kerry Garrison
http://www.VoipStore.com - http://3cxbook.com
(888) VOIPSTORE - (888) 864-7786

Jlutes:

Just because you move the port doesn't stop anyone from finding your PBX. It doesn't take very long to do a port scan on an IP address. Though I do agree changing it will stop what we call 'script kiddies' or people who have no idea what they are doing but have this cool program that does this and that, it won't stop a true cracker or even slow them down much. All that said, we NAT our boxes and though we don't change the ports for SIP traffic, we do change the ports for web and ssh access. We had one intruder that got in through SIP and made some phone calls on our dime. We blocked the IP address and configured the Permit string on all of our devices and haven't had trouble since.
What I guess I'm saying is that if it ain't broke, why fix it?
P.S., I agree with Kerry - get a firewall!

Obeliks:

Quote
Not all SIP trunk providers allow you to change it on their side.
Unquote
I am talking about changing the port on your side, not on the trunk provider side.
The trunk provider finds you based on your registration.
The only problem I can see with this change is when your trunk provider has a fixed IP configured for your end of the trunk and does not allow you to use a non-default port, but I believe most would allow you to change the port when using fixed IP.
As a matter of fact I just configured my trixbox on a non-default port and everything works just fine.
The biggest issue was to reconfigure all extensions to register on a different port with my trixbox.
Some softphones do not allow you to change the port. I was successful with X-Lite, but could not change it with Blink.
In the case of ATAs and VoIP phones this reconfiguration is very easy.
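The two settings discussed in this thread, a non-default listening port (Obeliks) and a per-device permit list (Jlutes' "Permit string"), both live in chan_sip's sip.conf. The script below is an added example, not a file from trixbox or Asterisk; it prints a sip.conf fragment so you can compare it with your own before copying anything in. The port 5082, the extension name 201, the peer name trunk-out, the secret placeholder CHANGE_ME and the networks 192.168.1.0/24 and 203.0.113.10 are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not trixbox's or Asterisk's own configuration): generate a
# chan_sip sip.conf fragment that moves the listening port and restricts each
# peer to known source networks with deny/permit. All values are placeholders.

SIP_PORT="${SIP_PORT:-5082}"   # hypothetical non-default port; 5060 is the default

# [general] section: bind on the chosen port and refuse unauthenticated guests.
# alwaysauthreject=yes returns the same reply for unknown users and for wrong
# passwords, so a scanner cannot enumerate which extensions exist.
sip_general_section() {
  cat <<EOF
[general]
bindaddr=0.0.0.0
bindport=$SIP_PORT
allowguest=no
alwaysauthreject=yes
EOF
}

# sip_peer_section NAME HOST SECRET NETWORK/MASK [NETWORK/MASK ...]
# Emits one peer with a default deny followed by one permit per listed
# network. The dotted-mask form (a.b.c.d/m.m.m.m) is understood by every
# chan_sip release, including the ones trixbox shipped.
sip_peer_section() {
  name=$1
  host=$2
  secret=$3
  shift 3
  printf '\n[%s]\ntype=friend\nhost=%s\nsecret=%s\ndeny=0.0.0.0/0.0.0.0\n' \
    "$name" "$host" "$secret"
  for net in "$@"; do
    printf 'permit=%s\n' "$net"
  done
}

# Constructed example: an office extension that may only register from the LAN,
# and a trunk peer with a fixed provider address (203.0.113.10, a placeholder)
# that may only be contacted from that address.
sip_example_config() {
  sip_general_section
  sip_peer_section 201 dynamic CHANGE_ME 192.168.1.0/255.255.255.0
  sip_peer_section trunk-out 203.0.113.10 CHANGE_ME 203.0.113.10/255.255.255.255
}

# Run directly: print the fragment for review.
[ "${0##*/}" != sh ] && sip_example_config
```

Phones and ATAs then register to port 5082 instead of 5060, which is the reconfiguration step the post above describes. A peer with `deny=0.0.0.0/0.0.0.0` and no `permit` line can never authenticate, so a mistyped network shows up as a registration failure rather than as an open door.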

Astrosmurfer:

Changing port numbers is an ineffective security measure. You are only delaying the inevitable and the length of that delay may be very short.
People try to hide other services like HTTP and SSH by changing the listening port but it is trivial to find these systems regardless of the port. Likewise, it is quick and simple to find a SIP server on any port.
There was a time, when internet connections were very slow, that it was sufficiently "expensive" to scan an entire port range. But now, when more and more people are hosting their services on multi-megabit connections and even home users have high-speed connections, full sweep port scans are trivial and relatively quick.
It's been discussed countless times but, even if you aren't using NAT, you should still use a firewall, VPN and fail2ban. Changing ports is ineffective.

Obeliks:

Well, everybody is entitled to their own opinions. ;-)
If you are using a non-default port then for an attack directed specifically at you, it is not going to add much protection.
But almost no attacks are like that. In most of the cases the internet is scoured for potential victims and attacks are directed at those who are easiest to find. I certainly would not want to be a victim of a 0-day attack.
Remember, you don't have to outrun the bear, just the next trixbox user ;-)
Running on a non-default port can buy you some time, so you can install patches when they become available.
I am not convinced that the majority of the users on this forum employ fully staffed security teams to deal with network attacks and can respond immediately to all Asterisk security issues. I agree that fail2ban should be part of the deployment, but what are you going to do if the next yum update breaks it and you do not notice, or if you are dealing with an attack that fail2ban does not offer protection for?

Obeliks:

Quote
get a firewall!
Unquote
This statement could be attributed to a firewall vendor ;-)
Firewalls offer no protection if you have to accept packets from unknown extensions/peers.
If you know where your traffic will be coming from then properly configured iptables can offer sufficient protection and there is no need for a separate firewall.
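Kerry's "lock down the ports to specific IP addresses" and the iptables approach in the post above come down to the same ruleset: the SIP port accepts only listed sources, and everything else is logged and dropped. The script below is an added example, not trixbox's own firewall configuration; it prints the iptables commands rather than loading them, so they can be reviewed first. It also covers the case the post says a firewall cannot handle, unknown peers that must be accepted (road warriors), by letting unknown sources through at a low per-source rate instead of unconditionally. The chain name SIP_IN, the RTP range 10000:20000, the rate 30/min and the addresses 203.0.113.10 and 198.51.100.0/24 are constructed placeholders.

```shell
#!/bin/sh
# Added example (not trixbox's own): print an iptables ruleset that confines
# the SIP signaling port to known peers. "strict" mode accepts only the listed
# sources; "roadwarrior" mode additionally admits unknown sources at a low
# per-source rate, so mobile softphones can still register while scanners and
# password guessers are throttled. All values are placeholders.

SIP_PORT="${SIP_PORT:-5060}"
RTP_RANGE="${RTP_RANGE:-10000:20000}"   # must match rtp.conf on the PBX

# sip_rules MODE [SOURCE ...]  -> rules on stdout; nothing is applied
sip_rules() {
  mode=$1
  shift
  echo "iptables -N SIP_IN 2>/dev/null || iptables -F SIP_IN"
  echo "iptables -A INPUT -p udp --dport $SIP_PORT -j SIP_IN"
  # Media: many providers send RTP from hosts other than the signaling
  # address, so the RTP range stays open; Asterisk only processes RTP for
  # calls it has set up.
  echo "iptables -A INPUT -p udp --dport $RTP_RANGE -j ACCEPT"
  for src in "$@"; do
    echo "iptables -A SIP_IN -s $src -j ACCEPT"
  done
  if [ "$mode" = roadwarrior ]; then
    # At most 30 SIP packets per minute from any single unknown address
    # (tune to your traffic). Older iptables (1.3.x, as on CentOS 5) spells
    # the option --hashlimit instead of --hashlimit-upto.
    echo "iptables -A SIP_IN -m hashlimit --hashlimit-upto 30/min --hashlimit-burst 30 --hashlimit-mode srcip --hashlimit-name sipnew -j ACCEPT"
  fi
  # Everything else is logged (prefix makes it easy to grep or feed to
  # fail2ban) and dropped.
  echo "iptables -A SIP_IN -j LOG --log-prefix 'SIP-REJECT ' --log-level 4"
  echo "iptables -A SIP_IN -j DROP"
}

# apply_sip_rules MODE [SOURCE ...]  -> loads the rules (needs root)
apply_sip_rules() {
  sip_rules "$@" | sh
}

# Run directly: review the strict ruleset for a trunk and a branch office
# (203.0.113.10 and 198.51.100.0/24 are constructed addresses).
[ "${0##*/}" != sh ] && sip_rules strict 203.0.113.10 198.51.100.0/24
```

Usage: `sh sip-rules.sh` prints the rules; `apply_sip_rules roadwarrior 203.0.113.10` loads them. The chain is flushed and rebuilt on every run, so re-running after editing the source list is safe. Note that the rate limit only slows an attacker who must guess passwords from one address; strong secrets and `alwaysauthreject=yes` in sip.conf remain necessary.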

BubbaPCGuy:

Quote
get a firewall!
This statement could be attributed to a firewall vendor ;-)
Unquote
Well the statement would be attributed to any (decent) network admin.
Using iptables is fine but to make a blanket statement like "there is no need for a separate firewall" shows us that you in fact have no business setting up a PBX or any computers connecting to the net.
It is folks who try to think they are smarter than the hordes of hackers / scripts out there, who make trouble for the rest of us...where do you think they get those botted boxes to do the scanning???? They get them from you folks without a firewall.
To filter traffic is easy.. the rule for inet connected servers is to BLOCK all traffic and then ALLOW ONLY that which is needed.
iptables working hard on a PBX will affect the PBX, why subject the box to that??? I can see No reason to.
As someone who has had PBXes on the net for YEARS (racks full) without a single break-in, it is very safe to run on standard ports as long as you do not allow just any ole IP address or do not use VPN (which is MY way) to give access.
If your end users can not afford a static IP then drop in an OpenVPN server or use VPN end points (routers)...but ALWAYS use a firewall in front of ALL web connected units.
Safety comes at a cost but it is still cheaper than running around naked.

Obeliks:

Quote
Using iptables is fine but to make a blanket statement like "there is no need for a separate firewall" shows us that you in fact have no business setting up a PBX or any computers connecting to the net.
Unquote
I would be cautious with statements like this. Some people may question your professionalism. There is no web site I know of pumping a significant amount of traffic (>10Gbps) and using firewalls. You can check with people who run YouTube, Akamai or any other major internet player. You use ACLs on your routers. You also make sure your servers do not have more holes than Swiss cheese. Here is some info on the subject:

http://trixbox.org/forums/trixbox-forums/open-discussion/security...

http://trixbox.org/forums/trixbox-forums/open-discussion/security...

http://trixbox.org/forums/trixbox-forums/open-discussion/list-por...

Quote
As someone who has had PBXes on the net for YEARS (racks full) without a single break-in, it is very safe to run on standard ports as long as you do not allow just any ole IP address or do not use VPN (which is MY way) to give access.
Unquote
This was not the case I was discussing in my original post. My post was directed at people who do allow traffic from arbitrary IPs, like people with mobile devices who need to have their phones registered no matter where they happen to be, "road warriors" with softphones, etc.
Quote
iptables working hard on a PBX will affect the PBX, why subject the box to that???
Unquote
How hard do you think iptables will work? Do you have any numbers to support your statement or is it just another example of FUD?