SMG digital gateway
9 APPENDIX E. GUIDELINES FOR SMG OPERATION IN A PUBLIC NETWORK
SMG operation in a public network requires taking all security measures needed to prevent device
password brute-forcing, DoS (DDoS) attacks, and other intrusive actions that may lead to unstable operation,
subscriber data theft, and attempts to place calls at the expense of other subscribers, and consequently to
damages to the service provider as well as to subscribers.
Avoid using SMG in a public network without additional protective measures such as a session border controller
(SBC), a firewall, etc.
Guidelines for SMG Operation in a Public Network 
• Operation in a public network with the default SIP signalling port 5060 is not recommended. To
change it, modify the Port for SIP signalling reception parameter in the SIP interfaces settings in
SIP general configuration and SIP interface settings. Changing the port does not ensure complete
protection, as the signalling port may still be discovered by port scanning.
• If the IP addresses of all devices communicating with SMG are known, use the iptables utility to
configure rules that allow access from these addresses and deny access from all others.
Also, you should configure the fail2ban utility.
Fail2ban stores unsuccessful SIP protocol access attempts in a log file (/tmp/log/pbx_sip_bun.log), and if
the number of such attempts exceeds a defined value, the IP address that originated them is banned
for the specified time. The utility also allows generation of lists of trusted and untrusted addresses. For a detailed
description, see section 4.1.11.1.
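
The allow-list guidance above, as an added example that is not part of the original manual: a shell function that prints, for review, iptables rules admitting only known peers to the SIP signalling port and dropping all other traffic to it. The port 5070, the documentation-range peer addresses, the INPUT chain and the choice to cover both UDP and TCP are assumptions; the function names are hypothetical.

```bash
#!/bin/sh
# Added example: prints iptables rules for review; it does not apply them.

# Succeeds only for dotted-quad IPv4 with an optional /0-32 prefix.
valid_ipv4() {
    addr=${1%%/*}
    case $1 in
        */*) prefix=${1#*/}
             case $prefix in ''|*[!0-9]*) return 1 ;; esac
             [ "$prefix" -le 32 ] || return 1 ;;
    esac
    case $addr in *[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Usage: sip_allowlist_rules PORT PEER...
# ACCEPT rules come first and DROP last: iptables stops at the first match.
sip_allowlist_rules() {
    port=$1
    case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;; esac
    { [ "$port" -ge 1 ] && [ "$port" -le 65535 ]; } ||
        { echo "invalid port: $port" >&2; return 1; }
    shift
    # With no peers only the DROP rules would remain, cutting off all SIP.
    [ $# -gt 0 ] || { echo "no trusted peers given" >&2; return 1; }
    # Validate every peer before printing, so no partial rule set is emitted.
    for peer in "$@"; do
        valid_ipv4 "$peer" || { echo "invalid peer: $peer" >&2; return 1; }
    done
    for proto in udp tcp; do   # assumption: SIP may arrive over either
        for peer in "$@"; do
            echo "iptables -A INPUT -p $proto -s $peer --dport $port -j ACCEPT"
        done
        echo "iptables -A INPUT -p $proto --dport $port -j DROP"
    done
}

# Constructed sample: port 5070 and documentation-range peer addresses.
sip_allowlist_rules 5070 192.0.2.10 198.51.100.0/24
```

Review the printed rules against the complete list of peers before applying them, since any address missing from the list loses access to the signalling port.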