By tombal
I've set up an Asterisk installation and it's running pretty well, but I'm interested in setting up external SIP clients.

Obviously the simplest method would be to simply forward port 5060 to the IPBX, but having tried that, I'm getting a lot of external intrusion attempts (thankfully all unsuccessful) so was considering changing the port. The problem is that simply changing the number of the external port to forward to 5060 would mean that the client wouldn't be looking for a response on 5060 (which the IPBX would invariably send).

From what I understand of Asterisk, I can't specify a different bind port for different extensions (probably sensible or you'd end up with an IPBX so full of holes you'd be hacked very quickly) and changing the general port would result in me having to change the port for all locally attached SIP devices.

What would people suggest?

My current thought is to enable local port forwarding. This would normally not resolve the problem, but I have my phones on a separate subnet to my internet connection, so could just enable port forwarding for the appropriate ethernet adapter - thoughts?
By bosconian
I may be wrong, but I don't think changing the port will prevent you from getting intrusion attempts. You'll just start getting them from a different port. Also, local forwarding of the port may even give you NAT problems.

I think it would be better for you to use a service like Fail2ban and let it block out people trying to remotely log in and exploit your server.

A friend of mine says that there are just two kinds of people in the world: those who have been hacked and those who don't know they have been hacked. What I'm saying is that you shouldn't worry about getting a lot of external intrusion attempts, because you'll get those attempts no matter what port you choose. You just need to be sure that you have some kind of perimeter protection like Fail2ban or any other system.
