# Fine-tuning the firewall

When publishing a PBX on a public IP address, the task arises to protect the speaker from scanners, pests who are trying to pick up passwords to SIP PBX accounts. If a simple numeric password is set, it will be picked up very quickly, which will cause losses.

For basic protection against scanners, fail2ban must be enabled. Additionally, you can fine-tune the iptables rules.

1. Go to the "**System file customization**" section

<figure><img src="https://835495363-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsZ8acWnNlSalIHQjMFu1%2Fuploads%2Fn06cIfMIqk6wJhcxD3gW%2FSystemFileCustomization.png?alt=media&#x26;token=4edfbfbf-6903-46c5-b1b5-d2a62131f59e" alt=""><figcaption><p>"System file customization" section</p></figcaption></figure>

2. Go to edit the **/etc/firewall\_additional** file

<figure><img src="https://835495363-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsZ8acWnNlSalIHQjMFu1%2Fuploads%2FaFgjGDSYtg9NS7P1LxwZ%2FENfirewall_additionslFile.png?alt=media&#x26;token=7eb41ef3-d657-4b45-8381-5202f4e30a77" alt=""><figcaption><p>File "/etc/firewall_additional"</p></figcaption></figure>

3. Set the "**Add to end of file**" mode, insert the following code:

```php
iptables -I INPUT 2 -p udp -m udp --dport 5060 -m string --string 'friendly-scanner' --algo bm --to 65535 -j DROP
```

<figure><img src="https://835495363-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FsZ8acWnNlSalIHQjMFu1%2Fuploads%2FcYhIQX0oygrlYr1uUFL1%2FENCodeForfirewall_additionslFile.png?alt=media&#x26;token=37f3ee64-2bc9-420b-b6f0-590d8fb46386" alt=""><figcaption><p>The code for the file "/etc/firewall_additional"</p></figcaption></figure>

{% hint style="warning" %}
The added rule allows blocking all incoming requests over the UDP protocol that contain the substring "**friendly-scanner**"
{% endhint %}

A more complete example of a set of rules:

{% code fullWidth="true" %}

```php
iptables -I INPUT 2 -p udp -m udp --dport 5060 -m string --string 'sipcli' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p udp -m udp --dport 5060 -m string --string 'sip-scan' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p udp -m udp --dport 5060 -m string --string 'iWar' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p udp -m udp --dport 5060 -m string --string 'sipvicious' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p udp -m udp --dport 5060 -m string --string 'sipsak' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p udp -m udp --dport 5060 -m string --string 'sundayddr' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p udp -m udp --dport 5060 -m string --string 'VaxSIPUserAgent' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p udp -m udp --dport 5060 -m string --string 'friendly-scanner' --algo bm --to 65535 -j DROP

iptables -I INPUT 2 -p tcp -m tcp --dport 5060 -m string --string 'sipcli' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p tcp -m tcp --dport 5060 -m string --string 'sip-scan' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p tcp -m tcp --dport 5060 -m string --string 'iWar' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p tcp -m tcp --dport 5060 -m string --string 'sipvicious' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p tcp -m tcp --dport 5060 -m string --string 'sipsak' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p tcp -m tcp --dport 5060 -m string --string 'sundayddr' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p tcp -m tcp --dport 5060 -m string --string 'VaxSIPUserAgent' --algo bm --to 65535 -j DROP
iptables -I INPUT 2 -p tcp -m tcp --dport 5060 -m string --string 'friendly-scanner' --algo bm --to 65535 -j DROP
```

{% endcode %}

This will protect you from most scanners that I mention User-Agent when requesting.