Asterisk security

If you are looking to secure your PBX you have several options which can be implemented independently or in combination:
  • PBX Configuration - adjust the settings of your PBX to minimize obvious attack surfaces (no longer considered optional - just part of setting up any PBX).
  • Perimeter Security - add software/hardware around your PBX to improve security (one notch above configuration - just part of operating any server).
  • Integrated Security - add software which integrates with your specific PBX to improve security (this is what really makes a difference in protecting your PBX).

Note that some recommendations (eg: changing ports, port knocking, etc.) are ideal for small and home office installations, whereas these same recommendations are impractical for large-scale implementations. Likewise, some recommendations are a great starting point (eg: a hardware firewall) but are no longer sufficient on their own to protect a PBX.

Integrated Security


SecAst

SecAst is an intrusion detection and prevention system designed specifically to protect Asterisk phone systems against intrusion and fraud. SecAst uses a variety of techniques to detect intrusion attempts, halt ongoing attacks, and prevent future attacks. SecAst is available in three editions, including a free edition. SecAst can be downloaded from www.telium.ca, or check out the wiki page SecAst (Asterisk Intrusion Detection and Prevention).

Fail2Ban

Fail2Ban is a free utility which looks at log files for records of failures (to register, etc.) and then adds their source IP to iptables. See the security warning regarding fail2ban at http://forums.asterisk.org/viewtopic.php?p=159984. Fail2ban is not an intrusion detection / prevention tool; it depends completely on Asterisk to detect, reject and log an attempt from a hacker.
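To make the dependency on Asterisk's own logging concrete, here is an added example of a minimal fail2ban filter and jail for the failed-registration NOTICE lines chan_sip writes to /var/log/asterisk/messages. This is not code from the original page or from the fail2ban project (which ships its own, fuller asterisk filter); the filter name asterisk-local, the thresholds, and the 203.0.113.10 provider address in ignoreip are assumptions to adapt to your installation.

```ini
# /etc/fail2ban/filter.d/asterisk-local.conf  (added example, not from the page)
# Matches chan_sip failed-registration NOTICE lines such as:
#   NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>'
#       failed for '198.51.100.7:5060' - Wrong password
# fail2ban strips the leading timestamp itself; <HOST> captures the source IP.
[Definition]
failregex = ^.*NOTICE.* chan_sip\.c: Registration from '.*' failed for '<HOST>(:\d+)?' - Wrong password$
            ^.*NOTICE.* chan_sip\.c: Registration from '.*' failed for '<HOST>(:\d+)?' - No matching peer found$
            ^.*NOTICE.* chan_sip\.c: Registration from '.*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch$
ignoreregex =

# /etc/fail2ban/jail.local  (added example, not from the page)
# 5 failures from one address within 10 minutes -> that address is dropped on
# all ports for an hour. ignoreip lists addresses that must never be banned
# (loopback plus a placeholder for your VoIP provider / office address).
[asterisk-local]
enabled  = true
filter   = asterisk-local
action   = iptables-allports[name=asterisk, protocol=all]
logpath  = /var/log/asterisk/messages
maxretry = 5
findtime = 600
bantime  = 3600
ignoreip = 127.0.0.1/8 203.0.113.10
```

This only works if Asterisk actually writes NOTICE messages to that file (the default logger.conf line messages => notice,warning,error does so); if NOTICE logging is turned off or chan_sip is replaced by a channel driver with different messages, the jail silently catches nothing, which is the limitation the forum warning above is about. Check what the filter sees with fail2ban-regex /var/log/asterisk/messages /etc/fail2ban/filter.d/asterisk-local.conf before enabling the jail.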


Perimeter Security

If you are looking to add layers around your PBX with generic protection:

Hardware Firewall

Most Asterisk boxes should be located behind a hardware firewall. Configure the firewall to block traffic from anyone that doesn't need to connect to you. Allow your VoIP provider, any remote phones/users, and others that may need to connect, but keep the restrictions as tight as possible. If you do have remote users, lock your firewall down to only allow those users to connect if possible, rather than opening it to the entire internet. If you have mobile users this may not be an option however.

Other services, such as SSH, should be blocked by the hardware firewall (or restricted to your management addresses).

IPtables

IPTables is the generic firewall included with Linux. It is not PBX aware (or intelligent in any way). IPTables is a great add-on to a larger security solution. However, simply adding static rules for every potential source is not a solution. Consider IPTables the basics of preventing someone from getting at your PBX - but it doesn't / can't know the actions or intent of someone connecting to your PBX.

Port Knock

Port Knock can be used to provide remote access to your Asterisk machine, opening the ports needed to reach Asterisk services only for your IP: a predefined sequence of connection attempts to specific ports requests a temporary, on-demand opening of the required ports for your remote/dynamic IP. This type of solution is useful for small installations with technically savvy users (since they have to port knock before every connection) but can be effective.

PBX Configuration

If you wish to improve the security of your PBX through basic security configuration:

Strong Passwords

All remote users should have strong, alpha-numeric passwords. These should be long. They should NEVER be the same as the username or based on the user's extension.

Default Context

Your [default] context in extensions.conf should be empty. It is the context Asterisk falls back to when a peer (or guest call) has no other context assigned. You should explicitly refer to a non-default context for remote SIP calls.

sip.conf configuration

In the [general] section, define:


[general]
...
context=bogus
allowguest=no
alwaysauthreject=yes
...


The context line refers to a context (which you *must define* in extensions.conf!) that should handle "default" SIP calls, i.e. calls that do not match an authenticated peer. This should be a context with nothing in it (unless you want to play with them - then, if you have the bandwidth, feel free to play a recording or such!). Obviously if you want to accept anonymous SIP calls, send them to the proper context (but *never* a context that can dial out!).

The "allowguest" line disables anonymous SIP calls to your PBX. Some SIP providers connect as a guest user, however, so this may be inappropriate for your situation. Also, if you want to accept anonymous SIP calls, this line would block them, so you wouldn't want that. But it is listed here because it is the safest configuration.

The "alwaysauthreject" line is important. It causes a hacker to get the same response from your PBX when they try to guess passwords whether or not they guessed a valid username, so the responses cannot be used to enumerate accounts. This also has the side-effect of making poorly written scanning scripts (the vast majority of hacker scripts seem to be poorly written) consume fewer resources on your Asterisk box, as even if they scan a valid username, they'll think it doesn't exist.

In addition to these, verify that all peers listed in sip.conf are valid and have strong passwords.

iax.conf


(I'm hoping others will fill in this section - I block IAX)

Dialplan


Do your users need to be able to dial internationally? If not, make sure your dialplan blocks international calls (in the US, these calls typically start with 011, although some countries' numbers "look like" US numbers - so also block calls to area codes that don't correspond to areas you call). You may be able to request that your provider also blocks international calls. If only SOME users need to call internationally, place them in a different context than the rest of your users.
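The Default Context, sip.conf and Dialplan recommendations above fit together in one extensions.conf. The following is an added example, not from the original page: it assumes sip.conf has context=bogus in [general] as shown above, that ordinary phones are peers with context=internal, that the few peers allowed to dial abroad have context=internal-intl, and that the outbound trunk is a placeholder peer named myprovider. The blocked area codes are a constructed list to adjust for your own calling pattern.

```ini
; extensions.conf (added example, not from the page; names are placeholders)

[default]
; Deliberately empty: nothing that falls through to here can dial anything.

[bogus]
; Unauthenticated or unmatched SIP calls land here via context=bogus in sip.conf.
; Log the attempt so it shows up in your daily log review, then hang up.
exten => _X.,1,NoOp(Unmatched SIP call from ${CALLERID(all)} to ${EXTEN})
 same => n,Hangup()

[internal]
; Regular users: local extensions and domestic calls, international refused.
include => local-extensions
include => block-international
include => domestic-outbound

[internal-intl]
; Only the peers that genuinely need it are placed in this context.
; Included contexts are searched in order, so the permit comes before
; domestic-outbound; there is no block-international here.
include => local-extensions
include => international-outbound
include => domestic-outbound

[local-extensions]
; Three-digit extensions 100-199 ring the matching SIP peer.
exten => _1XX,1,Dial(SIP/${EXTEN},20)
 same => n,Hangup()

[block-international]
; Explicitly refuse the 011 prefix rather than letting it fall through,
; so the refusal is visible in the log.
exten => _011.,1,NoOp(International dialing refused for ${CALLERID(num)}: ${EXTEN})
 same => n,Congestion()

[domestic-outbound]
; Area codes inside the North American numbering plan that look domestic but
; are premium-rate or foreign (900 = US premium rate, 809 = Dominican
; Republic). Literal digits outrank N/X in a pattern, so these win over the
; generic domestic patterns below.
exten => _1900XXXXXXX,1,NoOp(Blocked area code for ${CALLERID(num)}: ${EXTEN})
 same => n,Congestion()
exten => _1809XXXXXXX,1,NoOp(Blocked area code for ${CALLERID(num)}: ${EXTEN})
 same => n,Congestion()
; Everything else 10/11 digits goes out the trunk.
exten => _1NXXNXXXXXX,1,Dial(SIP/myprovider/${EXTEN})
 same => n,Hangup()
exten => _NXXNXXXXXX,1,Dial(SIP/myprovider/1${EXTEN})
 same => n,Hangup()

[international-outbound]
; Reachable only from [internal-intl].
exten => _011.,1,Dial(SIP/myprovider/${EXTEN})
 same => n,Hangup()
```

After loading, confirm the fall-through path with dialplan show bogus and dialplan show default (both should contain no Dial) and confirm that each SIP peer is in the context you expect with sip show peer <name>; a peer that ends up in [default] or [bogus] by mistake cannot place calls, which is the safe failure mode.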

Custom modification to chan_sip.c


See this page on how chan_sip.c was modified to block, for a set duration, IPs that make bad login attempts. Similar modifications can be used to protect other areas.

Logs, CDR


Review your logs and CDR at least daily. Even one day of illegitimate calls can add up to tons of money quickly.


References


Security in a complex piece of software like Asterisk is not a simple thing. Help us collect information on the subject:



Articles



See also

Created by: oej, Last modification: Sat 23 of May, 2015 (13:53 UTC) by telium