Most Asterisk boxes should be located behind a hardware firewall. Configure the firewall to block traffic from anyone that doesn't need to connect to you. Allow your VoIP provider, any remote phones/users, and others that may need to connect, but keep the restrictions as tight as possible. If you do have remote users, lock your firewall down to only allow those users to connect if possible, rather than opening it to the entire internet. If you have mobile users, however, this may not be an option.
Other services, such as SSH should be blocked by the hardware firewall.
Implement a software firewall if possible, using Linux IP Chains. The rules should be similar to those on the hardware firewall, possibly with additional rules to protect against attacks originating on the local LAN.
SecAst is an intrusion detection and prevention system designed specifically to protect Asterisk phone systems against fraud. SecAst uses a variety of techniques to detect intrusion attempts, halt ongoing attacks, and prevent future attacks. SecAst is available in three editions, including a free edition. SecAst can be downloaded from www.generationd.com, or check out the wiki page SecAst (Asterisk Intrusion Detection and Prevention).
Port Knock can be used to provide remote access to your Asterisk machine. A predefined sequence of ports is used to request a temporary, on-demand opening of the specific ports needed to access Asterisk services, and those ports are opened only for your remote/dynamic IP.
Implement Fail2Ban to prevent denial of service attacks (password guessing can cause excessive CPU utilization). See security warning regarding fail2ban - don't depend on it.
All remote users should have strong, alpha-numeric passwords. These should be long. They should NEVER be the same as the username or based on the user's extension.
Your [default] context in extensions.conf should be empty. This context is used when other contexts might not match a peer. You should explicitly refer to a non-default context for remote SIP calls.
In the [general] section, define:
    [general]
    ...
    context=bogus
    allowguest=no
    alwaysauthreject=yes
    ...
The context line will refer to a context (which you *must define* in extensions.conf!) that should handle "default" SIP calls. This should go to a context with nothing in it (unless you want to play with them - then, if you have the bandwidth, feel free to play a recording or such!). Obviously if you want to accept anonymous SIP calls, send them to the proper context (but *never* a context that can dial out!).
The "allowguest" line disables anonymous SIP calls to your PBX. Some SIP providers connect as a guest user, however, so this may be inappropriate for your situation. Also, if you want to accept anonymous SIP calls, this line would block them, so you wouldn't want that. But it is listed here because it is the safest configuration.
The "alwaysauthreject" line is important. This causes a hacker to get the same response from your PBX when they try to guess passwords, whether or not they guessed a valid username. This also has the side effect of making poorly written scanning scripts (the vast majority of hacker scripts seem to be poorly written) take fewer resources on your Asterisk box, as even if they scan a valid username, they'll think it doesn't exist.
In addition to these, verify that all peers listed in sip.conf are valid and have strong passwords.
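The [general] settings and password rules above can be checked mechanically. The following audit script is an added example, not part of the original page or of Asterisk; the sample sip.conf is constructed, and the 12-character minimum is an assumed policy value, since the page only says passwords should be long.

```python
import re

MIN_SECRET_LEN = 12  # assumed policy value; the page only says "long"
# Constructed sample sip.conf for illustration; not taken from the page.
SAMPLE_SIP_CONF = """\
[general]
context=default      ; guest calls would land in [default]
allowguest=yes
[6001]
type=friend
secret=6001
[6002]
type=friend
secret=x7Kq92mVbT4zRw8p
"""

def parse_sections(text):
    """Parse Asterisk-style config text into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return sections

def audit_sip_conf(text):
    """Return (section, problem) findings for the settings the page recommends."""
    sections, findings = parse_sections(text), []
    general = sections.pop("general", {})
    if general.get("context", "default") == "default":
        findings.append(("general", "context missing or set to default"))
    for key, wanted in (("allowguest", "no"), ("alwaysauthreject", "yes")):
        if general.get(key, "").lower() != wanted:
            findings.append(("general", f"{key} is not explicitly '{wanted}'"))
    for name, opts in sections.items():
        secret = opts.get("secret", "")
        if len(secret) < MIN_SECRET_LEN:
            findings.append((name, "secret missing or too short"))
        if name.lower() in secret.lower():
            findings.append((name, "secret contains the peer name"))
        if not (re.search(r"[A-Za-z]", secret) and re.search(r"\d", secret)):
            findings.append((name, "secret is not mixed letters and digits"))
    return findings

if __name__ == "__main__":
    print(*audit_sip_conf(SAMPLE_SIP_CONF), sep="\n")
```

Peers that authenticate without a `secret` line (for example a provider trunk matched by address) are reported as "secret missing" and need a manual look.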
(I'm hoping others will fill in this section - I block IAX)
Do your users need to be able to dial internationally? If not, make sure your dialplan blocks international calls (in the US, these calls typically start with 011, although some countries "look like" US numbers - so also block calls to area codes that don't correspond to areas you call). You may also be able to ask your provider to block international calls. If only SOME of your users need to call internationally, place them in a different context than the rest of your users.
Review your logs and CDR at least daily. Even one day of illegitimate calls can add up to tons of money quickly.
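A daily CDR review can be scripted around the two signals named above: the 011 international prefix and area codes you never call. This is an added example, not from the original page; it assumes the default cdr_csv column order, the CDR rows are constructed, and `ALLOWED_AREA_CODES` is a hypothetical allowlist.

```python
import csv
import io
from collections import defaultdict

# Leading columns of Asterisk's cdr_csv Master.csv, in file order.
FIELDS = ["accountcode", "src", "dst", "dcontext", "clid", "channel",
          "dstchannel", "lastapp", "lastdata", "start", "answer", "end",
          "duration", "billsec", "disposition", "amaflags"]
ALLOWED_AREA_CODES = {"212", "415"}  # hypothetical: areas this site calls

# Constructed sample CDR rows; numbers, dates and channel names are made up.
SAMPLE_CDR = '''\
"","6001","12125550100","internal","6001","SIP/6001-01","SIP/trunk-02","Dial","","2024-01-05 09:00:00","2024-01-05 09:00:05","2024-01-05 09:03:05",185,180,"ANSWERED","DOCUMENTATION"
"","6002","011442079460000","internal","6002","SIP/6002-03","SIP/trunk-04","Dial","","2024-01-06 02:10:00","2024-01-06 02:10:04","2024-01-06 03:10:04",3604,3600,"ANSWERED","DOCUMENTATION"
"","6002","011442079460001","internal","6002","SIP/6002-05","SIP/trunk-06","Dial","","2024-01-06 03:11:00","2024-01-06 03:11:03","2024-01-06 03:31:03",1203,1200,"ANSWERED","DOCUMENTATION"
"","6003","18095550123","internal","6003","SIP/6003-07","SIP/trunk-08","Dial","","2024-01-06 04:00:00","2024-01-06 04:00:02","2024-01-06 04:01:02",62,60,"ANSWERED","DOCUMENTATION"
'''

def classify(dst):
    """Return why a dialed number needs review, or None if it looks routine."""
    if dst.startswith("011"):
        return "international (011 prefix)"
    national = dst[1:] if len(dst) == 11 and dst.startswith("1") else dst
    if len(national) == 10 and national.isdigit():
        if national[:3] not in ALLOWED_AREA_CODES:
            return f"area code {national[:3]} not on the allowlist"
    return None

def review_cdr(cdr_text):
    """Return {src: [flagged call count, billed seconds]} for flagged calls."""
    totals = defaultdict(lambda: [0, 0])
    for row in csv.reader(io.StringIO(cdr_text)):
        if len(row) < len(FIELDS):
            continue  # skip blank or truncated lines
        rec = dict(zip(FIELDS, row))
        if classify(rec["dst"]):
            totals[rec["src"]][0] += 1
            totals[rec["src"]][1] += int(rec["billsec"] or 0)
    return dict(totals)

if __name__ == "__main__":
    for src, (calls, secs) in review_cdr(SAMPLE_CDR).items():
        print(f"{src}: {calls} flagged call(s), {secs} billed seconds")
```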
Custom modification to chan_sip.c
See this page on how chan_sip.c was modified to block IPs for a duration with bad login attempts. Similar modifications can be used to protect other areas.
Security in a complex piece of software like Asterisk is not a simple thing. Help us collect information on the subject:
- Information on Asterisk and Security, including a presentation from AstriCon 2006
- Asterisk Security White Paper: A white paper written by Zone24x7 Inc about how to configure Asterisk to be secure
- Astricon Europe Powerpoint presentation about asterisk security and stability
- SIP security: What security functions are implemented for SIP in asterisk
- Asterisk security coding: Any thoughts on secure coding, buffer overflows etc?
- Firewalls and Asterisk: What ports are involved and how do I set up a firewall to protect Asterisk?
- Linux security and Asterisk: Any special considerations when installing your Linux platform?
- Asterisk security iax
- Asterisk IAX Vulnerabilities
- Asterisk security mgcp
- Asterisk security ISDN
- Ranch Networks Configuration for MIDCOM with IP-PBX Asterisk
- Dialplan security - What to consider when setting up a dialplan in extensions.conf
- Asterisk security through geographic IP address restriction
- NetSec version of Asterisk v1.2.2: This release of Asterisk contains support for network security devices manufactured by Ranch Networks, Inc., using their MIDCOM interface library. You will need the companion libmidcom-0.1.0.tar.gz file to build the library. Contact Ranch Networks' support department for assistance in building and configuring MIDCOM support.
What is Midcom, you ask? Midcom is an IETF protocol that VoIP PBXs speak to tell firewall-type boxes (like Ranch) what ports to open to allow calls through the firewall. The problem is that, as VoIP gets secure encrypted signaling, firewalls will not be able to tell which ports to open to let media through the firewall. I am scared of the idea that my SIP proxy or IP PBX would be allowed to tell my firewall which ports to open. But I am not sure there is a better solution.
- Good paper that also includes short section on Midcom: NIST: Security Considerations for Voice Over IP Systems
- BSI on VoIP security (German): Abstract - 130 page report, 11 MB
- Nerd Vittles - Avoiding the $100,000 Phone Bill: A Primer on Asterisk Security
- Smartvox article - Tips for better security in your Asterisk server (and FreePBX) config.
- Secure your VoIP server with the SunshineNetworks knock - A method to hide your VoIP server from the outside world, while still allowing remote users access without requiring them to take any additional actions such as first navigating to a web site, etc. Should work with any PBX that has iptables installed (CentOS-based systems have iptables installed by default).
- Asterisk administration
- Asterisk encryption
- SecAst (Asterisk Intrusion Detection and Prevention)
- http://www.securiteam.com/securitynews/5LP0720B5G.html Security Notice: Asterisk / Sept 7, 2003 (Fixed).
- http://www.securiteam.com/unixfocus/5HP0H1PB5S.html Security Notice: Asterisk / Sept 16, 2003.
- Asterisk server running in a chroot jail; not as secure as virtualization but here it is. (Asterisk 1.4.18 and Linux 2.6.24) April 04, 2008.
- Asterisk and SIP: attack and monitoring via event correlation, by using SIPp and SEC January 13, 2009.