VoIP Mechanic

Business VoIp Providers

  • RingCentral Business VoIP

  • Ooma logo

VoIP Business Phone Services Listing


Residential VoIp Providers

  • Home VoIP Service

  • Axvoice

VoIP Residential Phone Services Listing
Home | VoIP FAQs | Contact | Site Map

Asterisk Security primer


Securing SIP Asterisk installations effectively is a "must" today and by taking a few easy steps you can go a long way towards a more secure phone system.  There are a few easy preventative steps that you can take which will make malicious intruders have a much harder time in abusing your SIP phone system.  Unfortunately, there are some easily obtainable SIP scanners widely available that make it much easier today for hacking into a ]system.  It was not long ago when these attempts were fairly prevalent and some systems were compromised allowing culprits to make thousands of toll calls at the owners expense.  Since that time awareness of potential SIP  vulnerabilities has increased and many installations of Asterisk have been "hardened", but many others may not have been.   For those we recommend the following easy steps that will make any attempts to exploit an easy target much more difficult, and in most cases not worth the effort.

Security on an Asterisk PBX is important. Take a few steps.

5 Steps to securing Asterisk

  • Change default passwords.  Certain default passwords that come with Linux, such as root and password need to be changed to one that is unique and follows good password rules.  Others that are part of the Asterisk@Home such as the maint login should be changed right away as well.  Additionally, disable the Alt+F9 access which bypasses directly to the administration console.
  • Do not use the extension number as the SIP name.   While convenience plays a part in making the extension number the same as the SIP entry, this will be the first guess of an attacker. 
  • Use strong passwords.  Brute force attacks, where large numbers of word or number sequences are tried have become easier and quicker to launch now that processors are more robust.  Make your systems more secure by using long passwords with a combination of letters, numbers, and other symbols using both upper and lower case.
  • Limit access to SIP authentication.   By restricting which IP addresses can access each user in the sip.conf file you can limit allowable requests to a reasonable set of IP addresses.  This can be done by using permit= and deny= in the sip.conf file. 
  • Set your system to reject bad authentication requests. An option that will reject non-rusticated requests to valid usernames is alwaysauthreject=yes in the sip.conf file. This option will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.
  • Disable International Calling.  Most attempts at using a hacked phone system (not only Asterisk) is to make International calls.  An easy way to limit liability from fraudulent charges is to have your Phone or SIP provider disable International calling on your account.
Business VoIP Providers 
Provider Plan Details Monthly Rate*
RingCentral Business VoIP RATED #1 BY INDUSTRY EXPERTS
  • Includes 100+ Premium Features
  • Unlimited Calling, Faxing, SMS, Conferencing
  • Trusted by over 350,000 Businesses
$19.99
Details
4/5

142 Reviews

Ooma logo The #1 VoIP solution for remote teams.
  • Work from anywhere with mobile & desktop apps
  • Stay connected with video meetings
  • Manage users easily with intuitive admin portal
$19.95
Details
4.5/5

46 Reviews

Business VoIP Provider Alliance Phones for Business
  • Control Panel monitoring
  • Setup takes under an hour
  • Receive daily call reports

* 12% discount for subscribing and paying for a year upfront
$19.97*
Details
5/5

13 Reviews

*Rates shown do not include taxes, surcharges and E-911 charges. Some providers offering promotions like unlimited calling have restrictions. Read individual providers terms and conditions before you buy.
VoIP Business Phone Services Listing

One more good security step.

Malicious intruders on VoIP systems or now traditional PBXs typically try to make a large amount of calls over a short duration and the most expensive and costly are International calls, which amounts to the largest percentage of calling freud. 

  • Set your system to ask for a password on dialing overseas numbers or International 011 numbers, if you do make International calls.
  • Have your telecom provider disable to turn off International dialing on your account.

There are many more other security measures that can be taken on a network which will further secure access, including using non-standard ports, closing down your firewall except for specific ports needed for your voice and other applications.  Creating VLANs for voice is another good practice which segregates the voice side of the network, limiting access.  The above five suggestions are easy, necessary and can go a long way in prevented unauthorized intruders in using your system to make toll calls that end up on your account.  This happened in Australia where an unsuspecting business go hit with thousands of dollars worth of International calls over the short period of  2 days.  Targeting unprotected systems thieves hack into the system and exploit call-forwarding to sends calls out racking up toll charges.

Keep your Asterisk server lean.

Limit the services on your Linux operating system to only the essentials.  Turn off those services which are not needed.  You will also want to limit the what you install on the box.  It should only be Linux and Asterisk.  Consider:

  • Don't have a database (SQL) running on your Asterisk server.
  • No Apache.  Keep your web server on another box.

 

Website Navigation
information

Some Asterisk installations incorporate Fail2Ban, which is a limited log based intrusion detection system that can be used to prevent SIP brute force attacks against their Asterisk PBX.

It works by scanning log files and then taking action based on the entries in those logs and preventing connections from  specific IP addresses.  Typical settings would include a set time to stop the ban from a blocked host, so preventing a lock out from any credible connections that may have been temporarily mis-configured.  Usually several minutes blocking requests is adequate to stop a network connection being flooded by malicious connections.  And will reduce the chance of success from a dictionary attack.

Fail2ban can ban offending hosts for whatever interval is set, from a few minutes to permanently.

Watch this video of hacking an Asterisk PBX and getting extensions and their passwords.

 

Slashdot Media © 2005-2023 All rights reserved | Home | VoIP FAQs | Contact| Advertise | Terms of use | Privacy | Site Map