Asterisk Security primer
Securing SIP Asterisk installations effectively is a "must" today, and by taking a few easy steps you can go a long way towards a more secure phone system. There are a few easy preventative steps you can take that will make it much harder for malicious intruders to abuse your SIP phone system. Unfortunately, easily obtainable SIP scanners are widely available and make hacking into a system much easier today. It was not long ago that these attempts were fairly prevalent, and some systems were compromised, allowing the culprits to make thousands of toll calls at the owner's expense. Since then, awareness of potential SIP vulnerabilities has increased and many Asterisk installations have been "hardened", but many others may not have been. For those we recommend the following easy steps, which will make any attempt to exploit an easy target much more difficult and, in most cases, not worth the effort.
5 Steps to securing Asterisk
- Change default passwords. Default credentials that ship with Linux, such as the root login and its default password, need to be changed to unique passwords that follow good password rules. Defaults that are part of Asterisk@Home, such as the maint login, should be changed right away as well. Additionally, disable the Alt+F9 shortcut, which drops straight into the administration console.
- Do not use the extension number as the SIP name. While it is convenient to make the SIP entry the same as the extension number, that will be an attacker's first guess.
- Use strong passwords. Brute force attacks, in which large numbers of word or number sequences are tried, have become easier and quicker to launch now that processors are more powerful. Make your systems more secure by using long passwords that combine upper- and lower-case letters, numbers, and other symbols.
- Limit access to SIP authentication. By restricting which IP addresses can access each user in the sip.conf file you can limit allowable requests to a reasonable set of IP addresses. This can be done by using permit= and deny= in the sip.conf file.
- Set your system to reject bad authentication requests. The option alwaysauthreject=yes in the sip.conf file rejects unauthenticated requests to valid usernames with the same rejection information as for invalid usernames, denying remote attackers the ability to detect existing extensions through brute-force guessing.
- Disable International Calling. Most attempts at using a hacked phone system (not only Asterisk) are to make International calls. An easy way to limit liability from fraudulent charges is to have your phone or SIP provider disable International calling on your account.
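As an added example (not from the original primer), the following script checks a sip.conf against the steps above: a bare extension number used as the peer name, a weak secret, a peer without deny=/permit= source restrictions, and a [general] section without alwaysauthreject=yes. The embedded sip.conf is a constructed sample, with a weak peer [201] shown beside a hardened peer [alice-desk]; the secret-strength thresholds are my own assumptions.

```python
import configparser
import re

# Constructed sample sip.conf (not from the article). [201] shows the weak
# settings the primer warns about; [alice-desk] shows the corrected form.
SAMPLE_SIP_CONF = """
[general]
context=default
; alwaysauthreject is missing here

[201]
type=friend
secret=201
host=dynamic
context=internal

[alice-desk]
type=friend
secret=Xk9#vP2q!mL7wZ4r
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
context=internal
"""


def is_strong_secret(secret, min_len=12):
    """Assumed policy: at least min_len chars with upper, lower, digit and symbol."""
    classes = [r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"]
    return len(secret) >= min_len and all(re.search(c, secret) for c in classes)


def audit_sip_conf(text):
    """Return (section, finding) tuples for each weakness found in a sip.conf."""
    # strict=False tolerates repeated keys such as multiple allow= lines.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    if cp.get("general", "alwaysauthreject", fallback="no").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not set to yes"))
    for name in cp.sections():
        sec = cp[name]
        if name == "general" or sec.get("type", "") not in ("friend", "peer", "user"):
            continue  # only SIP peer/user definitions are audited
        if re.fullmatch(r"\d+", name):
            findings.append((name, "peer name is a bare extension number"))
        if not is_strong_secret(sec.get("secret", "")):
            findings.append((name, "secret is short or lacks mixed case, digits and symbols"))
        if "deny" not in sec or "permit" not in sec:
            findings.append((name, "no deny=/permit= restriction on source addresses"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print(f"[{section}] {finding}")
```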
One more good security step.
Malicious intruders on VoIP systems, and on traditional PBXs, typically try to make a large number of calls over a short period. The most expensive and costly are International calls, which account for the largest share of calling fraud.
- Set your system to ask for a password on dialing overseas numbers or International 011 numbers, if you do make International calls.
- Have your telecom provider turn off International dialing on your account.
There are many other security measures that can be taken on a network to further restrict access, including using non-standard ports and closing down your firewall except for the specific ports needed for voice and other applications. Creating VLANs for voice is another good practice: it segregates the voice side of the network and limits access. The above five suggestions are easy, necessary, and go a long way towards preventing unauthorized intruders from using your system to make toll calls that end up on your account. This happened in Australia, where an unsuspecting business got hit with thousands of dollars' worth of International calls over a period of just 2 days. Thieves target unprotected systems, break in, and exploit call forwarding to send calls out, racking up toll charges.
Keep your Asterisk server lean.
Limit the services on your Linux operating system to the essentials, and turn off those that are not needed. You will also want to limit what you install on the box: it should be only Linux and Asterisk. Consider:
- Don't have a database (SQL) running on your Asterisk server.
- No Apache. Keep your web server on another box.