IMPORTANT - Asterisk (and other PBX) Security

#1
We support open source Asterisk and several proprietary PBX installations and provide free SIP trunks to your servers.

However, please be aware that if you don't know exactly what you are doing you could easily open yourself to attack from the many internet hackers now targeting naive PBX users.

If you do use one of these boxes, we strongly advise you to have it professionally installed and maintained; Voipfone is not responsible for your network being compromised by hackers and you could find yourself with a large telephone bill.

If you're not an Asterisk specialist installer/maintainer and do not use one, we recommend you use our Virtual PBX which is managed by us in our secure Data Centres.

See: http://www.voipfone.co.uk/switchboard_a ... rvices.php

Below are 7 tips that Digium, the Asterisk company, provide to minimise these risks.
Seven Easy Steps to Better SIP Security on Asterisk:

1) Don't accept SIP authentication requests from all IP addresses. Use the permit= and deny= lines in sip.conf to only allow a reasonable subset of IP addresses to reach each listed extension/user in your sip.conf file. Even if you accept inbound calls from anywhere (via [default]) don't let those users reach authenticated elements!

2) Set 'alwaysauthreject=yes' in your sip.conf file. This option has been around for a while (since 1.2?) but the default is 'no', which allows extension information leakage. Setting this to 'yes' will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.

3) Use STRONG passwords for SIP entities. This is probably the most important step you can take. Don't just concatenate two words together and suffix it with '1'; if you've seen how sophisticated the tools are that guess passwords, you'd understand that trivial obfuscation like that is a minor hindrance to a modern CPU. Use symbols, numbers, and a mix of upper and lowercase letters at least 12 digits long.

4) Block your AMI manager ports. Use 'permit=' and 'deny=' lines in manager.conf to reduce inbound connections to known hosts only. Use strong passwords here, again at least 12 characters with a complex mix of symbols, numbers, and letters.

5) Allow only one or two calls at a time per SIP entity, where possible. At the worst, limiting your exposure to toll fraud is a wise thing to do. This also limits your exposure when legitimate password holders on your system lose control of their passphrase; writing it on the bottom of the SIP phone, for instance, which I've seen.

6) Make your SIP usernames different than your extensions. While it is convenient to have extension '1234' map to SIP entry '1234' which is also SIP user '1234', this is an easy target for attackers to guess SIP authentication names. Use the MAC address of the device, or some sort of combination of a common phrase + extension MD5 hash (example: from a shell prompt, try 'md5 -s ThePassword5000').

7) Ensure your [default] context is secure. Don't allow unauthenticated callers to reach any contexts that allow toll calls. Permit only a limited number of active calls through your default context (use the 'GROUP' function as a counter.) Prohibit unauthenticated calls entirely (if you don't want them) by setting 'allowguest=no' in the [general] part of sip.conf.

These 7 basics will protect most people, but there are certainly other steps you can take that are more complex and reactive. Here is a fail2ban recipe which might allow you to ban endpoints based on volume of requests.

http://www.voip-info.org/wiki/view/Fail ... d+Asterisk

The industry recommendations for secure deployment of an IP-PBX document can be found here:
http://www.itspa.org.uk/downloads/ITSPA_BCP_IP-PBX.pdf
Regards,

Voipfone Customer Services

iNet Telecoms Ltd (Voipfone)
Sovereign House
227 Marsh Wall
London
E14 9SD
United Kingdom

Registered number: 05168033
Vat Registration Number 858850966

Telephone: 020 7043 5555
Fax: 020 7043 5556

Web: http://www.voipfone.co.uk
Blog: http://www.voipfoneblog.co.uk
Forum: http://www.voipfoneuserforum.co.uk
Twitter: http://www.twitter.com/voipfone
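As an added example (not code from Voipfone or Digium), here is a small Python audit that parses a sip.conf and reports which of the tips above are not met. It assumes a constructed sample sip.conf embedded inline, reads tip 3 as "12+ characters with lower, upper, digit and symbol", and uses the per-peer call-limit= option for tip 5; tip 4 (manager.conf) is out of scope.

```python
import re
from collections import defaultdict
# Constructed sample sip.conf (not from a real deployment): weak [general] settings,
# a peer named after its extension with a trivial secret, and one hardened peer.
SAMPLE_SIP_CONF = """[general]
allowguest=yes
alwaysauthreject=no
[1234]
secret=password1
[a1b2c3d4e5f6]
secret=Xy7!qL#2pW9$mR4z
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
call-limit=2
"""

def parse_sip_conf(text):  # -> {section: {key: [values]}}; permit/deny may repeat
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        if m := re.match(r"^\[([^\]]+)\]", line):
            current = sections.setdefault(m.group(1), defaultdict(list))
        elif "=" in line and current is not None:
            key, val = (s.strip() for s in line.split("=", 1))
            current[key.rstrip(">")].append(val)  # Asterisk also accepts 'key => value'
    return sections

STRONG = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^A-Za-z0-9]).{12,}$")  # tip 3

def audit(sections):  # -> [(section, finding)] for the tips checkable in sip.conf alone
    findings = []
    gen = sections.get("general", {})
    if gen.get("alwaysauthreject", ["no"])[-1].lower() != "yes":  # tip 2
        findings.append(("general", "alwaysauthreject is not yes: extensions can be enumerated"))
    if gen.get("allowguest", ["yes"])[-1].lower() != "no":  # tip 7
        findings.append(("general", "allowguest is not no: unauthenticated calls reach [default]"))
    for name, sec in sections.items():
        if name == "general" or "secret" not in sec:
            continue  # only authenticating peers/users are checked
        if not STRONG.match(sec["secret"][-1]):
            findings.append((name, "weak secret (tip 3)"))
        if name.isdigit():
            findings.append((name, "SIP username looks like an extension number (tip 6)"))
        if not sec.get("permit") or not sec.get("deny"):
            findings.append((name, "no permit/deny ACL on source addresses (tip 1)"))
        if not sec.get("call-limit"):
            findings.append((name, "no call-limit on concurrent calls (tip 5)"))
    return findings
```

Running audit(parse_sip_conf(SAMPLE_SIP_CONF)) flags the two [general] settings and four problems with peer 1234, and nothing for the hardened peer.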

Re: IMPORTANT - Asterisk (and other PBX) Security

#3
We already limit the number of auto top-ups possible to protect you from open-ended risk.

For obvious reasons we can't discuss the level this is set at - but of course we have to balance the risk of a compromised account against the risk of running out of calling credit.

We'll look into allowing this to be user configurable, but we are also thinking about other safeguards.

If you keep your PBX up to date and use a professional to maintain it, you should be safe. Otherwise you should use our virtual PBX.
Regards,

Voipfone Customer Services

Copyright 2004 - 2017, iNet Telecoms® Ltd. All rights reserved.