[Asterisk-Users] Security and SIP
Mark Phillips
g7ltt at g7ltt.com
Mon Aug 15 04:08:45 MST 2005
You could make your FWD configs even more secure by switching to IAX
(you have to register with them for it) and then you can use RSA keys
(already in your * distro) to prevent faking of connections.
Check with the FWD site. There's a howto on there.
I use this method and I like it a lot. Especially as the IAX trunk allows
me to have more than one concurrent call and takes up very little extra
network overhead.
Mark
John Fawcett wrote:
> I've now set up SIP for:
> - internal softphones
> - registering with external providers (like FWD) for making calls
> - receiving calls from these providers
>
> For the latter step, it was necessary to forward ports from my NAT
> to the asterisk server: 5060 + range of ports mentioned in rtp.conf.
>
> I was just wondering about how to make this setup as secure as
> possible. Here's what I've done so far:
>
> 1. defined a default context in sip.conf which cannot access any
> real extension.
> sip.conf:
> [general]
> context=from-unknown-sip
>
> extensions.conf:
> [from-unknown-sip]
> exten => _.,1,CONGESTION
>
> 2. for peers, defined a context which does not provide access to
> outside lines.
>
> sip.conf:
> [fwd.pulver.com]
> type=peer
> username=688426
> fromuser=688426
> secret=xxxxxxxxxx
> host=fwd.pulver.com
> port=5060
> nat=yes
> canreinvite=no
> insecure=very
> context=sip-external
> disallow=all
> allow=ulaw
>
> 3. for peers, defined insecure=very which should check that the
> incoming call comes from the same IP as was registered.
>
> 4. for internal softphones, which can make outgoing calls,
> limited registrations to a specific network address using
> deny/permit
>
> sip.conf:
> [31]
> type=friend
> callerid="31 at sip.michaweb.net" <31>
> host=dynamic
> deny=0.0.0.0/0.0.0.0
> permit=192.168.2.32/255.255.255.255
> context=sip-internal
> secret=xxxxxxxxxxxx
> disallow=all
> allow=ulaw
> allow=alaw
>
> Anything else I can do to improve security?
>
> I specifically don't want anyone external to be able to make calls.
>
> As I've opened port 5060 + rtp.conf ports only for the purpose of
> receiving calls from services I have registered with, I don't want
> any external phones to be able to register via this route.
> Is there any risk of this if someone can guess a password (maybe
> unlikely but given time this could happen).
>
> Thanks,
> John
>
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users at lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
>
--
Mark, G7LTT/KC2ENI
Randolph, NJ
http://www.g7ltt.com
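The four steps John lists (a dead-end default context, a restricted context for external peers, insecure=very on those peers, and deny/permit on registering softphones) are worth checking mechanically every time sip.conf is edited, because one forgotten line on a new softphone entry silently undoes step 4. The script below is an added example, not code from the original post or from the Asterisk project: it reads sip.conf and extensions.conf with a small parser of my own (the function names are not an Asterisk API), runs over a constructed sample that mirrors John's entries plus a deliberately incomplete second softphone, and reports which sections miss one of those checks. The secrets in the sample are placeholders.

```python
"""Audit an Asterisk 1.x sip.conf / extensions.conf pair against the
hardening points in the thread.  Added example, not from the original post
or the Asterisk project; sample configs are constructed, secrets are
placeholders, and the function names are mine, not an Asterisk API."""

from collections import defaultdict

# Constructed sample: John's [general], FWD peer and softphone [31], plus a
# second softphone [32] that forgot the deny/permit restriction.
SAMPLE_SIP_CONF = """\
[general]
context=from-unknown-sip

[fwd.pulver.com]
type=peer
username=688426
fromuser=688426
secret=xxxxxxxxxx
host=fwd.pulver.com
port=5060
nat=yes
canreinvite=no
insecure=very
context=sip-external
disallow=all
allow=ulaw

[31]
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.2.32/255.255.255.255
context=sip-internal
secret=xxxxxxxxxxxx
disallow=all
allow=ulaw

[32]
type=friend
host=dynamic
context=sip-internal
secret=xxxxxxxxxxxx
allow=ulaw
"""

SAMPLE_EXTENSIONS_CONF = """\
[from-unknown-sip]
exten => _.,1,CONGESTION

[sip-internal]
; constructed outbound route, not from the post
exten => _9.,1,Dial(SIP/fwd.pulver.com/${EXTEN:1})
"""

DEAD_END_APPS = {'CONGESTION', 'HANGUP', 'BUSY'}


def parse_asterisk_conf(text):
    """Parse an Asterisk config into {section: {key: [values]}}.
    Keys may repeat (allow=, permit=, exten=>), so values are lists."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            sections.setdefault(current, defaultdict(list))
            continue
        sep = '=>' if '=>' in line else '='
        if current is None or sep not in line:
            continue
        key, value = line.split(sep, 1)
        sections[current][key.strip().lower()].append(value.strip())
    return sections


def context_is_dead_end(extensions_text, context):
    """True if every priority in `context` is CONGESTION/HANGUP/BUSY, i.e.
    an unauthenticated caller landing there can reach no real extension."""
    ctx = parse_asterisk_conf(extensions_text).get(context)
    if not ctx or not ctx.get('exten'):
        return False                              # missing context: not proven safe
    for entry in ctx['exten']:
        parts = entry.split(',', 2)               # pattern,priority,app(args)
        if len(parts) < 3:
            return False
        app = parts[2].split('(', 1)[0].strip().upper()
        if app not in DEAD_END_APPS:
            return False
    return True


def audit_sip_conf(sip_text, extensions_text, internal_contexts=('sip-internal',)):
    """Return a list of (section, finding) tuples; an empty list means all checks pass."""
    cfg = parse_asterisk_conf(sip_text)
    findings = []
    general = cfg.get('general', {})
    default_ctx = general.get('context', [None])[-1]
    if default_ctx is None:
        findings.append(('general', 'no default context: unknown callers land in [default]'))
    elif not context_is_dead_end(extensions_text, default_ctx):
        findings.append(('general', 'default context %s is not a dead end' % default_ctx))
    for name, sec in cfg.items():
        if name == 'general':
            continue
        stype = sec.get('type', ['friend'])[-1].lower()
        host = sec.get('host', [''])[-1].lower()
        ctx = sec.get('context', [default_ctx])[-1]
        if not sec.get('secret'):
            findings.append((name, 'no secret configured'))
        if stype == 'peer' and ctx in internal_contexts:
            findings.append((name, 'external peer lands in an internal (outbound) context'))
        if host == 'dynamic' and not (sec.get('deny') and sec.get('permit')):
            findings.append((name, 'dynamic registration without deny/permit restriction'))
        if 'very' in sec.get('insecure', []) or 'invite' in sec.get('insecure', []):
            findings.append((name, 'insecure=%s: incoming INVITEs from this host are not '
                                   'authenticated, so its context must not reach outbound '
                                   'lines' % sec['insecure'][-1]))
    return findings


if __name__ == '__main__':
    for section, finding in audit_sip_conf(SAMPLE_SIP_CONF, SAMPLE_EXTENSIONS_CONF):
        print('[%s] %s' % (section, finding))
```

Run against the sample it reports two things: the FWD peer's insecure=very (informational, since its context is sip-external) and softphone [32], which registers from anywhere because it has no deny/permit pair. To use it on a live box, read the two files from /etc/asterisk in place of the constants and extend `internal_contexts` to every context that can dial out.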