[Asterisk-Users] Security and SIP

Damon Estep damon at suburbanbroadband.net
Mon Aug 15 07:32:32 MST 2005


Block SIP on a firewall between * and the public internet, and then
create rules for your peers' IP range.

This assumes you know the IP that all peers and clients use; if not, just
block from regions of the world you do not need to connect to/from.

We find that most hack attempts come from one well-known region, so we
block the entire IP range routed to that region.

Also, add noload= for the voip protocols you do not use in modules.conf.

You are far better off even if you do things like limiting the
connections to the ENTIRE IP range of your local Cable/DSL providers.
Prevents folks in the rest of the world from even trying to connect.

Toll fraud is huge. It looks like you have done the basics, but you
should take additional steps many others would call unnecessary since you
will get the bill if someone gets it.

> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com [mailto:asterisk-users-
> bounces at lists.digium.com] On Behalf Of John Fawcett
> Sent: Monday, August 15, 2005 3:22 AM
> To: asterisk-users at lists.digium.com
> Subject: [Asterisk-Users] Security and SIP
> 
> I've now setup SIP for:
> - internal softphones
> - registering with external providers (like FWD) for making calls
> - receiving calls from these providers
> 
> For the latter step, it was necessary to forward ports from my NAT
> to the asterisk server: 5060 + range of ports mentioned in rtp.conf.
> 
> I was just wondering about how to make this setup as secure as
> possible. Here's what I've done so far:
> 
> 1. defined a default context in sip.conf which cannot access any
> real extension.
> sip.conf:
> [general]
> context=from-unknown-sip
> 
> extensions.conf:
> [from-unknown-sip]
> exten => _.,1,CONGESTION
> 
> 2. for peers, defined a context which does not provide access to
> outside lines.
> 
> sip.conf:
> [fwd.pulver.com]
> type=peer
> username=688426
> fromuser=688426
> secret=xxxxxxxxxx
> host=fwd.pulver.com
> port=5060
> nat=yes
> canreinvite=no
> insecure=very
> context=sip-external
> disallow=all
> allow=ulaw
> 
> 3. for peers, defined insecure=very which should check that the
> incoming call comes from the same IP as was registered.
> 
> 4. for internal softphones, which can make outgoing calls,
> limited registrations to a specific network address using
> deny/permit
> 
> sip.conf:
> [31]
> type=friend
> callerid="31 at sip.michaweb.net" <31>
> host=dynamic
> deny=0.0.0.0/0.0.0.0
> permit=192.168.2.32/255.255.255.255
> context=sip-internal
> secret=xxxxxxxxxxxx
> disallow=all
> allow=ulaw
> allow=alaw
> 
> Anything else I can do to improve security?
> 
> I specifically don't want anyone external to be able to make calls.
> 
> As I've opened port 5060 + rtp.conf ports only for the purpose of
> receiving calls from services I have registered with, I don't want
> any external phones to be able to register via this route.
> Is there any risk of this if someone can guess a password (maybe
> unlikely but given time this could happen).
> 
> Thanks,
> John

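The firewall approach from the reply above, as an added example that is not part of the original thread: a shell function that prints (does not apply) iptables rules admitting SIP signalling and RTP only from listed peer ranges. The chain name SIP_PEERS, the RTP range 10000:20000 and the provider range 198.51.100.0/24 are assumptions; 192.168.2.32 is the softphone address from the quoted sip.conf.

```shell
#!/bin/sh
# Added example: prints an iptables allowlist for SIP and RTP so it can be
# reviewed before use. Assumed names: chain SIP_PEERS, CHAIN, RTP_PORTS.

valid_cidr() {
    # Accept only dotted-quad IPv4 with a /0-32 prefix, so a typo cannot
    # become a rule that matches more sources than intended.
    case "$1" in */*) ;; *) return 1 ;; esac
    addr=${1%/*}; len=${1#*/}
    case "$addr" in ''|*[!0-9.]*) return 1 ;; esac
    case "$len" in ''|???*|*[!0-9]*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ''|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

sip_allowlist_rules() {
    # CHAIN: INPUT on the Asterisk host itself, FORWARD on a separate firewall.
    chain=${CHAIN:-INPUT}
    # RTP_PORTS: assumed range; use the rtpstart/rtpend values from rtp.conf.
    rtp=${RTP_PORTS:-10000:20000}
    # An empty allowlist would silently drop every peer, so refuse it.
    [ $# -gt 0 ] || { echo "no peer ranges given" >&2; return 1; }
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "invalid CIDR: $cidr" >&2; return 1; }
    done
    echo "iptables -N SIP_PEERS"
    for cidr in "$@"; do
        echo "iptables -A SIP_PEERS -s $cidr -j ACCEPT"
    done
    # Anything not listed above never reaches the SIP or RTP ports.
    echo "iptables -A SIP_PEERS -j DROP"
    echo "iptables -A $chain -p udp --dport 5060 -j SIP_PEERS"
    echo "iptables -A $chain -p udp --dport $rtp -j SIP_PEERS"
}

# Constructed sample: the internal softphone plus a placeholder provider range.
sip_allowlist_rules 192.168.2.32/32 198.51.100.0/24
```

RTP often arrives from media servers on a different address than the SIP signalling host, so the allowlist has to cover the provider's media range as well.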