[Asterisk-Users] (newby) Asterisk on the open internet & security

Michiel van Baak michiel at vanbaak.info
Sun Feb 5 14:11:18 MST 2006


On 22:38, Sun 05 Feb 06, Cosmin Prund wrote:
> 
> Hello everyone. I'm again bothering you with a bit of a problem, hopefully
> not really a problem. I just need someone to tell me this is ok :-)
> 
> I'm planning on having two * machines on the open internet (i.e. not behind a
> NAT) and having them talk to each other using IAX2. I can handle all the
> firewalling requirements in this case easily because at least one of the *'s
> has a fixed address and I'll be able to filter traffic on IP.
> 
> It's all fine and safe so far. But then it hit me: I'll also want to "log
> on" to my business's PBX from home, in order to gain access to some of its
> low-rate gateways! That will not work if my office * filters on IP! Nor
> would I be able to use a soft SIP phone on my laptop when I'm not at the
> office!
> 
> So my question:
> 
> Is Asterisk's built-in security enough? If ALL my SIP peers have proper
> usernames and secrets set up and my box has only the required ports open, is
> it safe to run Asterisk on the open internet? Does anyone run Asterisk like
> that?
> 
> I can almost answer my own question: "You may safely run Asterisk like that
> - there are lots of VoIP services providing PSTN termination that way" but,
> being new to all this stuff, I'll stay on the safe side and ask.
> 
> Thanks. 

Hey,

We are running Asterisk on the internet, allowing SIP phones
at customers' locations/laptops etc. to log in and use the calls.
Just make sure to disallow SIP users/peers without valid
user/secret in the extensions.conf
(something like this in sip.conf)
[general]
context = sip-default
(and in extensions.conf)
[sip-default]
exten => s,1,Hangup()

If you don't trust and fear someone is sniffing your UDP
packets that hold user/secret, you can always set up OpenVPN
(or whatever VPN solution) and use that to connect first and
tunnel your SIP traffic through it.
-- 
Michiel van Baak
http://michiel.vanbaak.info
michiel at vanbaak.info
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x7E0B9A2D

"Why is it drug addicts and computer aficionados are both called users?"
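
An added example, not part of the original post and not Asterisk project code: a small Python check that the two conditions from the reply hold for a pair of config files, namely that the [general] context in sip.conf points at a dialplan context that only hangs up and that every peer section has a secret. The sample configs, the peer names and the `audit` helper are constructed for illustration; it assumes `;` starts a comment and that the fallback context name is `default`.

```python
import re

# Constructed sample configs, not taken from the original post.
SIP_CONF = """\
[general]
context = sip-default
[alice]
type = friend
secret = constructed-secret
[bob]
type = friend
"""
EXTENSIONS_CONF = """\
[sip-default]
exten => s,1,Hangup()
[internal]
exten => _X.,1,Dial(SIP/${EXTEN})
"""

def parse_sections(text):
    """Return {section: [(key, value), ...]} for Asterisk-style config text."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # assumption: ';' starts a comment
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)  # handles both '=' and '=>'
            sections[current].append((key.strip(), value.lstrip(">").strip()))
    return sections

def audit(sip_text, ext_text):
    """List findings: guest context doing more than Hangup, peers with no secret."""
    sip, ext = parse_sections(sip_text), parse_sections(ext_text)
    findings = []
    # Assumption: with no context in [general], Asterisk falls back to "default".
    guest_ctx = dict(sip.get("general", [])).get("context", "default")
    for key, value in ext.get(guest_ctx, []):
        app = value.split(",", 2)[-1]  # "s,1,Hangup()" -> "Hangup()"
        if key == "exten" and not app.lower().startswith("hangup"):
            findings.append(f"guest context [{guest_ctx}] runs {app}")
    for name, opts in sip.items():
        opts = dict(opts)
        if name != "general" and "type" in opts and not opts.get("secret"):
            findings.append(f"peer [{name}] has no secret")
    return findings
```

Calling `audit(SIP_CONF, EXTENSIONS_CONF)` on the constructed sample reports only the peer without a secret; pointing [general] at a context that dials out adds a second finding.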