[asterisk-users] How do you harden an Asterisk install?
Rich Adamson
radamson at routers.com
Thu Jul 13 21:53:19 MST 2006
shadowym wrote:
> Thanks for the suggestions but I specifically asked for options OTHER than a
> second server. Your suggestions about disabling un-needed services are good
> though. I already do that. I am hoping someone has some suggestions that
> are not as obvious that I have perhaps not thought of.
From a linux command line, run "netstat -a" or "netstat -an" and
identify every tcp & udp port that has a state of listen. You'll
probably find several that you were not aware of. Research what the
ports are used for and disable as needed. If you don't / can't disable
the function using the port, then use a firewall or router access list
to block internet folks from accessing the machine on those ports. Or,
download and run nmap to identify open ports remotely.

Download and run nessus (security scanner) against your server.

Review your asterisk config files and make sure you understand exactly
what default contexts are implemented, and address those as needed.
iax2 and sip access to the server match certain parameters defined in
each context, looking for a match that might include username, secret,
IP address, etc. Understand the matching logic and make sure each
defined context is used the way it is supposed to be used. (There are
likely a fairly large number of asterisk boxes with contexts defined
where the implementor thought it was being used, but a different context
is actually being used.)

Implement the "deny" and "permit" statements where it makes sense to do
so, limiting access to a specific IP address or network.

Use lengthy secrets in your sip and iax definitions as it's not all that
hard to write code that will repeatedly guess them. (For example, there
are apps that can be downloaded to guess account passwords in Microsoft
domains. One such app that I tested a while back guessed a user's
five-character password in less than five seconds. Changing his password
to eight characters required an hour to guess it, and changing the
password to eight characters with special symbols required over 24
hours.) You might also read the sample conf files and look for a
parameter that addresses how many incorrect secrets asterisk can see
before it slows its responses, essentially minimizing the impact of
password guessing apps.

Subscribe to any of several security lists that track linux distro
vulnerabilities and patch your distro as needed. One such advisory
service is available at http://secunia.com/advisories .

Use "asterisk security" with google and you'll see several references to
white papers, wiki pages, etc., for additional items.

Then, back up your config files on something else and wait for your
server to be compromised. ;)
R.
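The three config-file points in the reply above (lengthy secrets, deny/permit restrictions, and peers that quietly fall into the [general] default context) can be checked mechanically. The Python auditor below is an added example, not code from the post or from the Asterisk project; the sip.conf text and the 12-character threshold are constructed assumptions.

```python
import re
MIN_SECRET_LEN = 12  # assumption: what counts as a "lengthy" secret
SAMPLE_SIP_CONF = """\
[general]
context=default            ; peers without their own context land here
[1001]
secret=abc12               ; five characters: guessable in seconds
host=dynamic               ; no deny/permit, so any address may register
[1002]
secret=Xq7!pL2#vR9mTz4w
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0       ; deny all first, then permit only the LAN
permit=192.168.1.0/255.255.255.0
"""  # constructed sample, not a real configuration

def parse_sip_conf(text):
    """{section: [(key, value), ...]}; repeated keys kept, '=' or '=>' accepted."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()       # ';' starts a comment
        if not line:
            continue
        header = re.match(r'\[([^\]]+)\]', line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        parts = re.split(r'\s*=>?\s*', line, maxsplit=1)
        if len(parts) == 2 and current is not None:
            sections[current].append((parts[0], parts[1]))
    return sections

def audit(text):
    """Return (section, finding) pairs for every peer that needs attention."""
    sections = parse_sip_conf(text)
    general = dict(sections.pop('general', []))
    findings = []
    for name, entries in sections.items():
        keys = dict(entries)                      # last value wins
        acl = [k for k, _ in entries if k in ('deny', 'permit')]
        if 'secret' in keys and len(keys['secret']) < MIN_SECRET_LEN:
            findings.append((name, 'short-secret'))
        if 'context' not in keys:                 # silently uses [general]'s context
            findings.append((name, 'inherits-context:' + general.get('context', '')))
        if keys.get('host') == 'dynamic' and not acl:
            findings.append((name, 'no-acl'))
        if 'permit' in acl and 'deny' not in acl:  # permit alone restricts nothing
            findings.append((name, 'permit-without-deny'))
    return findings
```

Running audit(SAMPLE_SIP_CONF) flags only peer 1001, on all three counts; 1002 passes because it has a long secret, its own context, and a deny-all followed by a LAN permit.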