[asterisk-users] Best practice security for internet access to Asterisk
Duncan Turnbull
duncan at e-simple.co.nz
Tue Jan 29 20:56:04 CST 2008
Hi All
For the scenario of a single Asterisk server that needs to serve clients
on the net, as well as local office clients, I would be very interested
in people's views of the best method to handle security to prevent net
based attacks while still allowing the client access.
Some of the challenges I see are:
- preventing brute force and bot type attacks
- monitoring for unusual events and notifying and acting appropriately
- limiting damage if someone does get in
- avoiding a denial or degradation of service on your Asterisk platform
- making it easy for staff to use
Some of this can be done with
- firewall control - but it's hard to limit where your clients will come
from, besides restricting ports
- scripts monitoring logs. I saw a recipe for checking password failures
then blocking that IP after x failures. I imagine this could get quite
sophisticated
- using separate restrictions for offnet users but this kind of makes it
harder for the staff members.
- using a proxy in front of Asterisk for SIP, to limit the available
extensions and minimise the scanning impact on the Asterisk box. I am
hoping this could detect and prevent illegitimate or poorly formed
requests or unknown user agents. Staff should be using a standard set.
- using IAX softclients to shift the attack requirements - I don't know
much about how well these work
- running all clients over a VPN, e.g. OpenVPN, but this is not so good
for wireless handsets or other devices that can't do a VPN
I am interested in all views and recommendations
Thanks very much
Cheers Duncan
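
The log-monitoring recipe mentioned in the post (count password failures per IP, flag the address after x failures) could look like the following. This is an added example, not part of the original message. The log line layout is an assumption modelled on chan_sip "Registration ... failed for" NOTICE lines, the sample lines are constructed, and `find_offenders`, its parameters and the 192.168.0.0/16 office allowlist are hypothetical names and values.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed format: chan_sip NOTICE lines. Greedy '.*' plus '$' read the address
# from the end of the line, so From-header text cannot spoof the source.
FAILED = re.compile(
    r"^\[(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\].*?"
    r"Registration from '.*' failed for '(?P<ip>[\d.]+)(?::\d+)?' - "
    r"(?:Wrong password|No matching peer found)$"
)

def find_offenders(lines, max_failures=3, window=timedelta(minutes=5),
                   allow=("192.168.0.0/16",), year=2008):
    """Map each non-allowlisted IP that hit max_failures in the window to its peak count."""
    nets = [ipaddress.ip_network(n) for n in allow]
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    offenders = {}
    for line in lines:            # lines are assumed to be in time order
        m = FAILED.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m["ip"])
        except ValueError:        # malformed address such as 999.1.1.1
            continue
        if any(ip in net for net in nets):
            continue              # office LAN: never lock staff out
        when = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["ip"]]
        q.append(when)
        while when - q[0] > window:
            q.popleft()           # forget failures older than the window
        if len(q) >= max_failures:
            offenders[m["ip"]] = max(offenders.get(m["ip"], 0), len(q))
    return offenders

def _line(ts, ip, reason="Wrong password"):  # builds a constructed sample line
    return (f"[Jan 29 {ts}] NOTICE[2211] chan_sip.c: Registration from "
            f"'\"101\" <sip:101@pbx.example.com>' failed for '{ip}' - {reason}")

SAMPLE = [_line(*a) for a in (    # documentation-range addresses, not real data
    ("20:50:01", "198.51.100.7"), ("20:50:03", "198.51.100.7"),
    ("20:50:04", "192.168.1.50"), ("20:50:05", "192.168.1.50"),
    ("20:50:06", "192.168.1.50"), ("20:51:00", "203.0.113.20"),
    ("20:51:09", "198.51.100.7", "No matching peer found"),
    ("21:30:00", "203.0.113.20"), ("22:10:00", "203.0.113.20"),
)]
```

The returned addresses are what a caller would hand to the firewall. The log lines carry no year, so `year` has to be supplied by the caller.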