[asterisk-users] Asterisk Security

SIP sip at arcdiv.com
Mon Apr 6 07:08:30 CDT 2009


If that someone is between you and the other endpoint (like between you
and the switch, or using port-mirroring on a router somewhere), then
yes. The conversations can be recorded. In the US, the ability to be
able to do this is required by law. You've little to worry about random
hackers coming in off the Internet for this sort of thing. It's usually
something to do with having physical access to the network in which you
or the other end is connected.

There's ARP poisoning and the like which could make this possible in a
local network environment on either side, but for the most part, you'll
know who's on your local net, and they likely have physical access to
your phones as well. A listening device would be easier to plant in the
mic pickup of your phone if they REALLY wanted to listen in on your calls.

There are all sorts of levels one can go to to find out what you're doing,
and preventing against them can involve a great deal of creativity.

That said, the answer is yes. You could use a VPN tunnel from one end to
the other, and many people do just that to help ensure the privacy of
their connections (both data and voice).

N.

Tom wrote:
> Since we are talking about security, if I am using * to talk to a cisco
> gateway via SIP, is there some sort of encryption you can use?  Like a 
> vpn tunnel?  
>
> Can someone capture packets and re-assemble to make out a conversation?
>
>
>
> -----Original Message-----
> From: asterisk-users-bounces at lists.digium.com
> [mailto:asterisk-users-bounces at lists.digium.com] On Behalf Of Martin
> Sent: Saturday, April 04, 2009 7:20 PM
> To: Asterisk Users Mailing List - Non-Commercial Discussion
> Subject: Re: [asterisk-users] Asterisk Security
>
> Let's not be that paranoid. If you have these ports open to the internet then
> from time to time someone will check if your default unsecured context
> can dial out to PSTN...
>
> with sip.conf you can add
>
> allowguest=no
>
> With IAX2 there's no allowguest but I believe you have to have a guest
> username in iax.conf with no password to access
> the unsecured context.
>
> Martin
>
> On Sat, Apr 4, 2009 at 3:42 PM, Todd Reese <treese65 at gmail.com> wrote:
>   
>> Hi All,
>>
>> Coming in today, the logs on the asterisk server showed several entries
>> such as:
>>
>> [Apr  4 15:25:16] NOTICE[9280]: chan_sip.c:14627 handle_request_invite:
>> Call from '' to extension '9810380487965419' rejected because extension
>> not found.
>>
>> This has gotten me to thinking about security of this box.
>>
>> 1. Currently the box sits behind a firewall with iax and sip ports
>> pointing to it for the ip phones that are offsite.  There isn't any
>> other access through the firewall to this box.
>> 2. All devices have an extension assigned to them in sip.conf and
>> extensions.conf.  i.e. supra ATA, Grandstream GXP-2000
>> 3. The box is fed via Les.net and VoicePulse.  All other feeds are
>> shut off when not active.
>>
>> I'm looking for ideas to tighten up on the security so that this won't
>> happen again.
>>
>> TIA,
>>
>> Todd Reese
>>
>> _______________________________________________
>> -- Bandwidth and Colocation Provided by http://www.api-digital.com --
>>
>> asterisk-users mailing list
>> To UNSUBSCRIBE or update options visit:
>>   http://lists.digium.com/mailman/listinfo/asterisk-users
>>
>>     
>

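An added example, not part of the original messages and not Asterisk code: one way to pick the guest-context dial-out probes Martin describes out of a log, using the chan_sip NOTICE format Todd quoted (joined onto one line). Only the first sample line comes from the thread; the others are constructed, and the function names, thresholds and extension set are assumptions.

```python
import re
from datetime import datetime, timedelta

# chan_sip NOTICE format as quoted in the thread, on a single line.
REJECT = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\]: chan_sip\.c:\d+ "
    r"handle_request_invite: Call from '(?P<caller>[^']*)' to extension "
    r"'(?P<ext>[^']*)' rejected because extension not found")

PREFIX = "NOTICE[9280]: chan_sip.c:14627 handle_request_invite: Call from"
SUFFIX = "rejected because extension not found."
# First line is from the thread; the remaining three are constructed.
SAMPLE = [
    f"[Apr  4 15:25:16] {PREFIX} '' to extension '9810380487965419' {SUFFIX}",
    f"[Apr  4 15:25:48] {PREFIX} '' to extension '90010380487965419' {SUFFIX}",
    f"[Apr  4 15:26:30] {PREFIX} '' to extension '0010380487965419' {SUFFIX}",
    f"[Apr  4 16:02:11] {PREFIX} '201' to extension '299' {SUFFIX}",
]

def parse_rejects(lines, year=2009):
    """Yield (timestamp, caller, extension) per rejected INVITE.
    The log carries no year, so the caller supplies one."""
    for line in lines:
        m = REJECT.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["caller"], m["ext"]

def guest_probes(lines, known_extensions, min_digits=7):
    """Rejected calls with an empty caller to long all-digit numbers that
    are not local extensions: someone testing PSTN dial-out as a guest."""
    return [(ts, ext) for ts, caller, ext in parse_rejects(lines)
            if caller == "" and ext.isdigit() and len(ext) >= min_digits
            and ext not in known_extensions]

def bursts(probes, window=timedelta(minutes=5), threshold=3):
    """Start times of windows holding at least `threshold` probes."""
    times = sorted(ts for ts, _ in probes)
    hits = []
    for i, start in enumerate(times):
        n = sum(1 for t in times[i:] if t - start <= window)
        if n >= threshold and (not hits or start - hits[-1] > window):
            hits.append(start)
    return hits

if __name__ == "__main__":
    found = guest_probes(SAMPLE, known_extensions={"201", "202"})
    print(len(found), "guest probes; bursts at", bursts(found))
```

Any hit from `guest_probes` means unauthenticated INVITEs are reaching the dialplan, which is the condition `allowguest=no` in sip.conf closes off.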