[asterisk-users] SRV record for non-standard SIP port?

Daniel Pocock daniel at readytechnology.co.uk
Tue Jan 31 11:22:41 CST 2012



On 31/01/12 16:16, Gilles wrote:
> Hello
> 
> To cut down on the number of hackers trying to break into an Asterisk
> server, I'd like to simply move the SIP port from the standard UDP
> 5060 to something non-standard.

Something more appropriate for your goal might be a move to TLS; it is
definitely needed for any external connectivity.

This RFC provides some details:

http://tools.ietf.org/html/rfc5922

The bottom line is that external SIP peers must send you their cert when
they connect.  SIP hackers will need to identify themselves (e.g. with
credit card) to get a certificate, or they just won't be able to talk to
your server.  Obviously, this cuts out about 99% of the script kiddies.

As a further safety measure, you could use something like repro or
Kamailio as a SIP router to isolate your Asterisk from the public
internet.  All DNS SRV records would point at the SIP router, not
Asterisk.  Phones would register with the SIP router.  Calls would be
selectively routed to Asterisk (e.g. for voicemail).
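The reply above depends on one mechanism: a SIP client finds the router, its transport and its port through DNS SRV, so the record can name the SIP router on whatever TLS port you like and Asterisk itself never appears in DNS. As an added example, not part of Daniel's reply, of Asterisk, or of repro/Kamailio, the code below parses constructed zone-file SRV lines (RFC 2782 layout) and orders the targets the way a client does per RFC 3263. The domain example.com, the sip-router-* hostnames, the weights and the ports 5061/15061/5060 are all made up for illustration.

```python
"""RFC 3263 / RFC 2782 SRV resolution for SIP, as a client would do it.

Added example; the zone data is constructed, not a real deployment.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    owner: str
    priority: int
    weight: int
    port: int
    target: str


# Constructed zone data (assumption: example.com, hostnames and ports are invented).
# Layout per RFC 2782: _service._proto.name TTL IN SRV priority weight port target
ZONE_SNIPPET = """\
; SIP over TLS: both primary routers share priority 10, split 60/40 by weight;
; the backup has a higher priority number (used only if both primaries fail)
; and listens on a non-standard port, which is simply carried in the record.
_sips._tcp.example.com.  3600 IN SRV 10 60  5061  sip-router-a.example.com.
_sips._tcp.example.com.  3600 IN SRV 10 40  5061  sip-router-b.example.com.
_sips._tcp.example.com.  3600 IN SRV 20  0  15061 sip-router-backup.example.com.
; plain UDP still advertised, but only to the router, never to Asterisk
_sip._udp.example.com.   3600 IN SRV 10  0  5060  sip-router-a.example.com.
"""


def srv_owner(domain, transport):
    """Owner name a client queries for a domain (RFC 3263 section 4.1)."""
    prefixes = {"udp": "_sip._udp.", "tcp": "_sip._tcp.", "tls": "_sips._tcp."}
    return prefixes[transport] + domain.rstrip(".") + "."


def parse_srv(zone_text):
    """Parse zone-file style SRV lines; ';' starts a comment."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        # owner ttl class type priority weight port target
        if len(fields) != 8 or fields[3].upper() != "SRV":
            raise ValueError("not an SRV record: %r" % raw)
        owner, _ttl, _cls, _type, prio, weight, port, target = fields
        records.append(SrvRecord(owner.lower(), int(prio), int(weight),
                                 int(port), target.lower()))
    return records


def order_targets(records, rng):
    """RFC 2782 ordering: lowest priority value first; within one priority,
    weighted random selection without replacement. Weight-0 records are
    only chosen once the weighted ones in that priority are used up
    (a simplification of the RFC's selection step).
    Returns a list of (target, port)."""
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    ordered = []
    for prio in sorted(by_priority):
        pool = list(by_priority[prio])
        while pool:
            total = sum(r.weight for r in pool)
            if total == 0:
                pick = rng.choice(pool)
            else:
                n = rng.randint(0, total - 1)
                running = 0
                for pick in pool:
                    running += pick.weight
                    if n < running:
                        break
            pool.remove(pick)
            ordered.append((pick.target, pick.port))
    return ordered


def resolve_sip_domain(domain, transport, zone_text, seed=None):
    """Targets a client tries, in order, for a SIP domain and transport.
    With no SRV record, RFC 3263 falls back to the domain's own A/AAAA
    record on the default port (5061 for TLS, 5060 otherwise)."""
    owner = srv_owner(domain, transport)
    matching = [r for r in parse_srv(zone_text) if r.owner == owner]
    if not matching:
        default_port = 5061 if transport == "tls" else 5060
        return [(domain.rstrip(".") + ".", default_port)]
    return order_targets(matching, random.Random(seed))


if __name__ == "__main__":
    for t in ("tls", "udp", "tcp"):
        print(t, resolve_sip_domain("example.com", t, ZONE_SNIPPET, seed=1))
```

Two points worth noting: the port a client connects to is whatever the SRV record carries, so a non-standard TLS port needs no special handling on clients that perform SRV lookups, but not every SIP phone or ATA does, and a scanner that sweeps the server's IP address directly never consults DNS at all, which is why the record alone does not keep Asterisk out of sight; the router in front of it does.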


