One thing we did to secure remote users is to use SNOM370s and OpenVPN..<br><br clear="all">--<br>Singer XJ Wang, Senior System and Database Administrator<br>The Pythian Group - love your data<br><a href="http://www.pythian.com">http://www.pythian.com</a><br>
Desk: (613) 565-8696 x298<br>Cell: (613) 266-3763<br><br>
<br><br><div class="gmail_quote">On Thu, Nov 25, 2010 at 12:33, Adrian Marsh <span dir="ltr"><<a href="mailto:Adrian.Marsh@ubiquisys.com">Adrian.Marsh@ubiquisys.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt 0.8ex; border-left: 1px solid rgb(204, 204, 204); padding-left: 1ex;">
<div link="blue" vlink="purple" lang="EN-GB"><div><p>Hi Gary,</p><p> </p><p>I went through this process a few times over the past few years.</p><p>Theres a few short guides for securing Asterisk, but much of it depends on your design. If it’s a traditional POTs-type PBX then locking down IPs using firewalls is a great thing, however if you make use of inbound-SIP calls from end-user PC clients on the Internet then that’s not always possible.</p>
<p> </p><p>So heres my recommendations:</p><p> </p><p>1) Change the default context name to something like "publicinbound".</p><p>2) Create a context called publicinbound that does basically nothing.</p><p>3) Setup a different context for an peer or friend IAX or SIP, or whatever. That way you can see which connection the hackers coming in from.</p>
<p>4) If you don’t want to firewall off the whole internet, then at least make use of fail2ban - it’s a free scripted addon that watches for hacking attempts and firewalls them off.</p><p>5) Really really long passwords and usernames - this ones pretty key. My first task was in going through and understanding where all the passwords were and changing them. I now make mine completely random and a min of 30 chars.</p>
<p>6) IP restrictions. If a peer or user does have a fixed IP, then define it in the appropriate config file.</p><p>7) The alwaysauthreject is good.. helps fumble the hackers.</p><p> </p><p> </p><p> </p><p>Thanks,</p><p> </p>
<font color="#888888"><p>Adrian</p><p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p><p class="MsoNormal"><span style="font-size: 11pt; color: rgb(31, 73, 125);"> </span></p><p class="MsoNormal">
<span lang="EN"> </span></p></font></div></div><br>--<br>
_____________________________________________________________________<br>
-- Bandwidth and Colocation Provided by <a href="http://www.api-digital.com" target="_blank">http://www.api-digital.com</a> --<br>
New to Asterisk? Join us for a live introductory webinar every Thurs:<br>
<a href="http://www.asterisk.org/hello" target="_blank">http://www.asterisk.org/hello</a><br>
<br>
asterisk-users mailing list<br>
To UNSUBSCRIBE or update options visit:<br>
<a href="http://lists.digium.com/mailman/listinfo/asterisk-users" target="_blank">http://lists.digium.com/mailman/listinfo/asterisk-users</a><br></blockquote></div><br>
<pre>--
The best compliment you could give Pythian for our service is a referral.