[Asterisk-Users] Security and SIP
John Fawcett
johnml at michaweb.net
Mon Aug 15 02:22:01 MST 2005
I've now set up SIP for:
- internal softphones
- registering with external providers (like FWD) for making calls
- receiving calls from these providers
For the latter step, it was necessary to forward ports from my NAT
to the asterisk server: 5060 + range of ports mentioned in rtp.conf.
I was just wondering about how to make this setup as secure as
possible. Here's what I've done so far:
1. defined a default context in sip.conf which cannot access any
real extension.
sip.conf:
[general]
context=from-unknown-sip
extensions.conf:
[from-unknown-sip]
exten => _.,1,CONGESTION
2. for peers, defined a context which does not provide access to
outside lines.
sip.conf:
[fwd.pulver.com]
type=peer
username=688426
fromuser=688426
secret=xxxxxxxxxx
host=fwd.pulver.com
port=5060
nat=yes
canreinvite=no
insecure=very
context=sip-external
disallow=all
allow=ulaw
3. for peers, defined insecure=very which should check that the
incoming call comes from the same IP as was registered.
4. for internal softphones, which can make outgoing calls,
limited registrations to a specific network address using
deny/permit
sip.conf:
[31]
type=friend
callerid="31 at sip.michaweb.net" <31>
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.2.32/255.255.255.255
context=sip-internal
secret=xxxxxxxxxxxx
disallow=all
allow=ulaw
allow=alaw
Anything else I can do to improve security?
I specifically don't want anyone external to be able to make calls.
As I've opened port 5060 + rtp.conf ports only for the purpose of
receiving calls from services I have registered with, I don't want
any external phones to be able to register via this route.
Is there any risk of this if someone can guess a password (maybe
unlikely, but given time this could happen)?
Thanks,
John
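The post above checks its sip.conf by hand. The script below is an added example, not part of the post or of the Asterisk project: it parses a sip.conf and extensions.conf pair (keeping duplicate keys such as allow=, which configparser would collapse) and reports the same exposure points the post works through: whether the [general] default context is a dead end, whether any dynamic-host friend lacks deny/permit, whether a secret is missing, short or low-variety, and where insecure=very is set. One caveat a practitioner would want on that last point: in the Asterisk 1.x series insecure=very is shorthand for insecure=port,invite, so it relaxes port matching and skips authentication of incoming INVITEs from that peer; the source-IP match for a provider comes from its host= entry, not from insecure. The embedded sample configs are constructed from the post's entries with made-up secrets, plus a deliberately weak [32] entry; the DEADEND_APPS set and the info/warn severity labels are the script's own choices.

```python
"""Audit sip.conf / extensions.conf for the exposure points raised in the post.
Added example, not from the post or from Asterisk. Duplicate keys (allow=) are kept."""
from collections import OrderedDict

DEADEND_APPS = {"congestion", "hangup", "busy"}   # apps that never route a call


def parse_conf(text):
    """Return {section: [(key, value), ...]}, order and duplicates preserved.
    Handles 'key=value' (sip.conf) and 'exten => ...' (extensions.conf)."""
    sections = OrderedDict()
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()            # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip().lower(), value.lstrip("> ").strip()))
    return sections


def first(pairs, key, default=None):
    """Value of the first occurrence of key in a section, or default."""
    for k, v in pairs:
        if k == key:
            return v
    return default


def weak_secret(secret):
    """Missing, shorter than 8 chars, or built from fewer than 4 distinct chars."""
    return secret is None or len(secret) < 8 or len(set(secret)) < 4


def default_context_is_deadend(sip, extensions):
    """True when [general] context= names an extensions.conf context whose
    every exten line ends in Congestion/Hangup/Busy (no Dial, no real extensions)."""
    ctx = first(sip.get("general", []), "context")
    rules = [v for k, v in extensions.get(ctx, []) if k == "exten"]
    if not rules:
        return False                                   # absent or empty: not verified
    apps = [r.split(",")[-1].split("(")[0].strip().lower() for r in rules]
    return all(app in DEADEND_APPS for app in apps)


def audit(sip, extensions):
    """Return (severity, section, message) findings for the parsed configs."""
    findings = []
    if not default_context_is_deadend(sip, extensions):
        findings.append(("warn", "general", "default context missing or not a dead end"))
    for name, pairs in sip.items():
        if name == "general":
            continue
        kind = first(pairs, "type", "friend")
        host = first(pairs, "host", "")
        flags = {f.strip() for f in first(pairs, "insecure", "").split(",")}
        if flags & {"very", "invite"}:                 # inbound INVITEs not authenticated
            sev = "warn" if host == "dynamic" else "info"
            findings.append((sev, name, "insecure=%s: INVITEs from this peer are not "
                             "authenticated; its context must have no outbound routes"
                             % first(pairs, "insecure")))
        if host == "dynamic" and kind in ("friend", "user") \
                and not (first(pairs, "deny") or first(pairs, "permit")):
            findings.append(("warn", name, "dynamic host without deny/permit: any "
                             "source address may attempt registration"))
        if weak_secret(first(pairs, "secret")):
            findings.append(("warn", name, "secret missing or weak"))
        if first(pairs, "context") is None:
            findings.append(("warn", name, "no context=: inherits the [general] default"))
    return findings


# Constructed sample modelled on the post's entries; secrets are made up.
SAMPLE_SIP_CONF = """\
[general]
context=from-unknown-sip

[fwd.pulver.com]
type=peer
username=688426
secret=Tq7vHs4pL2mQ
host=fwd.pulver.com
insecure=very
context=sip-external

[31]
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.2.32/255.255.255.255
context=sip-internal
secret=Nw8kdR3zX1cV
disallow=all
allow=ulaw
allow=alaw

[32]
; constructed weak entry: no deny/permit, trivial secret, no context
type=friend
host=dynamic
secret=1234
"""

SAMPLE_EXTENSIONS_CONF = """\
[from-unknown-sip]
exten => _.,1,CONGESTION
"""

if __name__ == "__main__":
    for sev, section, msg in audit(parse_conf(SAMPLE_SIP_CONF),
                                   parse_conf(SAMPLE_EXTENSIONS_CONF)):
        print("%-4s [%s] %s" % (sev, section, msg))
```

Run against the real files with parse_conf(open("/etc/asterisk/sip.conf").read()) and the matching extensions.conf; the [31] entry from the post produces no findings, the provider peer produces one informational line, and the constructed [32] entry produces three warnings.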