[asterisk-users] Securing Asterisk
Lee Howard
faxguy at howardsilvan.com
Tue Jul 26 01:01:38 CDT 2011
Here are a few guidelines that I think may serve you well...
Firstly, every network port that is being listened to on any
publicly reachable system MUST be carefully protected - typically by
firewalling. So, for example, you're likely going to want to block SSH
from all but certain IPs. In certain situations you may need to expose
a port to the entire world. In these cases you really have to take
measures to limit the amount of probing that you allow from the entire
world. One approach that has worked for me with SIP is these iptables
rules:
# Per-source rate limit on new inbound SIP (UDP/5060) using the "recent" match
iptables -N SIP_CHECK
iptables -A INPUT -p udp --dport 5060 -m state --state NEW -j SIP_CHECK
# record the source address, then drop it once it has been seen 5 times in 180 s
iptables -A SIP_CHECK -m recent --set --name SIP
iptables -A SIP_CHECK -m recent --update --seconds 180 --hitcount 5 --name SIP -j DROP
This rate-limits any source to 5 new SIP communication attempts every 3
minutes. If you service a lot of SIP devices all running behind one IP,
then it may simply be wise to dodge this security by accepting all SIP
communication from that IP... if that one IP remains static, of course.
(I can't take credit for this... I found it shared on-line by someone else.)
Secondly, disable the "guest" account in your sip.conf (allowguest=no).
I recognize that this is enabled by default for the sake of convenience,
but it's a nasty pitfall for those who are unaware of it.
Lastly, in sip.conf set "alwaysauthreject = yes" in order to avoid
revealing to a brute-force attacker when they have hit on a valid username.
I'm sure there are many other good habits to follow that others here
could share, but those come to mind with respect to the problem you've
experienced.
Thanks,
Lee.
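The three points above (per-source SIP rate limiting with a static-IP exemption, allowguest=no, alwaysauthreject=yes), as an added example that is not part of Lee's post and not Asterisk's own code. The function names are mine, 203.0.113.7 is a hypothetical static trunk address, and the two sip.conf fragments are constructed samples. The script prints the iptables rules rather than applying them, so it can be reviewed (or piped into sh) before touching a live firewall, and the audit works on config text it is handed rather than on /etc/asterisk/sip.conf.

```shell
#!/bin/sh
# Added example (not from the original post or from Asterisk).
# 1) sip_ratelimit_rules: emits the "recent"-match rate limiter from the post,
#    with optional static IPs that bypass it (many phones behind one NAT).
# 2) sip_conf_audit: checks [general] in sip.conf text for allowguest=no and
#    alwaysauthreject=yes. Sample configs below are constructed, not real.

# sip_ratelimit_rules SECONDS HITCOUNT [STATIC_IP ...]
# Prints the rules. A source that opens HITCOUNT new UDP/5060 flows within
# SECONDS is dropped; whitelisted IPs are accepted before the limiter runs.
sip_ratelimit_rules() {
    secs=$1; hits=$2; shift 2
    echo "iptables -N SIP_CHECK"
    for ip in "$@"; do
        echo "iptables -A INPUT -p udp --dport 5060 -s $ip -j ACCEPT"
    done
    echo "iptables -A INPUT -p udp --dport 5060 -m state --state NEW -j SIP_CHECK"
    echo "iptables -A SIP_CHECK -m recent --set --name SIP"
    echo "iptables -A SIP_CHECK -m recent --update --seconds $secs --hitcount $hits --name SIP -j DROP"
}

# sip_general_setting CONFIG_TEXT KEY
# Prints the last value of KEY (case-insensitive) inside the [general]
# section, with ';' comments and surrounding blanks removed; nothing if unset.
sip_general_setting() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*\[/ { ingen = ($0 ~ /^[ \t]*\[general\]/); next }
        ingen {
            line = $0; sub(/;.*/, "", line)          # strip comments
            n = index(line, "=")
            if (n == 0) next
            k = substr(line, 1, n - 1); v = substr(line, n + 1)
            gsub(/[ \t]/, "", k)
            gsub(/^[ \t]+/, "", v); gsub(/[ \t]+$/, "", v)
            if (tolower(k) == key) val = v
        }
        END { if (val != "") print val }'
}

# Truthiness helpers for the spellings Asterisk accepts for boolean options.
is_no()  { case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in no|false|off|0)  return 0 ;; *) return 1 ;; esac; }
is_yes() { case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in yes|true|on|1)   return 0 ;; *) return 1 ;; esac; }

# sip_conf_audit CONFIG_TEXT
# One finding per line; exit 0 only when both hardening settings are present.
# An absent allowguest counts as a finding (the post notes guests are allowed
# by default); an absent alwaysauthreject is likewise reported.
sip_conf_audit() {
    rc=0
    guest=$(sip_general_setting "$1" allowguest)
    if ! is_no "$guest"; then
        echo "allowguest=${guest:-<unset>}: anonymous callers accepted; set allowguest=no"
        rc=1
    fi
    rej=$(sip_general_setting "$1" alwaysauthreject)
    if ! is_yes "$rej"; then
        echo "alwaysauthreject=${rej:-<unset>}: reply differs for unknown vs. valid usernames; set alwaysauthreject=yes"
        rc=1
    fi
    return $rc
}

# Constructed sample configs (not real deployments).
SIP_CONF_DEFAULTISH='[general]
context=default
bindport=5060
alwaysauthreject=no'

SIP_CONF_HARDENED='[general]
context=default
AllowGuest = no      ; no anonymous calls
alwaysauthreject=yes
[trunk]
type=peer
allowguest=yes       ; outside [general], so the audit ignores it'

# Demo: set SIP_DEMO=1 to print the rules and audit both samples.
if [ "${SIP_DEMO:-0}" = 1 ]; then
    sip_ratelimit_rules 180 5 203.0.113.7
    sip_conf_audit "$SIP_CONF_DEFAULTISH" || echo "sample 1: NOT hardened"
    sip_conf_audit "$SIP_CONF_HARDENED" && echo "sample 2: hardened"
fi
```

Run with `SIP_DEMO=1 sh sip_harden.sh` to see the generated rules and both audit results; the whitelist ACCEPT lines are emitted before the SIP_CHECK jump so a static trunk or NAT gateway is never counted against the limiter.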