Monday, August 27, 2012

Some security tips for Asterisk deployment

Unless your Asterisk server is purely for internal use, you will
inevitably face threats from hackers who look for security
loopholes to abuse your system.

Here are some protection measures that we should consider.

1. Disallow guest calls unless you really need them

In the [general] section of sip.conf, set allowguest=no

2. Always reject with '401 Unauthorized' for unauthorized INVITE or
REGISTER, instead of letting the requester know whether there was a
matching peer.

In the [general] section of sip.conf, set alwaysauthreject = yes

3. Make use of permit= and deny= in the SIP peer definition to restrict
which clients we will accept.

4. Empty the [default] context

5. Always use strong passwords for SIP entities.

6. If we really need to enable AMI on a public IP address, make use of
permit and deny to restrict which clients can access Asterisk via AMI.

7. SIP usernames should be different from the extensions. That
makes guessing harder.

8. Deploy iptables and fail2ban. We can then monitor the Asterisk log
file to spot intruders and block them accordingly.

9. We can also change the port (default 5060) that Asterisk listens on
(bindport=5060 in sip.conf). This approach applies when we only need
to handle known peers such as branch offices or remote extensions.
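
A quick way to check an existing sip.conf against tips 1, 2, 3, 5 and 7 is a small audit script. This is an added example, not code from the original post: the sample configuration is constructed, the function names are hypothetical, and the 12-character minimum for a secret and the rule that an all-digit peer name counts as an extension are assumptions.

```python
import re

# Constructed sample sip.conf for the demonstration (not from a real system).
SAMPLE = """\
[general]
allowguest=yes

[1001]
secret=1001
host=dynamic

[branch-a7]
secret=Zr8#kq2!vLm94xTb
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.0.2.10/255.255.255.255
"""

def parse(text):
    """Return {section: [(key, value), ...]}; repeated keys are kept."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = sections.setdefault(header.group(1), [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.append((key.strip().lower(), value.strip()))
    return sections

def audit(text, min_secret_len=12):    # minimum length is an assumption
    sections = parse(text)
    general = dict(sections.pop("general", []))
    found = []
    # A missing option is reported too: the tips ask for an explicit setting.
    if general.get("allowguest") != "no":                        # tip 1
        found.append("general: allowguest is not set to no")
    if general.get("alwaysauthreject") != "yes":                 # tip 2
        found.append("general: alwaysauthreject is not set to yes")
    for name, options in sections.items():
        keys, secret = [k for k, _ in options], dict(options).get("secret", "")
        if "permit" not in keys or "deny" not in keys:           # tip 3
            found.append(f"{name}: no permit=/deny= restriction")
        if len(secret) < min_secret_len or secret == name:       # tip 5
            found.append(f"{name}: weak secret")
        if name.isdigit():             # tip 7; assumes numeric extensions
            found.append(f"{name}: username looks like an extension")
    return found
```

Calling audit(SAMPLE) reports both [general] settings and three problems with peer 1001, and nothing for branch-a7.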
