Securing your Asterisk Phone System
Securing SIP Asterisk phone system installations effectively is an absolute must
to prevent unauthorized intruders from making calls that will cost you
money. There are several stories of hackers taking over a vulnerable
system where the costs to the company were quite large, something you want
to prevent. Taking a few simple precautions goes a long way towards
a more secure phone system. These steps are a must for most
installations; a few easy preventative steps make it much harder for
malicious intruders to abuse your SIP phone system.
Unfortunately, SIP scanners are widely available that make
it quite easy for hackers to locate a system and then use known tests to
obtain access, and cheap computing resources make brute-force attempts more
effective. Once they gain access they use the extension to make
thousands of toll calls at the company's expense. Fortunately,
awareness of potential SIP vulnerabilities has increased and most
installations of Asterisk have been hardened through a few steps.
Securing an Asterisk PBX with these easy steps.
- Always change default passwords. This is a must
for both Asterisk and the Asterisk Core. Default passwords make for
easy access. Change all of them, including the Linux defaults such
as root and password. Others that are part of FreePBX, such as
maint, should be changed as well. Additionally, disable the Alt+F9 access
which bypasses directly to the administration console. Use good
password rules and require all employees to adhere to good practice.
- Protect your server with iptables.
- Do not use the extension number as the SIP name.
Convenience plays into the hacker's hand: trying the extension number
as the username will be the first guess of an attacker.
- Use strong passwords. Brute-force attacks, where large numbers of word or
number sequences are tried, have become easier and quicker to launch.
Make your system more secure by using long passwords with a combination
of upper- and lower-case letters, numbers, and symbols.
- Limit access to SIP authentication. An option
that rejects failed authentication requests on valid usernames is
alwaysauthreject=yes in the sip.conf file. This option rejects
bad authentication requests on valid usernames with the same rejection
information as for invalid usernames, denying remote attackers the
ability to enumerate existing extensions with brute-force guessing attacks.
- Use non-standard ports for Internet access.
Changing the standard ports to unusual ones adds another roadblock
to any attempt to access your system.
- Disable International Calling. Most hackers
that have accessed a phone system use it to make international calls.
An easy way to limit liability from fraudulent charges is to have your
phone or SIP provider disable international calling on your account, if
you don't regularly need to call internationally. If you do call
internationally, set up an additional password requirement
with your carrier if possible. You can also use the FreePBX Outbound Route
option to prompt for a password on outbound routes to international
numbers and 900 numbers.
Fail2ban offers a way to protect against breaches from any host
IP that makes too many failed login attempts or performs any other unwanted
action within a time frame defined by the administrator. Once the
threshold of failed attempts is reached, that IP address is
banned for a time period, or Fail2ban can be configured to send an email
notification of the activity. Fail2ban does offer protection from the
hacker who tries many different passwords and has stopped many such
attacks. It is definitely a good tool to use. However, it has been
noted that Fail2ban can be lacking if a sophisticated brute-force denial-of-
service attack is mounted against your server.
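As an added illustration (not code from the original article or from the Fail2ban project), the following Python sketches the maxretry/findtime logic Fail2ban applies to Asterisk's failed-registration log lines. The log format and sample entries are constructed and assumed to resemble classic chan_sip NOTICE output; both "Wrong password" and "No matching peer found" failures count, since with alwaysauthreject=yes the attacker cannot tell them apart.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches the NOTICE line chan_sip emits on a failed SIP REGISTER auth.
# Assumption: field order follows classic Asterisk 1.8/11 chan_sip output.
FAILED_AUTH = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$"
)

# Constructed sample log (not from a real system): 203.0.113.5 is an
# extension-guessing scan, 198.51.100.7 is a phone with a stale password.
SAMPLE_LOG = """\
[2024-03-01 10:00:01] NOTICE[2201] chan_sip.c: Registration from '"100" <sip:100@192.0.2.10>' failed for '203.0.113.5:5060' - Wrong password
[2024-03-01 10:00:02] NOTICE[2201] chan_sip.c: Registration from '"101" <sip:101@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2024-03-01 10:00:03] NOTICE[2201] chan_sip.c: Registration from '"102" <sip:102@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2024-03-01 10:00:04] NOTICE[2201] chan_sip.c: Registration from '"103" <sip:103@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2024-03-01 10:00:05] NOTICE[2201] chan_sip.c: Registration from '"104" <sip:104@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2024-03-01 10:00:06] NOTICE[2201] chan_sip.c: Registration from '"105" <sip:105@192.0.2.10>' failed for '203.0.113.5:5060' - No matching peer found
[2024-03-01 10:00:30] NOTICE[2201] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 10:03:00] NOTICE[2201] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '198.51.100.7:5060' - Wrong password
[2024-03-01 10:05:00] VERBOSE[2201] chan_sip.c: -- Registered SIP '200' at 198.51.100.7:5060
"""

def find_offenders(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: time_of_ban} for IPs with >= maxretry failures inside a findtime window."""
    windows = defaultdict(deque)   # per-IP sliding window of failure timestamps
    banned = {}
    for line in lines:
        m = FAILED_AUTH.match(line)
        if not m:
            continue                # not a failed-auth line (e.g. successful registration)
        ip = m["ip"]
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if ip in banned:
            continue                # already banned; Fail2ban would have dropped its packets
        q = windows[ip]
        q.append(ts)
        while q and ts - q[0] > findtime:
            q.popleft()             # expire failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when})")
```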
Security is an ongoing endeavor
As any network person can attest, security is an ongoing problem.
Things change, and with that change new tools or precautions are required.
That said, some of the best security measures are also the easiest:
good strong passwords, company rules that make security part of
everyday business, and keeping your network behind a firewall.