Securing Asterisk PBX System

Securing your Asterisk Phone System

Securing Asterisk with good rules.Securing SIP Asterisk phone system installations effectively is an absolute must to prevent unauthorized intruders from making calls that will cost you money. There are several stories where hackers took over a vulnerable system where the costs to the company were quite large, something you want to prevent. Taking a few simple precautions go a long way towards a making a more secure phone system. These steps are a must for most installations; a few easy preventative steps that make malicious intruders have a much harder time in abusing your SIP phone system. Unfortunately, there are obtainable SIP scanners widely available that make it quite easy for hackers to locate a system and then use known tests to obtain access, plus computer resources make brute force attempts more effective. Once they gain access they use the extension to make thousands of toll calls at the companies' expense. Fortunately awareness of potential SIP vulnerabilities has increased and most installations of Asterisk have been hardened through a few steps.

Securing an Asterisk PBX with these easy steps.

  • Always change default passwords. This is a must for both Asterisk and the Asterisk Core. Default passwords make for easy access. Change all of them including the Linux defaults, such as root and password. Others that are part of the FreePBX such as the maint should be changed. Additionally, disable the Alt+F9 access which bypasses directly to the administration console. Use good password rules and require all employees to adhere to good practice.
  • Protect your server with iptables.
  • Do not use the extension number as the SIP name. Convenience plays to the hacker's hand. Trying the extension number as a way to enter will be the first guess of an attacker Use strong passwords. Brute force attacks, where large numbers of word or number sequences are tried have become easier and quicker to launch. Make your system is more secure by using long passwords with a combination of letters, numbers, and symbols using upper and lower case.
  • Limit access to SIP authentication. An option that will reject non-rusticated requests to valid usernames is alwaysauthreject=yes in the sip.conf file. This option will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.
  • Use Non-normal ports for Internet access. Change normal ports to ones that are unusual to make a another road block on any attempt to access your system.
  • Disable International Calling. Most hackers that have accessed a phone system use it to make International calls. An easy way to limit liability from fraudulent charges is to have your Phone or SIP provider disable International calling on your account, if you don't regally need to call Internationally. If you do call Internationally set up a additional request for a password requirement with your carrier if possible. You can also use the FreePBX Outbound Route option to prompt for a password for outbound routes to international numbers and 900 numbers.

About Fail2ban

Fail2ban offers a way to protect system breaches that occur from any host IP that makes too many failed login attempts or performs any other unwanted action within a time frame defined by the administrator. Once the threshold of failed breach attempts is reached that IP address will be banned for a time period or it can be configured to send an email notification of the activity. Fail2ban does offer protection from the hacker who tries several different password tries and has stopped many such hacks. It is definitely a good tool to use. However, it has been noted that Fail2ban can be lacking if a sophisticated brute force denial of service attack is placed against your server.

Security is an on-going endeavor

As any network person can attest, security is an on-going problem. Things change and with that change new tools or precautions are required. That is not to say that some of the best security measures are the easiest, good strong passwords, using company rules that require security as part of everyday business, and keeping your network behind a firewall.