System exposed to the Internet are target for malicious users that try to discover security holes and take advantage of them. Of course, Asterisk servers are not the exception and usually get involved into heavy attacks.
If your Asterisk box is facing the Internet and you are being constantly flooded with break-in attempts, you might want to follow these steps in order to secure your Asterisk Server:
(Last Updated: 16 March, 2013)
- If a system does not have to connect to your Asterisk box, bock it, either using a hardware firewall or software firewall.
The point is, “that which is not explicitly allowed is prohibited”. As Paul Russell said: “block everything, then open up holes as necessary”. Block every VoIP request by default (e.g SIP REGISTER packages), then open your box to the system that really should connect to your server.Normally, attackers tend to go away if the target is blocking them, otherwise, they could just sit there and keep going and going. They might not succeed but the bandwidth consumption will be a problem for you.
- If you do not need a service running in your Asterisk box, do not enable it, whether or not you have blocked access to it.
- Use Fail2Ban in order to prevent brute force attacks.
- Someone points out that these types of attacks happen on servers that fit a digital signature. You might want to change your signature and change default ports.
- Use a VoIP blacklist project in order to know which rank of IP’s to block.
- Do not just only worry about the bad guy you stopped, you should also worry about the bad guy that might already be inside (a trojan in the M$ Winblows box with the softphone) and that now has credentials that will not be flagged by Fail2Ban.You might want to implement some sort of monitoring/alert system based on outbound call volume, simultaneous initiated calls, out of average call duration, etc.
- I really should not be mentioning it (because it is obvious) but, Ok, here I go: use strong passwords, I mean, really strong passwords.
- Consider using the MAC address of your devices as its name in sip.conf.
- Use strict pattern matching, FILTER() application or some sort of validation in your dialplan so not unallowed character reaches your Dial() application.
- And last, never, -repeat-: never, by any means, forget about your ‘default‘ context in your config files (specially in extensions.*). You can empty them if you want, but whatever you do, make sure you don’t leave a security hole there.
These steps will not guarantee you a 100% full-bulletProof Asterisk box, but they will definitively help you out (our your client) in avoiding a $30K phone bill.