Securing your asterisk server.

The perfect solution is not to connect it to the internet, but this is not an option for many.

If your provider supports NAT put your asterisk server behind the NAT.

Do not use Trixbox CE, sorry Fonality, The distribution has not been updated in years and has many vulnerabilities specially due to poor php programing.

If you need asterisk PBX use freePBX with the latest asterisk version. The freePBX source code is well maintain and mostly up to date. I would change a thing or two in it, but overall this is my recommendation for PBX.

If you need a predictive dialer use vicidial.

If you need a billing, use a2billing.

My point is, do not install more software that you are going to use it, like some easy all in one outdated ISO images

Now, some basic security:
Do not create extensions with type friend. Use type peer.
Always use permit/deny in your extension configuration, do not permit=0.0.0.0/0.0.0.0
It is a good idea to create alphanumeric extensions and for easy dialing add sip alias.
Limit outbound concurrent calls limit for each extension, as well as for each trunk
Use strong passwords, and NEVER create the extension without a password.

For any services that you are going to run, bind only to ip address that you are going to use it on.

If AMI is enabled, as usually is always use permit/deny setup, do not permit=0.0.0.0/0.0.0.0, you may change the port from default 5038.

If Asterisk mini web server is used you may wish to change the other then default 8088 port.

use different SIP port like 5078, or 6012. Most if not all hardphones and softphones can be configured to use other then default 5060 SIP port.

Do the same for IAX, but not every hardphone and softphone can be configured to different port than default 4569

in sip.conf [general] add:
allowguest=no
alwaysauthreject=yes

do not put anything in default context.

Install and configure fail2ban, granted, due to some asterisk versions log limitation this is not a perfect solution, but it will protect your server from many brute-force attacks.

For Asterisk versions before 10.x you may apply a patch to chan_sip.c to report properly, or you may do following:
add this line to your rc.local or boot.local
ngrep -D -W none -i '403 Forbidden..Via:' port 5060 | while read line; do echo "[`date +%Y-%m-%d' '%H:%M:%S`] $line" |egrep -h '403 Forbidden..Via:' | egrep -o '^.*From:' ; done >> /var/log/asterisk/messages &
and add following line to /etc/fail2ban/filter.d/asterisk.conf
SIP/2.0 403 Forbidden..Via:.*;received=<HOST>;rport=.*
I is crude, but it works using minimal ammout of resources

Firewall; I will assume that you will be using iptables on the same server.
To minimize CPU load only block a interface to internet and ports that are potentially at risk and proper protocol.
If this is an option block :
sip port, iax port, mysql port, AMI port, web port, secure web port, ssh port, ftp port vpn port from the world, but allow trusted IPs only:

#lo
/sbin/iptables -I INPUT -s 127.0.0.1 -j ACCEPT
/sbin/iptables -I INPUT -i eth0 -s 123.123.123.123/29 -j ACCEPT #my local wan
#local network
/sbin/iptables -I INPUT -i eth0 -s 10.10.10.0/24 -j ACCEPT # my local lan
/sbin/iptables -I INPUT -i eth0 -s 192.168.1.0/24 -j ACCEPT # my local lan
#voip provider
/sbin/iptables -I INPUT -i eth0 -s 122.122.122.122/24 -j ACCEPT
#my home office
/sbin/iptables -I INPUT -i eth0 -s 121.121.121.121 -j ACCEPT
#satellite office
/sbin/iptables -I INPUT -i eth0 -s 60.60.60.60 -j ACCEPT

#drop all
/sbin/iptables -A INPUT -i eth0 -p udp --dport 5060 -j DROP #sip port
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 5038 -j DROP #ami port
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 80 -j DROP #web
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 22 -j DROP #ssh
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 3306 -j DROP #mysql
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 21 -j DROP #ftp
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 1723 -j DROP #vpn
/sbin/iptables -A INPUT -i eth0 -p tcp --dport 443 -j DROP #secure web

Of course some of these may not be an option for you.

limit number or REGISTER request:
iptables -A INPUT -i eth0 -m string --string "REGISTER sip:" --algo bm --to 65 -m hashlimit --hashlimit 4/minute --hashlimit-burst 1 --hashlimit-mode srcip,dstport --hashlimit-name sip_r_limit -j ACCEPT
#block known scanners:
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "friendly-scanner" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sundayddr" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipsak" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipvicious" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "iWar" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sip-scan" --algo bm
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "VaxSIPUserAgent" --algo bm
#windows command name client sipcli used to scan as well.
iptables -I INPUT -j DROP -p udp --dport 5060 -m string --string "sipcli" --algo bm

#Block ntp ddos:
iptables -A INPUT -s 0/0 -d 0/0 -p udp --source-port 123:123 -m state --state ESTABLISHED -j ACCEPT
iptables -A OUTPUT -s 0/0 -d 0/0 -p udp --destination-port 123:123 -m state --state NEW,ESTABLISHED -j ACCEPT

IF your system gets compromised minimize your losses; do not setup auto refill by your voip provider.

This is work in progress and any input is welcome.


[ home | search | report | warranty | statistics | register | members | install | secure asterisk | commercial services ]

Copyright 2014 VoipPlus