Securing SIP Asterisk installations effectively is a “must” today, and a few easy steps go a long way towards a more secure phone system.
There are a few easy preventative steps you can take that will make it much harder for malicious intruders to abuse your SIP phone system. Unfortunately, easily obtainable SIP scanners are widely available and make it much easier today to hack into a system. Not long ago such attempts were fairly prevalent, and some systems were compromised, allowing the culprits to make thousands of toll calls at the owner's expense. Since then awareness of SIP vulnerabilities has increased and many Asterisk installations have been “hardened”, but many others may not have been. For those we recommend the following easy steps, which make any attempt to exploit an easy target much more difficult, and in most cases not worth the effort.
Six steps to securing Asterisk
- Change default passwords. Default Linux credentials, such as root with the password "password", must be changed to unique passwords that follow good password rules. Logins that ship with a bundled Asterisk distribution, such as the maint login, should be changed right away as well. Additionally, disable the Alt+F9 shortcut that some distributions provide, which bypasses the login and drops straight into the administration console.
- Do not use the extension number as the SIP name. While convenience plays a part in making the extension number the same as the SIP entry, this will be the first guess of an attacker.
- Use strong passwords. Brute force attacks, in which large numbers of words or number sequences are tried, have become easier and quicker to launch as processors have grown faster. Make your systems more secure by using long passwords that combine upper- and lower-case letters, numbers and other symbols.
- Limit access to SIP authentication. By restricting which IP addresses may authenticate as each user in sip.conf you limit requests to a reasonable set of addresses. This is done with the permit= and deny= options in the user's section of sip.conf. Asterisk evaluates deny= lines before permit= lines, so the usual pattern is deny=0.0.0.0/0.0.0.0 followed by permit= for your own network; a permit= line on its own does not block other sources.
- Set your system to reject bad authentication requests. The option alwaysauthreject=yes in the [general] section of sip.conf rejects unauthenticated requests for valid usernames with the same rejection response that is returned for invalid usernames. This denies remote attackers the ability to discover existing extensions by brute-force guessing.
- Disable International Calling. Most attempts at using a hacked phone system (not only Asterisk) are made in order to place international calls. An easy way to limit liability from fraudulent charges is to have your phone or SIP provider disable international calling on your account.
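To check an existing installation against steps 2 through 5 above, the following script, added here as an example and not code from the original page or from the Asterisk project, parses a sip.conf and flags numeric SIP names, weak secrets, missing deny=/permit= restrictions and a missing alwaysauthreject=yes. The two embedded configurations are constructed samples (a "convenient" setup beside the hardened version of the same two phones), and the password rule it applies (at least 12 characters with lower case, upper case, digits and symbols) is an assumed policy, not one stated in the text.

```python
"""Audit an Asterisk sip.conf for the weaknesses listed above (added example)."""
import re

# Constructed sample: the "convenient" sip.conf with every weakness the steps warn about.
WEAK_CONF = """\
[general]
context=default
allowguest=no

[201]
type=friend
host=dynamic
secret=201
context=internal

[202]
type=friend
host=dynamic
secret=password
context=internal
permit=192.168.1.0/255.255.255.0   ; permit alone does not block other sources
"""

# Constructed sample: the same two phones after applying the steps.
HARDENED_CONF = """\
[general]
context=default
allowguest=no
alwaysauthreject=yes

[reception-desk]
type=friend
host=dynamic
secret=Vx7!kqL2#mRp9dWz
context=internal
callerid="Reception" <201>
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0

[warehouse-phone]
type=friend
host=dynamic
secret=qT4$nB8vWp!2sLk6
context=internal
callerid="Warehouse" <202>
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""


def parse_sip_conf(text):
    """Return {section: {option: [values...]}}. Asterisk allows an option to be
    repeated (several deny=/permit= lines), so every option maps to a list."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment in sip.conf
        if not line:
            continue
        header = re.match(r"^\[([^\]]+)\]", line)  # also matches [name](!) templates
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None:
            continue
        sep = "=>" if "=>" in line else "="  # both 'key=value' and 'key=>value' occur
        key, found, value = line.partition(sep)
        if found:
            current.setdefault(key.strip().lower(), []).append(value.strip())
    return sections


def is_strong_secret(secret):
    """Assumed policy: at least 12 characters with lower, upper, digit and symbol."""
    return (len(secret) >= 12
            and any(c.islower() for c in secret)
            and any(c.isupper() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))


def audit(sections):
    """Return a list of (section, problem) tuples, one entry per weakness found."""
    findings = []
    general = sections.get("general", {})
    if general.get("alwaysauthreject", ["no"])[-1].lower() not in ("yes", "true", "on", "1"):
        findings.append(("general", "alwaysauthreject=yes is not set: valid usernames can be enumerated"))
    for name, opts in sections.items():
        if "type" not in opts:  # only peer/user/friend sections carry credentials
            continue
        if name.isdigit():
            findings.append((name, "SIP name is the extension number, an attacker's first guess"))
        secret = opts.get("secret", [""])[-1]
        if not secret:
            findings.append((name, "no secret set"))
        elif not is_strong_secret(secret):
            findings.append((name, "weak secret"))
        if "permit" not in opts and "deny" not in opts:
            findings.append((name, "no deny=/permit= restriction: any source IP may authenticate"))
        elif "deny" not in opts:
            findings.append((name, "permit= without deny=0.0.0.0/0.0.0.0 does not block other sources"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit(parse_sip_conf(conf))
        print(f"{label}: {len(problems)} finding(s)")
        for section, problem in problems:
            print(f"  [{section}] {problem}")
```

Run against the weak sample it reports seven findings (the missing alwaysauthreject plus three per phone); the hardened sample reports none. To audit a live system, read /etc/asterisk/sip.conf into parse_sip_conf instead of the embedded strings; the parser ignores comments and template markers but does not follow template inheritance, so options inherited from a template section are not credited to the sections that use it.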