Securing Asterisk

In the last couple of years VoIP PBXs have come under serious attack, mainly because ready-made scanning and brute-force tools are published on the net. For example, watch the following clip to see how easy it is, even for a PC newbie, to attack an unprotected system.

Here are some things you can do to harden your Asterisk server.

Strong passwords

Assigning extension 100 the secret 100 is not the wisest thing to do: "secret equals extension" and short dictionary words are the first guesses every scanner tries.

Use secrets at least 8 characters long (longer is better) with a combination of lower and upper case letters, numbers and punctuation symbols. Keep in mind that SIP digest authentication is an MD5 challenge/response, so anyone who captures a single REGISTER exchange can try guesses offline at full speed; the length and randomness of the secret is what protects you there. It also helps to set alwaysauthreject=yes in the general section (sip_general_custom.conf), so that a scanner cannot tell an existing extension with a wrong password from an extension that does not exist.

Restrict IP addresses per extension

If you know from which IP address or network a client will connect to the PBX, you can use the deny/permit options, per SIP extension in sip_additional.conf or for the whole server in sip_general_custom.conf. The rules are evaluated in order and the last match wins, and everything is allowed by default, so a permit line on its own changes nothing: always start with deny=0.0.0.0/0.0.0.0 and put the permit line after it. If FreePBX generates your configuration, remember that sip_additional.conf is rewritten every time you apply changes; set the deny/permit fields on the extension's page in the GUI, or add an override for that extension in sip_custom_post.conf, rather than editing the generated file.

The address format is

192.168.1.10/255.255.255.255 for a single IP

or

192.168.1.0/255.255.255.0 for a network

(CIDR notation such as 192.168.1.0/24 is accepted as well).
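The two points above (weak secrets, and permit/deny lines that do nothing because of their order) are easy to get wrong in a file with a few hundred extensions. The following script is an added example, not part of the original post and not a FreePBX or Asterisk tool: it reads a sip_additional.conf-style file with a minimal parser and reports extensions whose secret equals the extension, is shorter than 8 characters or uses fewer than three character classes, and extensions whose permit/deny lines are missing, lack the leading deny-all, or have the deny-all after the permit. The sample configuration embedded in SAMPLE_CONF is constructed for the example; point audit() at your own file's contents to use it.

```python
import re
import string

# Character classes a secret should draw from (at least three of the four).
CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

# Constructed sample in the sip_additional.conf format; not taken from any real PBX.
SAMPLE_CONF = """
[100]
type=friend
secret=100              ; secret equals the extension: first guess of any scanner
host=dynamic
context=from-internal

[101]
type=friend
secret=pa55word         ; 8 characters, but only lower case and digits
host=dynamic
permit=192.168.1.20/255.255.255.255   ; permit with no deny: everything still allowed

[102]
type=friend
secret=K7#vbQ2m!xR9
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0      ; correct order: deny all, then permit the LAN

[103]
type=friend
secret=Zq8$wLp0Nm
host=dynamic
permit=192.168.1.30/255.255.255.255
deny=0.0.0.0/0.0.0.0                  ; wrong order: last match wins, so this blocks the phone
"""

DENY_ALL = ('0.0.0.0/0.0.0.0', '0.0.0.0/0')


def parse_sip_conf(text):
    """Minimal reader for the sip.conf dialect: [section] headers, 'key=value' or
    'key => value' lines, ';' comments. Each section is an ordered list of
    (key, value) pairs, because deny/permit may repeat and their order matters."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].strip()
        if not line:
            continue
        header = re.match(r'\[([^\]]+)\]', line)
        if header:
            current = sections.setdefault(header.group(1).strip(), [])
            continue
        kv = re.match(r'([^=\s]+)\s*=>?\s*(.*)', line)
        if kv and current is not None:
            current.append((kv.group(1).lower(), kv.group(2).strip()))
    return sections


def secret_findings(name, secret):
    """Apply the password rules from the text to one extension's secret."""
    if secret is None:
        return ['no secret set']
    findings = []
    if secret.lower() == name.lower():
        findings.append('secret equals the extension name')
    if len(secret) < 8:
        findings.append('secret shorter than 8 characters')
    if sum(any(c in cls for c in secret) for cls in CLASSES) < 3:
        findings.append('secret uses fewer than 3 character classes')
    return findings


def acl_findings(entries):
    """deny/permit are evaluated in order and the last match wins: a permit only
    means something after deny=0.0.0.0/0.0.0.0, and a deny-all after the permit
    cancels it."""
    acl = [(k, v) for k, v in entries if k in ('deny', 'permit')]
    permits = [i for i, (k, _) in enumerate(acl) if k == 'permit']
    deny_all = [i for i, (k, v) in enumerate(acl) if k == 'deny' and v in DENY_ALL]
    if not permits:
        return ['no permit/deny restriction (fine only if the phone has no fixed address)']
    if not deny_all:
        return ['permit without a preceding deny=0.0.0.0/0.0.0.0 has no effect']
    if deny_all[0] > permits[0]:
        return ['deny=0.0.0.0/0.0.0.0 comes after the permit and blocks the permitted hosts too']
    return []


def audit(conf_text):
    """Return {extension: [findings]} for every peer/friend/user that has a problem."""
    report = {}
    for name, entries in parse_sip_conf(conf_text).items():
        values = dict(entries)
        if values.get('type') not in ('friend', 'peer', 'user'):
            continue  # skip [general], templates and the like
        findings = secret_findings(name, values.get('secret')) + acl_findings(entries)
        if findings:
            report[name] = findings
    return report


if __name__ == '__main__':
    for ext, problems in sorted(audit(SAMPLE_CONF).items()):
        print(ext, '->', '; '.join(problems))
```

Run against the sample, extension 102 is the only one that passes; 103 is the interesting case, since its secret is fine but the phone will never register because the deny-all was placed last.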

Firewall

If your server is behind a hardware firewall, or you are using a software firewall such as iptables, use it to restrict which IP addresses can reach the server at all. The ports involved are 5060/udp for SIP signalling (plus 5060/tcp if you enabled TCP) and the RTP media range configured in rtp.conf, 10000-20000 by default. Unfortunately this will not come in handy if you have extensions connecting from dynamic IP addresses or from different places; those have to rely on strong secrets and on fail2ban, described below.

Fail2ban

fail2ban is a great tool for preventing brute force attacks: it watches the Asterisk log for failed registrations and, after a few failures from the same address, bans that address with iptables for a while.
Here is what you must do on a CentOS distribution.
Enable the rpmforge repo if you haven't done so already.

Here you’ll find the procedure for enabling rpmforge

Then you can install it:

yum install fail2ban

Enable a jail for Asterisk in the configuration file

vi /etc/fail2ban/jail.conf

(a jail.local next to it is the safer place for your own jails, because jail.conf is replaced when the package is upgraded) and add at the end of the file the stanza below. A few notes on its values: logpath is the FreePBX "full" log; on a plain Asterisk install use /var/log/asterisk/messages and check in logger.conf that NOTICE messages are written to whichever file you pick, otherwise nothing will ever match. maxretry = 2 is strict enough to ban a colleague whose phone has a mistyped secret, so whitelist your own networks with ignoreip in the [DEFAULT] section; how long an address stays banned is bantime (600 seconds by default).

[asterisk-iptables]

enabled  = true
filter   = asterisk
action   = iptables-allports[name=ASTERISK, protocol=all]
logpath  = /var/log/asterisk/full
maxretry = 2

Then create the filter with the regular expressions that recognise Asterisk's authentication failures

vi /etc/fail2ban/filter.d/asterisk.conf

and insert

# Fail2Ban configuration file
#
# Filter for Asterisk SIP registration and authentication failures
#
# $Revision: 250 $
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
# before = common.conf

[Definition]

#_daemon = asterisk

# Option:  failregex
# Notes.:  regex to match the password failures messages in the logfile. The
#          host must be matched by a group named "host". The tag "<HOST>" can
#          be used for standard IP/hostname matching and is only an alias for
#          (?:::f{4,6}:)?(?P<host>\S+)
#          Asterisk 1.8 and later log the source port as well
#          ("failed for '192.0.2.1:5060'"), hence the optional (:\d+)? after
#          <HOST> in the first three lines; without it those lines never match
#          and nobody gets banned. Check with fail2ban-regex against a real log
#          line that the host it prints is the bare address, without the port.
# Values:  TEXT
#

failregex = NOTICE.* .*: Registration from '.*' failed for '<HOST>(:\d+)?' - Wrong password
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:\d+)?' - No matching peer found
            NOTICE.* .*: Registration from '.*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch
            NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
            NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
            NOTICE.* .*: Failed to authenticate user .*@<HOST>.*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex =
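Before trusting a filter, run it over real log lines; fail2ban-regex does that on the server, and the script below does the same thing offline so the behaviour can be seen without a PBX. It is an added example, not part of the original post and not fail2ban's own code: it expands <HOST> the way fail2ban does (assumption: the character class used here, which stops at ':', is what fail2ban 0.8 substitutes; the stock filter comments say \S+, so verify on your version), applies the failregex lines to a handful of constructed chan_sip log lines, and counts failures per host the way the jail does with maxretry = 2. It also runs the same lines through a copy of the regexes without the (:\d+)? port group, to show that 1.8-style "address:port" lines are then silently ignored.

```python
import re
from collections import Counter

# What fail2ban substitutes for <HOST>. Assumption: fail2ban 0.8 uses a character
# class without ':' (the stock filter comments say \S+, which would swallow a
# trailing ':port' into the host); verify with fail2ban-regex on your version.
HOST_RE = r'(?:::f{4,6}:)?(?P<host>[\w\-.^_]+)'

# failregex lines as they would appear in filter.d/asterisk.conf, including the
# optional (:\d+)? port group that Asterisk 1.8+ log lines need.
FAILREGEX = r"""
NOTICE.* .*: Registration from '.*' failed for '<HOST>(:\d+)?' - Wrong password
NOTICE.* .*: Registration from '.*' failed for '<HOST>(:\d+)?' - No matching peer found
NOTICE.* .*: Registration from '.*' failed for '<HOST>(:\d+)?' - Username/auth name mismatch
NOTICE.* .*: No registration for peer '.*' \(from <HOST>\)
NOTICE.* .*: Host <HOST> failed MD5 authentication for '.*' \(.*\)
NOTICE.* .*: Failed to authenticate user .*@<HOST>.*
"""

# The same lines without the port group, as older write-ups show them.
LEGACY_FAILREGEX = FAILREGEX.replace(r"(:\d+)?", "")

# Constructed log lines in chan_sip's format (not from a real server). The second
# and third use the 1.8-style "address:port" form; the VERBOSE line is a normal
# successful registration and must not match anything.
SAMPLE_LOG = [
    "[Mar  5 10:12:01] NOTICE[2231] chan_sip.c: Registration from '\"100\"<sip:100@203.0.113.9>' failed for '203.0.113.9' - Wrong password",
    "[Mar  5 10:12:02] NOTICE[2231] chan_sip.c: Registration from '\"admin\"<sip:admin@198.51.100.7>' failed for '198.51.100.7:5060' - No matching peer found",
    "[Mar  5 10:12:03] NOTICE[2231] chan_sip.c: Registration from '\"test\"<sip:test@198.51.100.7>' failed for '198.51.100.7:5060' - No matching peer found",
    "[Mar  5 10:12:05] NOTICE[2231] chan_sip.c: Host 203.0.113.9 failed MD5 authentication for 'asterisk' (a1b2c3 != d4e5f6)",
    "[Mar  5 10:12:06] VERBOSE[2231]     -- Registered SIP '100' at 192.168.1.10:5060",
    "[Mar  5 10:12:07] NOTICE[2231] chan_sip.c: No registration for peer '101' (from 192.0.2.44)",
]


def compile_filter(failregex):
    """Expand <HOST> and compile each failregex line, one pattern per line."""
    return [re.compile(line.replace('<HOST>', HOST_RE))
            for line in failregex.strip().splitlines()]


def matched_hosts(patterns, lines):
    """The 'host' group of the first pattern that matches each log line."""
    hosts = []
    for line in lines:
        for pattern in patterns:
            m = pattern.search(line)
            if m:
                hosts.append(m.group('host'))
                break
    return hosts


def to_ban(hosts, maxretry=2):
    """Hosts that reached maxretry failures. fail2ban also requires the failures
    to fall within findtime (600 s by default); that window is ignored here."""
    return sorted(h for h, n in Counter(hosts).items() if n >= maxretry)


if __name__ == '__main__':
    for label, regexes in (('with port group', FAILREGEX), ('without port group', LEGACY_FAILREGEX)):
        hosts = matched_hosts(compile_filter(regexes), SAMPLE_LOG)
        print(label, '-> matched:', hosts, 'ban:', to_ban(hosts))
```

With the port group, 198.51.100.7 (two "No matching peer found" failures from the 1.8-style lines) and 203.0.113.9 (a wrong password plus an MD5 failure) both reach maxretry; without it, the scanner at 198.51.100.7 is never seen at all, which is exactly the silent failure to look for in fail2ban-regex output.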

Start the service

service fail2ban start

and you're done. Before relying on it, test the filter against your real log with fail2ban-regex, and use fail2ban-client status to confirm the jail is loaded and to see which addresses it has banned.
