asterisk & IP-PBX Security Tips - nurango - ContactCenterWorld.com Blog
Linux and SIP hack attempts are all too common. There are dozens of stories out there including a client of mine that incurred $18,000 in losses. Here are a few tips on securing your IP-PBX Phone System.
1) Make sure all passwords are changed from the defaults immediately.
# MySQL 5.6 and earlier / MariaDB before 10.4 syntax; newer versions dropped the Password column and use: ALTER USER 'root'@'localhost' IDENTIFIED BY 'XXXX';
mysql asterisk --execute="UPDATE mysql.user SET Password=PASSWORD('XXXX') WHERE User='root';"
mysql asterisk --execute="FLUSH PRIVILEGES;"
Replace XXXX with a strong password. A password given on the command line is visible in ps while the command runs and stays in the shell history, so run this at the console and clear the history afterwards.
- Don't forget the admin passwords of any administrative web GUI, if one is installed.
- Log in only with a standard user account and use "sudo" when needed; set PermitRootLogin no in /etc/ssh/sshd_config so root cannot log in over SSH at all.
- Consider moving SSH off its default port 22. This only cuts the noise from mass scanners; it is not a substitute for the password and lockout measures below.
- Use complex SIP secrets for extensions and trunks! Never the extension number, never a dictionary word: scanners try those first.
2) If using VoIP trunks (SIP providers) -
- Use IP AUTHENTICATION with your SIP provider wherever they offer it, and avoid password-based registrations at ALL costs if you can. A trunk the provider authenticates by your source address has no secret that can be guessed, leaked or phished.
- With IP authentication there is no register string at all: the provider sends calls to your fixed public IP. Set "qualify=yes" on the trunk peer so Asterisk keeps checking that the provider is reachable and shows its status in "sip show peers". Qualify is a reachability check, not a replacement for registration.
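As an added example for tips 1 and 2 (not code from the original post), the script below audits a sip.conf for the two things just discussed: extension secrets that are weak, and trunks that still register with a password rather than being authenticated by IP. The weakness rules are the editor's own policy, the config excerpt is constructed for the demo, and 203.0.113.10 and sip.provider.example are placeholders.

```python
"""Audit an Asterisk sip.conf for weak SIP secrets and password-based trunk
registrations.  Added example for this post, not code from the original
article: the weakness rules are the editor's own policy, the config below
is constructed for the demo, and 203.0.113.10 / sip.provider.example are
placeholder addresses."""
import re

# Constructed sip.conf excerpt: a trunk that registers with a password
# (what tip 2 says to avoid), an IP-authenticated trunk with qualify=yes,
# and three extensions whose secrets range from terrible to acceptable.
SAMPLE_SIP_CONF = """\
[general]
context=default
alwaysauthreject=yes
register => 5551234:5551234@sip.provider.example   ; password-based registration

[provider-ipauth]
type=peer
host=203.0.113.10       ; provider signalling address: no secret, no register line
insecure=invite
qualify=yes             ; keep checking the provider is reachable (not a registration)

[101]
type=friend
secret=101              ; same as the extension number
host=dynamic

[102]
type=friend
secret=password1
host=dynamic

[103]
type=friend
secret=Vq7#pL2!rT9$wX4n
host=dynamic
"""

COMMON_SECRETS = {"password", "password1", "123456", "1234", "admin", "asterisk", "secret"}
KEY_VALUE = re.compile(r"([^=]+?)\s*=>?\s*(.*)")


def parse_asterisk_conf(text):
    """Return {section: [(key, value), ...]} for an ini-style Asterisk file.
    Strips ';' comments and accepts both 'key=value' and 'key => value'."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
            continue
        m = KEY_VALUE.match(line)
        if m and current is not None:
            sections[current].append((m.group(1).strip(), m.group(2).strip()))
    return sections


def secret_problems(name, secret):
    """List the reasons a SIP secret is weak; an empty list means it passes."""
    problems = []
    if secret == name:
        problems.append("equals the peer name")
    if secret.lower() in COMMON_SECRETS:
        problems.append("common password")
    if secret.isdigit():
        problems.append("digits only")
    if len(secret) < 12:
        problems.append("shorter than 12 characters")
    classes = sum(bool(re.search(p, secret))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def audit_sip_conf(text):
    """Report weak secrets, password registrations and IP-authenticated peers."""
    conf = parse_asterisk_conf(text)
    report = {"weak_secrets": {}, "password_registrations": [], "ip_auth_peers": []}
    for key, value in conf.get("general", []):
        if key == "register":
            # Mask the password in user:password@host before it lands in a report.
            report["password_registrations"].append(re.sub(r":[^@]*@", ":***@", value))
    for name, entries in conf.items():
        if name == "general":
            continue
        opts = dict(entries)
        if "secret" in opts:
            problems = secret_problems(name, opts["secret"])
            if problems:
                report["weak_secrets"][name] = problems
        elif opts.get("type") == "peer" and opts.get("host", "dynamic") != "dynamic":
            # No secret and a fixed host: the provider is trusted by source address.
            report["ip_auth_peers"].append((name, opts["host"], opts.get("qualify", "no")))
    return report


if __name__ == "__main__":
    result = audit_sip_conf(SAMPLE_SIP_CONF)
    for peer, why in result["weak_secrets"].items():
        print(f"WEAK   [{peer}]: {', '.join(why)}")
    for reg in result["password_registrations"]:
        print(f"REGISTER with password: {reg}")
    for peer, host, qualify in result["ip_auth_peers"]:
        print(f"IP-AUTH [{peer}] host={host} qualify={qualify}")
```

Run it against the real file with audit_sip_conf(open("/etc/asterisk/sip.conf").read()). Extensions 101 and 102 are reported, 103 passes, the password-registered trunk is listed with its password masked, and the IP-authenticated trunk shows up with its qualify setting so you can confirm nothing is still relying on a register line.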
3) Things to notice in your CLI: "pinball activity".
Streams of messages such as Registration from '...' failed for 'x.x.x.x' - Wrong password, - No matching peer found, or - Peer is not supposed to register (something trying to register as a peer whose host is not dynamic). Basically repeated failures, often several per second, from IPs that you do not recognize. Don't confuse them with your remote agents though: an agent who mistypes a password produces exactly the same lines. Use iptables to block malicious IPs.
iptables -A INPUT -s x.x.x.x -j DROP   # block one address (-A appends; if the chain already ends in a catch-all DROP, use -I so the new rule is inserted at the top and actually gets hit)
/etc/init.d/iptables save              # persist the rules across reboots (RHEL/CentOS; "service iptables save" does the same)
To allow ONLY specific IPs (order matters: -A appends, so the catch-all DROP must be added last)
iptables -A INPUT -i lo -j ACCEPT                                        # yes, accept connections from localhost (matching the loopback interface is stricter than a spoofable 127.0.0.1 source address)
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT   # replies to connections the PBX opened itself (DNS, updates, outbound SIP); without this the final DROP breaks them
iptables -A INPUT -s friendly.ip.1 -j ACCEPT                             # replace with a real address or CIDR block
iptables -A INPUT -s friendly.ip.2 -j ACCEPT
iptables -A INPUT -s 0/0 -j DROP                                         # everything else
- Don't ban yourself! Before the final DROP, add your own remote IP, your ISP/router/gateway, your remote agents and your SIP provider's signalling and media addresses, and apply the rules from the console rather than over SSH so a mistake cannot lock you out.
4) Brute-force attempts against the root password over SSH are more common than SIP registration attacks, because generic Linux scanners hit every host on the Internet while SIP scanners only go after PBXs. Lock the account after repeated wrong SSH passwords (the paths below are Debian/Ubuntu style):
1. Open /etc/pam.d/sshd in a text editor.
2. Right before @include common-auth, add the following on its own line:
auth required pam_tally.so deny=3 unlock_time=120
(lock after 3 failures, unlock automatically after 120 seconds)
3. Right before @include common-account, add the following on its own line:
account required pam_tally.so reset
(reset the failure counter after a successful login)
Note that pam_tally does not count failures for root unless you add even_deny_root_account, which is one more reason to disable root SSH logins outright. Current distributions ship pam_tally2 or pam_faillock instead of pam_tally; the idea is the same, only the module name and options differ.
- See also: /var/log/auth.log (Debian/Ubuntu; /var/log/secure on RHEL/CentOS) and /var/mail/root for unauthorized access and attempts.
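The following is an added example for tips 3 and 4, not code from the original post: it scans a mix of chan_sip registration failures (as /var/log/asterisk/messages prints them) and sshd failures (as they appear in /var/log/auth.log), counts failures per source address, skips the networks you trust so a remote agent with a typo never gets banned, and emits the iptables rules for everything else. The log lines are constructed, the addresses come from the documentation ranges, and the threshold of 3 is the editor's choice.

```python
"""Scan Asterisk and sshd logs for the 'pinball' failure storms described in
tips 3 and 4, count failures per source address, skip trusted networks (your
remote agents, your own office) and emit iptables rules for the rest.
Added example, not code from the original post: the log lines are constructed,
the addresses are documentation ranges, and the threshold is the editor's choice."""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed log excerpt: chan_sip NOTICE lines as /var/log/asterisk/messages
# prints them, followed by sshd lines as they appear in /var/log/auth.log.
# 198.51.100.20 is a remote agent who mistyped a password three times.
SAMPLE_LOGS = """\
[Dec 16 04:12:01] NOTICE[2071] chan_sip.c: Registration from '"100" <sip:100@198.51.100.7>' failed for '203.0.113.55:5060' - Wrong password
[Dec 16 04:12:01] NOTICE[2071] chan_sip.c: Registration from '"101" <sip:101@198.51.100.7>' failed for '203.0.113.55:5060' - Wrong password
[Dec 16 04:12:02] NOTICE[2071] chan_sip.c: Registration from '"102" <sip:102@198.51.100.7>' failed for '203.0.113.55:5060' - No matching peer found
[Dec 16 04:12:02] NOTICE[2071] chan_sip.c: Registration from '"1000" <sip:1000@198.51.100.7>' failed for '203.0.113.55:5060' - Peer is not supposed to register
[Dec 16 04:12:30] NOTICE[2071] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '198.51.100.20:5060' - Wrong password
[Dec 16 04:12:31] NOTICE[2071] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '198.51.100.20:5060' - Wrong password
[Dec 16 04:12:32] NOTICE[2071] chan_sip.c: Registration from '"201" <sip:201@198.51.100.7>' failed for '198.51.100.20:5060' - Wrong password
Dec 16 04:13:10 pbx sshd[3120]: Failed password for root from 203.0.113.99 port 51022 ssh2
Dec 16 04:13:12 pbx sshd[3122]: Failed password for invalid user admin from 203.0.113.99 port 51030 ssh2
Dec 16 04:13:14 pbx sshd[3124]: Failed password for root from 203.0.113.99 port 51041 ssh2
Dec 16 04:13:20 pbx sshd[3126]: Failed password for root from 203.0.113.77 port 40010 ssh2
Dec 16 04:14:00 pbx sshd[3130]: Accepted publickey for deploy from 198.51.100.20 port 40022 ssh2
"""

# Networks that must never be banned: office / remote agents, and loopback.
TRUSTED = ["198.51.100.0/24", "127.0.0.0/8"]

ASTERISK_FAIL = re.compile(
    r"Registration from '.*?' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$")
SSHD_FAIL = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)")


def failed_attempts(lines):
    """Yield (ip, service, detail) for each failed SIP registration or SSH login."""
    for line in lines:
        m = ASTERISK_FAIL.search(line)
        if m:
            yield m.group("ip"), "sip", m.group("reason")
            continue
        m = SSHD_FAIL.search(line)
        if m:
            yield m.group("ip"), "ssh", "user " + m.group("user")


def offenders(lines, trusted=TRUSTED, threshold=3):
    """Return {ip: failure_count} for addresses at or above the threshold,
    ignoring anything inside a trusted network (so you never ban yourself)."""
    nets = [ip_network(n) for n in trusted]
    counts = Counter()
    for ip, _service, _detail in failed_attempts(lines):
        if any(ip_address(ip) in net for net in nets):
            continue
        counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def iptables_rules(bad_ips):
    """One DROP rule per offender.  -I puts the rule at the top of INPUT so it
    is hit before any ACCEPT or final DROP rule already in the chain."""
    return [f"iptables -I INPUT -s {ip} -j DROP"
            for ip in sorted(bad_ips, key=ip_address)]


if __name__ == "__main__":
    bad = offenders(SAMPLE_LOGS.splitlines())
    for ip, n in sorted(bad.items(), key=lambda kv: ip_address(kv[0])):
        print(f"{ip}: {n} failures")
    print("\n".join(iptables_rules(bad)))
```

On the sample, 203.0.113.55 (four SIP failures) and 203.0.113.99 (three SSH failures) are reported, 203.0.113.77 stays under the threshold, and the remote agent at 198.51.100.20 is skipped because of the trusted list. The script counts over the whole input with no time window and never unbans; Fail2Ban (tip 6) adds both, which is why it is the better tool for continuous use, but the same three decisions (which lines count, who is exempt, how many is too many) are the ones you configure there.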
5) Disable unneeded services such as FTP, TFTP and any other remote-access service you do not use. TFTP phone-provisioning servers deserve special attention: the config files they hand out contain SIP secrets in clear text and attackers scan for them.
6) Install Fail2Ban. It watches log files for repeated failures and inserts firewall rules to reject the offending IP addresses. On a PBX, point it at /var/log/asterisk/messages (the asterisk filter it ships with matches the registration failures above) and at the SSH log (/var/log/auth.log or /var/log/secure); the /var/log/pwdfail and Apache error_log examples in its documentation are for other services.
7) Restrict Default Access -
1) Bind your MySQL server to localhost. Edit /etc/my.cnf and set "bind-address = 127.0.0.1" in the [mysqld] section, then restart mysqld. Nothing outside the PBX needs to reach MySQL.
2) Enable host-based access control in httpd.conf. If the admin web interface is only used from the local network, bind Apache to the LAN interface ("Listen 192.168.1.10:80", using your own LAN address in place of the placeholder) and restrict the admin directory to that network: "Allow from 192.168.1.0/24" (Apache 2.2) or "Require ip 192.168.1.0/24" (Apache 2.4).
8) Asterisk Based -
1) Edit /etc/asterisk/manager.conf and change "bindaddr = 0.0.0.0" to "bindaddr = 127.0.0.1" in [general], so the manager interface (AMI, TCP port 5038) only accepts local connections; if nothing uses AMI, set "enabled = no" instead. Each AMI user section also accepts "permit =" and "deny =" lines for a further address restriction.
2) Ensure "allowtransfer=no" in the [general] section of /etc/asterisk/sip.conf, so a compromised or spoofed endpoint cannot use SIP REFER to transfer calls to arbitrary numbers (it can still be enabled per peer where transfers are genuinely needed). Set "alwaysauthreject=yes" as well: failed registrations then get the same reply whether or not the extension exists, which stops scanners from enumerating valid extensions before they start guessing passwords.
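Once tips 5, 7 and 8 have been applied, the check that matters is what the box actually listens on. The script below is an added example (not from the original post) that parses "ss -ltun" output, flags services bound to all interfaces that should be local-only, prints the config line that fixes each one, and flags any listener that is not on the expected list at all. The ss output is constructed and shows the weak defaults; the policy table, including the placeholder LAN address 192.168.1.10, is the editor's own and should be edited to match your PBX.

```python
"""Check what the PBX actually listens on, as a follow-up to tips 5, 7 and 8:
parse `ss -ltun` output, flag services bound to all interfaces that should be
local-only, and flag listeners that are not on the expected list at all.
Added example, not from the original post: the ss output is constructed, and
the policy table (ports, allowed addresses, fixes) is the editor's own; the
LAN address 192.168.1.10 is a placeholder for your own."""

WILDCARDS = {"0.0.0.0", "::", "*"}

# port -> (addresses it may bind to, or None for "any"; description; fix)
POLICY = {
    22:   (None, "sshd", ""),
    25:   ({"127.0.0.1"}, "local MTA", "restrict the MTA to loopback"),
    80:   ({"192.168.1.10"}, "admin web GUI", "httpd.conf: Listen 192.168.1.10:80"),
    3306: ({"127.0.0.1"}, "MySQL", "my.cnf [mysqld]: bind-address = 127.0.0.1"),
    5038: ({"127.0.0.1"}, "Asterisk manager (AMI)", "manager.conf [general]: bindaddr = 127.0.0.1"),
    5060: (None, "SIP signalling", ""),
}

# Constructed `ss -ltun` output (no -p, so the last two columns are the local
# and peer sockets).  Deliberately shows the weak defaults: MySQL, AMI and the
# web GUI on 0.0.0.0, plus a TFTP server nobody remembers enabling.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:5060         0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:69           0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:80           0.0.0.0:*
tcp   LISTEN 0      50     0.0.0.0:3306         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:5038         0.0.0.0:*
tcp   LISTEN 0      100    127.0.0.1:25         0.0.0.0:*
tcp   LISTEN 0      128    :::22                :::*
"""


def split_local(sock):
    """'0.0.0.0:3306' -> ('0.0.0.0', 3306); ':::22' -> ('::', 22); '*:5060' -> ('*', 5060)."""
    host, _, port = sock.rpartition(":")
    return host, (int(port) if port.isdigit() else None)


def audit_listeners(ss_output):
    """Return [(severity, local_socket, message)] for every listener that
    violates POLICY.  severity is 'exposed' or 'unexpected'."""
    findings = []
    for line in ss_output.splitlines():
        tokens = line.split()
        if len(tokens) < 6 or tokens[0] not in ("tcp", "udp"):
            continue                      # header line or something we do not parse
        local = tokens[-2]
        host, port = split_local(local)
        if port is None:
            continue
        if port not in POLICY:
            findings.append(("unexpected", local,
                             "not an expected service on this PBX; disable it if not needed"))
            continue
        allowed, desc, fix = POLICY[port]
        if allowed is None or host in allowed:
            continue
        where = "all interfaces" if host in WILDCARDS else host
        findings.append(("exposed", local,
                         f"{desc} listens on {where}, expected {', '.join(sorted(allowed))} ({fix})"))
    return findings


if __name__ == "__main__":
    for severity, sock, msg in audit_listeners(SAMPLE_SS):
        print(f"{severity:10} {sock:20} {msg}")
```

On a live system feed it the real output, for example audit_listeners(subprocess.check_output(["ss", "-ltun"], text=True)). The sample yields four findings: TFTP on udp/69 as unexpected, and the web GUI, MySQL and AMI as exposed on 0.0.0.0, each with the config line from tips 7 and 8 that closes it; SSH and SIP pass because the policy allows them on any address, and the MTA passes because it is already on 127.0.0.1.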
Good luck and safe calling!
Publish Date: December 16, 2014 5:00 AM