HOW to protect your IP PBX?
This is an important issue. Besides the normal ICT protection (against Trojans, spyware, viruses and break-ins on mail and web servers), it should be a constant item on every ICT manager's list. It all starts with awareness.
Besides our own security guidelines and blogs, we have collected some very good information to help you here. If you act on it in the ways described, you and your IP PBX are pretty safe.
Ready? Let’s go.
1. NEVER, we repeat NEVER use the default passwords on any system for Administrator access. Restrict REMOTE access to the systems from only 1 IP address
2. If you CAN, always install your IP PBX on a NAT LAN (local area network with NAT / private IP addresses) – this makes it hard to get into the IP PBX from the outside world
Read here how to do this with Asterisk: http://forums.asterisk.org/viewtopic.php?t=74786 (also LOTS of other good tips)
Summary from that page:
‘Put the Asterisk box behind a NAT router, the system will not be contactable from the outside, but can initiate and maintain registered connections with SIP providers on the outside. That is the simplest way to make your asterisk box secure "enough" whilst still being able to make and receive calls over the net. It won't work with external handsets, you may need to look at a low latency / SIP/RTP friendly VPN such as OpenVPN to give you that functionality’.
3. Don’t use the same username and password on your extensions. Also make sure the internal extensions have hard-to-guess passwords.
4. Keep the inbound call routing in a different context to your outbound routing. That way, anyone who gets in, can’t get back out again. Common problem and biggest cause / source of toll fraud.
5. Restrict the IP addresses your extensions can register on to the local subnet using permit/deny in your sip.conf
6. Disable channels that you aren’t using (such as skinny and MGCP) and comment out any default settings in the conf files
7. Set “alwaysauthreject=yes” in your sip configuration file. What this does is prevent Asterisk from telling a sip scanner which are valid extension numbers.
8. If you do not have ‘external’ extensions, you can DISABLE access on port 5060 / 6060 for INCOMING traffic.
9. Use restrictive dial plans (disallow calling to 0900 + Premium numbers) and non-numeric logins for your extensions.
10. If you wonder what happened and / if hackers got in or not, read all in the Asterisk LOG file: /var/log/asterisk/messages
11. Read the comments from Chris on http://forums.asterisk.org/viewtopic.php?t=74786 (somewhere in the middle); much of the information above came from him (thanks Chris) and he describes all the .conf files to adjust to make it very secure.
12. Install a SIP port firewall. This will not allow "fast scanning" of port 5060 and will blacklist the endpoint for 1 hour if something like this is happening.
More info: http://www.voip-info.org/wiki/view/Asterisk+firewall+rules
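As an added example that is not part of the original post or of Asterisk itself, the script below reads a sip.conf and reports the settings that go against items 3, 4, 5, 7 and 9 of the checklist: alwaysauthreject not set to yes, numeric logins, secrets equal to the username, extensions without permit/deny, and extensions that share the inbound context. The sip.conf content and the context name from-trunk are constructed for the demonstration.

```python
# Added audit script (not from the post or the Asterisk project): flag sip.conf settings that break the checklist.
import configparser

# Constructed sample sip.conf: one weak extension ([1001]) and one hardened one.
SAMPLE_SIP_CONF = """\
[general]
context=from-trunk      ; inbound trunk calls land here
alwaysauthreject=no

[1001]
type=friend
secret=1001             ; numeric login with secret equal to the username
context=from-trunk      ; same context as inbound calls: the toll-fraud path

[alice-desk]
type=friend
secret=Gx7!pq92Lw
context=internal
deny=0.0.0.0/0.0.0.0
permit=192.168.1.0/255.255.255.0
"""

def audit_sip_conf(text, inbound_contexts=("from-trunk",)):
    """Return (section, finding) tuples, one per checklist violation."""
    # Asterisk uses ';' for comments and repeats keys such as allow=; parse leniently.
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";",))
    cp.read_string(text)
    findings = []
    general = cp["general"] if cp.has_section("general") else {}
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject is not 'yes'"))
    for name in cp.sections():
        if name == "general":
            continue
        sec = cp[name]
        if sec.get("type", "") not in ("friend", "peer", "user"):
            continue  # not an endpoint definition
        if name.isdigit():
            findings.append((name, "numeric login name"))
        secret = sec.get("secret", "")
        if not secret or secret == name or secret.isdigit():
            findings.append((name, "weak or missing secret"))
        if "permit" not in sec or "deny" not in sec:
            findings.append((name, "no permit/deny subnet restriction"))
        ctx = sec.get("context", general.get("context", "default"))
        if ctx in inbound_contexts:
            findings.append((name, f"uses inbound context '{ctx}'"))
    return findings
```

Run it against the contents of your own /etc/asterisk/sip.conf (passing your real inbound context name) and work through the list until it comes back empty.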
Now… you do NOT want to see this anymore, do you? Read on!!
TESTING – TESTING 1 -2 – NOW YOU’RE GONNA TEST !
Now that all of this has been done, you want (and need) to test whether everything is secure. If you think there is no tool available to test and break into an Asterisk based server, think again. It exists. Dozens of these tools are around, but one good one is SIPVICIOUS. It is a SIP SCANNER that checks HOW an attacker could BREAK into your Asterisk box.
If you followed all the steps above, and those in the article below, nobody would ever be able to get in anymore.
It doesn’t matter that we mention it here, because every hacker already knows this tool. So now we are going to USE THAT TOOL to see if you are secure. And that is what we want to know, isn’t it?
Check it all on http://sysadminman.net/blog/2009/hacking-and-securing-your-asterisk-server-592; the installation steps and some more things to take care of are all included on that page.