How do I secure my Asterisk server?
Solution 1:
This is how I secure my Asterisk server, which has been in production continuously since 2006.
Firewall
Open inbound ports only for necessary services. (You do have to open a wide range for RTP streams, but this generally isn't an issue since nothing normally listens within that port range.)
-
22/tcp
ssh (for management, of course) -
4520/udp
DUNDi (if you are using DUNDi) -
4569/tcp
IAX2 (if you are using IAX) -
5060/udp
SIP registration -
10000-20000/udp
RTP - media transport
Some devices have a much narrower range of ports they use for RTP streams. For instance certain Cisco (formerly Linksys/Sipura; part numbers begin with PAP, SPA or WRP) devices only use16384-16482
.
Extensions
If possible, restrict the IP address ranges from which SIP clients are allowed to connect. If this is deployed in an office, restrict connections to port 5060 to IP addresses within the locations(s) where the phones are located. If you must accept connections from Internet addresses not within your control, consider blocking country-specific IP address ranges.
Do not use the SIP extension number as the username. If your SIP clients support it, give them all names instead.
Set strong passwords for all SIP extensions. This should be obvious, but isn't always so.
From reading the logs attached to your previous question, I was able to determine that you had a SIP extension defined with the username 1
, with a secret so easy to guess that the attacker got it correct on the first attempt. The extension probably had no secret defined at all.
Use alwaysauthreject=yes
in sip.conf
. This prevents attackers from being able to determine if a SIP extension exists via brute force.
Use allowguest=no
in sip.conf
. This prevents unauthenticated clients from making calls.
Administration
Change all default passwords for your UNIX users, your databases, and your administrative front-ends such as FreePBX.
Set bindaddr = 127.0.0.1
in manager.conf
to ensure that the Asterisk management interface is not open to the world.
Other
Install fail2ban. I have it configured to block after two failed attempts, but if you have full control of all your devices such that they would never fail to login correctly, you could set it to block after one failed attempt.
If you do not need to make international calls, then have your SIP trunking provider disable the capability at their end. You can also configure your asterisk server not to route such calls.
This should cover the basics, and will keep you out of trouble for the most part. If you deploy any unusual services or write your own custom configurations, you may need to do some additional work to secure them.
Solution 2:
We had a similar problem some time back. In addition to Michael Hampton's answer. Three things we did fixed this.
1) Installing fail2ban. What this does is it scans log files looking for password failure attempts. Too many and it will firewall the IP's. It works for more than just asterisk, but SSH and any service you require.
2) Whitelist, or Black list IP's from countries you want/don't want to allow. e.g. Do you want to allow SIP access from China? You can get IP lists from nirsoft
3) If you're trunking or pairing to an upstream provider see if you can get a daily credit limit. This will limit the size of the bill you get from them should either of the first two fail. And if you do detect a problem, at least buy you some time before it really gets out of hand.
Solution 3:
I would add 'good monitoring' to the suggestions listed by other answers. Monitor the systems (suggested titles for checking logs are logwatch or logcheck). Look at available asterisk reporting tools (I don't know any titles but the item Asterisk Monitoring lists some) and see whether your upstream telephony provider can monitor your use and alert on unplanned increases of call costs.