Securing Asterisk - Have I done enough?

Post by emilh » Tue Jul 29, 2014 12:28 am

Hi everyone,

I have been tinkering with Asterisk now for 3 weeks, and I have it working well so far. I just need to make some further changes to how it handles calls after hours etc.

I just want to check with you guys that have a better working knowledge and experience with Asterisk to see if I perhaps missed anything security related.

This is what I have done to secure the system:
1 - Installed a firewall in front of the system, with port forwarding. I only allow port 5060 and the RTP ports I specified at 45000-45050.
2 - I have made sure that no other port is available from the internet. No web management, no SSH, nothing.
3 - I have disabled WAN ping so that it appears as if it is an unused IP.
4 - I use fail2ban with a very low threshold for errors (2 wrong attempts within 30 seconds gets you booted for 12.5 days. Any further failed authentication attempt gets you booted for 6 months).
5 - I have used long passwords for the extensions, as an example: 7hdf743df8yt3487g7fd87tf8423gtf342d and this is the shortest one used.
6 - I have used different trunk names and passwords for incoming and outgoing calls (I have it working with 2 other Samsung PABX systems, all calling between each other).
7 - I have set the Asterisk box to drop all packets not originating from IP addresses allocated to the country where it would work, in this case South Africa. All other packets from everywhere else would silently drop using iptables.

I have remote handsets that need to register to the system, hence I could not cut access off completely.

I just need to know, what else should I do to secure the system?

I look forward to any feedback.

Thanks and kind regards,

Emil.
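The ban thresholds in item 4 of the post above can be checked against a log offline. The following is an added example, not part of the thread and not fail2ban's own code: it models that policy over failed-registration lines in chan_sip's NOTICE format. The sample lines are constructed, 182 days stands in for "6 months", and reading "any further failed attempt" as "any failure from a previously banned IP" is an assumption.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Thresholds from item 4 of the post. Treating "any further failed attempt"
# as "any failure from an IP that was banned before" is an assumption.
MAX_FAILURES, WINDOW = 2, timedelta(seconds=30)
FIRST_BAN, REPEAT_BAN = timedelta(days=12.5), timedelta(days=182)  # ~6 months

# chan_sip failed-registration NOTICE line; the port after the IP is optional.
FAILED = re.compile(
    r"^\[(?P<ts>[\d-]+ [\d:]+)\] NOTICE\[\d+\].*?: Registration from '.*?' "
    r"failed for '(?P<ip>[0-9.]+)(?::\d+)?' - ")

def evaluate(lines):
    """Return ban decisions as (ip, start, end) tuples, in log order."""
    recent = defaultdict(deque)  # ip -> failure times still inside WINDOW
    banned_until, offenders, bans = {}, set(), []
    for line in lines:
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip = m["ip"]
        if ts < banned_until.get(ip, datetime.min):
            continue  # already blocked at the firewall
        if ip in offenders:
            length = REPEAT_BAN  # repeat offender: one failure is enough
        else:
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > WINDOW:
                q.popleft()  # forget failures older than the window
            if len(q) < MAX_FAILURES:
                continue
            length = FIRST_BAN
        offenders.add(ip)
        banned_until[ip] = ts + length
        bans.append((ip, ts, ts + length))
    return bans

def fail(ts, ip, why="Wrong password"):  # builds one constructed log line
    return (f"[{ts}] NOTICE[1234] chan_sip.c: Registration from "
            f"'<sip:100@pbx.example>' failed for '{ip}:5060' - {why}")

SAMPLE = [fail("2014-07-29 00:28:01", "203.0.113.5"),
          fail("2014-07-29 00:28:20", "203.0.113.5"),
          fail("2014-07-29 00:29:00", "198.51.100.7", "No matching peer found"),
          fail("2014-07-29 00:30:00", "198.51.100.7", "No matching peer found"),
          fail("2014-08-11 09:00:00", "203.0.113.5")]
```

Running `evaluate(SAMPLE)` bans 203.0.113.5 twice (first for 12.5 days, then for 182 days after the first ban lapses) and never bans 198.51.100.7, whose two failures are 60 seconds apart.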

Re: Securing Asterisk - Have I done enough?

Post by emilh » Wed Nov 26, 2014 3:22 am

Feedback time:

Attempts to breach have not succeeded. It seems that what I did was enough to prevent the system from being compromised.

Re: Securing Asterisk - Have I done enough?

Post by malcolmd » Mon Dec 01, 2014 9:11 am

#7's probably going to get you a lot of mileage, simply because you're knocking out the US, Russia and China - three of the biggest origins for nefarious attempts on your server.
Malcolm Davenport
Digium, Inc. | Senior Product Manager