Seven steps to improve Asterisk security

    If you have ever wondered why the number of attacks on SIP endpoints has grown so sharply, the answer is simple: "childish pranks." In the past few months the amount of new software that attacks Asterisk and SIP endpoints with little effort has grown significantly. There are many freely available network scanners that detect SIP devices, probe them for valid extension numbers, and then try to guess the password for each one.

    The steps below let you fix, one at a time and right now, most of the problems that affect the security of your SIP host.


    It seems to me that the VoIP community is interested in integrating Asterisk-based solutions with a dynamic protection system (community blacklists are hotly discussed in the forums), but this does not mean you should wait for some new program or solution to protect your VoIP infrastructure. You can take measures right now to protect your Asterisk server from an ever-increasing number of attacks! The methods and tools already exist; just apply them and you will sleep more calmly at night!

    Step one
    Do not accept SIP authentication requests from every IP address on the network. Use the “permit=” and “deny=” options in the sip.conf configuration file to allow only the correct subset of IP addresses for each SIP user. Even when you accept incoming calls from “anyone” (via the [default] section), do not let those callers reach anything that requires authentication.

    Second step
    Always set the option “alwaysauthreject=yes” in sip.conf. This option first appeared in Asterisk version 1.2, but to this day its default value is "no". Setting it to “yes” makes Asterisk reject a failed authentication in the same way whether the username does not exist or the password is wrong, which prevents an attacker from discovering existing extensions with a “brute force” attack.

    Step three
    Use strong passwords for SIP objects. This step is perhaps the most important one in securing a SIP network. Do not create passwords made of two words, and do not just append the digit 1 to a dictionary word. If you saw how sophisticated and intelligent today's password-guessing tools are, you would understand how easily modern processors defeat such trivial obfuscation! Use symbols, digits, and uppercase and lowercase letters, and make the password at least 12 characters long!

    Step Four
    Lock down the Asterisk Manager Interface (AMI) port. In the manager.conf configuration file, use the “permit=” and “deny=” lines to restrict incoming connections to the manager interface to trusted hosts only. As in the strong-password step, create complex passwords at least 12 characters long.

    Step Five
    Limit the number of simultaneous calls per peer to two sessions (the call-limit option)! This limits what a fraudster can do once they have already obtained a valid username and password. Make sure that legitimate users keep their passwords secret and do not write the password directly on the SIP phone! It does happen!

    Step Six
    Make sure the username is different from the extension. Although an extension number such as “1234” can be paired with a username of the same name “1234”, it is better to create a SIP username that matches the MAC address of the user's network interface, or a combination of the user's extension and an MD5 hash. Such a hash can be produced directly from the shell command line like this:

    md5 -s ThePassword5000

    Step Seven
    Make sure the [default] context is secure. Do not let unauthenticated callers reach a context from which paid (toll) calls can be made! Allow only a limited number of calls to pass through the [default] context (you can use the GROUP function as a counter). Deny all unauthenticated calls (if you should not have such calls at all) by setting “allowguest=no” in the [general] section of sip.conf. And it is best never to have any entries in [default] except one: Hangup.
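    The seven steps above, gathered into one configuration. This is an added example, not part of the original article or of any Digium-supplied configuration: the peer name (a MAC address), the office subnet 192.168.10.0/24, the AMI user "monitor" and the secrets are all constructed placeholders that you replace with your own values.

```ini
; ---- sip.conf (constructed example) ----
[general]
context=default            ; step 7: callers who do not authenticate land in [default]
allowguest=no              ; step 7: refuse unauthenticated calls entirely
alwaysauthreject=yes       ; step 2: identical rejection for unknown user and wrong password

[001122aabbcc]             ; step 6: peer name is the phone's MAC address, not "1234"
type=friend
secret=Xq7!vR2#mLp9$zW     ; step 3: 16 characters, mixed case, digits, symbols (placeholder)
context=internal           ; only authenticated peers get the context that can dial out
deny=0.0.0.0/0.0.0.0       ; step 1: deny everyone first...
permit=192.168.10.0/255.255.255.0   ; ...then allow only the office LAN (assumed range)
call-limit=2               ; step 5: at most two simultaneous calls for this peer

; ---- manager.conf (constructed example) ----
[general]
enabled=yes
port=5038
bindaddr=127.0.0.1         ; step 4: assumption that the AMI client runs on the same host

[monitor]
secret=Rt4%kLz8@Wq1^pM6    ; step 4: AMI password, 16 characters (placeholder)
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.255
read=call,log
write=                     ; read-only account: no write class at all

; ---- extensions.conf (constructed example) ----
[default]
; step 7: an unauthenticated caller gets nothing to dial
exten => _X.,1,Hangup()

; If you do need a few unauthenticated calls (e.g. an inbound trunk to reception),
; count them with GROUP() and cap concurrency; never send them to a toll route.
[guest-limited]
exten => _X.,1,Set(GROUP()=guest)
 same => n,GotoIf($[${GROUP_COUNT(guest)} > 2]?busy)
 same => n,Dial(SIP/001122aabbcc,30)   ; fixed internal destination only
 same => n,Hangup()
 same => n(busy),Congestion()

[internal]
exten => 1234,1,Dial(SIP/001122aabbcc,30)   ; extension 1234 maps to the MAC-named peer
 same => n,Hangup()
```

    The `same =>` dialplan shorthand and CIDR-style `permit=`/`deny=` values require Asterisk 1.6.2 or later; on older releases write each priority with `exten =>` and use the netmask form shown above. A context that legitimately needs to accept unauthenticated calls is named separately here (`guest-limited`) and selected per trunk, so the catch-all `[default]` stays a single Hangup.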

    Conclusion
    The seven basic protection steps above are enough to secure most Asterisk installations, but there are further, more complex measures. For example, the fail2ban utility can block ("ban") a SIP endpoint's access to the server once it exceeds a configured number of failed registration attempts. This is a very necessary and useful addition to your VoIP system.

    If you are interested in seeing how the scanning, hacking and password-guessing utilities work through a graphical interface, you can watch this video clip



    These basic protection methods shield your SIP infrastructure from basic brute-force attacks, that is, from plain dictionary enumeration. Most attackers are unskilled people armed with powerful tools for breaking into network infrastructure. For them, these tools are an easy source of money at the expense of those who did not pay due attention to the security of their SIP infrastructure. Asterisk has some built-in tools that prevent the most obvious attacks on the server, but the most effective protection is still complex user passwords and non-guessable system usernames.

    Translation of John Todd's article from Digium.

    Information gathered and prepared by the team of the company "MyAsterisk"
