Asterisk Security Best Practices

I am looking for information on how to secure an Asterisk server directly connected to the internet. All I need to do is connect to another hosted Asterisk server over an IAX trunk. The trunk is working but I frequently see random malicious attempts to connect over SIP. These connection attempts also impact performance. I have disabled guest connections but the problem persists.

Any help or direction on how to lock down an IAX-only, publicly accessible Asterisk server is appreciated.

Don’t load chan_sip! Even better, don’t build it. (You seem to suggest that there are no SIP devices.)

The best practices when you do have SIP are included in the documentation.

This sub-forum is for discussions, not support questions.

SIP attacks require that port 5060 is open, so you can also close it at the firewall.

allowguest = no doesn’t stop attacks; it just makes them fail sooner. Setting a default context that cannot do anything that you wouldn’t want an attacker to do, would be the second line of defence.

This article would help you a lot … y_Problems

Trixbox is a dead product and that article predates the Asterisk security log.

The document that the Asterisk source installation process strongly advises reading, and which every binary packager should also include and stress the importance of, can be found at: … ctices.txt

Everybody knows that Trixbox is a dead product.

The article title is Common Server Security Problems. If you read the article, you must notice that, even though it is under the Trixbox website, the information in this article is tips for reading the Asterisk logs in order to identify a security breach.

It fails to mention the security log. A fairly common, invalid, bug report is that the normal logs don’t identify the attacker, but that information is in the security log.

Also when I looked at it, it was saying very obvious things compared with the more specific information in the document that is included with all supported versions of Asterisk. If you don’t know that SIP servers listen on port 5060, you really should not be attempting to secure one by yourself.

You can use fail2ban or csf; however, there are still backdoors left open :smile:. But I found both of them good enough along with some other security measures, like making the default context hang up and making your users’ passwords complex.
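
The security log mentioned in the thread records the remote address with each event. As an added example that is not part of any post above, this parser tallies failed-authentication events per source IP, assuming the key="value" event layout of Asterisk's security log channel; the sample lines are constructed and trimmed to the fields used.

```python
import re
from collections import Counter

# Constructed sample in the key="value" layout of Asterisk's security log
# channel (layout assumed, fields trimmed; addresses are documentation ranges).
SAMPLE_LOG = '''\
[2024-01-10 03:12:01] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5071"
[2024-01-10 03:12:02] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidAccountID",Severity="Error",Service="SIP",AccountID="1002",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5088"
[2024-01-10 03:12:03] SECURITY[2211] res_security_log.c: SecurityEvent="ChallengeResponseFailed",Severity="Error",Service="SIP",AccountID="admin",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/203.0.113.7/5071"
[2024-01-10 03:12:04] SECURITY[2211] res_security_log.c: SecurityEvent="SuccessfulAuth",Severity="Informational",Service="IAX2",AccountID="trunk",LocalAddress="IPV4/UDP/192.0.2.10/4569",RemoteAddress="IPV4/UDP/198.51.100.20/4569"
[2024-01-10 03:12:05] SECURITY[2211] res_security_log.c: SecurityEvent="InvalidPassword",Severity="Error",Service="SIP",AccountID="1001",LocalAddress="IPV4/UDP/192.0.2.10/5060",RemoteAddress="IPV4/UDP/198.51.100.99/5060"
[2024-01-10 03:12:06] VERBOSE[2211] pbx.c: call dropped into default context and hung up
'''

# Event names treated as attack indicators; successful auth is ignored.
FAILURE_EVENTS = {"InvalidAccountID", "InvalidPassword",
                  "ChallengeResponseFailed", "FailedACL"}
FIELD = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Return the fields of one security-log line, or None for other lines."""
    if "SECURITY[" not in line:
        return None
    fields = dict(FIELD.findall(line))
    return fields if "SecurityEvent" in fields else None


def remote_ip(event):
    """RemoteAddress is family/transport/address/port; return the address."""
    parts = event.get("RemoteAddress", "").split("/")
    return parts[2] if len(parts) == 4 else None


def offenders(log_text, threshold=3):
    """Map source IP -> failure count for IPs at or above the threshold."""
    counts = Counter()
    for line in log_text.splitlines():
        event = parse_event(line)
        if event and event["SecurityEvent"] in FAILURE_EVENTS:
            ip = remote_ip(event)
            if ip:
                counts[ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

The IAX2 trunk's successful authentication is not counted, so a threshold-based block list built from this output leaves the legitimate peer alone.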