Hi,
Sorry to be a little blurry, saw your post, didn’t give it enough time to cover things properly…however…
Simply:
Put the Asterisk box behind a NAT router, the system will not be contactable from the outside, but can initiate and maintain registered connections with SIP providers on the outside. That is the simplest way to make your Asterisk box secure “enough” whilst still being able to make and receive calls over the net. It won’t work with external handsets; you may need to look at a low latency / SIP/RTP friendly VPN such as OpenVPN to give you that functionality.
If…however… you have to use a public IP then here are some things you need to do to protect your Asterisk box.
- Don’t use the same username and password on your extensions. Common issue, e.g.:
; sip.conf
[202]
username=202
secret=202
host=dynamic
This is asking for trouble.
- Keep the inbound call routing in a different context to your outbound routing. That way, anyone who gets in can’t get back out again. Common problem and biggest cause / source of toll fraud.
Also always have a default context that can’t go anywhere.
; sip.conf
[general]
; Make sure that all stray calls end up in default
context=default
; registrations
register => 9875554321:guessthis123@sip.myimaginaryprovider.net
; trunks
[sip-trunk]
username=9875554321
secret=guessthis123
host=sip.myimaginaryprovider.net
context=sip-in
; etc....
; extensions
[202]
username=202
secret=lesschanceofgettinghacked
context=extensions
; extensions.conf
[extensions]
; Only our local extensions have access to this context
; Call our local extensions
exten => _2XX,1,Dial(SIP/${EXTEN})
; Dial out unrestricted access for any handset (min 4 digits)
exten => _XXXX.,1,Dial(SIP/sip-trunk/${EXTEN})
[sip-in]
; All calls via our SIP provider end up here
; inbound rings all phones
exten => s,1,Dial(SIP/201&SIP/202&SIP/203)
; If we have a call from our provider go astray, dump it
exten => i,1,Answer()
exten => i,n,Playback(tt-somethingiswrong)
exten => i,n,Hangup()
; No access to any outside lines
[default]
; All stray calls will end up here
; unless we want anonymous SIP calls, dump the call
exten => i,1,Answer()
exten => i,n,Playback(tt-somethingiswrong)
exten => i,n,Hangup()
; However we may want someone to call SIP://25@mywanipaddress.net to be able to call in
exten => 25,1,Dial(SIP/201&SIP/202&SIP/203)
- Use something like fail2ban. This is a similar script I quickly googled.
http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/
- Restrict the IP addresses your extensions can register on to the local subnet using permit/deny in your sip.conf
; sip.conf
[202]
username=202
secret=lesschanceofgettinghacked
context=extensions
; Deny all
deny=0.0.0.0/0.0.0.0
; But permit from local LAN
permit=192.168.0.0/255.255.255.0
; And maybe from 1 WAN address where the handset can be sometimes
permit=203.0.0.1/255.255.255.255
- Disable channels that you aren’t using (such as skinny and MGCP) and comment out any default settings in the conf files
; modules.conf
noload => chan_skinny.so
noload => chan_ooh323.so
noload => chan_mgcp.so
That should keep you busy. But, if you can get away with it, put the box behind NAT.
Cheers
Chris
BTW: We get 2 to 3 hack attacks a fortnight now. It’s a never ending battle, however by using restrictive dial plans and non numeric logins for our extensions, we have avoided all grief save for the machine and network resources used during the scans. We have managed to deal with those too by blocking out chunks of dodgy address space in the firewall tables.
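A small audit script for the sip.conf points made in the post above (added here as an example, not part of Chris’s post or of Asterisk): it assumes only the minimal sip.conf syntax shown in the post, and the function names parse_sip_conf and audit_sip_conf are hypothetical. It flags a secret equal to the username or extension, a dynamically registering peer with no permit/deny lines, and a peer or [general] section with no explicit context.

```python
"""Audit a sip.conf for the weaknesses described in the post (added example, not from the post)."""
import re

def parse_sip_conf(text: str) -> dict[str, list[tuple[str, str]]]:
    """Minimal sip.conf parser: [section], ';' comments, key=value and key => value; repeated keys kept."""
    sections: dict[str, list[tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        if not line:
            continue
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
            continue
        m = re.match(r"^([^=\s]+)\s*=>?\s*(.*)$", line)
        if m and current is not None:
            sections[current].append((m.group(1).lower(), m.group(2).strip()))
    return sections

def audit_sip_conf(text: str) -> list[str]:
    """Return one finding per weakness; an empty list means nothing was flagged."""
    sections = parse_sip_conf(text)
    findings: list[str] = []
    if "context" not in dict(sections.get("general", [])):
        findings.append("[general]: no explicit context for stray calls")
    for name, pairs in sections.items():
        kv, keys = dict(pairs), {k for k, _ in pairs}
        if name == "general" or "secret" not in kv:
            continue  # only authenticated peers are audited
        if kv["secret"] in (kv.get("username"), name):
            findings.append(f"[{name}]: secret equals the username/extension")
        if kv.get("host", "dynamic") == "dynamic" and not keys & {"permit", "deny"}:
            findings.append(f"[{name}]: dynamic peer with no permit/deny restriction")
        if "context" not in kv:
            findings.append(f"[{name}]: no context, inherits [general]")
    return findings

# Constructed samples: the weak extension from the post and a hardened one.
WEAK_CONF = "[general]\n[202]\nusername=202\nsecret=202\nhost=dynamic\n"
HARDENED_CONF = """[general]
context=default
[202]
username=202
secret=lesschanceofgettinghacked
context=extensions
deny=0.0.0.0/0.0.0.0              ; deny all
permit=192.168.0.0/255.255.255.0  ; then allow the LAN
"""
```

Run it over your own sip.conf with `audit_sip_conf(open("sip.conf").read())`; the weak sample yields four findings and the hardened one none.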