{"id":4972,"date":"2014-12-16T16:45:39","date_gmt":"2014-12-16T21:45:39","guid":{"rendered":"http:\/\/www.nurango.com\/new\/?p=4972"},"modified":"2023-02-01T21:40:20","modified_gmt":"2023-02-01T21:40:20","slug":"asterisk-ip-pbx-security-tips","status":"publish","type":"post","link":"https:\/\/www.nurango.ca\/blog\/asterisk-ip-pbx-security-tips","title":{"rendered":"asterisk &amp; IP-PBX Security Tips"},"content":{"rendered":"\n<h2 class=\"wp-block-heading\"><span style=\"color: #36abd8;\">Securing asterisk is a MUST if you plan to deploy and use it.<\/span><\/h2>\n\n\n\n<p>Linux and SIP hack attempts are all too common. There are dozens of stories out there including a client of mine that incurred $18,000 in losses. Here are a few tips on securing your IP-PBX Phone System.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\">&nbsp;<\/h4>\n\n\n\n<p><strong>1) <\/strong><strong>Make sure all passwords are changed from the defaults immediately.<\/strong><\/p>\n\n\n\n<p><strong>Root:<\/strong><br>&gt; passwd<\/p>\n\n\n\n<p><strong>Mysql:<\/strong><br>mysql asterisk &#8211;execute=&#8221;UPDATE mysql.user SET Password=PASSWORD(&#8216;XXXX&#8217;) WHERE User=&#8217;root&#8217;;&#8221;<br>mysql asterisk &#8211;execute=&#8221;FLUSH PRIVILEGES;&#8221;<\/p>\n\n\n\n<p>&#8211; <strong>Don\u2019t forget the Admin passwords if any through the Admin GUI.<\/strong><\/p>\n\n\n\n<p>&#8211; <strong>Only login with a standard user account and use \u201csudo\u201d when needed.<\/strong><\/p>\n\n\n\n<p><strong>&#8211; Consider changing the SSH port to something other than 21<br><\/strong><\/p>\n\n\n\n<p>&#8211; <strong>Use Complex SIP Passwords for Extensions and Trunks!<\/strong><br><strong>2) <\/strong><strong>If using VoIP &#8211;<\/strong><\/p>\n\n\n\n<p>&#8211; Use IP AUTHENTICATION with your SIP Provider!! Avoid registrations with passwords at ALL costs if you can!<br>&#8211; Instead of using a registration string use \u201cQualify=yes\u201d.<\/p>\n\n\n\n<p><strong>3) Things to notice in your CLI: &#8220;Pinball activity\u201d. <\/strong><\/p>\n\n\n\n<p>Multiple Messages such as <strong>&#8220;wrong password for ext xx&#8221;<\/strong> or <strong>&#8220;attempting to register but host is not dynamic&#8221;<\/strong> etc. Basically random messages with IP\u2019s that you do not recognize. Don\u2019t confuse them with your remote agents though! Use IPtables to block malicious IPs.<\/p>\n\n\n\n<p><strong>iptables -A INPUT -s x.x.x.x -j DROP (add blocked IP)<\/strong><\/p>\n\n\n\n<p><strong>(CentOS)<\/strong><\/p>\n\n\n\n<p>&gt; \/etc\/init.d\/iptables save (save settings)<\/p>\n\n\n\n<p><strong>(Debian)<br>To allow ONLY specific IPs<\/strong><\/p>\n\n\n\n<p>iptables -A INPUT -s \u201cfriendlyip.1\u201d -j ACCEPT<\/p>\n\n\n\n<p>iptables -A INPUT -s \u201cfriendly.ip.2\u201d -j ACCEPT<\/p>\n\n\n\n<p>iptables -A INPUT -s 127.0.0.1 -j ACCEPT # yes, accept connections from localhost.<\/p>\n\n\n\n<p><strong>Save&#8211;<br><\/strong>iptables -A INPUT -s 0\/0 -j DROP<\/p>\n\n\n\n<p><strong>&#8211;<\/strong> <strong>Don\u2019t Ban yourself! Add your remote IP if needed and your ISP\/Router\/Gateway.<\/strong><\/p>\n\n\n\n<p><strong>4) There are more root password hack attempts than SIP registration hacks due to linux hack attempts versus targeted SIP hack attempts. Lock down remote SSH wrong password attempts.<\/strong><\/p>\n\n\n\n<p><strong>1.<\/strong> Open \/etc\/pam.d\/sshd in a text editor.<\/p>\n\n\n\n<p><strong>2<\/strong>. Right before @include common-auth, add the following on its own line:<\/p>\n\n\n\n<p>auth required pam_tally.so deny=3 unlock_time=120<\/p>\n\n\n\n<p><strong>3.<\/strong> Right before @include common-account, add the following on its own line:<\/p>\n\n\n\n<p>account required pam_tally.so reset<\/p>\n\n\n\n<p><strong>&#8211; See also: \/var\/log\/auth.log and \/var\/mail\/root for unauthorized access and attempts.<\/strong><\/p>\n\n\n\n<p><strong>5) Disable un-needed services such as FTP, TFTP, and any other remote access services not needed.<\/strong><\/p>\n\n\n\n<p><strong>6) Install Fail2Ban &#8211; <\/strong>Scans log files like \/var\/log\/pwdfail or \/var\/log\/apache\/error_log and bans IPs that make too many password failures. It also updates firewall rules to reject the IP addresses.<\/p>\n\n\n\n<p><strong>7) Restrict Default Access<\/strong> &#8211;<br>1) Bind your mysql server to localhost. To do this you need to edit \/etc\/my.cnf and set &#8220;bind_address=127.0.0.1&#8221;<br>2) Enable host based access on your httpd.conf. If you are using the apache server on your local network only, it would be wise to do a bind address to the local network interface<\/p>\n\n\n\n<p><strong>8) Asterisk Based &#8211;<\/strong><br>1) Edit \/etc\/asterisk\/manager.conf and change 0.0.0.0 to 127.0.0.1<br>2) Ensure &#8220;allowtransfer=no&#8221; in \/etc\/asterisk\/sip.conf<\/p>\n\n\n\n<h5 class=\"wp-block-heading\">For blocking malicious SIP enumerations, you need to <a href=\"https:\/\/www.nurango.ca\/blog\/securing-asterisk-using-fail2ban\/\">install Fail2ban<\/a>with asterisk filters.<\/h5>\n\n\n\n<h2 class=\"wp-block-heading\">Good luck and safe calling!<\/h2>\n\n\n\n<p><strong><a title=\"IP-PBX Security Best Practices\" href=\"https:\/\/www.nurango.ca\/docs\/IP-PBX_Security-Tips.pdf\" target=\"_blank\" rel=\"noopener\">Download pdf version<\/a><\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Securing asterisk is a MUST if you plan to deploy and use it. Linux and SIP hack attempts are all too common. There are dozens of stories out there including a client of mine that incurred $18,000 in losses. Here are a few tips on securing your IP-PBX Phone System. &nbsp; 1) Make sure all passwords are changed from the defaults immediately.&hellip;<\/p>\n","protected":false},"author":1,"featured_media":4973,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[4],"tags":[5,3],"class_list":["post-4972","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-guides","tag-security","tag-voip"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/posts\/4972","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/comments?post=4972"}],"version-history":[{"count":2,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/posts\/4972\/revisions"}],"predecessor-version":[{"id":10238,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/posts\/4972\/revisions\/10238"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/media\/4973"}],"wp:attachment":[{"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/media?parent=4972"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/categories?post=4972"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nurango.ca\/blog\/wp-json\/wp\/v2\/tags?post=4972"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}