Get help with installing, upgrading and running a PBX such as Asterisk.
By vincent_uvanda
#402
Hi,

I am still a bit of a novice at this and don't tend to use the command line interface on my trixbox. I am looking for some guidance / advice on trixbox security. See below:

Seven Easy Steps to Better SIP Security on Asterisk:

1) Don't accept SIP authentication requests from all IP addresses. Use the 'permit=' and 'deny=' lines in sip.conf to only allow a reasonable subset of IP addresses to reach each listed extension/user in your sip.conf file. Even if you accept inbound calls from anywhere (via [default]), don't let those users reach authenticated elements!

I assume this is in the sip_additional.conf file and needs to be changed on each extension.
Assuming I have a phone on local IP address 192.168.3.154, should I enter a permit range of 192.168.3.150/192.168.3.160? Also, do I use the deny line, and if so, how?


2) Set 'alwaysauthreject=yes' in your sip.conf file. This option has been around for a while (since 1.2?) but the default is 'no', which allows extension information leakage. Setting this to 'yes' will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.

I have checked all the sip.conf files and can't find this line anywhere. I was going to add it to the sip_general_additional.conf is this the right location?

3) Use STRONG passwords for SIP entities. This is probably the most important step you can take. Don't just concatenate two words together and suffix it with '1'. If you've seen how sophisticated the tools are that guess passwords, you'd understand that trivial obfuscation like that is a minor hindrance to a modern CPU. Use symbols, numbers, and a mix of upper and lowercase letters at least 12 digits long.

This is straight forward.

4) Block your AMI manager ports. Use 'permit=' and 'deny=' lines in manager.conf to reduce inbound connections to known hosts only. Use strong passwords here, again at least 12 characters with a complex mix of symbols, numbers, and letters.

Currently I have the following:
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
Does this limit the IP addresses which are allowed to register as extensions? If so, should the permit line be changed to a range on my local network, and what should be in the deny range?
Also, what is the main purpose of this, and what is the password for? If I change the password, will it affect anything I do on the system?


5) Allow only one or two calls at a time per SIP entity, where possible. At the worst, limiting your exposure to toll fraud is a wise thing to do. This also limits your exposure when legitimate password holders on your system lose control of their passphrase, by writing it on the bottom of the SIP phone, for instance, which I've seen.

I assume this refers to the call-limit=50 line at the bottom of each extension in the sip_additional.conf file. Can this simply be changed to 2?

6) Make your SIP usernames different than your extensions. While it is convenient to have extension '1234' map to SIP entry '1234' which is also SIP user '1234', this is an easy target for attackers to guess SIP authentication names. Use the MAC address of the device, or some sort of combination of a common phrase + extension MD5 hash (example: from a shell prompt, try 'md5 -s ThePassword5000')

This is straight forward.

7) Ensure your [default] context is secure. Don't allow unauthenticated callers to reach any contexts that allow toll calls. Permit only a limited number of active calls through your default context (use the 'GROUP' function as a counter.) Prohibit unauthenticated calls entirely (if you don't want them) by setting 'allowguest=no' in the [general] part of sip.conf.

How do I do this?

Any help or assistance on this would be appreciated; I am sure a lot of other novices would also find this very useful.

Thanks Guys
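The seven steps above, turned into a check that can be run against the configuration files themselves, as an added example (it is not part of the original post and is not Asterisk, trixbox or FreePBX code): a Python audit of Asterisk-style configuration text that flags alwaysauthreject and allowguest left at their defaults (steps 2 and 7), weak secrets (steps 3 and 4), a call-limit above two (step 5), a numeric authentication name, which is the extension number itself (step 6), and permit=/deny= lists in which no deny= precedes the first permit= (steps 1 and 4), because Asterisk's ACL default is allow and a permit on its own changes nothing. The sample sip.conf and manager.conf texts are constructed for the example; the section names, secrets and addresses in them are assumptions.

```python
import re
import string

# Constructed sip.conf-style sample; section names, secrets and addresses are assumptions.
SAMPLE_SIP_CONF = """
[general]
allowguest=yes
alwaysauthreject=no
[1234]
type=friend
secret=welcome1
call-limit=50
permit=192.168.3.154/255.255.255.255
[phone-a1b2c3]
type=friend
callerid="Desk 1235" <1235>
secret=Tq7!mX2#vL9pZs
call-limit=2
deny=0.0.0.0/0.0.0.0
permit=192.168.3.155/255.255.255.255
"""

# Constructed manager.conf account in the same syntax (the account name is an assumption).
SAMPLE_MANAGER_CONF = """
[admin]
secret=changeme
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.0
"""

MIN_SECRET_LEN = 12
MAX_CALL_LIMIT = 2


def parse_conf(text):
    """{section: [(key, value), ...]} in file order, because permit/deny order matters.
    Accepts key=value and key => value, drops ';' comments, ignores template inheritance."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"^\[([^\]]+)\](\(.*\))?$", line)
        if m:
            current = m.group(1)
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current].append((key.strip().lower(), value.lstrip(">").strip()))
    return sections


def first(pairs, key, default=None):
    return next((v for k, v in pairs if k == key), default)


def secret_is_strong(secret):
    """Steps 3 and 4: 12+ characters drawn from at least three character classes."""
    classes = (any(c.islower() for c in secret), any(c.isupper() for c in secret),
               any(c.isdigit() for c in secret), any(c in string.punctuation for c in secret))
    return len(secret) >= MIN_SECRET_LEN and sum(classes) >= 3


def acl_finding(pairs):
    """Steps 1 and 4: ACLs default to allow and the last match wins, so permit= needs a deny= first."""
    acl = [k for k, _ in pairs if k in ("permit", "deny")]
    if not acl:
        return "no permit/deny lines: traffic accepted from any address"
    if "permit" in acl and "deny" not in acl[:acl.index("permit")]:
        return "permit= with no deny= before it: every address is still admitted"
    return None


def audit(text, is_sip=True):
    """Return [(section, finding), ...]; an empty list means nothing was flagged."""
    findings = []
    for name, pairs in parse_conf(text).items():
        if name == "general":
            # Both keys default to the unsafe value when absent (steps 2 and 7).
            if is_sip and first(pairs, "alwaysauthreject", "no").lower() != "yes":
                findings.append((name, "alwaysauthreject is not yes: extensions can be enumerated"))
            if is_sip and first(pairs, "allowguest", "yes").lower() != "no":
                findings.append((name, "allowguest is not no: anonymous callers reach [default]"))
            continue
        if first(pairs, "type") is None and first(pairs, "secret") is None:
            continue  # not an account section (e.g. register= lines)
        if not secret_is_strong(first(pairs, "secret", "")):
            findings.append((name, "weak or missing secret"))
        if acl_finding(pairs):
            findings.append((name, acl_finding(pairs)))
        if is_sip:
            limit = first(pairs, "call-limit", "")
            if not limit.isdigit() or int(limit) > MAX_CALL_LIMIT:
                findings.append((name, "call-limit missing or above %d" % MAX_CALL_LIMIT))
            # Inbound SIP authenticates against the section name; a numeric name is the extension (step 6).
            if name.isdigit():
                findings.append((name, "SIP authentication name equals the extension"))
    return findings


if __name__ == "__main__":
    print(*audit(SAMPLE_SIP_CONF) + audit(SAMPLE_MANAGER_CONF, False), sep="\n")
```

To use it on a real system, pass audit() the text of the actual files. On FreePBX-based builds such as trixbox the *_additional.conf files are regenerated whenever changes are applied, so audit the whole set of files that sip.conf includes, and keep hand edits in the *_custom.conf files. The parser does not apply template inheritance, so a value set only in a template section will not be seen.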
By polarted
#403
Hi

I am using PBX in a Flash so my advice may not apply to Trixbox. As a further caveat, I am self-taught, so use at your own risk.

2. alwaysauthreject=yes is found in my system in sip_general.conf

4. I have each extension setup to allow the address of the ip phone for that extension only i.e. 192.168.1.201/255.255.255.0

Hope this helps a little
By vincent_uvanda
#404
When you limit the extension to having one IP address, I assume this is in the permit= line on the extension. Do you use the deny line?

I assume if the machine is behind a netgear router with a firewall and no ports forwarded to it you don't need all of the security measures mentioned?
By polarted
#405
Hi Vincent

I do not use the deny line as there is no need, AFAIK, for this when using such a tight definition on the permit line.
> I assume if the machine is behind a netgear router with a firewall and no ports forwarded to it you don't need all of the security measures mentioned?
I wouldn't dare to assume anything! And in this case that is incorrect. What some of the measures are trying to do is stop people dialling into your asterisk box (i.e. what you want people to do when calling you normally) and then hijacking your trunk out to voipfone and using it to dial international numbers.

For an example of this and other really useful security tips try this link http://nerdvittles.com/index.php?p=580

Rob
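The permit=/deny= lines discussed in #402, #404 and #405 are evaluated by Asterisk with one simple rule, and the following Python model of that rule is an added example (not part of the thread and not Asterisk code): the verdict starts at allow, every rule in the list is tested in configuration order, and the last rule that matches decides, with the netmask applied to both the configured address and the incoming one. A dotted mask or a prefix length is accepted and an address with no mask means a single host. Run against the patterns that come up in this thread (a permit with no deny, deny-all followed by a permit with a /255.255.255.0 mask, deny-all followed by a single-host permit, and the manager.conf pair quoted in #402), it shows what each list actually admits. The rule lists and probe addresses are constructed for the example.

```python
import ipaddress


def parse_ha(value):
    """Parse one permit=/deny= value the way Asterisk does: 'addr' alone means a
    single host, otherwise 'addr/dotted-mask' or 'addr/prefixlen'. The configured
    address is returned already ANDed with its mask."""
    addr, _, mask = value.partition("/")
    a = int(ipaddress.IPv4Address(addr.strip()))
    if not mask:
        m = 0xFFFFFFFF
    elif "." in mask:
        m = int(ipaddress.IPv4Address(mask.strip()))
    else:
        m = (0xFFFFFFFF << (32 - int(mask))) & 0xFFFFFFFF
    return a & m, m


def apply_ha(rules, host):
    """Model of Asterisk's ast_apply_ha(): the result starts as 'permit', every
    rule is tested in configuration order, and the last matching rule wins. A
    list in which nothing matches therefore allows the host."""
    result = "permit"
    h = int(ipaddress.IPv4Address(host))
    for sense, value in rules:
        net, mask = parse_ha(value)
        if h & mask == net:
            result = sense
    return result


def addresses_covered(value):
    """How many IPv4 addresses a single permit=/deny= entry matches."""
    _, mask = parse_ha(value)
    return 2 ** (32 - bin(mask).count("1"))


# Constructed rule lists mirroring the patterns discussed in the thread.
RULE_SETS = {
    "permit only, /255.255.255.0": [("permit", "192.168.1.201/255.255.255.0")],
    "deny all, then permit /255.255.255.0": [("deny", "0.0.0.0/0.0.0.0"),
                                            ("permit", "192.168.1.201/255.255.255.0")],
    "deny all, then permit one host": [("deny", "0.0.0.0/0.0.0.0"),
                                       ("permit", "192.168.3.154/255.255.255.255")],
    "manager.conf as posted": [("deny", "0.0.0.0/0.0.0.0"),
                               ("permit", "127.0.0.1/255.255.255.0")],
}

# Constructed probe addresses: the intended phone, a neighbour on the same LAN,
# the single-host phone, a loopback address other than 127.0.0.1, and an Internet host.
PROBES = ["192.168.1.201", "192.168.1.77", "192.168.3.154", "127.0.0.200", "203.0.113.9"]


def table(rule_sets=RULE_SETS, probes=PROBES):
    """{rule set name: {probe address: 'permit' or 'deny'}} for every combination."""
    return {name: {p: apply_ha(rules, p) for p in probes} for name, rules in rule_sets.items()}


if __name__ == "__main__":
    for name, row in table().items():
        print(name)
        for probe, verdict in row.items():
            print("  %-15s %s" % (probe, verdict))
```

Two things the output makes visible: a list consisting only of a permit line admits the Internet host as well, because no rule matches it and the default is allow, so the deny-all line is what does the restricting; and a /255.255.255.0 mask admits the whole /24 (256 addresses, per addresses_covered), including, for the manager.conf pair, every 127.0.0.x address rather than just 127.0.0.1. A mask of /255.255.255.255, or no mask at all, is what restricts a permit to one phone.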
