CHAPTER 26
Security
We spend our time searching for security and
hate it when we get it.
—John Steinbeck
Security for your Asterisk system is critical, especially if the system is exposed to the
Internet. Attackers can make a lot of money by compromising a PBX and using it to place
free phone calls (toll fraud). This chapter offers advice on how to harden your VoIP
deployment.
Scanning for Valid Accounts
If you expose your Asterisk system to the public Internet, one of the things you will
almost certainly see is a scan for valid accounts. Example 26-1 contains log entries from
one of the authors' production Asterisk systems.* This scan began by checking various
common usernames, then went on to scan for numbered accounts. It is common for
people to name SIP accounts the same as the extensions on the PBX, and this scan takes
advantage of that fact. That leads to our first tip for Asterisk security:
Tip #1: Use non-numeric usernames for your VoIP accounts to make them harder to
guess. For example, in parts of this book we use the MAC address of a SIP phone as its
account name in Asterisk. This raises the cost of blind guessing, but it is not a
substitute for a strong secret on each account.
Example 26-1. Log excerpts from account scanning
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"123"<sip:123@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"1234"<sip:1234@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from
* The real IP address has been replaced with 127.0.0.1 in the log entries.
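As an added example (not code from this book or from the Asterisk project), the following Python script parses chan_sip registration-failure NOTICE lines in the format of Example 26-1 and flags any source address that tries many different usernames within a short window, which is what the scan above looks like from the server's side. The embedded log lines are constructed for the example; the scanner and phone addresses, the usernames and the thresholds (five distinct usernames within 60 seconds) are assumptions. The script also counts how many of the probed usernames are all-digit (the extension-number sweep that Tip #1 is about) and lists usernames whose failure reason was "Wrong password", because that reason tells the scanner the account exists.

```python
"""Flag SIP registration scans in Asterisk chan_sip log output.

Added example for this chapter (not code from the book or from Asterisk).
The log lines below are constructed to follow the format of Example 26-1;
the addresses, usernames and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# One registration-failure NOTICE per line.  (Example 26-1 wraps lines for
# print; in the real log file each entry is a single line.)
LOG_RE = re.compile(
    r"^\[(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<src>[^']+)' - (?P<reason>.+)$"
)
USER_RE = re.compile(r"<sip:(?P<user>[^@>]+)@")

# Constructed sample: a scanner (203.86.167.220) probes common names, then
# numbered extensions and gets "Wrong password" on 100 (a live account);
# a legitimate phone at 198.51.100.7 fails once with a mistyped secret.
SAMPLE_LOG = """\
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"admin"<sip:admin@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:15] NOTICE[25690] chan_sip.c: Registration from '"test"<sip:test@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:16] NOTICE[25690] chan_sip.c: Registration from '"sip"<sip:sip@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:16] NOTICE[25690] chan_sip.c: Registration from '"user"<sip:user@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:17] NOTICE[25690] chan_sip.c: Registration from '"asterisk"<sip:asterisk@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:40] NOTICE[25690] chan_sip.c: Registration from '"100"<sip:100@127.0.0.1>' failed for '203.86.167.220:5061' - Wrong password
[Aug 22 15:17:40] NOTICE[25690] chan_sip.c: Registration from '"101"<sip:101@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:41] NOTICE[25690] chan_sip.c: Registration from '"102"<sip:102@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:17:41] NOTICE[25690] chan_sip.c: Registration from '"103"<sip:103@127.0.0.1>' failed for '203.86.167.220:5061' - No matching peer found
[Aug 22 15:18:02] NOTICE[25690] chan_sip.c: Registration from '"0004f2abcdef"<sip:0004f2abcdef@127.0.0.1>' failed for '198.51.100.7:5060' - Wrong password
"""


def parse_log(lines):
    """Return one event dict per registration-failure line; other lines are ignored."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        u = USER_RE.search(m.group("from"))
        host, _, _port = m.group("src").rpartition(":")
        events.append({
            # The timestamp has no year; strptime fills in 1900, which is fine for deltas.
            "time": datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S"),
            "user": u.group("user") if u else "",
            "src_ip": (host or m.group("src")).strip("[]"),
            "reason": m.group("reason"),
        })
    return events


def find_scanners(events, min_users=5, window=timedelta(seconds=60)):
    """Return {src_ip: summary} for sources that tried at least `min_users`
    distinct usernames within any span of length `window`.  A phone retrying
    one username with a wrong secret never reaches the threshold."""
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src_ip"]].append(e)

    hits = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        left = 0
        for right in range(len(evs)):          # sliding window over this source's failures
            while evs[right]["time"] - evs[left]["time"] > window:
                left += 1
            if len({e["user"] for e in evs[left:right + 1]}) >= min_users:
                users = {e["user"] for e in evs}
                hits[src] = {
                    "attempts": len(evs),
                    "distinct_users": len(users),
                    # All-digit usernames: the scanner is sweeping extension numbers (Tip #1).
                    "numeric_users": sum(1 for u in users if u.isdigit()),
                    # "Wrong password" means the username exists: the scan found a live account.
                    "confirmed_accounts": sorted({e["user"] for e in evs
                                                  if e["reason"] == "Wrong password"}),
                    "first_seen": evs[0]["time"].strftime("%b %d %H:%M:%S"),
                    "last_seen": evs[-1]["time"].strftime("%b %d %H:%M:%S"),
                }
                break
    return hits


if __name__ == "__main__":
    for src, info in find_scanners(parse_log(SAMPLE_LOG.splitlines())).items():
        print(src, info)
```

To run it against a live system, feed it the messages log instead of the sample, for example `find_scanners(parse_log(open("/var/log/asterisk/messages")))` (path assumed; it depends on your logger.conf). The regex matches the chan_sip message format shown in Example 26-1; other Asterisk versions and channel drivers word these notices differently, so adjust the pattern before trusting the counts.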