System information
good idea to set ACLs to ensure that only devices on your local network can use the
accounts for the phones. Here is an example of doing that in /etc/asterisk/sip.conf:
[phoneA] ; Use a better account name than this.
type = friend
; Start by denying everyone.
deny = 0.0.0.0/0.0.0.0
; Allow connections that originate from 192.168.X.X to attempt
; to authenticate against this account.
permit = 192.168.0.0/255.255.0.0
The permit and deny options are accepted almost everywhere that connections to IP
services are configured. Another useful place for ACLs is in /etc/asterisk/manager.conf, to
restrict AMI accounts to the single host that is supposed to be using the manager interface.
Tip #11: Use ACLs when possible on all privileged accounts for network services.
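As an added example (not from the book), the following script audits sip.conf-style accounts for the ACL pattern described above: it parses the Asterisk configuration syntax, including comments after a value and repeated permit/deny keys, and flags accounts that have no deny-all rule first or that permit every address. The sample configuration embedded in it is constructed for the demonstration.

```python
import ipaddress
import re
# Constructed sample in the style of /etc/asterisk/sip.conf (not from a real deployment).
SAMPLE_SIP_CONF = """\
[phoneA] ; Use a better account name than this.
type = friend
; Start by denying everyone.
deny = 0.0.0.0/0.0.0.0
permit = 192.168.0.0/255.255.0.0
[phoneB]
type = friend
[trunk]
type = peer
deny = 0.0.0.0/0.0.0.0
permit = 0.0.0.0/0.0.0.0
"""

def parse_asterisk_conf(text):
    """Return {section: [(key, value), ...]}, keeping order and duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment, even after a value
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)  # matches "[name]" and "[name](!)"
        if header:
            current = header.group(1)
            sections.setdefault(current, [])
            continue
        kv = re.match(r"([^=]+?)\s*=>?\s*(.*)", line)  # "key = value" or "key => value"
        if kv and current is not None:
            sections[current].append((kv.group(1).lower(), kv.group(2)))
    return sections

def audit_sip_conf(text):
    """Flag accounts that do not deny everyone first and then permit only private ranges."""
    findings = []
    for name, items in parse_asterisk_conf(text).items():
        if not any(k == "type" for k, _ in items):  # [general] and the like are not accounts
            continue
        # Asterisk accepts addr/dotted-mask and addr/prefix; ipaddress parses both forms.
        acl = [(k, ipaddress.ip_network(v, strict=False)) for k, v in items if k in ("deny", "permit")]
        # Rules are evaluated in order and the last match wins, so deny-all must come first.
        if not acl or acl[0][0] != "deny" or acl[0][1].prefixlen != 0:
            findings.append((name, "no deny-all rule before permit rules"))
        for k, net in acl[1:]:
            if k == "permit" and net.prefixlen == 0:
                findings.append((name, f"permit {net} allows every address"))
            elif k == "permit" and not net.is_private:
                findings.append((name, f"permit {net} is not a private range"))
    return findings
```

Run it against your own sip.conf and manager.conf; any account it reports is reachable from more addresses than the pattern above intends.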
Another way you can mitigate security risk is by configuring call limits. The recommended
method for implementing call limits is to use the GROUP() and GROUP_COUNT() dialplan
functions. Here is an example that limits the number of calls from each SIP peer to no more
than two at a time:
exten => _X.,1,Set(GROUP(users)=${CHANNEL(peername)})
; *** This line should have no line breaks
same => n,NoOp(There are ${GROUP_COUNT(${CHANNEL(peername)})} calls for account ${CHANNEL(peername)}.)
same => n,GotoIf($[${GROUP_COUNT(${CHANNEL(peername)})} > 2]?denied:continue)
same => n(denied),NoOp(There are too many calls up already. Hang up.)
same => n,HangUp()
same => n(continue),NoOp(continue processing call as normal here ...)
Tip #12: Use call limits to ensure that if an account is compromised, it cannot be used
to make hundreds of phone calls at a time.
Resources
Sometimes there are security vulnerabilities that require modifications to the Asterisk
source code to resolve. When those issues are discovered, the Asterisk development
team puts out new releases that contain only fixes for the security issues, to allow for
quick and easy upgrades. When this occurs, the Asterisk development team also publishes a
security advisory document that discusses the details of the vulnerability. We recommend
that you subscribe to the asterisk-announce mailing list
(http://lists.digium.com/mailman/listinfo/asterisk-announce) to make sure that you know
about these issues when they come up.