I've now set up SIP for:
- internal softphones
- registering with external providers (like FWD) for making calls
- receiving calls from these providers

For the latter step, it was necessary to forward ports from my NAT to the asterisk server: 5060 + range of ports mentioned in rtp.conf.

I was just wondering about how to make this setup as secure as possible. Here's what I've done so far:

1. defined a default context in sip.conf which cannot access any real extension.

sip.conf:
[general]
context=from-unknown-sip

extensions.conf:
[from-unknown-sip]
exten => _.,1,CONGESTION

2. for peers, defined a context which does not provide access to outside lines.

sip.conf:
[fwd.pulver.com]
type=peer
username=688426
fromuser=688426
secret=xxxxxxxxxx
host=fwd.pulver.com
port=5060
nat=yes
canreinvite=no
insecure=very
context=sip-external
disallow=all
allow=ulaw

3. for peers, defined insecure=very which should check that the incoming call comes from the same IP as was registered.

4. for internal softphones, which can make outgoing calls, limited registrations to a specific network address using deny/permit

sip.conf:
[31]
type=friend
callerid="31@sip.michaweb.net" <31>
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.2.32/255.255.255.255
context=sip-internal
secret=xxxxxxxxxxxx
disallow=all
allow=ulaw
allow=alaw

Anything else I can do to improve security?

I specifically don't want anyone external to be able to make calls.

As I've opened port 5060 + rtp.conf ports only for the purpose of receiving calls from services I have registered with, I don't want any external phones to be able to register via this route. Is there any risk of this if someone can guess a password (maybe unlikely but given time this could happen).

Thanks,
John
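A small audit script for the kind of configuration described in the post above, written as an added example (it is not part of the thread and not Asterisk code). It parses sip.conf and extensions.conf with a minimal reader and checks the points the post lists: the [general] default context exists and is a dead end (only Congestion/Hangup/Busy, no include), every device section has an explicit context, and any host=dynamic entry that can reach an outbound context is restricted with permit and has a secret of reasonable length. The sample configs are constructed in the shape of the posted ones (the [32] entry is a deliberately weak example), and the choice that sip-internal is the context that reaches outside lines, the minimum secret length and the set of dead-end applications are the example's own assumptions.

```python
"""Audit sip.conf and extensions.conf for the hardening points raised in
the thread. Added example: not from the thread and not Asterisk code.
Assumptions: the caller names which contexts reach outside lines;
MIN_SECRET_LEN and DEADEND_APPS are the example's own choices."""
import re

DEADEND_APPS = {"congestion", "hangup", "busy"}  # assumed safe for unknown callers
MIN_SECRET_LEN = 8                                 # assumed minimum

# Constructed sample in the shape of the posted config; [32] is a weak entry.
SAMPLE_SIP = """\
[general]
context=from-unknown-sip

[fwd.pulver.com]
type=peer
username=688426
secret=xxxxxxxxxx
host=fwd.pulver.com
insecure=very
context=sip-external

[31]
type=friend
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.2.32/255.255.255.255
context=sip-internal
secret=xxxxxxxxxxxx
disallow=all
allow=ulaw
allow=alaw

[32]
type=friend
host=dynamic
context=sip-internal
secret=1234
"""
SAMPLE_EXT = """\
[from-unknown-sip]
exten => _.,1,CONGESTION

[sip-internal]
exten => _9.,1,Dial(SIP/${EXTEN:1}@fwd.pulver.com)
"""


def parse_asterisk_conf(text):
    """Minimal parser: [section], key=value or key=>value, ';' comments.
    Repeated keys (allow=ulaw, allow=alaw) are kept as lists."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        head = re.match(r"\[([^\]]+)\]", line)
        if head:
            section = head.group(1)
            conf.setdefault(section, {})
            continue
        parts = re.split(r"\s*=>\s*|\s*=\s*", line, maxsplit=1)
        if section is None or len(parts) != 2:
            continue
        conf[section].setdefault(parts[0].lower(), []).append(parts[1])
    return conf


def audit(sip_text, ext_text, outbound_contexts):
    """Return a list of findings (an empty list means nothing to report)."""
    sip, ext, findings = parse_asterisk_conf(sip_text), parse_asterisk_conf(ext_text), []
    general = sip.get("general", {})
    default_ctx = general.get("context", ["default"])[-1]
    if "context" not in general:
        findings.append("[general]: no default context; unknown callers land in 'default'")
    if default_ctx in outbound_contexts:
        findings.append(f"[general]: default context '{default_ctx}' reaches outside lines")
    # The default context must be a dead end: no includes, only dead-end apps.
    dead_end = ext.get(default_ctx)
    if dead_end is None:
        findings.append(f"extensions.conf: default context '{default_ctx}' is not defined")
    else:
        if "include" in dead_end:
            findings.append(f"[{default_ctx}]: includes other contexts")
        for rule in dead_end.get("exten", []):
            app = rule.split(",", 2)[-1].split("(", 1)[0].strip().lower()
            if app not in DEADEND_APPS:
                findings.append(f"[{default_ctx}]: runs {app} for unknown callers")
    # Per-device checks: explicit context, and dynamic devices that can dial
    # out must be pinned with permit and carry a non-trivial secret.
    for name, sec in sip.items():
        if name in ("general", "authentication"):
            continue
        ctx = sec.get("context", [default_ctx])[-1]
        if "context" not in sec:
            findings.append(f"[{name}]: no explicit context, inherits '{ctx}'")
        if sec.get("host", [""])[-1] == "dynamic" and ctx in outbound_contexts:
            if "permit" not in sec:
                findings.append(f"[{name}]: can register from any address and reach '{ctx}'")
            if len(sec.get("secret", [""])[-1]) < MIN_SECRET_LEN:
                findings.append(f"[{name}]: secret shorter than {MIN_SECRET_LEN} characters")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SIP, SAMPLE_EXT, {"sip-internal"}):
        print(finding)
```

Run against the sample, only the [32] entry is reported (no permit, four-character secret); the posted [31] and [fwd.pulver.com] sections pass. The parser deliberately keeps repeated keys as lists because Asterisk config files rely on repetition (allow=, permit=, exten =>), which is why a stock INI reader is not used.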
You could make your FWD configs even more secure by switching to IAX (you have to register with them for it) and then you can use RSA keys (already in your * distro) to prevent faking of connections. Check with the FWD site. There's a howto on there.

I use this method and I like it a lot. Especially as the IAX trunk allows me to have more than one concurrent call and takes up very little extra network overhead.

Mark

John Fawcett wrote:
> Anything else I can do to improve security?
>
> I specifically don't want anyone external to be able to make calls.
>
> _______________________________________________
> Asterisk-Users mailing list
> Asterisk-Users@lists.digium.com
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users

-- 
Mark, G7LTT/KC2ENI
Randolph, NJ
http://www.g7ltt.com
Block SIP on a firewall between * and the public internet, and then create rules for your peers' IP range. This assumes you know the IP that all peers and clients use; if not, just block from regions of the world you do not need to connect to/from. We find that most hack attempts come from one well known region, so we block the entire IP range routed to that region.

Also, add noload= for the VoIP protocols you do not use in modules.conf.

You are far better off even if you do things like limiting the connections to the ENTIRE IP range of your local Cable/DSL providers. Prevents folks in the rest of the world from even trying to connect.

Toll fraud is huge, it looks like you have done the basics, but you should take additional steps many others would call unnecessary since you will get the bill if someone gets it.

> -----Original Message-----
> From: asterisk-users-bounces@lists.digium.com [mailto:asterisk-users-bounces@lists.digium.com] On Behalf Of John Fawcett
> Sent: Monday, August 15, 2005 3:22 AM
> To: asterisk-users@lists.digium.com
> Subject: [Asterisk-Users] Security and SIP
>
> Anything else I can do to improve security?
>
> I specifically don't want anyone external to be able to make calls.
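The reply above recommends a firewall in front of the box that admits only the known peers. The following added example (not from the thread, not the poster's rules and not Asterisk code) turns that advice into a concrete allow-list: it pulls the static host= values out of sip.conf, reads rtpstart/rtpend from rtp.conf, and emits iptables rules that accept UDP 5060 and the RTP range only from those hosts plus the LAN, dropping everything else. The sample sip.conf and rtp.conf fragments and the LAN range are constructed; the fallback RTP range of 5000-31000 is Asterisk's built-in default and is stated here as an assumption. The rules are returned as strings for review, not applied.

```python
"""Build a host allow-list for a NAT-forwarded Asterisk box, following the
advice in the reply above. Added example: not from the thread, not Asterisk
code. Sample configs and the LAN range are constructed; the 5000-31000
fallback is assumed to be Asterisk's built-in RTP range."""
import re

# Constructed fragments in the shape of the posted configs.
SIP_CONF = """\
[general]
context=from-unknown-sip

[fwd.pulver.com]
type=peer
host=fwd.pulver.com
context=sip-external

[31]
type=friend
host=dynamic
context=sip-internal
"""
RTP_CONF = """\
[general]
rtpstart=10000
rtpend=20000
"""


def static_peer_hosts(sip_text):
    """host= values that are not 'dynamic', i.e. the provider peers whose
    addresses are fixed enough to be put in a firewall rule."""
    hosts = re.findall(r"^\s*host\s*=\s*(\S+)", sip_text, re.M)
    return sorted({h for h in hosts if h != "dynamic"})


def rtp_range(rtp_text):
    """rtpstart/rtpend from rtp.conf, falling back to the assumed
    Asterisk defaults of 5000-31000 when a key is absent."""
    def get(key, default):
        m = re.search(rf"^\s*{key}\s*=\s*(\d+)", rtp_text, re.M)
        return int(m.group(1)) if m else default
    return get("rtpstart", 5000), get("rtpend", 31000)


def firewall_rules(sip_text, rtp_text, lan_cidr, sip_port=5060):
    """Return iptables commands: accept SIP and RTP only from the static
    peers and the LAN, then drop the rest of the world for those ports."""
    start, end = rtp_range(rtp_text)
    sources = static_peer_hosts(sip_text) + [lan_cidr]
    rules = []
    for dport in (str(sip_port), f"{start}:{end}"):
        for src in sources:
            rules.append(f"iptables -A INPUT -p udp --dport {dport} -s {src} -j ACCEPT")
        rules.append(f"iptables -A INPUT -p udp --dport {dport} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in firewall_rules(SIP_CONF, RTP_CONF, "192.168.2.0/24"):
        print(rule)
```

Two caveats before loading such rules: iptables resolves a hostname once at insertion time, so a provider whose address changes leaves a stale rule, and a provider's media servers may send RTP from addresses other than its signalling host, so check the provider's published ranges before dropping the RTP range. If no published range exists, keep the SIP drop rule and leave the RTP range open, which still removes the registration path the original question is worried about.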