Dave Walker
2009-May-03 04:31 UTC
[asterisk-users] SIP Extension Registration and Security
<html><body><span style="font-family:Verdana; color:#000000; font-size:10pt;"><br>Greetings,<br><br>I am trying to harden an Asterisk box without affecting the staff too much. The cheap Linksys router forwards ports 5060-5080, 10000-35000 and 22 to the Asterisk box. The road warriors were connecting directly to Asterisk via our public IP which allowed their soft-phone passwords to be broad-casted in clear text. This was never a problem but it still bothered me so I setup a SSL VPN appliance. The staff was suppose to start connecting via VPN then authenticating with Asterisk. <br><br>The staff still continued to connect via our public IP despite my pleads and concerns. Tonight I decided to adjust everyone's extension to prevent soft-phones from authenticating outside of our subnet. (<i>See deny/permit statements in sip.</i><i>conf excerpt at the bottom of this email</i>). <br><br>I also SSH into the Asterisk box but I disabled password authentication and enabled RSA certificate authentication.<br><br>Does filtering peer authentication by subnet (as seen below) really prevent unauthorized peers from authenticating? Are there any other recommended changes to prevent unauthorized access? <br><br>I know if someone really wants access to our server then I am sure they will find a way. I'm just trying to make a reasonable effort. <br><br>Thank you for your thoughts!<br><br>[200]<br>deny=0.0.0.0/0.0.0.0<br>type=friend<br>secret=secret<br>qualify=yes<br>port=5060<br>pickupgroup=<br>permit=192.168.10.0/255.255.255.0<br>nat=yes<br>mailbox=200@default<br>host=dynamic<br>dtmfmode=rfc2833<br>dial=SIP/200<br>context=from-internal<br>canreinvite=no<br>callgroup=<br>callerid=device <200><br>accountcode=<br>call-limit=50<br><br><br></span></body></html>