asterisk users - May 2009 - SIP Extension Registration and Security

<html><body><span style="font-family:Verdana; color:#000000;
font-size:10pt;"><br>Greetings,<br><br>I am trying to
harden an Asterisk box without affecting the staff too much. The cheap Linksys
router forwards ports 5060-5080, 10000-35000 and 22 to the Asterisk
box.&nbsp; The road warriors were connecting directly to Asterisk via our
public IP which allowed their soft-phone passwords to be broad-casted in clear
text.&nbsp;&nbsp; This was never a problem but it still bothered me so I
setup a SSL VPN appliance.&nbsp; The staff was suppose to start connecting
via VPN then authenticating with Asterisk. <br><br>The staff still
continued to connect via our public IP despite my pleads and concerns.&nbsp;
Tonight I decided to adjust everyone's extension to prevent soft-phones from
authenticating outside of our subnet.&nbsp;&nbsp; (<i>See
deny/permit statements in sip.</i><i>conf excerpt at the bottom of
this email</i>).&nbsp; <br><br>I also SSH into the
Asterisk box but I disabled password authentication and enabled RSA certificate
authentication.<br><br>Does filtering peer authentication by subnet
(as seen below) really prevent unauthorized peers from authenticating?&nbsp;
Are there any other recommended changes to prevent unauthorized
access?&nbsp; <br><br>I know if someone really wants access to
our server then I am sure they will find a way.&nbsp; I'm just trying to
make a reasonable effort. <br><br>Thank you for your
thoughts!<br><br>[200]<br>deny=0.0.0.0/0.0.0.0<br>type=friend<br>secret=secret<br>qualify=yes<br>port=5060<br>pickupgroup=<br>permit=192.168.10.0/255.255.255.0<br>nat=yes<br>mailbox=200@default<br>host=dynamic<br>dtmfmode=rfc2833<br>dial=SIP/200<br>context=from-internal<br>canreinvite=no<br>callgroup=<br>callerid=device
<200><br>accountcode=<br>call-limit=50<br><br><br></span></body></html>