Hello

To cut down on the number of hackers trying to break into an Asterisk server, I'd like to simply move the SIP port from the standard UDP 5060 to something non-standard.

Since this server must be able to receive INVITEs from any SIP UA (server or client), it appears that I must add an SRV record in the DNS so that they can locate the server and the port used to reach it:

_sip._udp SRV 0 5060 host.tld.

www.voip-info.org/wiki/view/DNS+SRV

Are there pitfalls/traps I must pay attention to before going ahead and adding that type of record in the DNS?

What about internal SIP clients that register with Asterisk: will they query the DNS to find the SIP port also, or must I reconfigure them all to use the non-standard port Asterisk listens on?

Thank you.
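Added example (not from the thread or from the Asterisk project): what a SIP UA does with the SRV answers it receives, per RFC 2782. It parses zone-file style SRV lines into records and orders the (host, port) pairs the way a client should try them: lowest priority first, weighted random choice within a priority, and an answer whose only target is "." meaning the service is not offered. Note that a complete SRV record carries four data fields (priority, weight, port, target), so the parser rejects a line with only three. The records below are constructed sample data for a fictional zone, not a real DNS answer, and no network lookup is made; this is only the client-side selection logic, not a DNS resolver.

```python
"""RFC 2782 SRV target selection as a SIP client performs it.
Constructed sample data only; nothing here talks to the network."""
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str  # hostname without trailing dot; a lone "." means "no service"


def parse_srv(line: str) -> SrvRecord:
    """Parse one zone-file style line such as
    '_sip._udp.example.net. 300 IN SRV 0 0 5060 pbx.example.net.'
    The owner/TTL/class prefix is optional; the four SRV fields are not."""
    fields = line.split()
    if "SRV" not in fields:
        raise ValueError(f"not an SRV record: {line!r}")
    data = fields[fields.index("SRV") + 1:]
    if len(data) != 4:
        raise ValueError(
            f"SRV needs 4 fields (priority weight port target), got {len(data)}: {line!r}")
    prio, weight, port, target = data
    if target != "." and target.endswith("."):
        target = target[:-1]
    return SrvRecord(int(prio), int(weight), int(port), target)


def order_srv_targets(records: List[SrvRecord],
                      rng: Optional[random.Random] = None) -> List[Tuple[str, int]]:
    """Return (host, port) pairs in the order a client should contact them.
    Lower priority values are tried first; inside one priority the RFC 2782
    weighted selection without replacement is applied."""
    rng = rng if rng is not None else random.Random()
    if len(records) == 1 and records[0].target == ".":
        return []  # RFC 2782: single target "." = service decidedly not available
    ordered: List[Tuple[str, int]] = []
    for prio in sorted({r.priority for r in records}):
        # weight-0 records go first so they are picked only when the random point is 0
        group = sorted((r for r in records if r.priority == prio),
                       key=lambda r: r.weight != 0)
        while group:
            total = sum(r.weight for r in group)
            point = rng.randint(0, total)  # with all weights 0 this picks the first record
            running = 0
            chosen = group[-1]
            for r in group:
                running += r.weight
                if running >= point:
                    chosen = r
                    break
            ordered.append((chosen.target, chosen.port))
            group.remove(chosen)
    return ordered


def sip_contact_order(answer_lines: List[str], seed: Optional[int] = None) -> List[Tuple[str, int]]:
    """Raw SRV answer lines -> ordered (host, port) list. `seed` fixes the
    weighted choice so the result is reproducible."""
    return order_srv_targets([parse_srv(line) for line in answer_lines], random.Random(seed))


# Constructed sample answer: one primary on a non-standard port, two fallbacks on 5060.
SAMPLE_SRV_ANSWER = [
    "_sip._udp.example.net. 300 IN SRV 10  0 5678 pbx.example.net.",
    "_sip._udp.example.net. 300 IN SRV 20 60 5060 backup1.example.net.",
    "_sip._udp.example.net. 300 IN SRV 20 40 5060 backup2.example.net.",
]

if __name__ == "__main__":
    for host, port in sip_contact_order(SAMPLE_SRV_ANSWER, seed=1):
        print(f"try {host}:{port}")
```

A UA that follows SRV will therefore reach the primary on port 5678 without being told the port; any client that does not do SRV lookups (or is pointed at a bare IP address) still needs the port configured by hand.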
Daniel Pocock
2012-Jan-31 17:22 UTC
[asterisk-users] SRV record for non-standard SIP port?
On 31/01/12 16:16, Gilles wrote:
> Hello
>
> To cut down on the number of hackers trying to break into an Asterisk
> server, I'd like to simply move the SIP port from the standard UDP
> 5060 to something non-standard.

Something more appropriate for your goal might be a move to TLS; it is definitely needed for any external connectivity.

This RFC provides some details:

http://tools.ietf.org/html/rfc5922

The bottom line is that external SIP peers must send you their cert when they connect. SIP hackers will need to identify themselves (e.g. with a credit card) to get a certificate, or they just won't be able to talk to your server. Obviously, this cuts out about 99% of the script kiddies.

As a further safety measure, you could use something like repro or Kamailio as a SIP router to isolate your Asterisk from the public internet. All DNS SRV records would point at the SIP router, not Asterisk. Phones would register with the SIP router. Calls would be selectively routed to Asterisk (e.g. for voicemail).