asterisk users - Oct 2016 - Feature access codes

Hi. Kinda new to the area and I would like some help please.  I have asterisk 11
in my system and I have 10 users and 12 DIDs. One did routed to each user and 2
DIDs for faxing. Everything works fine but I do not have call transfer between
extensions and feature access codes. I have read somewhere that enabling call
transfer can be a security hole for sip attackers.<br>
<br>
I would appreciate any help available, please.<br>
<br>

On Sat, 15 Oct 2016, tux john wrote:
> Hi. Kinda new to the area and I would like some help please. I have 
> asterisk 11 in my system and I have 10 users and 12 DIDs. One did routed 
> to each user and 2 DIDs for faxing. Everything works fine but I do not 
> have call transfer between extensions and feature access codes. I have 
> read somewhere that enabling call transfer can be a security hole for 
> sip attackers.
Are these incoming calls copper or VOIP?

If you only accept copper calls, make sure Asterisk is only listening to 
127.0.0.1 and enforce this policy with another layer dropping any incoming 
SIP packets at the firewall.

If you only intend to accept calls from your ISP, configure Asterisk to 
only accept calls from your ISP, and enforce this policy at the firewall.

If you accept calls from everyone, re-think your definition of
'everyone.'
It probably does not include Iraq, North Korea, China, Russia, etc. 
Configure Asterisk and your firewall accordingly.

Beyond this, follow 'best practices' (google for sip best practices -- 
John Todd did a list years back, Nerdvittles probably will also be a good 
resource) like long, random user names and passwords, only allow needed 
features to each class of users, etc.

-- 
Thanks in advance,
-------------------------------------------------------------------------
Steve Edwards       sedwards at sedwards.com      Voice: +1-760-468-3867 PST
             https://www.linkedin.com/in/steve-edwards-4244281