
Seven steps to improve Asterisk security

If any of you have ever wondered why the number of attacks on SIP terminals has grown so sharply, the answer is simple: "childish pranks". In the past few months, a lot of new software has appeared that attacks Asterisk and SIP terminals with little effort. There are many easily accessible network scanners that detect SIP devices, scan them for valid extensions, and then try to guess the password for each one.

Now you can go step by step and immediately solve most of the problems related to the security of your SIP host.


It seems to me that the VoIP community is interested in integrating Asterisk-based solutions with a dynamic protection system (community "blacklists" are hotly debated in the forums), but this does not mean you should wait for some new program or solution to protect your VoIP infrastructure. You can take measures right now to protect your Asterisk server from the ever-increasing number of attacks! The methods and remedies already exist; just apply them and you will sleep more calmly at night!

Step One
Do not accept SIP authentication requests from all IP addresses. To do this, use the "permit=" and "deny=" options in the sip.conf configuration file to allow only the correct subset of IP addresses for each SIP user. Even when you accept incoming calls from "anyone" (via the [default] context), do not give those callers access to anything that requires authentication.

Step Two
Always set the alwaysauthreject=yes option in sip.conf. This option was first introduced in Asterisk 1.2, but its default value is still "no". Setting it to "yes" makes Asterisk reject a failed authentication in the same way whether the username does not exist or the password is wrong, which prevents an attacker from discovering existing extensions by brute force.

Step Three
Use strong passwords for SIP objects. This step is probably the most important part of securing a SIP network. Do not create passwords that consist of two words, and do not simply append the digit 1 to a dictionary word. If you had seen how sophisticated and clever password-guessing tools have become, you would understand how easily modern processors get through such trivial tricks! Use symbols, digits, and upper- and lowercase letters, and make the password at least 12 characters long!

Step Four
Block the port of the Asterisk Manager Interface (AMI). In the manager.conf configuration file, use the "permit=" and "deny=" lines to restrict incoming connections to the management interface to trusted hosts only. As in the "strong password" step, create complex passwords of at least 12 characters.

Step Five
Limit the number of simultaneous calls per peer to two sessions (the call-limit option)! This limits what fraudsters can do once they have already obtained a valid username and password. Make sure that legitimate users keep their passwords secret and do not write the password directly on the SIP phone! It happens!

Step Six
Make sure the username is different from the extension. While an extension such as "1234" could correspond to a username of the same name, "1234", it is better to build the SIP username from the MAC address of the user's phone, or from a combination of the user's extension and an md5 hash. This can be done directly from the shell command line as follows:

md5 -s ThePassword5000

Step Seven
Make sure the [default] context is safe. Do not let unauthenticated callers land in a context from which a toll call can be made! Allow only a limited number of calls to pass through the [default] context (you can use the GROUP function as a counter). Disable all unauthenticated calls (if you do not need them) by setting "allowguest=no" in the [general] section of sip.conf. And the best thing to do is to have no entries in [default] except one: Hangup.

Conclusion
The seven basic steps above protect most Asterisk installations, but there are further, more complex steps. For example, the fail2ban utility can "ban" an end SIP device from using server resources once it exceeds a configured number of registration attempts on the server. It is a very necessary and useful addition to your VoIP system.
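A jail.local fragment that enables the fail2ban behaviour described above, added here as an example and not taken from the original article. It assumes fail2ban's bundled "asterisk" filter and that Asterisk writes its notice-level log (including the "Registration from ... failed" lines that alwaysauthreject produces) to /var/log/asterisk/messages.

```ini
# jail.local (added example; tune the numbers to your own traffic)
[asterisk]
enabled  = true
port     = 5060,5061                    # SIP over UDP/TCP and TLS
logpath  = /var/log/asterisk/messages   # assumption: logger.conf sends notices here
maxretry = 5                            # failed registrations allowed...
findtime = 600                          # ...within this many seconds (10 minutes)
bantime  = 3600                         # then drop the source for one hour
```

A legitimate phone with a mistyped password will also be banned after five failures, so watch the fail2ban log when rolling out new devices.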

If you would like to see an example of how the scanning, cracking and password-guessing utilities work through a GUI, you can watch this video clip



Basic protection methods shield your SIP infrastructure from basic "brute force" attacks, i.e. trivial dictionary searches. Most attackers are not skilled people, but they have powerful tools for attacking network infrastructure. For them, it means easy money at the expense of those who have not paid due attention to the security of their SIP infrastructure. Asterisk has some built-in tools to prevent the most obvious attacks on the server, but the most effective protection is still complex user passwords and unguessable system usernames.

Translation of an article by John Todd from Digium.

Information collected and prepared by the team of the company "MyAsterisk"

Source: https://habr.com/ru/post/145024/
