Block SIP on a firewall between * and the public internet, and then create rules for your peers' IP range.

This assumes you know the IP that all peers and clients use; if not, just block the regions of the world you do not need to connect to/from. We find that most hack attempts come from one well-known region, so we block the entire IP range routed to that region. Also, add noload= for the VoIP protocols you do not use in modules.conf. You are far better off even if you do things like limiting the connections to the ENTIRE IP range of your local cable/DSL providers. This prevents folks in the rest of the world from even trying to connect. Toll fraud is huge; it looks like you have done the basics, but you should take additional steps many others would call unnecessary, since you will get the bill if someone gets it.

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:asterisk-users-[EMAIL PROTECTED] On Behalf Of John Fawcett
> Sent: Monday, August 15, 2005 3:22 AM
> To: [email protected]
> Subject: [Asterisk-Users] Security and SIP
>
> I've now set up SIP for:
> - internal softphones
> - registering with external providers (like FWD) for making calls
> - receiving calls from these providers
>
> For the latter step, it was necessary to forward ports from my NAT
> to the asterisk server: 5060 + range of ports mentioned in rtp.conf.
>
> I was just wondering about how to make this setup as secure as
> possible. Here's what I've done so far:
>
> 1. defined a default context in sip.conf which cannot access any
> real extension.
>
> sip.conf:
> [general]
> context=from-unknown-sip
>
> extensions.conf:
> [from-unknown-sip]
> exten => _.,1,CONGESTION
>
> 2. for peers, defined a context which does not provide access to
> outside lines.
>
> sip.conf:
> [fwd.pulver.com]
> type=peer
> username=688426
> fromuser=688426
> secret=xxxxxxxxxx
> host=fwd.pulver.com
> port=5060
> nat=yes
> canreinvite=no
> insecure=very
> context=sip-external
> disallow=all
> allow=ulaw
>
> 3. for peers, defined insecure=very which should check that the
> incoming call comes from the same IP as was registered.
>
> 4. for internal softphones, which can make outgoing calls,
> limited registrations to a specific network address using
> deny/permit
>
> sip.conf:
> [31]
> type=friend
> callerid="[EMAIL PROTECTED]" <31>
> host=dynamic
> deny=0.0.0.0/0.0.0.0
> permit=192.168.2.32/255.255.255.255
> context=sip-internal
> secret=xxxxxxxxxxxx
> disallow=all
> allow=ulaw
> allow=alaw
>
> Anything else I can do to improve security?
>
> I specifically don't want anyone external to be able to make calls.
>
> As I've opened port 5060 + rtp.conf ports only for the purpose of
> receiving calls from services I have registered with, I don't want
> any external phones to be able to register via this route.
> Is there any risk of this if someone can guess a password (maybe
> unlikely but given time this could happen)?
>
> Thanks,
> John
>
> _______________________________________________
> Asterisk-Users mailing list
> [email protected]
> http://lists.digium.com/mailman/listinfo/asterisk-users
> To UNSUBSCRIBE or update options visit:
> http://lists.digium.com/mailman/listinfo/asterisk-users
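An added example, not part of the thread and not Asterisk's own tooling: a small sip.conf audit that checks the measures discussed above (a restricted default context in [general], deny=0.0.0.0/0.0.0.0 plus permit= on every host=dynamic entry, and no external peer landing in an internal context). The sample config and the `sip-internal` context name are constructed to mirror the quoted message; the `parse_sip_conf` and `audit` helpers are assumptions of this example.

```python
import re

# Constructed sample modelled on the thread's sip.conf; [32] deliberately omits deny/permit.
SAMPLE_SIP_CONF = """\
[general]
context=from-unknown-sip
[fwd.pulver.com]
host=fwd.pulver.com
context=sip-external
[31]
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.2.32/255.255.255.255
context=sip-internal
secret=xxxxxxxxxxxx
[32]
host=dynamic
context=sip-internal
secret=xxxxxxxxxxxx
"""

def parse_sip_conf(text):
    """Tiny sip.conf parser: {section: {key: [values]}}; keys may repeat (e.g. allow=)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments and blank lines
        m = re.match(r"^\[([^\]]+)\]", line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif line:
            key, _, value = line.partition("=")      # handles 'key=value' and 'key => value'
            current.setdefault(key.strip(), []).append(value.lstrip("> ").strip())
    return sections

def audit(sections, internal_contexts=("sip-internal",)):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    def last(opts, key):
        return opts.get(key, [None])[-1]             # Asterisk uses the last repeated value
    if last(sections.get("general", {}), "context") in (None, *internal_contexts):
        findings.append("general: default context missing or grants internal access")
    for name, opts in sections.items():
        if name == "general":
            continue
        if last(opts, "host") == "dynamic":
            if "0.0.0.0/0.0.0.0" not in opts.get("deny", []) or "permit" not in opts:
                findings.append(f"{name}: dynamic host lacks deny-all/permit restriction")
        elif last(opts, "context") in internal_contexts:
            findings.append(f"{name}: external peer lands in an internal context")
    return findings
```

Running `audit(parse_sip_conf(SAMPLE_SIP_CONF))` flags only [32], the softphone entry registered from anywhere.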
