On 31/01/12 16:16, Gilles wrote:
> Hello
>
> To cut down on the number of hackers trying to break into an Asterisk
> server, I'd like to simply move the SIP port from the standard UDP
> 5060 to something non-standard.

Something more appropriate for your goal might be a move to TLS, it is definitely needed for any external connectivity.

This RFC provides some details:

http://tools.ietf.org/html/rfc5922

The bottom line is that external SIP peers must send you their cert when they connect. SIP hackers will need to identify themselves (e.g. with credit card) to get a certificate, or they just won't be able to talk to your server. Obviously, this cuts out about 99% of the script kiddies.

As a further safety measure, you could use something like repro or Kamailio as a SIP router to isolate your Asterisk from the public internet. All DNS SRV records would point at the SIP router, not Asterisk. Phones would register with the SIP router. Calls would be selectively routed to Asterisk (e.g. for voicemail).
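
The following is an added example, not part of the original message. It assumes Kamailio is the SIP router and that its TLS profiles live in a tls.cfg file. It checks that every server profile enforces the "peers must send you their cert" requirement described above through the verify_certificate and require_certificate options. The profile addresses and file paths in the sample are constructed.

```python
import configparser

# Constructed sample in Kamailio tls.cfg syntax (paths and addresses are made up).
SAMPLE_TLS_CFG = """
[server:default]
method = TLSv1.2+
certificate = /etc/kamailio/tls/router-cert.pem
private_key = /etc/kamailio/tls/router-key.pem
ca_list = /etc/kamailio/tls/trusted-peers-ca.pem
verify_certificate = yes
require_certificate = yes

[server:192.0.2.10:5061]
certificate = /etc/kamailio/tls/router-cert.pem
private_key = /etc/kamailio/tls/router-key.pem
ca_list = /etc/kamailio/tls/trusted-peers-ca.pem
verify_certificate = yes
"""


def audit_server_profiles(cfg_text):
    """Return {profile: [problems]} for server profiles that would accept
    an inbound TLS peer without a validated client certificate."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    findings = {}
    for section in parser.sections():
        if not section.startswith("server:"):
            continue  # client profiles only govern outbound connections
        profile = parser[section]
        problems = []
        # Both options are off when omitted, so a missing key is a finding.
        if not profile.getboolean("verify_certificate", fallback=False):
            problems.append("verify_certificate is off: peer certs are not validated")
        if not profile.getboolean("require_certificate", fallback=False):
            problems.append("require_certificate is off: peers may connect with no cert")
        if problems:
            findings[section] = problems
    return findings


if __name__ == "__main__":
    for name, problems in audit_server_profiles(SAMPLE_TLS_CFG).items():
        for problem in problems:
            print(f"{name}: {problem}")
```

The second profile in the sample is flagged because it validates a certificate only if the peer chooses to send one; without require_certificate an anonymous peer can still complete the handshake.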