On 31/01/12 16:16, Gilles wrote:
> Hello
> 
> To cut down on the number of hackers trying to break into an Asterisk
> server, I'd like to simply move the SIP port from the standard UDP
> 5060 to something non-standard.

Something more appropriate for your goal might be a move to TLS; it is
definitely needed for any external connectivity.

This RFC provides some details:

http://tools.ietf.org/html/rfc5922

The bottom line is that external SIP peers must send you their cert when
they connect.  SIP hackers will need to identify themselves (e.g. with
credit card) to get a certificate, or they just won't be able to talk to
your server.  Obviously, this cuts out about 99% of the script kiddies.

As a further safety measure, you could use something like repro or
Kamailio as a SIP router to isolate your Asterisk from the public
internet.  All DNS SRV records would point at the SIP router, not
Asterisk.  Phones would register with the SIP router.  Calls would be
selectively routed to Asterisk (e.g. for voicemail).
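
Added example, not part of the original message: a Kamailio `tls.cfg` server profile that makes the SIP router require and verify a client certificate before any SIP traffic is accepted, which is the setup the reply describes. All file paths and the listen address are placeholders.

```ini
# /etc/kamailio/tls.cfg  (path is a placeholder)
# Loaded from kamailio.cfg with:
#   enable_tls=yes
#   listen=tls:203.0.113.10:5061     (documentation address, replace)
#   loadmodule "tls.so"
#   modparam("tls", "config", "/etc/kamailio/tls.cfg")

[server:default]
# Key and certificate the router presents to connecting peers.
private_key = /etc/kamailio/tls/router-key.pem
certificate = /etc/kamailio/tls/router-cert.pem

# CAs whose client certificates are accepted.
ca_list = /etc/kamailio/tls/trusted-ca.pem

# Verify the peer's certificate chain against ca_list ...
verify_certificate = yes
# ... and fail the handshake when the peer sends no certificate at all.
# require_certificate only takes effect together with verify_certificate.
require_certificate = yes
```

With this profile a peer that cannot present a certificate chaining to `ca_list` never gets past the TLS handshake, so its REGISTER and INVITE attempts do not reach the router's routing logic or Asterisk.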
