SECURING ASTERISK BASE PHONE

System(Elastix,FreePBX,yeastar,zycoo) is an absolute must to prevent intruders from making calls that will cost you money.  There are several stories where hackers took over a vulnerable system where the costs to the company were quite large, something you want to prevent.  Taking a few simple precautions go a long way towards a making a more secure phone system.  These steps are a must for most asterisk base telephone system installation; a few easy preventative steps that make intruders have a much harder time in compromising your SIP phone system.  Unfortunately, there are free SIP scanners widely available that make it quite easy for hackers to locate a system and then use known flaws to obtain access, using various exploit tools like brute force.  Once they gain access they use the extension to make thousands of international calls using compromised sip server.   Fortunately, awareness of potential SIP vulnerabilities has increased and most installations of Asterisk have been hardened through a few steps.

5 Steps to Securing Asterisk base phone Securing Asterisk base phone Change default passwords.  Certain default passwords that come with Linux, such as root and password need to be changed to one that is unique and follows password complexity rules.   Additionally, disable the Alt+F9 access which bypasses directly to the administration console. Do not use the extension number as the SIP name.   While convenience plays a part in making the extension number the same as the SIP entry, this will be the first guess of an attacker.  Use strong passwords.  Brute force attacks, where large numbers of word or number sequences are tried have become easier and quicker to launch now that processors are more robust.  Make your systems more secure by using long passwords with a combination of letters, numbers, and other symbols using both upper and lower case. Limit access to SIP authentication.   By restricting which IP addresses can access each user in the sip.conf file you can limit allowable requests to a reasonable set of IP addresses.  This can be done by using permit= and deny= in the sip.conf file.  Set your system to reject bad authentication requests. An option that will reject non-rusticated requests to valid usernames is alwaysauthreject=yes in the sip.conf file. This option will reject badhttp://netmateit.com