One of the worst things that can happen to you when using Asterisk is to be a victim of toll fraud. With IP PBXs connected to the Internet you are exposed to a new class of attacks: people scanning the Internet for PBXs they can use to place calls. The calls are free for them, but very expensive for you. The security tips below describe how to avoid these calls.
1. Use strong passwords. Never, ever keep the default password or use easy passwords such as 1234, 0000 and so on. Eight characters, with at least one uppercase letter and one symbol, is the minimum. Utilities such as svcrack from the SIPVicious suite (www.sipvicous.org) can scan your server for weak passwords automatically; attackers use the same tools, so scan your own server before someone else does.
2. Use a utility such as fail2ban to ban IP addresses that keep trying to guess passwords. A good tutorial on how to do it can be found at http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk.
3. Consider the use of TLS/SRTP. Search for UCSniff and you will see how easy it is to eavesdrop on a phone call from the same network. If the subject is confidential, TLS (for the signaling) and SRTP (for the audio) are mandatory; one without the other still leaves either the call details or the conversation itself in the clear.
4. Adopt a damage control strategy. Do not allow international or other expensive calls for all users. Select only the most common destinations. Recently, a friend was attacked and some calls were made to Egypt. Nobody in his company would ever need to call Egypt, so why keep it enabled? Spend a little more time on the dialplan and specify only the destinations your company really uses; a compromised account can then reach nothing else.
5. Easy dialplan mistakes: don't put everything in the default context. If you have an auto-attendant in the same context as your ISDN trunks, the caller being attended can dial external numbers, charging YOU. When passing dialed digits to Dial(), use the FILTER function to allow only digits, and take care with the dialplan injection vulnerability described at http://www.securiteam.com/securitynews/5BP380K19G.html: a pattern such as _X. matches any characters after the first digit, so an attacker can send an extension like 1000&SIP/trunk/0111234567890 and have Dial() place a second, outbound call on your trunk.
6. Avoid collect calls. Some countries, such as Brazil, use automated systems for collect calls: the called party accepts the charges simply by staying on the line after the recorded announcement. An IVR will not hang up on that announcement, so it silently accepts the call. Do not accept collect calls on your IP PBX if you are using an auto-attendant system.
7. External access for SIP or IAX2 soft-phones. Use the deny/permit options in the peer definition to limit access to the private network (deny everything, then permit only the LAN). Allow phones to register from the public network only on an individual basis, from a known address where possible, and use strong passwords for these phones.
8. Use md5secret instead of secret in the peer and user entries. If someone has access to your configuration files, he can copy every single password and use it to dial; he can even use your PBX as his main trunk. With md5secret the file holds MD5(user:realm:password) rather than the password itself, so it cannot be read off and reused elsewhere. Note that the hash is still enough to answer SIP digest challenges for that account, so keep the permissions on the configuration files tight as well.
9. Take care when using allowguest=yes in sip.conf. Sure, we want to receive SIP calls over the Internet. However, if a call comes from the Internet and does not match a peer/user, it uses the context from the [general] section. If that context allows access to toll trunks, you are in big trouble. Think of someone placing the following call: sip:011314567890@yourdomain.com. Is your PBX completing it? If yes, your toll charges can be huge at the end of the month. Use allowguest=no, or know exactly what you are doing and point the general context at one with no trunks.
10. Run Asterisk as a user other than root, but please don't run Asterisk with the password "asterisk". I'm telling you this because I did it.
11. Put a guest account in iax.conf pointing to a safe context (one without toll trunks), or to a dummy context if you don't want to receive anonymous calls from the Internet at all.
12. Don't embed passwords in your dialplan. IAX2 and SIP allow you to build a dial string containing a password (IAX2/user:password@host/extension@context or SIP/user:password@host). Define peer entries in sip.conf or iax.conf (with md5secret= where the channel driver supports it) and dial by peer name instead of embedding the password in extensions.conf. Remember that dialplan execution may be logged to a file or, worse, displayed on the screen of the main datacenter monitor, with your passwords shown in clear.
13. Don't allow external access to the manager interface (TCP port 5038) configured in manager.conf. Someone else can use your manager interface to generate calls with the Originate action. Bind it to localhost or restrict it with deny/permit, give each account only the read/write permissions it needs, and protect remote access with an Asterisk Manager Proxy and a stronger access method (SSL).
14. Take care with TFTP provisioning: attackers can easily attack your TFTP server (search for TFTPTheft), and the provisioning files contain the phone passwords in plain text. Prefer an encrypted and authenticated scheme for auto-provisioning, such as HTTPS.
15. Avoid IP phones directly connected to the Internet. The web interface of these phones can be easily attacked, and once in the phone the attacker can find a way to export the passwords (on some phones, the "backup to text" option is enough).
16. Replace all Trixbox/Elastix/FreePBX default passwords. Elastix 1.6 does not properly update the FreePBX admin password: changing the Elastix admin password does NOT affect the default username and password of FreePBX, so change that one separately.
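The dialplan side of tips 4, 5 and 9 (destination restrictions, a toll-free landing context, and FILTER against dialplan injection), as an added example that is not from the original article. The extension numbering (1000-1999), the NANP dialing patterns, the UK-only international rule and the trunk peer name pstn-trunk are assumptions; adapt them to your own numbering plan.

```ini
; extensions.conf (added example; every name and pattern below is an assumption)

[no-service]
; Landing context for unauthenticated SIP/IAX2 callers and for the [general]
; context of sip.conf. Nothing in here can reach a trunk.
exten => s,1,Congestion(5)
exten => _X.,1,NoOp(Unauthenticated call to ${EXTEN} from ${CALLERID(all)})
exten => _X.,n,Congestion(5)

[internal]
; Every phone starts here. Only the destinations the company really uses are
; listed; anything else gets Congestion() instead of a trunk.
exten => _1XXX,1,Dial(SIP/${EXTEN},20)             ; internal extensions 1000-1999
exten => _1XXX,n,Hangup()
exten => 911,1,Goto(outbound,${EXTEN},1)           ; emergency (NANP; adjust for your country)
exten => _NXXNXXXXXX,1,Goto(outbound,${EXTEN},1)   ; national, 10 digits
exten => _1NXXNXXXXXX,1,Goto(outbound,${EXTEN},1)  ; national, 11 digits
; Deliberately unreachable: international (011) and premium (1-900) prefixes.
; Logged so you can see who is probing for them. Asterisk picks the most
; specific pattern, so _1900NXXXXXX wins over _1NXXNXXXXXX above.
exten => _011.,1,NoOp(Blocked international attempt to ${EXTEN} from ${CHANNEL})
exten => _011.,n,Congestion(5)
exten => _1900NXXXXXX,1,Congestion(5)

[international]
; Only the few phones whose sip.conf entry says context=international get here.
; A match in this context is used before the included one, so UK numbers go
; out and every other 011 prefix still hits the block in [internal].
include => internal
exten => _01144.,1,Goto(outbound,${EXTEN},1)       ; assumption: the company only calls the UK

[outbound]
; The single choke point for trunk access: never assigned to a phone directly,
; only reached via Goto from the contexts above.
; FILTER keeps digits only, so a request URI such as
;   sip:2015551234&SIP/pstn-trunk/0112012345678@pbx
; (dialplan injection) cannot smuggle a second destination into Dial().
; Comparing lengths instead of strings avoids quoting problems in $[ ].
exten => _X.,1,Set(DEST=${FILTER(0-9,${EXTEN})})
exten => _X.,n,GotoIf($[${LEN(${DEST})} != ${LEN(${EXTEN})}]?inject)
exten => _X.,n,Dial(SIP/pstn-trunk/${DEST},60)     ; assumption: trunk peer named pstn-trunk
exten => _X.,n,Hangup()
exten => _X.,n(inject),NoOp(Dialplan injection blocked: ${EXTEN})
exten => _X.,n,Hangup()
```

The point of the layout is that a phone never holds a context containing a Dial() to the trunk; it only ever holds [internal] or [international], and those decide which numbers may be forwarded to [outbound]. After a reload, try `dialplan show 0112012345678@internal` and the injection URI above from a soft-phone to confirm both end in Congestion().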
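The channel and manager side of tips 3, 7, 8, 9, 11 and 13 (TLS/SRTP, deny/permit, md5secret, allowguest, the IAX2 guest account and a locked-down AMI), as an added example that is not from the original article. The LAN range, the road-warrior's public address (from the documentation range 203.0.113.0/24), the certificate path and the account names are assumptions, and the hash placeholders must be replaced with real md5sum output; the contexts named here (no-service, internal, international) must exist in your extensions.conf.

```ini
; sip.conf (added example; addresses, paths and names are assumptions)
[general]
context=no-service        ; calls that match no peer/user land in a context with no trunks
allowguest=no             ; unauthenticated INVITEs are rejected outright
alwaysauthreject=yes      ; identical reply for unknown user and wrong password,
                          ; so svcrack-style scanners cannot tell which extensions exist
; TLS signaling (Asterisk 1.8+); certificate path is an assumption
tlsenable=yes
tlsbindaddr=0.0.0.0
tlscertfile=/etc/asterisk/keys/asterisk.pem

[1001]                    ; desk phone, only ever on the LAN
type=friend
host=dynamic
context=internal
; md5secret holds MD5("1001:asterisk:<password>") instead of the password;
; generate it with:  echo -n "1001:asterisk:<password>" | md5sum
md5secret=<paste the 32 hex digits printed by md5sum>
deny=0.0.0.0/0.0.0.0      ; deny everything ...
permit=192.168.10.0/255.255.255.0   ; ... then permit only the office LAN (assumed range)
transport=tls
encryption=yes            ; require SRTP for this phone's audio
call-limit=2              ; a stolen credential still cannot run many calls at once

[1002]                    ; road-warrior soft-phone, permitted individually (tip 7)
type=friend
host=dynamic
context=internal
md5secret=<hash generated as above>
deny=0.0.0.0/0.0.0.0
permit=203.0.113.45/255.255.255.255  ; the one public address it connects from (assumed)
transport=tls
encryption=yes
call-limit=2

[1003]                    ; one of the few phones that may call abroad (tip 4)
type=friend
host=dynamic
context=international
md5secret=<hash generated as above>
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
call-limit=2

; iax.conf
[general]
requirecalltoken=yes      ; Asterisk 1.4.27 / 1.6.2 and later: rejects spoofed-source call setups
[guest]                   ; anonymous IAX2 callers are accepted, but only into the toll-free context
type=user
context=no-service
callerid="Guest IAX User"

; manager.conf
[general]
enabled=yes
bindaddr=127.0.0.1        ; AMI on loopback only; reach it remotely through a proxy or SSH tunnel
port=5038
[dashboard]               ; a read-only account for a wallboard (assumed use)
secret=<long random secret>
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.255
read=call,system
; no write= line: this account cannot issue Originate or change configuration
```

Two checks are worth running after the reload: `sip show peer 1002` should list the single permitted address, and a `sip set debug` trace of a guessed-password REGISTER against 1001 and against a nonexistent extension should show the same response, which is what alwaysauthreject is for.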
