Ten security tips to avoid toll fraud

One of the worst things that can happen to you when you run Asterisk is to become a victim of toll fraud. With all these new technologies and IP PBXs connected to the Internet, you are exposed to an old and dangerous kind of attack: someone on the Internet targets your system to make calls for free. The calls are free for them, but very expensive for you. Here are some security tips on how to avoid these calls. There are obviously more; please send your comments on how to avoid toll fraud.

1. Avoid collect calls. Some countries, such as Brazil, use automated systems for collect calls. An IVR will not hang up when it hears the automated collect-call announcement, so the call is accepted and billed to you. Do not accept collect calls on your IP PBX if you use an auto-attendant system.

2. Easy dial-plan mistakes: don't put everything in the default context. If your auto-attendant lives in the same context as your ISDN trunks, the caller being attended can dial external numbers, and the charge goes to YOU.

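As an added example (not from the original post) of the separation tip 2 asks for, here is an extensions.conf skeleton in which the context that answers trunk and Internet callers contains no path to a toll trunk. Every context name, extension number and the trunk peer name provider-trunk are assumptions made for the example.

```ini
; extensions.conf (added example; context names, numbers and the trunk name are constructed)

[from-trunk]
; Calls arriving from the ISDN/SIP trunks land here. This context holds the
; auto-attendant and the internal extensions ONLY: no pattern in it reaches a
; toll trunk, so digits punched into the IVR can never dial out on your bill.
exten => s,1,Answer()
exten => s,n,Background(welcome-menu)
exten => s,n,WaitExten(10)
exten => _1XX,1,Dial(SIP/${EXTEN},20)
exten => _1XX,n,Voicemail(${EXTEN}@default,u)
exten => _1XX,n,Hangup()
exten => 0,1,Dial(SIP/100,30)          ; operator
exten => i,1,Playback(invalid)
exten => i,n,Goto(s,1)
exten => t,1,Hangup()

[from-internet-safe]
; Same idea for anonymous SIP/IAX callers from the Internet (tips 5 and 8):
; they get the attendant and the internal extensions, nothing else.
include => from-trunk

[internal]
; Only authenticated office phones get this context. It inherits the
; extensions above and is the ONLY place the toll trunk is reachable.
include => from-trunk
exten => _9NXXNXXXXXX,1,Dial(SIP/${EXTEN:1}@provider-trunk,60)   ; national
exten => _9NXXNXXXXXX,n,Hangup()
exten => _9011.,1,Dial(SIP/${EXTEN:1}@provider-trunk,60)        ; international
exten => _9011.,n,Hangup()
```

The check is simple: list every context a trunk, guest or anonymous caller can enter, and confirm that none of them (including anything they include =>) contains a Dial() to a trunk.
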
3. External access for SIP or IAX2 soft-phones. Use the deny/permit directives to restrict access to the private network, and permit phones to register from the public network only on an individual basis. Use strong passwords for these phones, and use automatic provisioning with randomly generated passwords if possible.

4. Use md5secret for peer and user authentication. If someone has access to your dial plan, he can copy every single password and use it to dial; he can even use your PBX as his main trunk. With md5secret your passwords stay protected even if someone else gets access to your configuration files.

5. Take care with allowguest=yes in sip.conf. Sure, we want to receive SIP calls over the Internet. However, if a call comes in from the Internet and Asterisk can't match it to a peer/user, the call is placed in the context of the [general] section. If that context allows access to toll trunks, you could be in big trouble. Think of someone on the Internet sending an INVITE to your PBX for an external toll number. Is your PBX completing these calls? If so, your toll charges can be huge at the end of the month. Use allowguest=no, or know exactly what you are doing.

6. Run Asterisk as a user other than root, but please don't use the user asterisk with the password asterisk. I'm telling you this because I did it.

7. autocreatepeer=yes in sip.conf is evil. Don't do it. It is not required anymore; use insecure=invite with host=<ip address> in the peer definition instead.

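Tips 3, 4, 5 and 7 all land in sip.conf, so here they are together in one added example (not from the original post): guest calls refused, an office phone locked to the LAN, one phone allowed in from a single public address, and a provider trunk identified by its fixed IP instead of autocreatepeer. IP addresses, peer names, context names and the secrets are constructed for the example. The md5secret value is the MD5 of "username:realm:password", where the realm defaults to "asterisk"; the digest is left as a placeholder because it depends on the password you choose.

```ini
; sip.conf (added example; addresses, names and secrets are constructed)

[general]
context=from-internet-safe   ; where an unmatched caller WOULD land: no toll trunks in it (tip 2)
allowguest=no                ; tip 5: refuse INVITEs that match no peer/user at all
alwaysauthreject=yes         ; same rejection for unknown user and bad password: no user enumeration
bindaddr=0.0.0.0

; --- office phone: LAN only (tip 3), hashed secret (tip 4) ---
[1001]
type=friend
host=dynamic
context=internal
; ACL: deny everything first, then permit only the office LAN. Order matters.
deny=0.0.0.0/0.0.0.0
permit=192.168.10.0/255.255.255.0
; md5secret replaces a cleartext secret= line. The value is
;   MD5("1001:asterisk:<the password>")      ("asterisk" is the default realm)
; generate it with:  echo -n "1001:asterisk:<the password>" | md5sum
md5secret=<32-hex-digit digest computed as above>
qualify=yes

; --- one phone that must register from the public Internet (tip 3) ---
[1002]
type=friend
host=dynamic
context=internal
deny=0.0.0.0/0.0.0.0
permit=198.51.100.23/255.255.255.255   ; that user's single static address, nothing wider
md5secret=<32-hex-digit digest of "1002:asterisk:<its password>">

; --- provider trunk (tip 7): fixed host instead of autocreatepeer ---
[provider-trunk]
type=peer
host=203.0.113.10           ; the provider's SIP proxy
insecure=invite             ; do not challenge INVITEs coming from this host
context=from-trunk          ; inbound calls get a context without toll trunks (tip 2)
```

Note that the peers carry no secret= line at all: once md5secret is set, the cleartext password never needs to appear in the file, which is the whole point of tip 4.
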
8. Put a guest account in your iax.conf file pointing to a safe context (one without toll trunks), or even to a dummy context if you don't want to receive anonymous calls from the Internet at all.

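The iax.conf side of tip 8, as an added example (not from the original post). The context names from-internet-safe and dead-end are assumptions; the first is meant to contain only the auto-attendant and internal extensions, the second nothing but a hangup.

```ini
; iax.conf (added example; context names are constructed)

[general]
bindport=4569

; Anonymous IAX2 callers that present no username are matched to this entry.
[guest]
type=user
context=from-internet-safe   ; attendant and internal extensions only, no toll trunks
callerid="IAX guest"
; To refuse anonymous calls altogether, point the guest at a dead-end context instead:
;   context=dead-end
; with, in extensions.conf:
;   [dead-end]
;   exten => s,1,Hangup()
;   exten => _X.,1,Hangup()
```

Either way the decision is explicit: without a [guest] entry, where an anonymous IAX2 call ends up depends on defaults you may not have reviewed.
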
9. Don't embed passwords in your dial plan. IAX and SIP let you build a dial string with a password (IAX2/user:password@host/extension@context or SIP/user:password@host). Use peer entries in sip.conf or iax.conf (with md5secret=) instead of embedding the password in extensions.conf. Remember that dial-plan execution may be logged to a file or, worse, shown on the main datacenter monitor with your passwords on screen.

10. Don't allow external access to the manager interface (TCP port 5038), configured in manager.conf. Someone else could use your manager interface to generate calls with the Originate action. Protect your system with an Asterisk Manager Proxy and use a stronger access method (SSL).

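A manager.conf that follows tip 10, as an added example (not from the original post): the interface listens on loopback only, so only a local proxy or local tools can reach it, and the one account defined is read-only, so it cannot issue Originate even if its secret leaks. The account name, secret and addresses are constructed.

```ini
; manager.conf (added example; account name, secret and addresses are constructed)

[general]
enabled=yes
bindaddr=127.0.0.1     ; loopback only: the manager proxy or local tools connect here, never the Internet
port=5038
webenabled=no          ; no AMI over the built-in HTTP server either

[monitor]
; Read-only account: it may watch events and status, but holds no write
; permission, so it cannot use Originate to place calls.
secret=<long random secret>
deny=0.0.0.0/0.0.0.0
permit=127.0.0.1/255.255.255.255
read=system,call
; no write= line on purpose: write permission (which is what Originate needs) is not granted
```

If an external application really needs AMI, put the proxy in front of this loopback listener and let the proxy do the authentication and encryption; the PBX itself still never exposes port 5038 to the network.
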
Tags: asterisk, security, fraud