As attacks become more sophisticated over time, it's crucial to ensure your Asterisk system is as secure as possible.
To make brute-force attacks harder by not revealing which extensions exist on your system, add the following line to the appropriate *.conf file, for example sip.conf or sip_general_custom.conf. With this set, Asterisk returns the same authentication rejection whether or not the requested peer exists, so an attacker cannot tell a valid extension from an invalid one:
alwaysauthreject=yes
To bind your Asterisk phone system to a non-standard port, add the following line to the appropriate conf file, for example sip.conf or sip_general_custom.conf. Your system will then no longer listen for SIP on port 5060 and will instead use the port you specify, where #### is your chosen SIP port. Phones and trunks that register to this system must be reconfigured to use the new port:
bindport=####
If you are using Outbound Allowed IPs (IP-based authentication) rather than SIP credentials on the PBX, remove the username and password from your Flowroute peer details.
Install and configure Fail2ban so that IPs that repeatedly fail authentication against your Asterisk PBX are blocked from contacting your system.
If possible, reduce the default RTP port range your Asterisk phone system uses. Each call leg uses one RTP port and one RTCP port, so if you do not carry more than 100 concurrent calls you can reduce the range in /etc/asterisk/rtp.conf from
10000-20000
down to
19000-20000
This reduces the number of open ports on your system.
Change the default ARI, AMP, and FOP passwords in amportal.conf. It is also best to block the AMI port (default 5038) with iptables so that it is unreachable from anywhere outside your network.
NOTE: amportal.conf exists only on systems with FreePBX installed.
Ensure that your Asterisk phone system uses strong passwords and that no extension or peer is left with a blank or default password. You can generate strong passwords from any of the following sites:
Use a firewall to restrict traffic into and out of your system, for example with iptables. See IP Tables for information on using iptables.
Review your system logs regularly, and keep your system patched and up to date to protect against application flaws.
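To verify that the settings above are actually in effect, the following POSIX shell script, added here as an example and not part of Flowroute's or the Asterisk project's own tooling, reads an Asterisk chan_sip configuration and flags the weak settings this page warns about: alwaysauthreject left off, SIP still on port 5060, a wide RTP range in rtp.conf, and peers with a blank or missing secret. The file names, the sample peers, and the 1024-port RTP threshold are assumptions for illustration; the script does not follow #include directives or resolve template inheritance, so point it at the file that actually holds each setting.

```shell
#!/bin/sh
# Added example (not Flowroute's or the Asterisk project's code): audit an Asterisk
# chan_sip configuration against the hardening checklist on this page.
# Assumptions: ini-style *.conf files; #include and template inheritance are not
# resolved, so run it against the file that actually holds each setting.

# Print the effective value of KEY in FILE. Strips ';' comments and surrounding
# whitespace; if a key appears more than once, the last assignment wins.
conf_get() {
    sed -e 's/;.*$//' "$1" | awk -F'=' -v k="$2" '
        { gsub(/^[ \t]+|[ \t]+$/, "", $1) }
        $1 == k { v = $2; gsub(/^[ \t]+|[ \t]+$/, "", v) }
        END { if (v != "") print v }'
}

# Check the SIP general settings in FILE. Prints one line per finding and
# returns the number of findings (0 = both checks passed).
audit_sip() {
    file=$1; n=0
    if [ "$(conf_get "$file" alwaysauthreject)" != "yes" ]; then
        echo "FAIL $file: alwaysauthreject is not 'yes'; valid extensions can be enumerated"
        n=$((n + 1))
    fi
    port=$(conf_get "$file" bindport)
    if [ -z "$port" ] || [ "$port" = "5060" ]; then
        echo "WARN $file: SIP is on the default port 5060 (bindport not changed)"
        n=$((n + 1))
    fi
    return $n
}

# Check the RTP range in FILE. Each call leg uses an RTP port and an RTCP port,
# so MAXPORTS (default 1024, an assumed threshold) allows about 512 media streams.
# Returns 1 if the range is missing, inverted, or wider than MAXPORTS.
audit_rtp() {
    file=$1; maxports=${2:-1024}
    start=$(conf_get "$file" rtpstart); end=$(conf_get "$file" rtpend)
    if [ -z "$start" ] || [ -z "$end" ] || [ "$start" -ge "$end" ]; then
        echo "FAIL $file: rtpstart/rtpend missing or invalid"
        return 1
    fi
    span=$((end - start + 1))
    if [ "$span" -gt "$maxports" ]; then
        echo "WARN $file: RTP range $start-$end opens $span ports (limit $maxports)"
        return 1
    fi
    return 0
}

# List peer sections in FILE that have no secret or a blank one; [general] and
# [authentication] are skipped. A peer authenticated by IP (such as a Flowroute
# trunk using Outbound Allowed IPs) has no secret by design and will be listed;
# review those rather than adding one. Returns the number of sections listed.
audit_secrets() {
    file=$1
    weak=$(awk '
        function flag() { if (sec != "" && sec != "general" && sec != "authentication" && !ok) print sec }
        /^[ \t]*;/ { next }
        /^[ \t]*\[/ { flag(); sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); ok = 0; next }
        /^[ \t]*secret[ \t]*=/ { v = $0; sub(/^[^=]*=/, "", v); sub(/;.*$/, "", v)
                                 gsub(/[ \t]/, "", v); if (v != "") ok = 1 }
        END { flag() }' "$file")
    [ -z "$weak" ] && return 0
    set -- $weak
    for s; do echo "FAIL $file: peer [$s] has no usable secret"; done
    return $#
}

# Demonstration on constructed sample files (not taken from a real deployment).
demo() {
    d=$(mktemp -d)
    cat > "$d/sip.conf" <<'EOF'
[general]
bindport=5060            ; default port
alwaysauthreject=no      ; reveals which extensions exist

[1001]
type=friend
host=dynamic
secret=                  ; blank password

[1002]
type=friend
host=dynamic
secret=Xk9vQ2pL7mZr4wTb  ; constructed sample secret
EOF
    cat > "$d/rtp.conf" <<'EOF'
[general]
rtpstart=10000
rtpend=20000
EOF
    audit_sip "$d/sip.conf" || :
    audit_secrets "$d/sip.conf" || :
    audit_rtp "$d/rtp.conf" || :
    rm -r "$d"
}

demo
```

Run it as root on the PBX with your real /etc/asterisk/sip.conf (or sip_general_custom.conf) and rtp.conf paths in place of the sample files; a clean run prints nothing and every function returns 0. The peer check reports IP-authenticated trunks as well, which is expected if you removed credentials per the Outbound Allowed IPs step above.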