Our asterisk server was compromised. some calls were made to Asia countries last weekend.
Thought we have improved our network configuration, we still want to determine how the intrusion was done, we think there are clues in our asterisk log files.
but we don't know what to look for, based in a default asterisk:
Best Answer
This is how I secure my Asterisk server, which has been in production continuously since 2006.
Firewall
Open inbound ports only for necessary services. (You do have to open a wide range for RTP streams, but this generally isn't an issue since nothing normally listens within that port range.)
22/tcpssh (for management, of course)4520/udpDUNDi (if you are using DUNDi)4569/tcpIAX2 (if you are using IAX)5060/udpSIP registration10000-20000/udpRTP - media transportSome devices have a much narrower range of ports they use for RTP streams. For instance certain Cisco (formerly Linksys/Sipura; part numbers begin with PAP, SPA or WRP) devices only use
16384-16482.Extensions
If possible, restrict the IP address ranges from which SIP clients are allowed to connect. If this is deployed in an office, restrict connections to port 5060 to IP addresses within the locations(s) where the phones are located. If you must accept connections from Internet addresses not within your control, consider blocking country-specific IP address ranges.
Do not use the SIP extension number as the username. If your SIP clients support it, give them all names instead.
Set strong passwords for all SIP extensions. This should be obvious, but isn't always so.
From reading the logs attached to your previous question, I was able to determine that you had a SIP extension defined with the username
1, with a secret so easy to guess that the attacker got it correct on the first attempt. The extension probably had no secret defined at all.Use
alwaysauthreject=yesinsip.conf. This prevents attackers from being able to determine if a SIP extension exists via brute force.Use
allowguest=noinsip.conf. This prevents unauthenticated clients from making calls.Administration
Change all default passwords for your UNIX users, your databases, and your administrative front-ends such as FreePBX.
Set
bindaddr = 127.0.0.1inmanager.confto ensure that the Asterisk management interface is not open to the world.Other
Install fail2ban. I have it configured to block after two failed attempts, but if you have full control of all your devices such that they would never fail to login correctly, you could set it to block after one failed attempt.
If you do not need to make international calls, then have your SIP trunking provider disable the capability at their end. You can also configure your asterisk server not to route such calls.
This should cover the basics, and will keep you out of trouble for the most part. If you deploy any unusual services or write your own custom configurations, you may need to do some additional work to secure them.