We spend our time searching for security and hate it when we get it.
Security for your Asterisk system is critical, especially if the system is exposed to the Internet. There is a lot of money to be made by attackers in exploiting systems to make free phone calls. This chapter provides advice on how to provide stronger security for your VoIP deployment.
If you expose your Asterisk system to the public Internet, one of the things you will almost certainly see is a scan for valid accounts. Example 26-1 contains log entries from one of the authors’ production Asterisk systems. This scan began with checking various common usernames, then later went on to scan for numbered accounts. It is common for people to name SIP accounts the same as extensions on the PBX. This scan takes advantage of that fact. This leads to our first tip for Asterisk security:
Tip #1: Use non-numeric usernames for your VoIP accounts to make them harder to guess. For example, in parts of this book we use the MAC address of a SIP phone as its account name in Asterisk.
Example 26-1. Log excerpts from account scanning
[Aug 22 15:17:15] NOTICE chan_sip.c: Registration from '"123"<sip:firstname.lastname@example.org>' failed for '220.127.116.11:5061' - No matching peer found [Aug 22 15:17:15] NOTICE chan_sip.c: Registration from '"1234"<sip:email@example.com>' failed for '18.104.22.168:5061' - No matching peer found [Aug 22 15:17:15] NOTICE chan_sip.c: ...