
11 Steps to Secure your Asterisk PBX

1. Physically secure your IP PBX and network hardware.

Physical security is critical and commonly overlooked. Be sure access to your hardware is limited to
those who have the appropriate permissions, actually require access and, most importantly, know
what they are doing! We techs like to play around with stuff, but that's why we have labs.

2. Never, never, never use the default passwords on any system (use strong passwords).

If you are truly concerned about PBX security, take this one piece of advice seriously!
Password security is easy and by far the best way to stop the top 99% of all hacks, because weak and
default passwords are easily the most common way hackers enter IP PBX systems.

When installing your IP PBX, the very first step should be to replace both the username and the password
of any account with administrator access. Secondly, when creating user accounts, do not use or
allow easy-to-guess passwords like "1234", "password", "companyname1" etc.

Also, be sure to use a strong and unique password. This can't be stressed enough. As tempting and
simple as it may be to use your business name with a single digit added to the end of it, don't do it. You
would be surprised what password-guessing tools can figure out with just a little information.

3. Never use the same username and password on your extensions.

This is another VERY common issue, especially within the Asterisk community. Using password 101
for extension 101 is asking for big trouble. DON'T DO IT!

An example of what NOT to do on your extensions:

; sip.conf
[101]
username=101
secret=101
host=dynamic

4. Place your PBX behind a firewall

Let's face it, working on your PBX from home or allowing co-workers access to the system remotely is
necessary and often unavoidable. However, doing it correctly can be the difference between security
success and total and utter failure. VPNs are a good way to limit access and still enable remote
management by co-workers. Placing your PBX behind a firewall and restricting remote access to your IP
PBX to specific IP addresses will greatly discourage even the most determined hacker. While hardware
firewalls typically provide the most security, software firewalls can be just as effective and much
cheaper (many are free).

Firewalls, of course, are only as good as the rules defined within them. So be sure to open only the
ports that are absolutely essential to run your PBX. Block anonymous WAN requests (ping). Let's
face it; if they can find you, they can hack you.

When possible, place your IP PBX on a LAN with Network Address Translation (NAT). NAT basically
gives your IP PBX a private IP address and makes it much more difficult to reach from the
internet. While it may be tempting to simply disable NAT for simplicity (especially when you run into that
pesky one-way audio issue), don't do it. Take the time to set it up correctly, and you'll be glad you did.

5. Use the "permit=" and "deny=" lines in sip.conf

Use the "permit=" and "deny=" lines in sip.conf to allow only a small range of IP addresses to reach
each extension/user defined in your sip.conf file. This holds even if you decide to allow inbound calls from
"anywhere" (the default): those callers still won't be able to reach any authenticated elements.

6. Keep inbound and outbound routing separate (Asterisk)

This is probably the biggest cause and source of toll fraud. By keeping your inbound call routing in a
different context from your outbound routing, an intruder who does happen to make it into your system
can't get back out again.

7. Limit registration by extensions to your local subnet.

Restrict the IP addresses your extensions can register from to the local subnet. Asterisk PBXs can use
the ACL (permit/deny) in sip.conf to block IP addresses. This can fend off brute-force registration
attempts.

8. Disable channels and services that are not in use

Disable channels that you aren't using, like skinny and MGCP. For Asterisk PBXs, you can "unload"
these modules in the /etc/modules.conf file like this:

noload => chan_mgcp.so
noload => chan_skinny.so
noload => chan_oss.so

9. Make it harder for SIP scanners (set "alwaysauthreject=yes")

Set "alwaysauthreject=yes" in your SIP configuration file. This prevents Asterisk from telling
a SIP scanner which extensions are valid: authentication requests for existing usernames are rejected
with the same rejection details as those for nonexistent usernames. If they can't find you, they can't hack
you!

Another way to make it hard for SIP scanners is to install a SIP port firewall. This will block "scanning"
of ports 5060 and 5061 and can disable the attempting endpoint for a specific time when it detects a
violation.
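The following sip.conf fragment is an added example, not configuration from the original article; it shows steps 3, 5, 7 and 9 applied to one peer. The extension number, the office subnet 192.168.10.0/24 and the secret are constructed values.

```ini
; sip.conf (added example): a hardened peer for extension 101
[general]
alwaysauthreject=yes       ; step 9: unknown and existing usernames get the same rejection
allowguest=no              ; unauthenticated SIP callers never enter the dialplan
context=from-trunk         ; any unauthenticated/default traffic lands in a restricted context

[101]
type=friend
host=dynamic
secret=Vq7!pL2#zT9mRw5b    ; step 3: constructed strong secret, not "101"
context=from-internal      ; step 6: only authenticated phones get the outbound context
deny=0.0.0.0/0.0.0.0       ; steps 5 and 7: deny all addresses first ...
permit=192.168.10.0/255.255.255.0  ; ... then permit only the assumed office LAN
qualify=yes
```

The deny line must come before the permit line; chan_sip evaluates them in order, so the reverse order would let the deny cancel the permit.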

10. Limit and restrict routing and phone number dial plans

Restrict calling to high-cost destinations and don't allow calling to 0900 and premium numbers.
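The following extensions.conf fragment is an added example, not dialplan from the original article; it shows steps 6 and 10 together: inbound trunk calls land in a context that cannot dial out, and the outbound context refuses premium and international numbers before any trunk dial. The context names, the trunk name "trunk-provider" and the 0900/00 prefixes are assumptions (numbering plans differ by country).

```ini
; extensions.conf (added example): separate inbound and outbound contexts
[from-trunk]
; Inbound calls from the provider may only reach internal extensions.
; Nothing in this context dials a trunk, so a caller here cannot make toll calls.
exten => _X.,1,NoOp(Inbound call to ${EXTEN} from ${CALLERID(num)})
 same => n,Goto(internal-ext,${EXTEN},1)

[internal-ext]
; Extension-to-extension dialling, shared by both directions.
exten => 101,1,Dial(SIP/101,20)
 same => n,Hangup()

[from-internal]
; Reached only by authenticated phones (context=from-internal in sip.conf).
include => internal-ext
; Step 10: block premium-rate (assumed 0900 prefix) and international (assumed 00 prefix)
; numbers explicitly. Literal digits win over Z/X in pattern matching, so these
; patterns are chosen before the national catch-all below.
exten => _0900X.,1,NoOp(Blocked premium-rate call to ${EXTEN})
 same => n,Playback(ss-noservice)
 same => n,Hangup()
exten => _00X.,1,NoOp(Blocked international call to ${EXTEN})
 same => n,Playback(ss-noservice)
 same => n,Hangup()
; Ordinary national numbers (assumed 0 + 9 digits, second digit 1-9) go to the trunk.
exten => _0ZXXXXXXXX,1,Dial(SIP/trunk-provider/${EXTEN},60)
 same => n,Hangup()
```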

11. Audit your system security regularly

Once you've reached this point, it's not a bad idea to put your hacker hat on and have a try at your
own system. Think like a hacker and look for weaknesses or holes in your system security. It is a
good idea to review your system security regularly. Don't sleep on security; you can guarantee that
thieves aren't.
