Steps to Protecting the Asterisk IP PBX

By Susan J. Campbell, TMCnet Contributing Editor

The idea of an open-source communication platform is gaining considerable attention as companies seek proven methods to reduce operation costs. With Asterisk (News - Alert) or IP PBX, however, there can be concerns regarding the security of the platform. Fortunately, by following a few guidelines, your network can be protected.

According to this XELOG report, the first step to protecting the IP PBX (News - Alert) or Asterisk platform is to verify the validity of the provider. Ensuring the company with which you do business is legitimate is an essential step. This provider offers guidelines on how to identify a VoIP fraud company on their blog.

It’s also important to check the security and safety guidelines of the Asterisk provider and then act on their recommendations to protect the platform. All last patches should also be installed, whether the IP PBX is Asterisk, 3CX, Avaya, Elastix (News - Alert), Trixbox, Cisco, MyPBX, Lync or other offerings.

While companies should always avoid the use of default passwords on any system, they still do it. Passwords should be strong and changed. Likewise, remote access should be restricted to the system from only one IP address.

If possible, the provider also recommends that companies always install the IP PBX on a NAT LAN to make it difficult to get into the IP PBX from the outside world. To do so with Asterisk, they recommend putting the box behind the NAT router so it can initiate and maintain registered connects with outside SIP providers.

All extensions on the Asterisk platform should have different usernames and passwords. It’s also important to make sure passwords on internal extensions are difficult to guess, and to keep routing on inbound calls different from that on outbound calls.

The Asterisk platform is more protected when the IP addresses are restricted according to extensions that can be registered. Channels not in use should be disabled and Asterisk should be prevented from telling a SIP scanner which extensions are valid numbers and which are not.

Restrictive dial plans should be used, as well as non-numeric logins for all extensions. The Asterisk LOG file – found here: /var/log/asterisk/messages – can be read to determine what happened if the platform is breached and if hackers got in or not.

Lastly, a SIP port firewall should be installed to prevent “fast scanning” of the port 5060 and blacklist the endpoint for one hour if something like this is taking place.

The important point is to ensure the IP PBX, whether it is Asterisk or not, is protected at all times to ensure optimal business continuity.

Related Asterisk Articles