Greetings,

I am trying to harden an Asterisk box without affecting the staff too much. The cheap Linksys router forwards ports 5060-5080, 10000-35000 and 22 to the Asterisk box. The road warriors were connecting directly to Asterisk via our public IP, which allowed their soft-phone passwords to be broadcast in clear text. This was never a problem, but it still bothered me, so I set up an SSL VPN appliance. The staff were supposed to start connecting via VPN and then authenticating with Asterisk.

The staff still continued to connect via our public IP despite my pleas and concerns. Tonight I decided to adjust everyone's extension to prevent soft-phones from authenticating outside of our subnet. (See the deny/permit statements in the sip.conf excerpt at the bottom of this email.)

I also SSH into the Asterisk box but I disabled password authentication and enabled RSA certificate authentication.

Does filtering peer authentication by subnet (as seen below) really prevent unauthorized peers from authenticating?  Are there any other recommended changes to prevent unauthorized access? 

I know if someone really wants access to our server then I am sure they will find a way.  I'm just trying to make a reasonable effort.

Thank you for your thoughts!

[200]
deny=0.0.0.0/0.0.0.0
type=friend
secret=secret
qualify=yes
port=5060
pickupgroup=
permit=192.168.10.0/255.255.255.0
nat=yes
mailbox=...@default
host=dynamic
dtmfmode=rfc2833
dial=SIP/200
context=from-internal
canreinvite=no
callgroup=
callerid=device <200>
accountcode=
call-limit=50


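Added example, not from the original post and not Asterisk's own code: a small Python evaluator for chan_sip deny=/permit= lists, applied to the [200] peer above. It assumes the ordering semantics of Asterisk's ast_apply_ha(): rules are checked in the order written, the last matching rule decides, and a peer with no rules at all is allowed; the address tested is the source IP of the SIP packet, so hosts on the VPN must appear from 192.168.10.0/24 for the permit line to match them.

```python
import ipaddress

# Constructed from the [200] peer posted above (only the ACL lines matter here).
PEER_200 = [
    "deny=0.0.0.0/0.0.0.0",
    "type=friend",
    "permit=192.168.10.0/255.255.255.0",
    "host=dynamic",
]


def parse_acl(lines):
    """Turn deny=/permit= lines into an ordered list of (sense, network).

    Accepts the dotted-mask form used in sip.conf (a.b.c.d/w.x.y.z) as
    well as CIDR (a.b.c.d/24). Order is preserved because it decides
    the outcome when a source address matches more than one rule.
    """
    rules = []
    for line in lines:
        line = line.split(";", 1)[0].strip()  # strip sip.conf comments
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key in ("deny", "permit"):
            rules.append((key, ipaddress.ip_network(value, strict=False)))
    return rules


def acl_allows(rules, source_ip):
    """Mirror ast_apply_ha(): start optimistic, last matching rule wins."""
    verdict = "permit"  # no matching rule -> peer is allowed
    addr = ipaddress.ip_address(source_ip)
    for sense, network in rules:
        if addr in network:
            verdict = sense  # a later match overrides an earlier one
    return verdict == "permit"


def check_peer_200(source_ip):
    """Convenience wrapper: would peer 200 accept a request from source_ip?"""
    return acl_allows(parse_acl(PEER_200), source_ip)
```

Swapping the two lines (permit first, then deny=0.0.0.0/0.0.0.0) denies everyone, including the LAN, because the catch-all deny then matches last.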
_______________________________________________
asterisk-users mailing list
http://lists.digium.com/mailman/listinfo/asterisk-users