Secure Your VoIP System while allowing externals

Discussion in 'General' started by sunshinenetworks, Nov 17, 2010.

  1. sunshinenetworks

    Hi Guys,

    We recently made a new post on how to secure Asterisk (or Elastix) using a new port knocking technique. This new technique is easy to install by admins and doesn't require any configuration by the end-user, while still keeping your port 5060 (or other port, if you changed your default SIP port) closed.

    http://www.sunshinenetworks.com.au/how- ... knock.html

    I'd appreciate feedback and comments. Special note to Dicko: your input is greatly appreciated. If you have time to read the article and test this out, please let us know if you encounter any problems or spot any typos. I read you had some problems with Chinese portscanners; perhaps this technique can help.
     
  2. dicko

    Coincidentally I had just finished reading that, (apres your previous fail2ban post).

    Your solution is ingenious and effective, I wish I'd thought of it :)

    My solution to get the Chinese/Vietnamese/Turkish/Indonesian cluster VoIP hacker bots off my back was basically DROPping huge chunks of /8 networks. I am currently transitioning to CSF, which enables a similar functionality to Fail2Ban by parsing the logs with regexes; it seems less inertial. I will use your idea as part of that CSF script, it is far more granular.

    Using the sip secrets perhaps through md5sum or perhaps an added field more like a bogus sip header and scripting out the ACCEPTS from mysql extension tables will certainly be very effective, both for SIP and IAX2, you made me put my thinking hat on and start looking closely at the SIP packets on my remote phones for secure recognizable strings!

    Thanks a lot and ++karma

    regards

    dicko
     
  3. Lee Sharp

    Very nice concept! (Karma +1 as well)

    I would remove step one. It is covered elsewhere, and you can link to it, but it confuses the issue.

    Also, I see a lot of questions like "How do I configure this in the endpoint configurator?" coming up... :) One of those things I will have to answer as well. :)

    And is it going to be on your global HowTo list? http://www.sunshinenetworks.com.au/how-to.html
     
  4. sunshinenetworks

    Thanks for the karma guys.

    As Lee suggested, I have removed the port changing part, and used standard port 5060 in the article, this indeed makes for much easier reading. All (public) articles that we publish are on our HowTo list.
     
  5. rphenix

    It's a very cool concept, now I don't need my users to establish VPNs if they are on dynamic IPs B)
     
  6. nsumner

    It's a great concept that I am probably going to implement early next week. About 3 months ago I had an attack on my PBX because a vendor left a "test" extension that was supposed to have been deleted on the system (they used it for testing for 15 minutes and then just neglected to delete it).

    Since then I have done a fair bit of work to make sure it doesn't happen again. Although the damage was relatively low at about $500 (my supplier noticed the pattern was irregular and terminated the line until they could get me on the phone), it was still too much.

    This should seriously help and make it very difficult for the casual attacker to get through.
     
