VoIP Mailing List Archives

[duncan at e-simple.co.nz]

Hi All

For the scenario of a single asterisk server that needs to serve clients
on the net, as well as local office clients, I would be very interested
in people's views of the best method to handle security to prevent net
based attacks while still allowing the client access.

Some of the challenges I see are:
- preventing brute force and bot type attacks
- monitoring for unusual events and notifying and acting appropriately
- limiting damage if someone does get in
- avoiding a Denial or degradation of service on your asterisk platform
- making it easy for staff to use

Some of this can be done with
- firewall control - but its hard to limit where your clients will come
from, besides restricting ports
- scripts monitoring logs, I saw a recipe for checking password failures
then blocking that ip after x failures, I imagine this could get quite
sophisticated
- using separate restrictions for offnet users but this kind of makes it
harder for the staff members.
- using a proxy in front of asterisk for SIP, to limit the available
extensions and minimise the scanning impact on the asterisk box. I am
hoping this could detect and prevent illegitimate or poorly formed
requests or unknown user agents. Staff should be using a standard set.
- using iax softclients to shift the attack requirements - I don't know
much about how well these work
- running all clients over a vpn e.g open vpn, but this is not so good
for wireless handsets or other devices that can't do a vpn

I am interested in all views and recommendations

Thanks very much

Cheers Duncan