IT technologies have irreversibly become part of our daily lives and of every organization. As a result, a company may suffer large losses at the hands of intruders, the so-called hackers. At the same time IT technology remains very attractive and functional. For example, Asterisk IP telephony has access to the Internet and may become an easy target for attackers. Consequently, when deploying IP telephony an organization must take into account risks such as:

  • Interception of data – loss of privacy, misrepresentation
  • Breaking into the server through its vulnerabilities
  • DDoS attacks aimed at making the service unavailable
  • Resale of call traffic (toll fraud)

The last one is the most profitable for hackers. By breaking into an IP PBX an attacker can redirect calls to expensive international numbers and have the proceeds transferred into his e-wallet. So let’s look closer at this scheme.

There are so-called traffic drain exchanges. A hacker registers at such an exchange and is assigned a set of numbers. Using dummy servers, the hacker breaks into an IP PBX and redirects calls to his own premium-rate numbers. The calls are usually sent abroad (typically to Cuba, Palestine, Latvia, etc.).

Since call rates to such destinations are high, hackers make good money. Because telephony systems are sometimes poorly protected, hackers find it easy to break into them at no cost to themselves. As this kind of incident has become common, business owners mistakenly believe that Asterisk is not safe. However, this is not so: Asterisk has a number of security tools that beat the competition. Nevertheless, Asterisk servers do get cracked. Why does this happen? Unfortunately, there is no magic “Protect” button. Asterisk security lies in a number of settings that are often overlooked during the initial setup.

Asterisk VoIP Security Levels

When talking about Asterisk VoIP security we must keep in mind that the IT environment is as important as the Asterisk settings themselves.

IP PBX protection includes:

  • Organization of network security
  • Network structure
  • Monitoring of messages and logs
  • Asterisk configuration
  • Call routing plan (dialplan)
  • Linux security settings
  • Security of peripheral devices
  • Administrative measures

Thus, the security of Asterisk is not entirely within the administrator’s competence. Because there is a boxed version of Asterisk that is set up once and never touched again, many people forget about the general organization of security, and Asterisk is mistakenly called insecure.

Typical errors of inexperienced administrators:

  • Weak passwords on internal extensions
  • No firewall: iptables disabled or not configured
  • No software updates
  • Default passwords on the web interface and equipment
  • Network structure (if Asterisk has an external IP it can be attacked from the outside)
  • Configuration errors
  • Lack of constant monitoring

When using systems of this level, a firewall is a must. Linux has a built-in firewall, iptables, but it does little by default and needs professional configuration. There is other firewall software as well, and the main objective remains the same – a proper configuration for effective protection.

With the introduction of IP telephony, administrators have to pay attention to the network layout. Sometimes Asterisk is connected to the network in a far from safe way. Being directly reachable from the Internet exposes Asterisk to danger: any weak password or a vulnerability in an old version turns Asterisk into attractive bait. In the best case a hacker will cause a denial of phone service, in the worst case a bill for international calls. Regular updates and complex passwords are not the best remedy on their own. The risk of intrusion may be reduced by using a dedicated firewall.

The firewall passes outgoing traffic to the SIP provider and filters the return traffic according to the rules. Remote office users work through a VPN. Thus, Asterisk is no longer visible from the Internet.
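An added example (not from the original article) of the firewall design just described, written for iptables: outgoing traffic and its replies pass, SIP and RTP are accepted only from the provider, the office LAN and the VPN subnet, and everything else is logged and dropped. All addresses are constructed placeholders, and the RTP port range assumes Asterisk’s default rtp.conf.

```shell
#!/bin/sh
# Added example, not part of the original article. Addresses are
# constructed placeholders; replace them with your own ranges.
PROVIDER_IP="${PROVIDER_IP:-203.0.113.10}"   # SIP provider (signalling and media)
LAN_NET="${LAN_NET:-192.168.10.0/24}"        # office LAN with the IP phones
VPN_NET="${VPN_NET:-10.8.0.0/24}"            # remote users arrive over the VPN
ADMIN_NET="${ADMIN_NET:-192.168.10.0/28}"    # only these hosts may reach SSH
DRY_RUN="${DRY_RUN:-1}"                      # 1 = print the rules, 0 = apply them

# Wrapper so the same function can either preview or apply the rule set
ipt() {
  if [ "$DRY_RUN" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

asterisk_firewall() {
  ipt -F INPUT
  ipt -A INPUT -i lo -j ACCEPT
  # return traffic for connections Asterisk itself opened (REGISTER, INVITE, RTP)
  ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  ipt -A INPUT -m conntrack --ctstate INVALID -j DROP
  ipt -A INPUT -p tcp --dport 22 -s "$ADMIN_NET" -j ACCEPT
  # SIP signalling (5060/udp) and RTP media (10000-20000/udp, the rtp.conf
  # default) only from the provider, the LAN and the VPN; the Internet never sees the PBX
  for net in "$PROVIDER_IP" "$LAN_NET" "$VPN_NET"; do
    ipt -A INPUT -p udp --dport 5060 -s "$net" -j ACCEPT
    ipt -A INPUT -p udp --dport 10000:20000 -s "$net" -j ACCEPT
  done
  # log (rate limited) the SIP probes that still reach the host, then drop everything else
  ipt -A INPUT -p udp --dport 5060 -m limit --limit 5/min -j LOG --log-prefix "SIP-DROP: "
  ipt -A INPUT -j DROP
  # policies are set last so an administrator's SSH session survives the rebuild
  ipt -P INPUT DROP
  ipt -P FORWARD DROP
  ipt -P OUTPUT ACCEPT                     # outgoing traffic to the provider passes
}

# Sanity check: how many rules admit SIP signalling (one per trusted source)
count_sip_sources() {
  ( DRY_RUN=1; asterisk_firewall ) | grep -c -- '--dport 5060 -s'
}

asterisk_firewall
```

Run with DRY_RUN=1 (the default) to review the rules, then DRY_RUN=0 as root to apply them.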

All authorized and unauthorized actions of the IP PBX and Asterisk are recorded in a log. Therefore, it is important to monitor the logs in order to identify possible security threats. It is recommended to watch for multiple connections, password-guessing attempts, sudden bursts of activity, etc. For this purpose we advise using Fail2ban, which can be combined with Asterisk, Apache, SSH and other services. The basic principle of log analysis is “find and disable”: analyze any suspicious activity in the logs and block it at once.

The logs must also be stored on a remote server, in case an intruder tries to remove traces from the local log files.
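The “find and disable” principle as an added example (not from the original article): a POSIX shell script that reads Asterisk’s messages log, counts failed registrations per source address, and emits a block rule for every address over a threshold, which is what Fail2ban automates with a ban time. The log lines are constructed samples in the chan_sip format, and the threshold of 3 is an assumed value.

```shell
#!/bin/sh
# Added example, not from the original article. The log lines are constructed
# samples in the format chan_sip writes to /var/log/asterisk/messages.
sample_log() {
cat <<'EOF'
[2024-03-01 10:15:02] NOTICE[1234] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2024-03-01 10:15:03] NOTICE[1234] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2024-03-01 10:15:04] NOTICE[1234] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2024-03-01 10:15:05] NOTICE[1234] chan_sip.c: Registration from '"103" <sip:103@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2024-03-01 10:15:09] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.168.10.44:5060' - Wrong password
[2024-03-01 10:15:30] NOTICE[1234] chan_sip.c: Registration from '"200" <sip:200@203.0.113.5>' failed for '192.168.10.44:5060' - Wrong password
[2024-03-01 10:15:31] NOTICE[1234] chan_sip.c: Peer '200' is now Reachable. (12ms / 2000ms)
EOF
}

# "find": print every source address with at least $1 failed registrations
# (default 3) as "IP count". Splitting on the single quote puts the
# 'IP:port' field of a failed REGISTER into $4; the internal phone 192.168.10.44
# with two typos stays below the threshold and is not blocked.
find_bruteforce() {
  awk -F "'" -v thr="${1:-3}" '
    /Registration from .* failed for/ {
      split($4, addr, ":")           # drop the source port
      fails[addr[1]]++
    }
    END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }'
}

# "disable": one drop rule per flagged address; DRY_RUN=1 (default) only prints it
disable_sources() {
  while read -r ip count; do
    if [ "${DRY_RUN:-1}" = "1" ]; then
      echo "iptables -I INPUT -s $ip -j DROP   # $count failed registrations"
    else
      iptables -I INPUT -s "$ip" -j DROP
    fi
  done
}

# On a live system: find_bruteforce 3 < /var/log/asterisk/messages | disable_sources
sample_log | find_bruteforce 3 | disable_sources
```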

As we mentioned earlier, Asterisk is capable of protecting itself through proper configuration, which may vary depending on the conditions of the system. Thus, you can set restrictions on networks and on the number of concurrent connections, change the default port, and so forth.

The dialplan is the call routing plan. With its proper configuration the system becomes much more secure. The dialplan lets you allocate users’ rights: for example, it can allow only some users to make calls to international destinations or mobile phones, record attempts to make prohibited calls, and notify users about their personal limits.

This plan is very flexible and easy to adjust. In a nutshell, you can implement any policy on the use of telephones in your company.
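An extensions.conf fragment, added here as an example (not from the original article), that implements the rights described above: a default class allowed only domestic calls, an international class, a shared cap on concurrent trunk calls, and logging plus a spoken notice for every prohibited attempt. The North-American number patterns, the trunk name provider and the limit of 5 calls are assumptions.

```ini
; Added example, not part of the original article. Number patterns are
; North-American style and "provider" is a placeholder trunk name; adapt both.
; Endpoints get their class via context= in pjsip.conf (or sip.conf).

[sub-limit]
; Shared cap on simultaneous trunk calls (5 is an assumed value); the
; GROUP() assignment counts this channel too, so > 5 refuses the sixth call
exten => s,1,Set(GROUP()=trunk-out)
 same => n,GotoIf($[${GROUP_COUNT(trunk-out)} > 5]?busy)
 same => n,Return()
 same => n(busy),Log(NOTICE,Concurrent call limit reached by ${CALLERID(num)})
 same => n,Congestion()

[sub-denied]
; Record the prohibited attempt and tell the caller about the limit
exten => s,1,Log(WARNING,Denied call to ${ARG1} from extension ${CALLERID(num)})
 same => n,Playback(feature-not-avail-line)
 same => n,Hangup()

[outbound-national]
; Default class: domestic numbers only
exten => _1NXXNXXXXXX,1,Gosub(sub-limit,s,1)
 same => n,Dial(PJSIP/${EXTEN}@provider,60)
 same => n,Hangup()
; International prefix: logged and refused for this class
exten => _011.,1,Gosub(sub-denied,s,1(${EXTEN}))

[outbound-intl]
; Privileged class: its own _011. pattern is matched before the included
; context, so the denial rule in outbound-national is never reached
exten => _011.,1,Gosub(sub-limit,s,1)
 same => n,Dial(PJSIP/${EXTEN}@provider,60)
 same => n,Hangup()
include => outbound-national
```

The WARNING lines written by Log() land in the messages file, so the same log monitoring that catches registration attacks also shows which extension keeps trying to dial abroad.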

Asterisk is installed on a variety of Linux distributions. Like Asterisk, Linux can be customized for its own defense. When you install Asterisk, it loads a set of modules that are not needed for your work; such modules should be disabled. Unneeded Linux services must be disabled as well. If the administrator needs remote access to the server, this connection must comply with all security rules.

Equipment connected to Asterisk needs to be protected as well as the software. To protect the equipment it’s necessary to:

  • Carry out regular software updates for devices
  • Place IP equipment on a separate VLAN
  • Hide the devices behind the firewall
  • Turn off the web interface
  • Change the default ports

When everything is configured correctly, a hack is still possible but with minimal probability. That is why the following administrative measures also need to be taken:

  • If you don’t use international calls, disable this function
  • Restrict the operator’s account
  • Secure PCs and smartphones
  • Change passwords when administrators change
  • Staff training
  • Continuous monitoring and auditing

When the whole Asterisk telephony system is properly configured it becomes one of the most protected systems, with great functionality and capabilities not inferior to vendors such as Cisco and Avaya. As for the poor hacking statistics of Asterisk, we stress that they can be explained by a lack of attention to security settings at the system setup stage.