Stop asterisk from being hijacked

[dlewis]

I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:

Code: [Select]

asterisk : proxy01.sipphone.com : allow
asterisk : 192.168.80. : allow
asterisk : localhost : allow
asterisk : ALL : deny

Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

Good points Thom... LegoGT, please still make the trac entry with the notes/comments referenced by myself and Thom.

[LegoGT]

I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:

Code: [Select]

asterisk : proxy01.sipphone.com : allow
asterisk : 192.168.80. : allow
asterisk : localhost : allow
asterisk : ALL : deny

Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

Good points Thom... LegoGT, please still make the trac entry with the notes/comments referenced by myself and Thom.

No problem. I'll add it tonight.

[dlewis]

A reason why we should work on the security of our asterisk installation:

http://www.usken.no/2009/03/26/get-the-password-from-any-sip-device-its-fully-possible/

Linksys SPA2102 is one of the devices they successfully penetrated.

[tschak909]

oh _yeah_

-Thom

[LegoGT]

This was my first submission to Trac so be easy on me! I think it's in there correctly (http://svn.linuxmce.org/trac.cgi/ticket/188) but let me know if I missed something so I can do it properly next time.