Is your Asterisk Server Secure?

Do you know?
You can be held responsible for thousands of dollars of calls made from your Asterisk server.
Your system can be used to spam people.
Your system can be used for fraudulent activities.
Your customers can be out of service until you notice the problem and fix it.

How?
Weak passwords on extensions.
Allowing registration from unknown networks.
Weak root passwords on your system.
Weak passwords for admin accounts.

So by now you must understand why it is so important to secure your VoIP system: not only to save you from monetary losses, but also to protect you from legal or ethical issues.

Here are a few important things that you must do.

- Use strong passwords.
- Allow registration only from trusted networks.
- Limit the types of calls each extension can make.
- Limit the number of calls, or the number of minutes, an extension can make in a day.
- Run automated scripts to monitor the activity on all the extensions of your system.
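The last two items above (a daily per-extension limit on calls or minutes, and an automated script that watches extension activity) can be combined into one monitor over the call detail records Asterisk already writes. The script below is an added example written for this post; it is not code from the original article or from the Asterisk project. It assumes the column order of Asterisk's cdr_csv module (Master.csv) and that the `src` column holds the calling extension; the CDR rows and the thresholds are constructed for the example.

```python
"""Flag extensions whose daily call volume exceeds a policy threshold.

Added example for this post, not code from the original article or from
Asterisk. It assumes the column order written by Asterisk's cdr_csv module
(Master.csv) and that the 'src' column holds the calling extension. The
CDR rows below are constructed for this example.
"""
import csv
from collections import defaultdict
from datetime import datetime

# Column order of Asterisk's cdr_csv Master.csv (18 fields, no header row).
CDR_FIELDS = [
    "accountcode", "src", "dst", "dcontext", "clid", "channel", "dstchannel",
    "lastapp", "lastdata", "start", "answer", "end", "duration", "billsec",
    "disposition", "amaflags", "uniqueid", "userfield",
]

# Constructed sample: 1001 behaves normally; 1002 places six long calls to an
# international number between 02:00 and 03:30, the shape toll fraud takes.
SAMPLE_CDR = """\
"","1001","5551234","internal","Alice <1001>","SIP/1001-00000001","SIP/trunk-00000002","Dial","SIP/trunk/5551234,30","2024-05-01 09:02:11","2024-05-01 09:02:15","2024-05-01 09:05:40","209","205","ANSWERED","DOCUMENTATION","1714554131.1",""
"","1001","5559876","internal","Alice <1001>","SIP/1001-00000003","SIP/trunk-00000004","Dial","SIP/trunk/5559876,30","2024-05-01 14:10:00","","2024-05-01 14:10:30","30","0","NO ANSWER","DOCUMENTATION","1714572600.3",""
"","1002","0119876543210","internal","Bob <1002>","SIP/1002-00000005","SIP/trunk-00000006","Dial","SIP/trunk/0119876543210,30","2024-05-01 02:00:00","2024-05-01 02:00:05","2024-05-01 02:11:45","705","700","ANSWERED","DOCUMENTATION","1714528800.5",""
"","1002","0119876543210","internal","Bob <1002>","SIP/1002-00000007","SIP/trunk-00000008","Dial","SIP/trunk/0119876543210,30","2024-05-01 02:15:00","2024-05-01 02:15:05","2024-05-01 02:26:45","705","700","ANSWERED","DOCUMENTATION","1714529700.7",""
"","1002","0119876543210","internal","Bob <1002>","SIP/1002-00000009","SIP/trunk-00000010","Dial","SIP/trunk/0119876543210,30","2024-05-01 02:30:00","2024-05-01 02:30:05","2024-05-01 02:41:45","705","700","ANSWERED","DOCUMENTATION","1714530600.9",""
"","1002","0119876543210","internal","Bob <1002>","SIP/1002-00000011","SIP/trunk-00000012","Dial","SIP/trunk/0119876543210,30","2024-05-01 02:45:00","2024-05-01 02:45:05","2024-05-01 02:56:45","705","700","ANSWERED","DOCUMENTATION","1714531500.11",""
"","1002","0119876543210","internal","Bob <1002>","SIP/1002-00000013","SIP/trunk-00000014","Dial","SIP/trunk/0119876543210,30","2024-05-01 03:00:00","2024-05-01 03:00:05","2024-05-01 03:11:45","705","700","ANSWERED","DOCUMENTATION","1714532400.13",""
"","1002","0119876543210","internal","Bob <1002>","SIP/1002-00000015","SIP/trunk-00000016","Dial","SIP/trunk/0119876543210,30","2024-05-01 03:15:00","2024-05-01 03:15:05","2024-05-01 03:26:45","705","700","ANSWERED","DOCUMENTATION","1714533300.15",""
"""

# Policy thresholds per extension per calendar day (assumed values).
MAX_CALLS_PER_DAY = 5
MAX_MINUTES_PER_DAY = 60


def parse_cdr(text):
    """Parse CDR CSV text into a list of dicts keyed by CDR_FIELDS."""
    return list(csv.DictReader(text.splitlines(), fieldnames=CDR_FIELDS))


def daily_usage(records):
    """Aggregate call count and billed seconds per (src, day).

    Unanswered attempts still count as calls: a compromised account that is
    probing for a working route produces many short or failed attempts.
    """
    usage = defaultdict(lambda: {"calls": 0, "billsec": 0})
    for rec in records:
        day = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S").date().isoformat()
        bucket = usage[(rec["src"], day)]
        bucket["calls"] += 1
        bucket["billsec"] += int(rec["billsec"] or 0)
    return usage


def find_violations(records, max_calls=MAX_CALLS_PER_DAY, max_minutes=MAX_MINUTES_PER_DAY):
    """Return one entry per (src, day) that breaks either daily limit."""
    violations = []
    for (src, day), u in sorted(daily_usage(records).items()):
        minutes = round(u["billsec"] / 60, 1)
        reasons = []
        if u["calls"] > max_calls:
            reasons.append(f"{u['calls']} calls > {max_calls}")
        if minutes > max_minutes:
            reasons.append(f"{minutes} min > {max_minutes}")
        if reasons:
            violations.append({"src": src, "day": day, "calls": u["calls"],
                               "minutes": minutes, "reasons": reasons})
    return violations


if __name__ == "__main__":
    # In production read the real file (the cdr_csv default is
    # /var/log/asterisk/cdr-csv/Master.csv) instead of SAMPLE_CDR.
    for v in find_violations(parse_cdr(SAMPLE_CDR)):
        print(f"ALERT {v['src']} on {v['day']}: " + "; ".join(v["reasons"]))
```

Run it from cron a few times a day and route the alert lines to whoever can disable the extension; the thresholds are deliberately low so that the script catches a burst of fraud calls within the day rather than after the monthly bill arrives.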

This link has nice tips:
http://blogs.digium.com/2009/03/28/sip-security/
Here I have copied the important steps.

1) Don’t accept SIP authentication requests from all IP addresses. Use the “permit=” and “deny=” lines in sip.conf to only allow a reasonable subset of IP addresses to reach each listed extension/user in your sip.conf file. Even if you accept inbound calls from “anywhere” (via [default]) don’t let those users reach authenticated elements!
2) Set “alwaysauthreject=yes” in your sip.conf file. This option has been around for a while (since 1.2?) but the default is “no”, which allows extension information leakage.  Setting this to “yes” will reject bad authentication requests on valid usernames with the same rejection information as with invalid usernames, denying remote attackers the ability to detect existing extensions with brute-force guessing attacks.
3) Use STRONG passwords for SIP entities. This is probably the most important step you can take. Don’t just concatenate two words together and suffix it with “1” – if you’ve seen how sophisticated the tools are that guess passwords, you’d understand that trivial obfuscation like that is a minor hindrance to a modern CPU. Use symbols, numbers, and a mix of upper and lowercase letters at least 12 digits long.
4) Block your AMI manager ports. Use “permit=” and “deny=” lines in manager.conf to reduce inbound connections to known hosts only.  Use strong passwords here, again at least 12 characters with a complex mix of symbols, numbers, and letters.
5) Allow only one or two calls at a time per SIP entity, where possible. At the worst, limiting your exposure to toll fraud is a wise thing to do.  This also limits your exposure when legitimate password holders on your system lose control of their passphrase – writing it on the bottom of the SIP phone, for instance, which I’ve seen.
6) Make your SIP usernames different than your extensions. While it is convenient to have extension “1234” map to SIP entry “1234” which is also SIP user “1234”, this is an easy target for attackers to guess SIP authentication names. Use the MAC address of the device, or some sort of combination of a common phrase + extension MD5 hash (example: from a shell prompt, try “md5 -s ThePassword5000”)
7) Ensure your [default] context is secure.  Don’t allow unauthenticated callers to reach any contexts that allow toll calls.  Permit only a limited number of active calls through your default context (use the “GROUP” function as a counter.)  Prohibit unauthenticated calls entirely (if you don’t want them) by setting “allowguest=no” in the [general] part of sip.conf.
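Steps 1, 2, 3, 5, 6 and 7 above are all settings or naming choices in sip.conf, so they can be checked mechanically. The script below is an added example written for this post, not code from the Digium article or from the Asterisk project. It parses sip.conf’s INI-like format (sections, key=value lines, “;” comments, repeated keys) and audits exactly the points the steps name: alwaysauthreject=yes and allowguest=no in [general], permit/deny lines and a call-limit on every SIP entity, a secret of at least 12 characters mixing character classes, and an entity name that is not the bare extension number. The weak and hardened configurations embedded in it are constructed; the MAC-style section name and the sample secret are made up for the example.

```python
"""Audit a sip.conf for the weak settings discussed in the SIP security steps.

Added example, not code from the original post, the Digium article or
Asterisk. It parses the INI-like sip.conf format and checks: [general] has
alwaysauthreject=yes and allowguest=no; every SIP entity (type=friend/peer/
user) has permit/deny lines, a call-limit, a secret of at least 12 chars
mixing character classes, and a name that is not the bare extension number.
Both configurations below are constructed for this example.
"""
import re
from collections import defaultdict

# Constructed: the "convenient" setup the steps warn about.
WEAK_SIP_CONF = """\
[general]
context=default
allowguest=yes

[1234]                    ; SIP name equals the extension
type=friend
secret=password1
context=internal
host=dynamic
"""

# Constructed: the same peer hardened along the lines of steps 1-7.
HARDENED_SIP_CONF = """\
[general]
context=default
allowguest=no             ; step 7: no unauthenticated calls
alwaysauthreject=yes      ; step 2: no extension enumeration

[a1b2c3d4e5f6]            ; step 6: MAC-style name, not the extension
type=friend
secret=Xy7!qLm2#Vp9zR     ; step 3: 14 chars, mixed classes (example value)
context=internal
host=dynamic
deny=0.0.0.0/0.0.0.0      ; step 1: deny everything ...
permit=192.168.10.0/255.255.255.0   ; ... then permit the phone subnet
call-limit=2              ; step 5: at most two concurrent calls
"""

SIP_ENTITY_TYPES = ("friend", "peer", "user")


def parse_asterisk_conf(text):
    """Return {section: [(key, value), ...]}, keeping repeated keys in order."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()        # drop ';' comments
        if not line:
            continue
        header = re.match(r"\[([^\]]+)\]", line)
        if header:
            current = header.group(1)
            sections.setdefault(current, [])       # keep empty sections too
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current].append((key.strip(), value.strip()))
    return dict(sections)


def get(section, key):
    """All values for a key in a section (sip.conf allows repeats)."""
    return [v for k, v in section if k == key]


def strong_secret(secret):
    """Step 3: at least 12 characters with lower, upper, digit and symbol."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return len(secret) >= 12 and all(re.search(p, secret) for p in classes)


def audit_sip_conf(text):
    """Return a list of human-readable findings; an empty list means clean."""
    conf = parse_asterisk_conf(text)
    findings = []
    general = conf.get("general", [])
    if get(general, "alwaysauthreject") != ["yes"]:
        findings.append("[general] alwaysauthreject is not 'yes' (extension enumeration possible)")
    if get(general, "allowguest") != ["no"]:
        findings.append("[general] allowguest is not 'no' (unauthenticated calls reach [default])")
    for name, body in conf.items():
        types = get(body, "type")
        if name == "general" or not types or types[-1] not in SIP_ENTITY_TYPES:
            continue
        if not get(body, "permit") and not get(body, "deny"):
            findings.append(f"[{name}] no permit/deny lines (accepts auth from any IP)")
        if not get(body, "call-limit"):
            findings.append(f"[{name}] no call-limit (unbounded concurrent calls)")
        secrets = get(body, "secret")
        if not secrets or not strong_secret(secrets[-1]):
            findings.append(f"[{name}] secret missing or weaker than 12 chars with mixed classes")
        if name.isdigit():
            findings.append(f"[{name}] SIP name is a bare extension number (easy to guess)")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SIP_CONF), ("hardened", HARDENED_SIP_CONF)):
        print(f"== {label}: {len(audit_sip_conf(conf))} finding(s)")
        for f in audit_sip_conf(conf):
            print("  " + f)
```

Point it at the live file instead of the embedded strings and run it after every configuration change; the weak sample produces six findings and the hardened one none. Two caveats: call-limit is the chan_sip knob for step 5, and newer Asterisk releases prefer the dialplan GROUP counter mentioned in step 7, so treat a missing call-limit as a prompt to confirm that a GROUP-based limit exists; and the permit/deny lines only help against registration from untrusted networks if the deny line really covers everything the permit lines do not.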
I hope this will keep you out of some trouble.
-Jai