Is your PBX secure?
If you are reading this, you're probably like most of us... after many hours, or even several days of downloading software, setting up servers, configuring trunks and cracking open firewall ports, you finally achieve success - your PBX is working, and calls are passing. So, you wipe the sweat from your forehead, push away your ergonomic mesh-backed office chair with lumbar support and walk away pleased - not giving a second thought to security. Until one day, you log into your PBX and see the skull-and-bones call sign of some hacker that has decided to pay you’re perfectly running PBX a visit.
As a SIP trunking provider, our support team at IPComms sees this very scenario many more than we’d like to. For those PBX owners who are lucky, they’re only faced with hours of down time and a complete system rebuild. However, unlike getting your personal computer hacked, hacking into a PBX’s offers instant access to your wallet for anyone who enters in the form of free phone calls. Giving a well-informed hacker just a single night inside your unsecured PBX, and you could easily loose thousands.
Hopefully, you’re here proactively, and not after the damage has been done. But, if not, at least you have learned your lesson and plan to do things right this time.
While PBX security, like most other security, requires constant attention, and is a continuous work-in-progress, there are some basic common sense steps that you can perform that will safeguard your system from the most common of attacks.
As mentioned in our “What is Telecom Fraud” blog, most hackers are not looking for a long drawn out hack and would much rather move on to easier targets if you would only put up a little fight. So we’ve put together a list of “11 steps to secure your Asterisk® PBX”. While this list speaks directly to Asterisk PBX owners, many of the steps can easily be carried over to most other IP PBX (VoIP) manufactures.
11 Steps to Secure your Asterisk PBX
- BE SURE THAT YOUR IP PBX AND ACCESS TO YOUR NETWORK IS SECURE AND LIMITED ONLY TO THOSE WITH APPROPRIATE ACCESS PERMISSIONS.
Physical security is very important and commonly overlooked.
- NEVER, NEVER, NEVER USE THE DEFAULT PASSWORDS ON ANY SYSTEM.
This is probably the most common way hackers enter IP PBX systems. When installing your IP PBX, the very first step should be to replace both the username and passwords of any account with administrator access. Secondly, when creating user accounts, be sure not to use or allow easy to guess passwords like “1234”, “password”, “companyname1” etc.
- NEVER USE THE SAME USERNAME AND PASSWORD ON YOUR EXTENSIONS.
This is another VERY common issue especially within the Asterisk community. Using password 101 for extension 101, is asking for big trouble. DON’T DO IT!
Example of what NOT to do on your extensions:
- PLACE YOUR PBX BEHIND A FIREWALL
Lets’s face it, working on your PBX from home or allowing co-workers access to the system remotely is necessary and often unavoidable. However, doing it correctly can be the difference between security success and total and utter failure. VPNs are a good way to limit access and enable co-worker remote management. Placing your PBX behind a firewall and Restrict remote access to your IP PBX to specific IP Address will greatly discourage even the most determined hacker. While hardware firewalls typically provide the most security, software firewalls can be just as effective and much cheaper (many are free).
Firewalls, of course, are only as good as the rules defined within them. So be sure to only activate ports that are absolutely essential to run your PBX. Block anonymous WAN requests (P-I-N-G). Lets face it, if they can find you, they can hack you.
- MAKE IT PRIVATE – NAT IS YOUR FRIEND!
When possible, place your IP PBX on a lan with Network Address Translation (NAT). NAT basically gives your IP PBX a private IP Address and makes it much more difficult to gain access to from the internet.
- KEEP INBOUND AND OUTBOUND ROUTING SEPARATE (Asterisk)
This is probably the biggest cause and source of toll fraud. By keeping your inbound call routing in a different context than your outbound routing, if an intruder does happen to make it in to your system, he can’t get back out again.
- LIMIT REGISTRATION BY EXTENSIONS TO YOUR LOCAL SUBNET.
Restrict the IP addresses your extensions can register on to the local subnet. Asterisk PBXs can use the ACL (permit/deny) in SIP.conf to block IP addresses. This can fend of brute force registration attempts.
- DISABLE CHANNELS AND SERVICES THAT ARE NOT IN USE
Disable channels that you aren’t using like skinny and MGCP. For Asterisk PBXs, you can “unload” these modules in the /etc/modules.conf file like this:
noload => chan_mgcp.so
noload => chan_skinny.so
noload => chan_oss.so
- MAKE IT HARDER FOR SIP SCANNERS
Set “alwaysauthreject=yes” in your sip configuration file. What this does is prevent Asterisk from telling a sip scanner which are valid extension numbers. Install a SIP port firewall. This will block “scanning” of port 5060 and can disable the attempting endpoint for specific time when it detects a violation.
- LIMIT AND RESTRICT DIAL PLANS
Restrict calling to high-cost calling destination and don’t allow calling to 0900 + Premium numbers)
- AUDIT YOUR SYSTEM SECURITY REGULARLY
Once you’ve reached this point, its not a bad idea to put your Hacker hat on, and have a try at your own system. Think like a hacker and try to look for weaknesses or holes in your system security. It is a good idea to review your system security regularly. Don’t sleep on security… you can guaranty that thieves aren’t.
The above steps mainly focus on PBX calling and traffic security and does not cover topics related to software protection (e.g. protection against Spyware, Trojans or viruses). These are also very important and should also be taken into consideration when securing & protecting your PBX.