Seguridad en PBX - Wiki

Seguridad en PBX

From Wiki

Revision as of 18:42, 5 September 2011 by George (Talk | contribs)
Jump to: navigation, search

Basados en la perspectiva de los miles de usuarios que tenemos en nuestro servicio, la mayoría de los casos de accesos no autorizados para hacer llamadas, pueden ser evitados siguiendo las siguientes sugerencias:

1. Utilizar contraseñas mas fuertes: Una de las cosas que la mayoría de la gente hace después de instalar su PBX, es crear una extensión con una fácil contraseña. Evite utilizar una contraseña corta o débil para sus extensiones, utilice al menos 8 caracteres e incluya mayúsculas, minúsculas a lo largo de sus dígitos. Recuerde cambiarlas periódicamente, al menos cada 2 ó 3 meses.

2. Internet Público: Evite dejar su sistema PBX, adaptadores ATA y teléfonos IP abiertos a Internet. No utilice el modo DMZ en su ruteador y no redireccione los puertos a su equipo a menos de que esté absolutamente seguro de lo que hace. Esto es necesario solo en algunos casos y solo déjelos abiertos a internet si tiene la experiencia para poder manejar la seguridad de su equipo adecuadamente.

3) Asterisk Tweak: If you are using an Asterisk based PBX, add the following line to the sip.conf file under the [general] section and issue a reload

alwaysauthreject = yes 

What this parameter does, is that it will always return an authentication error instead of a .404 not found:., even when the extension doesn't exist. This steps-up the difficulty for brute force scanners when they are attacking your PBX.

4) Trixbox, PBX In a Flash and other web interface based PBX: Change the default password. Different flavors of PBX installs come with default administration passwords. Make sure to change the default passwords immediately after your installation and also make sure the web interface is not reachable from the internet.

5) PBX Dial Plan: Do you make international calls? If no, do not allow international calls to be placed from your PBX. In Asterisk, remove ._011.. Or .00_. . Never use ._... If you are only calling a few countries on a regular basis, enable these countries only. For example: The only country you're calling is UK? Only configure _01144. In your dialplan.

6) Use additional caution while travelling: Do you plan on using a soft phone at a random internet cafe? Make sure you remove your login details after using it, and uninstall the software if possible.

7) Asterisk and Fail2ban: As an additional step you can install an additional security tool such as fail2ban, which is a free brute force detection system, it scans the log files of your PBX and then takes action based on the entries of those logs. ( We also offer the optional service of installing fail2ban into your Asterisk PBX. A trained linux Asterisk professional can install it on your system for a one time fee of $150 USD.

8) Have your PBX Equipment listen to a different port than 5060: If your PBX is open to the internet, you can drastically reduce scan / brute force attempts by using a different SIP Port for incoming connections.

9) Account restrictions: offer new options that can help for the security, refer to Main Menu >> Account Settings >> select the tab "Account Restrictions" ( These settings define the restrictions the system will use when you place calls to either USA48, Canada or International Numbers. It is strongly suggested to use the restrictions by country, this tool will help you to avoid having calls to countries that you do not intend to reach at all.

There are various other measures that you can perform to secure your VoIP equipment, however this article covers some of the most important aspects. The technology and the methods used by abusers keep evolving constantly. By meeting the recommendations on this article you will have a more secure PBX system.

Personal tools
Actions Wiki Blog
Guides (English)
Guides (Français)
Guías (Español)