Page Contents
- PBX Configuration - adjust the settings of your PBX to minimize obvious attack surfaces
- Integrated Security - add software which integrates with your specific PBX to improve security
- Layered Security - add software/hardware around your PBX to improve security
Integrated Security
SecAst
SecAst is an intrusion detection and prevention system designed specifically to protect Asterisk phone systems against intrusion and fraud. SecAst uses a variety of techniques to detect intrusion attempts, halt ongoing attacks, and prevent future attacks. SecAst is available in three editions, including a free edition. SecAst can be downloaded from www.generationd.com; see also the wiki page SecAst (Asterisk Intrusion Detection and Prevention).
Fail2Ban
Fail2Ban is a free utility which looks at log files for records of failures (to register, etc.) and then adds their source IP to iptables.
See security warning regarding fail2ban - don't depend on it.
Layered Security
If you are looking to add layers around your PBX with generic protection:
Hardware Firewall
Most Asterisk boxes should be located behind a hardware firewall. Configure the firewall to block traffic from anyone that doesn't need to connect to you. Allow your VoIP provider, any remote phones/users, and others that may need to connect, but keep the restrictions as tight as possible. If you do have remote users, lock your firewall down to only allow those users to connect if possible, rather than opening it to the entire internet. If you have mobile users this may not be an option, however.
Other services, such as SSH, should be blocked by the hardware firewall.
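The lock-down advice above can be checked mechanically. The following is an added example, not part of the original page: it audits a constructed WAN-side rule set for SSH exposure and for ports opened to the entire internet, then shows the effect of removing those rules. The rule format, the addresses (documentation ranges) and the function names are assumptions made for illustration.

```python
import ipaddress

SSH_PORT = 22  # standard SSH port

# Constructed rule set in a hypothetical format:
# (action, source CIDR, protocol, first port, last port); first match wins.
RULES = [
    ("allow", "198.51.100.10/32", "udp", 5060, 5060),    # VoIP provider, SIP
    ("allow", "198.51.100.10/32", "udp", 10000, 20000),  # provider RTP (Asterisk default range)
    ("allow", "203.0.113.0/29", "udp", 5060, 5060),      # remote office phones
    ("allow", "0.0.0.0/0", "tcp", 22, 22),               # weak: SSH open to everyone
    ("allow", "0.0.0.0/0", "udp", 5060, 5060),           # weak: SIP open to everyone
]

def decide(rules, src, proto, port):
    """First-match evaluation; anything unmatched is denied."""
    addr = ipaddress.ip_address(src)
    for action, cidr, rproto, lo, hi in rules:
        if rproto == proto and lo <= port <= hi and addr in ipaddress.ip_network(cidr):
            return action
    return "deny"

def audit(rules):
    """Return (rule number, finding) for allow rules that contradict the advice."""
    findings = []
    for n, (action, cidr, proto, lo, hi) in enumerate(rules, 1):
        if action != "allow":
            continue
        if proto == "tcp" and lo <= SSH_PORT <= hi:
            findings.append((n, "SSH reachable through the firewall"))
        if ipaddress.ip_network(cidr).prefixlen == 0:
            findings.append((n, "ports open to the entire internet"))
    return findings

def harden(rules):
    """Drop every rule the audit flagged, keeping the specific allow rules."""
    flagged = {n for n, _ in audit(rules)}
    return [r for n, r in enumerate(rules, 1) if n not in flagged]

if __name__ == "__main__":
    for n, finding in audit(RULES):
        print(f"rule {n}: {finding}")
    tight = harden(RULES)
    for src in ("198.51.100.10", "203.0.113.5", "192.0.2.77"):
        print(src, decide(RULES, src, "udp", 5060), "->", decide(tight, src, "udp", 5060))
```

With mobile users whose addresses change, the last rule may have to stay, as noted above; the audit then serves as a record of what is knowingly left open.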