Securing an Asterisk-based VoIP server is absolutely necessary before putting it into production. There is no shortage of hackers constantly scanning for insecure Asterisk servers, and once they break into one they waste no time using it to place expensive phone calls. It takes merely a few minutes to generate enough calls to cause a few hundred dollars of damage to the owner of the compromised server. It usually takes a few hours before the owner notices that something fishy is going on, and by then the loss can already run to a few thousand dollars.
There are various measures for securing a Linux server. On the Asterisk side, international calling and other expensive destinations MUST be disabled for all new users by default, and only trusted users should be allowed to dial them. That way, even if such a server is compromised, the loss will be minimal.
Here we'll discuss how to use Linux's built-in firewall, iptables, to secure a Linux server.
You should know that TCP/IP networks are very trusting: they assume everyone else in the world is equally innocent, and so they know nothing of hackers, criminals and similar inhabitants of the world. They welcome all network traffic with an open heart and offer it the best hospitality they can.
This means that all Linux servers are wide open to network traffic by default and their network connections are completely unprotected: they accept traffic on all ports from all IP addresses and respond to every request.
Blocking access for all except for the selected ones
If the server doesn't need to be accessible to everybody and only a select few IPs or networks should be able to reach it, the first step is to block ALL incoming network traffic. This must be done while logged onto the server locally (on the console), not remotely, otherwise you would block yourself out too.
iptables -P INPUT DROP
Next, allow the IP addresses that you want to be able to reach the server. For example, to give access to google.com at 173.194.32.104:
iptables -I INPUT -s 173.194.32.104 -j ACCEPT
If you don't have local access to the server and are logged in via ssh or telnet, you can instead do the following (note that the exclamation mark negating the match goes before the -s option):
iptables -A INPUT ! -s 173.194.32.104 -j DROP
This drops all incoming traffic except from the given IP address. Be careful with this command: a mistake in the IP address will lock you out of the system.
If you want to allow your local network to access the server, and the network address is 192.168.1.0 with a netmask of 255.255.255.0, do this:
iptables -I INPUT -i eth1 -s 192.168.1.0/24 -j ACCEPT
If you have multiple network interfaces and want a rule to apply to only selected one(s), name the interface with the -i option; e.g. for eth0:
iptables -I INPUT -i eth0 -s 173.194.32.104 -j ACCEPT
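The rules above, put together as an added example that is not part of the original post. It builds the whole allow-list in a lockout-safe order: the ACCEPT rules for loopback, already-established connections, the admin host and the LAN phones go in first, and only then is the INPUT policy flipped to DROP, so an SSH session from the admin host survives the change. The admin address 203.0.113.10 is a constructed placeholder; the LAN network and interface are the post's own; the RTP range 10000-20000/udp is Asterisk's default media range and is an assumption about your rtp.conf. The script prints the commands unless you set DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): build an allow-list INPUT
# chain for an Asterisk host in a lockout-safe order.
# DRY_RUN=1 (the default) prints the iptables commands instead of running
# them; set DRY_RUN=0 as root to apply them for real.

ADMIN_IP="203.0.113.10"      # constructed placeholder: the one host allowed to SSH in
LAN_NET="192.168.1.0/24"     # from the post: the local network
LAN_IF="eth1"                # from the post: the interface facing the LAN
DRY_RUN="${DRY_RUN:-1}"

# Wrapper: echo the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

build_allowlist() {
    # 1. Keep traffic that must keep flowing: loopback (Asterisk's own AMI/CLI
    #    connections use 127.0.0.1) and replies to connections the server opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # 2. Management access (SSH) from the single trusted admin host only.
    ipt -A INPUT -p tcp -s "$ADMIN_IP" --dport 22 -j ACCEPT
    # 3. Phones on the LAN: SIP signalling on UDP and TCP 5060, plus the RTP
    #    media range (assumed: Asterisk's default rtpstart/rtpend of 10000-20000).
    ipt -A INPUT -i "$LAN_IF" -p udp -s "$LAN_NET" --dport 5060 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p tcp -s "$LAN_NET" --dport 5060 -j ACCEPT
    ipt -A INPUT -i "$LAN_IF" -p udp -s "$LAN_NET" --dport 10000:20000 -j ACCEPT
    # 4. Only now, with every ACCEPT rule in place, make DROP the default,
    #    so the admin's SSH session is not cut off by the policy change.
    ipt -P INPUT DROP
}

# Number of commands the function emits in dry-run mode (seven).
rule_count() {
    ( DRY_RUN=1; build_allowlist ) | wc -l | tr -d ' '
}

build_allowlist
```

Because the DROP policy is set last, you can run this over SSH from the admin host without the console access the post otherwise requires; everything not matched by an earlier ACCEPT is silently dropped from that point on.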
Blocking access for SIP connections
To block one IP address from reaching the SIP port:
iptables -A INPUT -p tcp -s 173.194.32.104 --dport 5060 -j DROP
Or, conversely, if you put an exclamation mark before the -s option, it blocks all SIP connections except from this one IP address:
iptables -A INPUT -p tcp ! -s 173.194.32.104 --dport 5060 -j DROP
This approach on its own, however, is of limited use: if you block a hacker from one port, he may simply try other ports. So a hacker should be blocked altogether.
DROP vs REJECT
Using REJECT in iptables notifies the hacker that he is being rejected. Our intention is that the hacker should get no response at all to his hack attempt, which is why we use DROP. Otherwise we could have used something like
iptables -A INPUT -p TCP -s 173.194.32.104 --dport 5060 -j REJECT
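The SIP-port rules of the last two sections, as an added example that is not part of the original post. Two things are worth adding to the post's rules: Asterisk's SIP signalling listens on UDP 5060 by default (TCP is optional), so a rule that matches only tcp leaves the usual transport open, and the post's own warning that a typo in the address locks you out is easy to guard against by validating the address before any rule is added. The function takes DROP (the post's recommendation) or REJECT as its second argument so the two variants can be compared. 173.194.32.104 is the post's example address; the helper and function names are mine. As in the previous example, commands are printed unless DRY_RUN=0.

```shell
#!/bin/sh
# Added example (not from the original post): block one source address on
# the SIP signalling port for both UDP and TCP, after checking that the
# address is a well-formed IPv4 address so a typo cannot produce a rule
# that matches the wrong hosts (or no host at all).

DRY_RUN="${DRY_RUN:-1}"

# Wrapper: echo the command in dry-run mode, otherwise execute it.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Accept only a dotted quad with four octets in 0-255; return 1 otherwise.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|"") return 1 ;;   # anything but digits and dots, or empty
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                        # split into octets (function-local positionals)
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Add rules for one address on UDP and TCP 5060.
# $1 = source address, $2 = target (DROP by default, or REJECT).
block_sip_source() {
    addr=$1
    action=${2:-DROP}
    if ! valid_ipv4 "$addr"; then
        echo "refusing to add rule: '$addr' is not an IPv4 address" >&2
        return 1
    fi
    # UDP first: it is the transport chan_sip listens on out of the box.
    ipt -A INPUT -p udp -s "$addr" --dport 5060 -j "$action"
    ipt -A INPUT -p tcp -s "$addr" --dport 5060 -j "$action"
}

# Silently drop the post's example address (no reply reaches the sender)...
block_sip_source 173.194.32.104
# ...versus REJECT, which answers with an ICMP error and so reveals the filter.
block_sip_source 173.194.32.104 REJECT
```

A mistyped address such as 173.194.32.1O4 (letter O) is refused before any rule is touched, and a truncated one such as 173.194.32 likewise; with the post's single-shot iptables commands the same typo would silently add a rule that never matches.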
Making it easier to understand
If the above iptables syntax looks a little confusing, you can also enter the same rule on the Linux command prompt using the long option names, one per line:
iptables \
  --append INPUT \
  --protocol tcp \
  --match tcp \
  --dport 5060 \
  --source 173.194.32.104 \
  --jump DROP
This syntax is easier to understand.
To Make the Changes Permanent
Changes made to iptables are lost on a reboot. As a good system admin you probably don't reboot a Linux server more than once every few years, but for that moment you need to have all these changes saved.
On Red Hat or Fedora systems, or the Red Hat clone CentOS, you can simply run:
service iptables save
On Debian or similar systems, including Ubuntu, do:
iptables-save > /etc/my.iptables.rules
Then open the file /etc/network/interfaces and add this line after 'iface lo inet loopback':
pre-up iptables-restore < /etc/my.iptables.rules
Best tutorial I found !!!!!!!!! Thanks