Hello ILUGgers,
As many of you may be Asterisk owners or maintainers, I think this
mailing list is a good place to highlight the importance of making sure
security has been considered.
We have noticed an increase in compromised Asterisk systems lately
(on the positive side, this is partly a result of its increased popularity).
With installations on the 'up', it's expected that many less experienced
users will be installing without thinking about security. Unlike most
Linux installs, a poorly installed Asterisk system can be an EXPENSIVE
mistake.
The typical Asterisk attack is a port scan on 5060 followed by
brute-force registration attempts on extensions from 1000 to 1999. Often new
installers will test using 1000/test123, or similar, and forget all
about it.
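The pattern just described (one source walking extension after extension and failing registration) is visible in the Asterisk log. The following is an added example, not part of the original post, that picks those failures out of sample log lines and flags a source that fails more than a handful of times within a short window. The log lines are constructed for the example; the message format mirrors the chan_sip "Registration from ... failed for ..." NOTICE, and the 60-second/5-failure threshold is an assumption to tune for your own traffic.

```python
"""Spot SIP registration brute force in Asterisk log lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one scanner at 198.51.100.7 counts through extensions
# 1000..1005 in a few seconds; one legitimate user (alice) mistypes once.
SAMPLE_LOG = """\
[Jan 10 12:00:01] NOTICE[2211] chan_sip.c: Registration from '"1000" <sip:1000@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 10 12:00:01] NOTICE[2211] chan_sip.c: Registration from '"1001" <sip:1001@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Jan 10 12:00:02] NOTICE[2211] chan_sip.c: Registration from '"1002" <sip:1002@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Jan 10 12:00:02] NOTICE[2211] chan_sip.c: Registration from '"1003" <sip:1003@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 10 12:00:03] NOTICE[2211] chan_sip.c: Registration from '"1004" <sip:1004@192.0.2.10>' failed for '198.51.100.7' - No matching peer found
[Jan 10 12:00:03] NOTICE[2211] chan_sip.c: Registration from '"1005" <sip:1005@192.0.2.10>' failed for '198.51.100.7' - Wrong password
[Jan 10 12:00:40] NOTICE[2211] chan_sip.c: Registration from '"alice" <sip:alice@192.0.2.10>' failed for '192.0.2.55' - Wrong password
"""

# Timestamp, attempted extension, source address and failure reason.
FAILED_REG = re.compile(
    r"^\[(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '\"(?P<ext>[^\"]*)\"[^']*' failed for "
    r"'(?P<src>[\d.]+)' - (?P<reason>.*)$"
)


def parse_failures(log_text):
    """Return (timestamp, source, extension, reason) for each failed registration."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_REG.match(line)
        if m:
            # Asterisk logs no year; strptime's default year is fine for deltas.
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            events.append((ts, m.group("src"), m.group("ext"), m.group("reason")))
    return events


def find_brute_force(events, window_seconds=60, max_failures=5):
    """Map each offending source to (total failures, sorted extensions tried).

    A source offends when any sliding window of window_seconds holds
    max_failures or more failed registrations.
    """
    by_src = defaultdict(list)
    for ts, src, ext, _reason in events:
        by_src[src].append((ts, ext))
    offenders = {}
    for src, hits in by_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= max_failures:
                offenders[src] = (len(hits), sorted({e for _, e in hits}))
                break
    return offenders


def looks_sequential(exts):
    """True when the extensions are a run of consecutive numbers (a counting scanner)."""
    if len(exts) < 3 or not all(e.isdigit() for e in exts):
        return False
    nums = sorted(int(e) for e in exts)
    return nums[-1] - nums[0] + 1 == len(nums)


if __name__ == "__main__":
    for src, (count, exts) in find_brute_force(parse_failures(SAMPLE_LOG)).items():
        kind = "sequential scan" if looks_sequential(exts) else "repeated failures"
        print(f"{src}: {count} failed registrations, {kind}, extensions {exts}")
```

Run it against the output of `grep 'Registration from' /var/log/asterisk/messages` (assuming you log NOTICE level to that file) and feed the offending addresses to your firewall; a single mistyped password from a known address, like alice above, stays below the threshold.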
Once compromised, the hijacker will start auto-dialing a series of
international numbers which either generate revenue share (through the
many international offshore premium rate number suppliers) or you will
be helping an 'eastern' call shop get nice termination rates.
It's easy to run up a 5K bill over a weekend (I have seen it happen).
Here are a few tips for keeping your install safe:
- change your SIP port from the default 5060 to something different; 5060 is
constantly scanned
- make sure you have a correctly installed firewall/iptables
- don't use extensions that are easy to guess (like 1000 - scanners tend
to count from 0 to 9999)
- don't leave passwords like test123 or use dictionary words - a minimum of
8 random characters is ok
- block all destinations, then open the ones you want to call
- monitor calls made on your Asterisk system
- use completely separate dial-plans for incoming and outgoing trunks
- limit the channels your extension can call at once
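Several of these tips can be checked mechanically against sip.conf. Below is an added example (not from the original post) that parses a sip.conf and reports the weak settings from the list: the default port, numeric extensions in the 0-9999 range a counting scanner will hit, short or dictionary-style secrets, peers with no call-limit, and peers whose dialplan context is the same one incoming trunks land in. It goes one step beyond the list by also checking alwaysauthreject, the sip.conf option that stops a scanner learning which extension names exist from the error it gets back. Both configurations are constructed for the example; the peer name, secret and port in the hardened one are placeholders, not recommendations for specific values.

```python
"""Audit an Asterisk sip.conf for the weak settings listed above (added example)."""

# Constructed "before": what a first install often looks like.
WEAK_CONF = """\
[general]
bindport=5060
context=default

[1000]
type=friend
secret=test123
host=dynamic
context=default
"""

# Constructed "after": same peer, with each tip applied (values are placeholders).
HARDENED_CONF = """\
[general]
bindport=5566           ; off the constantly scanned default
alwaysauthreject=yes    ; same rejection whether or not the peer exists
context=incoming        ; where inbound trunk calls land

[ext-alice-d7k2]        ; not a number a scanner counts through
type=friend
secret=R4gM8zQpW2bT     ; 12 random characters
host=dynamic
context=internal        ; separate from the incoming-trunk context
call-limit=2            ; at most two simultaneous calls from this account
"""

WEAK_WORDS = ("test", "pass", "1234", "secret", "asterisk")


def parse_sip_conf(text):
    """Return {section: {key: value}} for a sip.conf-style file."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].split("(", 1)[0]  # ignore template markers like (!)
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, val = line.split("=", 1)
            sections[current][key.strip().rstrip(">").strip()] = val.strip()
    return sections


def audit(conf_text):
    """Return a list of (section, finding) for each weak setting found."""
    sections = parse_sip_conf(conf_text)
    findings = []
    general = sections.get("general", {})
    if general.get("bindport", "5060") == "5060":
        findings.append(("general", "SIP on default port 5060, which is constantly scanned"))
    if general.get("alwaysauthreject", "no").lower() != "yes":
        findings.append(("general", "alwaysauthreject is off: replies reveal which extensions exist"))
    for name, opts in sections.items():
        if name == "general" or opts.get("type") not in ("friend", "peer", "user"):
            continue
        if name.isdigit() and int(name) <= 9999:
            findings.append((name, "numeric extension in 0-9999, easy for a counting scanner to hit"))
        secret = opts.get("secret", "")
        if (len(secret) < 8 or secret == name
                or any(w in secret.lower() for w in WEAK_WORDS)):
            findings.append((name, "weak or missing secret (short, dictionary word or same as name)"))
        if "call-limit" not in opts:
            findings.append((name, "no call-limit: one stolen account can place unlimited calls"))
        if opts.get("context") and opts["context"] == general.get("context"):
            findings.append((name, "shares its dialplan context with incoming trunks"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"== {label} ==")
        for section, finding in audit(conf) or [("-", "no findings")]:
            print(f"[{section}] {finding}")
```

To run it on a live box, replace the embedded strings with `open("/etc/asterisk/sip.conf").read()`; the parser ignores comments and template markers but does not follow `#include`, so audit included files separately.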
If anyone wants to add some more... please do.
Kevin Brennan