Archive for November, 2014

Securing Asterisk with IPTables

I’ve been running my phone system through Asterisk on Debian (Linux) for a number of years. I’d consider myself a novice to intermediate user of Linux, even though I’ve been tinkering with it for over a decade. I also don’t play with Asterisk very often, but like to get things set up comfortably from time to time so I can leave it alone for a while.

I recently upgraded from Asterisk 1.6 to 11. In the move, I also spent some time taking a close look at the CLI, which caused me to notice a lot of attempts to either call extensions on my system that didn’t exist, or log in to extensions that didn’t exist. It was apparent that there were attempts being made to hack my system. It was time to dig deeper into security before someone succeeded.

In the past, by happenstance, I tended to avoid some practices that make it easier to hack an Asterisk system. The primary one is that I didn’t put any extensions in the default context. Hackers seem to like to focus on that one, and with nothing there, there really is nothing to hack.

That wasn’t enough though. I really wanted to lock things down and prevent the attempts themselves. The best way, I found, was to bone up on IPTables, the most common firewall on Linux.

I took inventory of what I was doing with my system, and realized that there is only one outside account/system that I use that should need to connect to my system. I have a few phone numbers at IPKall.com, and need their server to be able to reach me if anyone should call one of my numbers. Everything else is internal to my home network.

Below is a set of rules that I put into my IPTables to allow in traffic from IPKall, but block anything else that is attempting to connect to this particular machine.

I should note that SIP is the only service that is open to the internet on this machine. Should I ever need to log in to it via SSH, I would do so by way of another machine on the internal network, either directly or by proxy.

The following is in a shell script. I know very little about IPTables, and learned quickly that the best way to ensure the rules behave as expected is to always start from scratch. If I need to change my rules, I’d do so in this script, and run it again once I’ve made my changes.

#!/bin/bash

# First, I flush out the existing rules
iptables -F

# Next, allow all traffic on the localhost loopback interface
iptables -A INPUT -i lo -j ACCEPT

# Allow already established connections
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Allow tcp and udp traffic from IPKall and all traffic from the local network
iptables -A INPUT -p tcp -s 66.54.140.46 -j ACCEPT
iptables -A INPUT -p udp -s 66.54.140.46 -j ACCEPT
iptables -A INPUT -p all -s 192.168.1.0/24 -j ACCEPT

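# Allow voice streaming for SIP from IPKall - Note I use a much more limited port range than the default
# (--destination-port is only valid with a specific protocol such as tcp or udp; RTP voice traffic is UDP)
iptables -A INPUT -p udp --destination-port 21000:21030 -s 66.54.140.46 -j ACCEPT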

# Set default policies for everyone else (not IPKall or local)
# Disallow any connections on port 5060 (SIP), but allow all outgoing traffic
# Note that 5060 is the only port that forwards to this machine from outside the network,
# so any traffic on any other port would be blocked at the NAT router itself,
# never bothering this machine in the first place
iptables -A INPUT -p tcp --destination-port 5060 -j DROP
iptables -A INPUT -p udp --destination-port 5060 -j DROP
iptables -P OUTPUT ACCEPT
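
The same rules can also be loaded in one step, so there is no moment between the flush and the final DROP rules when port 5060 is unfiltered. The sketch below is an added example, not part of the original script: it goes a little further than the post by validating its inputs and printing the rules in iptables-restore format. The names build_ruleset, matches, is_ipv4, is_cidr and is_port_range are made up for it, and the ACCEPT chain policies are an assumption, since the script above never sets a policy on INPUT or FORWARD.

```shell
#!/bin/sh
# Added example: emit the post's rules as an iptables-restore ruleset.
# build_ruleset and its helpers are names made up for this sketch.

# matches ALLOWED REGEX VALUE: whole-value match. The case guard rejects empty
# values, newlines and any character outside ALLOWED before grep sees them.
matches() {
    case $3 in ''|*[!$1]*) return 1 ;; esac
    printf '%s\n' "$3" | grep -Eq "^($2)\$"
}

octet='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
ipv4="$octet(\\.$octet){3}"

is_ipv4() { matches '0-9.' "$ipv4" "$1"; }
is_cidr() { matches '0-9./' "$ipv4/(3[0-2]|[12]?[0-9])" "$1"; }
is_port_range() {
    matches '0-9:' '[0-9]{1,5}:[0-9]{1,5}' "$1" || return 1
    low=${1%%:*} high=${1##*:}
    [ "$low" -ge 1 ] && [ "$low" -le "$high" ] && [ "$high" -le 65535 ]
}

# build_ruleset PROVIDER_IP LAN_CIDR RTP_RANGE: print the ruleset, or fail
# without printing it if an argument is malformed. Policies stay ACCEPT (assumed).
build_ruleset() {
    is_ipv4 "$1" || { echo "bad provider address: $1" >&2; return 1; }
    is_cidr "$2" || { echo "bad LAN network: $2" >&2; return 1; }
    is_port_range "$3" || { echo "bad RTP port range: $3" >&2; return 1; }
    cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $1 -p tcp -j ACCEPT
-A INPUT -s $1 -p udp -j ACCEPT
-A INPUT -s $2 -j ACCEPT
-A INPUT -s $1 -p udp --dport $3 -j ACCEPT
-A INPUT -p tcp --dport 5060 -j DROP
-A INPUT -p udp --dport 5060 -j DROP
COMMIT
EOF
}

# The post's own values: IPKall's address, the home LAN, the narrowed RTP range.
build_ruleset 66.54.140.46 192.168.1.0/24 21000:21030
```

Piping the output to `iptables-restore --test` parses the ruleset without committing it; without `--test`, run as root, it replaces the filter table in a single step.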

So there you go. This post is really for the benefit of people doing searches for Asterisk and IPTables, and I hope someone finds this useful.