Other Risk Mitigation

There are a couple more useful features in Asterisk that can be used to mitigate the risk of attacks. The first is to make use of the permit and deny options to build access control lists (ACLs) for privileged accounts. Consider a PBX that has SIP phones on a local network, but also accepts SIP calls from the public Internet. Calls coming in over the Internet are only granted access to the main company menu, while local SIP phones have the ability to make outbound calls that cost you money. In this case, it is a very good idea to set ACLs to ensure that only devices on your local network can use the accounts for the phones. Here is an example of doing that in /etc/asterisk/sip.conf:

[phoneA] ; Use a better account name than this.

type = friend

; Start by denying everyone.
deny = 0.0.0.0/0.0.0.0

; Allow connections that originate from 192.168.X.X to attempt
; to authenticate against this account.
permit = 192.168.0.0/255.255.0.0

The permit and deny options are accepted almost everywhere that connections to IP services are configured. Another useful place for ACLs is in /etc/asterisk/manager.conf, to restrict AMI accounts to the single host that is supposed to be using the manager interface.

Tip #11: Use ACLs when possible on all privileged accounts for network services.
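The effect of the permit and deny lines can be checked offline before a config is deployed. The following Python sketch is an added example, not code from the original text or from Asterisk: the sample config, the phoneB account and the function names are constructed for illustration, and it assumes rules are applied in file order with the last matching rule deciding and an address that matches no rule being allowed.

```python
import ipaddress

# Constructed sample sip.conf: phoneA mirrors the ACL shown above,
# phoneB is a hypothetical account that was left without any ACL.
SAMPLE_SIP_CONF = """
[general]
bindaddr = 0.0.0.0

[phoneA] ; Use a better account name than this.
type = friend
deny = 0.0.0.0/0.0.0.0
permit = 192.168.0.0/255.255.0.0

[phoneB]
type = friend
secret = not-a-real-secret
"""

def parse_acls(text):
    """Return {section: [(sense, network), ...]} with rules in file order."""
    acls, section = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop ; comments
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")]
            acls[section] = []
        elif "=" in line and section is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() in ("permit", "deny"):
                # Accepts the address/netmask form used in the config above.
                net = ipaddress.ip_network(value, strict=False)
                acls[section].append((key.lower(), net))
    return acls

def allowed(rules, addr):
    """Assumed model: last matching rule decides; no match means allow."""
    verdict = True
    ip = ipaddress.ip_address(addr)
    for sense, net in rules:
        if ip in net:
            verdict = (sense == "permit")
    return verdict

def accounts_open_to(text, addr, skip=("general",)):
    """List accounts whose ACL would let addr attempt to authenticate."""
    return [name for name, rules in parse_acls(text).items()
            if name not in skip and allowed(rules, addr)]
```

Calling accounts_open_to() with a public address lists every account that is missing an ACL; under the same model, placing the deny line after the permit line would shut out the local phones as well.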

Another way you can mitigate security risk is by configuring call limits. The recommended method for implementing call limits is to use the GROUP() and GROUP_COUNT() dialplan functions. Here is an example that limits the number of calls from each SIP peer to no more than two at a time:

exten => _X.,1,Set(GROUP(users)=${CHANNEL(peername)})

    same => n,NoOp(There are ${GROUP_COUNT(${CHANNEL(peername)})} calls for account ${CHANNEL(peername)}.)

    same => n,GotoIf($[${GROUP_COUNT(${CHANNEL(peername)})} > 2]?denied:continue)
    same => n(denied),NoOp(There are too many calls up already.  Hang up.)
    same => n,HangUp()
    same => n(continue),NoOp(continue processing call as normal here ...)

Tip #12: Use call limits to ensure that if an account is compromised, it cannot be used to make hundreds of phone calls at a time.