Some time ago, this blog post appeared on the internet. Many users have asked us whether AskoziaPBX provides the same security mechanisms. Here is a best-practice guide that goes through the same points.
AskoziaPBX supports manually defined dial patterns, which can also be used to allow calls only to certain destinations: with the dial pattern 0049, only calls to Germany (country code 49) are permitted. If restricting calls to certain country codes is not an option, Humbug Fraud Detection is a good alternative. Humbug checks your calls for suspicious patterns and notifies you.
AskoziaPBX automatically generates a safe password for every new phone. Safe passwords consist of letters, numbers and special characters. Never use the extension number itself (or another short, all-digit string) as the SIP password: that is the first thing a dictionary attack tries.
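An added example (my code, not AskoziaPBX's generator) of what such a policy looks like when written down and enforced: a checker for the rules above plus a generator that draws from the CSPRNG and rejects candidates until one passes. The special-character set and the minimum length of 12 are assumptions; AskoziaPBX may use different values.

```python
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
# Conservative special-character subset (assumption) that survives config files
# and SIP URIs unchanged; quotes, semicolons and whitespace are left out on purpose.
SPECIALS = "!#$%&*+-=?@_~"
ALPHABET = LOWER + UPPER + DIGITS + SPECIALS


def meets_policy(secret: str, extension: str = None, min_length: int = 12) -> bool:
    """Letters of both cases, a digit and a special character, a minimum length,
    and the extension number must not appear anywhere in the secret."""
    if len(secret) < min_length:
        return False
    for charset in (LOWER, UPPER, DIGITS, SPECIALS):
        if not any(c in charset for c in secret):
            return False
    if extension and extension in secret:
        return False
    return True


def generate_secret(extension: str = None, length: int = 20) -> str:
    """Generate a SIP secret from os.urandom-backed randomness. Rejection sampling
    (rather than forcing one character of each class into fixed positions)
    keeps every accepted secret equally likely."""
    if length < 12:
        raise ValueError("a SIP secret shorter than 12 characters is not acceptable")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, extension, length):
            return candidate


def entropy_bits(length: int = 20, alphabet: str = ALPHABET) -> float:
    """Upper bound on the guessing work: log2 of the number of possible strings."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    ext = "1001"
    print("weak:", meets_policy(ext, ext))                    # extension as password
    print("strong:", generate_secret(ext), f"({entropy_bits():.0f} bits)")
```

A 20-character secret over this 75-character alphabet carries about 124 bits, far beyond what an online SIP brute-force attack can cover; the policy check matters most for secrets that were typed in by hand.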
Brute-force attacks are only possible when a server (in this case your phone system) is reachable from the attacker. We recommend running AskoziaPBX behind a NAT firewall. The PBX then has no public address of its own: unsolicited packets sent to the public IP on port 5060 are dropped by the firewall, and only servers (or phones) the PBX has itself connected to, such as your provider via its registration, can send traffic back to it. Nobody who merely knows the public IP address can reach the system on port 5060, so your phone system does not become a target. Do not forward port 5060 from the firewall to the PBX, as that would undo the protection.
AskoziaPBX sets the option alwaysauthreject=yes so that attackers cannot discover valid internal numbers by trial and error. With this setting, Asterisk answers a failed authentication in the same way whether or not the user name exists, so an attacker cannot tell a wrong password from a non-existent account and cannot enumerate user names before guessing passwords.
AskoziaPBX uses the domain of your VoIP provider to authenticate incoming calls: only calls that originate from the provider's addresses are accepted, and incoming calls from other IP addresses are rejected.
Use an external SIP server, for example a SIP proxy in front of the PBX, to keep AskoziaPBX out of the line of fire.
Running SIP on non-standard ports provides only minimal security. If your phone system has a public IP, a port scan will find the ports sooner or later. Run your phone system behind a NAT firewall instead, as described above.
Create IP whitelists in the advanced settings of AskoziaPBX, so that only the listed addresses (your provider, your phones) may talk to the PBX.
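An added example, not AskoziaPBX code, covering both the provider-address check above and the whitelist: it models an Asterisk-style permit/deny list, which I assume is the mechanism behind AskoziaPBX's whitelist (rules evaluated in configuration order, the last matching rule wins, and an address matching no rule is allowed), and shows the rule-order mistake that silently blocks everything. The addresses are documentation ranges, not a real provider's.

```python
import ipaddress
from typing import Iterable, List, Tuple


class Acl:
    """Asterisk-style permit/deny list (assumed model for AskoziaPBX's whitelist).
    Specs may be a host ("203.0.113.10"), CIDR ("198.51.100.0/24") or an
    address with a dotted mask ("198.51.100.0/255.255.255.0")."""

    def __init__(self, rules: Iterable[Tuple[str, str]]):
        self.rules = []
        for action, spec in rules:
            if action not in ("permit", "deny"):
                raise ValueError(f"unknown ACL action {action!r}")
            self.rules.append((action, ipaddress.ip_network(spec, strict=False)))

    def allows(self, address: str) -> bool:
        ip = ipaddress.ip_address(address)
        decision = True  # no matching rule at all: allowed
        for action, net in self.rules:
            if ip.version == net.version and ip in net:
                decision = action == "permit"  # last matching rule decides
        return decision


def filter_invites(acl: Acl, invites: Iterable[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Split (source_ip, caller_id) pairs into accepted and rejected caller IDs."""
    accepted, rejected = [], []
    for src, caller in invites:
        (accepted if acl.allows(src) else rejected).append(caller)
    return accepted, rejected


# Constructed whitelist for a provider trunk: deny everything, then permit the
# provider's signalling network and one additional gateway host.
PROVIDER_ACL = Acl([
    ("deny", "0.0.0.0/0.0.0.0"),
    ("permit", "198.51.100.0/24"),
    ("permit", "203.0.113.10"),
])

# The same rules in the wrong order: the trailing deny is the last match for
# every address, so the trunk receives no calls at all. Easy to write by hand,
# hard to spot without a test like the one below.
BROKEN_ACL = Acl([
    ("permit", "198.51.100.0/24"),
    ("deny", "0.0.0.0/0.0.0.0"),
])

# Constructed INVITE sources: the provider, the gateway, and two strangers.
SAMPLE_INVITES = [
    ("198.51.100.7", "+49221123456"),
    ("203.0.113.10", "+49301234567"),
    ("203.0.113.11", "+49301234567"),  # neighbour of the gateway, not whitelisted
    ("192.0.2.9", "1000"),             # scanner pretending to be an extension
]

if __name__ == "__main__":
    print("provider ACL:", filter_invites(PROVIDER_ACL, SAMPLE_INVITES))
    print("broken ACL:  ", filter_invites(BROKEN_ACL, SAMPLE_INVITES))
```

When the whitelist is derived from the provider's domain rather than fixed addresses, regenerate it whenever the domain's resolution changes; a stale permit rule is both a security hole and an outage waiting to happen.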
This can be configured manually in the advanced settings of AskoziaPBX. A better solution is Humbug Fraud Detection, described at the beginning of this guide.
AskoziaPBX lets you deactivate phone and provider accounts with one click. Deactivate accounts that are not in use, so they cannot be abused.
AskoziaPBX provides the open interfaces AMI (Asterisk Manager Interface) and SSH, and a number of monitoring tools use them. Restrict access to both interfaces to trusted management hosts, since each of them gives full control over the system.
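What monitoring should actually look for is the brute-force traffic discussed earlier in this guide. The following is an added example, not part of the post or of AskoziaPBX: a detector that reads Asterisk chan_sip registration-failure log lines (the same lines fail2ban filters key on), counts failures per source address in a sliding window, and emits firewall rules for the offenders. The log lines are constructed; the timestamp format assumes `dateformat=%F %T` in logger.conf, and the thresholds are assumptions to tune for your site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, NamedTuple

# Asterisk chan_sip registration failure, e.g.
# [2012-03-01 10:15:02] NOTICE[2233] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>'
#   failed for '198.51.100.23:5060' - No matching peer found
# The reason text stays visible in the log even with alwaysauthreject=yes;
# that option only changes the response sent to the client.
LOG_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)


class Failure(NamedTuple):
    ts: datetime
    ip: str
    frm: str
    reason: str


def parse_failures(lines: Iterable[str]) -> Iterator[Failure]:
    """Yield registration failures; every other log line is ignored."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield Failure(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                          m["ip"], m["from"], m["reason"])


def find_brute_forcers(lines: Iterable[str], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Map each source IP with >= threshold failures inside one sliding window
    to the time it crossed the threshold. Lines must be in log (time) order."""
    recent: Dict[str, deque] = defaultdict(deque)
    flagged: Dict[str, datetime] = {}
    for f in parse_failures(lines):
        q = recent[f.ip]
        q.append(f.ts)
        while q and f.ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and f.ip not in flagged:
            flagged[f.ip] = f.ts
    return flagged


def block_commands(flagged: Dict[str, datetime], port: int = 5060) -> List[str]:
    """Illustrative iptables rules dropping SIP from the flagged addresses."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP" for ip in sorted(flagged)]


# Constructed log excerpt: a scanner (198.51.100.23) enumerating extensions,
# one phone with a mistyped password (203.0.113.77), a slow guesser at one
# attempt per half hour (192.0.2.9), and an unrelated VERBOSE line.
LOG_SAMPLE = """\
[2012-03-01 09:00:11] NOTICE[2233] chan_sip.c: Registration from '"200" <sip:200@192.0.2.9>' failed for '192.0.2.9:5060' - Wrong password
[2012-03-01 09:30:11] NOTICE[2233] chan_sip.c: Registration from '"200" <sip:200@192.0.2.9>' failed for '192.0.2.9:5060' - Wrong password
[2012-03-01 10:00:11] NOTICE[2233] chan_sip.c: Registration from '"200" <sip:200@192.0.2.9>' failed for '192.0.2.9:5060' - Wrong password
[2012-03-01 10:15:02] NOTICE[2233] chan_sip.c: Registration from '"100" <sip:100@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2012-03-01 10:15:03] NOTICE[2233] chan_sip.c: Registration from '"101" <sip:101@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2012-03-01 10:15:04] VERBOSE[2233] chan_sip.c:     -- Registered SIP '12' at 203.0.113.77:5060
[2012-03-01 10:15:04] NOTICE[2233] chan_sip.c: Registration from '"102" <sip:102@203.0.113.5>' failed for '198.51.100.23:5060' - No matching peer found
[2012-03-01 10:15:05] NOTICE[2233] chan_sip.c: Registration from '"11" <sip:11@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2012-03-01 10:15:06] NOTICE[2233] chan_sip.c: Registration from '"12" <sip:12@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2012-03-01 10:15:07] NOTICE[2233] chan_sip.c: Registration from '"13" <sip:13@203.0.113.5>' failed for '198.51.100.23:5060' - Wrong password
[2012-03-01 10:16:00] NOTICE[2233] chan_sip.c: Registration from '"12" <sip:12@203.0.113.5>' failed for '203.0.113.77:5060' - Wrong password
[2012-03-01 10:30:11] NOTICE[2233] chan_sip.c: Registration from '"200" <sip:200@192.0.2.9>' failed for '192.0.2.9:5060' - Wrong password
[2012-03-01 11:00:11] NOTICE[2233] chan_sip.c: Registration from '"200" <sip:200@192.0.2.9>' failed for '192.0.2.9:5060' - Wrong password
"""

if __name__ == "__main__":
    hits = find_brute_forcers(LOG_SAMPLE.splitlines())
    for ip, when in hits.items():
        print(f"{ip} crossed the threshold at {when}")
    print("\n".join(block_commands(hits)))
```

The slow guesser in the sample is deliberately not caught: a rate-based detector misses low-and-slow attempts, which is why it complements the NAT and whitelist recommendations rather than replacing them, and why a long-window count of distinct user names per source is worth adding in production.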
Use the update system in the AskoziaPBX web interface to keep the system current. Askozia is one of the few distributions already based on Asterisk 10, which brings a number of new security features.
Many providers offer prepaid plans. These cap the damage at the prepaid amount if your phone system does get compromised despite all precautions.