All you need to know about IP Phone Systems · Best practices for secure VoIP telephony

Best practices for secure VoIP telephony

Some time ago, this blog post appeared on the internet. Many users asked us if AskoziaPBX provides the same security mechanisms. Here’s a best practice guide.

best practices for secure IP telephony

1. Use Dialplan Wildcards

AskoziaPBX supports manually defined dial patterns. These can also be used to only allow calls to certain destinations. When using the dial pattern 0049, only calls to Germany are allowed. If restricting country codes to certain countries is not an option, Humbug Fraud Detection is a good alternative. Humbug checks if calls are suspicious and contacts you.

2. Safe usernames and passwords

AskoziaPBX automatically generates a a safe password for any new phone. Safe passwords consist of letters, numbers and special characters.

3. Prevent bruteforce attacks with scripts like fail2ban

Brute force attacks are only possible when a server (in this case your phone system) is directly reachable. We recommend you to run AskoziaPBX behind a NAT firewall. This means that not anybody can contact the phone system, but only servers (or phones) which are already connected to AskoziaPBX. This way, nobody who knows the public IP address can access the system via port 5060. This way your phone system doesn’t become a target.

4. Always the same error messages for authentication requests

AskoziaPBX uses the option alwaysauthreject=yes, to not give attackers the chance to figure out internal numbers by trail and error. AskoziaPBX always replies the same way to authentication requests, no matter if the user name is correct or not. This way attackers can not find out potential user names.

5. SIP-Domains instead of IP addresses

AskoziaPBX uses the Domain of your VoIP provider to authenticate incoming calls. Incoming calls from other IP addresses are rejected.

6. SIP proxy for incoming calls

Use an external Server SIP server to keep AskoziaPBX out of the line of fire.

7. Change SIP and IAX ports

This provides only minimal security. If your phone system has a public IP, these ports will sooner or later be found. Use your phone system behind a NAT firewall, as described in 3.

8. whitelist fix IP addresses and use them for authentication

Create whitelists in the advanced settings of AskoziaPBX.

9. Limit number of outgoing calls

This can be done via manual configuration in the advanced settings. A better solution is Humbug Fraud Detection as described in 1.

10. Regular checks

AskoziaPBX allows you to deactivate phone and provider accounts with one click. Deactivate accounts which are not used.

11. Monitor

AskoziaPBX provides the open interfaces AMI and SSH. There’s a number of monitoring tools available which use these interfaces.

12. Always use the latest software version

Use the AskoziaPBX update system provided in the web interface. Askozia is one of the few distributions which use Asterisk 10 already, which provides a number of new security features.

13. Use prepaid

Many providers offer prepaid plans. This limits the costs to a certain amount in case your phone system gets hacked after all.

Common questions about IP Phone Systems, PBX and VoIP