Common Threats to Asterisk Systems
Real Risk: Toll fraud costs the telecom industry $40+ billion per year. An unsecured Asterisk system can rack up thousands in international call charges within hours of compromise.
Brute Force Registration
Attackers try thousands of username/password combinations to register as a valid extension.
Toll Fraud
Once registered, attackers make expensive international calls through your trunk.
SIP Scanning
Automated scanners probe port 5060 for vulnerable SIP servers worldwide.
Eavesdropping
Unencrypted SIP/RTP can be intercepted on the network.
1. Firewall Configuration
The first line of defense is restricting which IPs can reach your SIP ports:
# Allow SIP signaling from IPComms (UDP 5060 for plain SIP, TCP 5061 for SIP over TLS)
iptables -A INPUT -s 34.23.59.14 -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -s 34.23.59.14 -p tcp --dport 5061 -j ACCEPT
# Allow RTP media ports from IPComms
iptables -A INPUT -s 34.23.59.14 -p udp --dport 10000:20000 -j ACCEPT
# Allow from your office/VPN (for softphones)
iptables -A INPUT -s YOUR_OFFICE_IP -p udp --dport 5060 -j ACCEPT
iptables -A INPUT -s YOUR_OFFICE_IP -p udp --dport 10000:20000 -j ACCEPT
# Drop all other SIP signaling (including the TLS port) and RTP traffic
iptables -A INPUT -p udp --dport 5060 -j DROP
iptables -A INPUT -p tcp --dport 5060 -j DROP
iptables -A INPUT -p tcp --dport 5061 -j DROP
iptables -A INPUT -p udp --dport 10000:20000 -j DROP
Important: If you have remote workers using softphones, either use a VPN or add their IPs to the allowlist. Never leave port 5060 open to the entire internet.
2. Fail2Ban for SIP
Fail2Ban monitors your Asterisk logs for failed authentication attempts and automatically bans offending IPs:
[asterisk]
enabled = true
filter = asterisk
action = iptables-allports[name=asterisk, protocol=all]
logpath = /var/log/asterisk/messages
maxretry = 3
findtime = 300
bantime = 86400
ignoreip = 34.23.59.14 127.0.0.1
Pro Tip: Always whitelist your SIP trunk provider's IP (34.23.59.14 for IPComms) in the ignoreip setting.
3. Strong Passwords
Never use extension numbers as passwords. This is the #1 vulnerability in Asterisk systems.
Bad Passwords
- 100 (same as extension)
- 1234
- password
Good Passwords
- xK9#mP2$vL7nQ4
- Tr0ub4d&Loop#88
- j7Hm!kN3pW9xR5v
# Generate a random 20-character password (draw 32 bytes so that stripping '/', '+' and '=' still leaves at least 20 characters)
openssl rand -base64 32 | tr -d '/+=' | head -c 20
4. Dialplan Context Security
The most dangerous misconfiguration is putting untrusted traffic in a context that allows outbound calling:
; INBOUND from trunk - NO outbound access
[from-ipcomms]
; Route each DID to a fixed internal destination (extension 100 here, as an example).
; Do NOT Goto(internal,${EXTEN},1): an 11-digit DID would match the _1NXXNXXXXXX pattern
; that [internal] includes and be dialed straight back out through the trunk.
exten => _X.,1,NoOp(Inbound DID ${EXTEN} from trunk)
same => n,Goto(internal,100,1)
; INTERNAL context - authenticated extensions only
[internal]
exten => _1XX,1,Dial(PJSIP/${EXTEN},30)
include => outbound-allowed
[outbound-allowed]
; US/Canada only - block international by default
exten => _1NXXNXXXXXX,1,Dial(PJSIP/${EXTEN}@ipcomms)
exten => 911,1,Dial(PJSIP/911@ipcomms)
; NEVER do this:
; [default]
; exten => _X.,1,Dial(PJSIP/${EXTEN}@ipcomms)
; This allows ANYONE to make calls!
Critical: Never put trunk inbound traffic in a context that includes outbound dialing. And never use the default context for anything important.
5. Enable TLS and SRTP
TLS encrypts SIP signaling (protecting credentials) and SRTP encrypts the audio stream:
[transport-tls]
type=transport
protocol=tls
bind=0.0.0.0:5061
cert_file=/etc/asterisk/keys/asterisk.crt
priv_key_file=/etc/asterisk/keys/asterisk.key
method=tlsv1_2
; Trunk endpoint with encryption
[ipcomms]
type=endpoint
transport=transport-tls
media_encryption=sdes
; optimistic=yes offers SRTP but still completes the call unencrypted if the far end
; does not accept it; set it to no once you have confirmed the trunk negotiates SRTP
media_encryption_optimistic=yes
6. Use IP Authentication for Trunks
IP authentication is more secure than username/password registration for SIP trunks because there are no credentials to steal:
; No auth section needed - trust based on IP
[ipcomms]
type=endpoint
context=from-ipcomms
disallow=all
allow=ulaw
aors=ipcomms
; Where outbound calls to the trunk are sent (use the TLS port if you configured transport-tls above)
[ipcomms]
type=aor
contact=sip:34.23.59.14:5060
; Match inbound requests from the trunk's IP to the endpoint above
[ipcomms-identify]
type=identify
endpoint=ipcomms
match=34.23.59.14
IPComms supports IP auth: Add your Asterisk server's public IP in the IPComms portal under trunk settings. No registration needed.
7. Monitor and Alert
- Monitor concurrent calls: Alert if calls exceed your normal peak
- Watch for international calls: Alert on any calls to unexpected country codes
- Track registration failures: Spikes indicate brute force attempts
- Check CDRs daily: Look for calls at unusual hours or to unusual destinations
- Set spending limits: Configure your trunk provider to cap daily spend
IPComms Fraud Protection: IPComms includes automatic fraud detection that monitors for unusual call patterns and can automatically disable outbound calling if suspicious activity is detected.
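As an added example (not part of the original article or any IPComms tooling), the script below applies the daily CDR review described above to a few constructed rows in Asterisk's cdr_csv (Master.csv) column order: it flags destinations outside the outbound-allowed patterns, calls outside an assumed business-hours window, and computes the peak number of concurrent calls. All call data, uniqueids and the business-hours window are constructed assumptions.

```python
import csv
import io
import re
from datetime import datetime

# Constructed sample rows in the standard cdr_csv (Master.csv) column order:
# accountcode,src,dst,dcontext,clid,channel,dstchannel,lastapp,lastdata,
# start,answer,end,duration,billsec,disposition,amaflags,uniqueid,userfield
SAMPLE_CDR = (
    '"","101","011442071234567","outbound-allowed","","PJSIP/101-00000001","PJSIP/ipcomms-00000002",'
    '"Dial","PJSIP/011442071234567@ipcomms","2025-01-15 03:14:05","2025-01-15 03:14:12",'
    '"2025-01-15 03:44:12","1807","1800","ANSWERED","3","1736910845.1",""\n'
    '"","101","12125551234","outbound-allowed","","PJSIP/101-00000003","PJSIP/ipcomms-00000004",'
    '"Dial","PJSIP/12125551234@ipcomms","2025-01-15 10:02:11","2025-01-15 10:02:20",'
    '"2025-01-15 10:05:40","209","200","ANSWERED","3","1736935331.3",""\n'
)
# Mirrors the outbound-allowed dialplan: 11-digit NANP numbers and 911 only.
ALLOWED_DST = re.compile(r"^(1[2-9]\d{2}[2-9]\d{6}|911)$")
BUSINESS_HOURS = range(7, 20)   # assumed 07:00-19:59 local; tune to your site

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _rows(text):
    # Skip blank or truncated rows instead of crashing on a partial Master.csv
    return [r for r in csv.reader(io.StringIO(text)) if len(r) >= 17]

def audit_cdr(text, allowed=ALLOWED_DST, hours=BUSINESS_HOURS):
    """Return (uniqueid, reason) pairs for calls a daily CDR review should examine."""
    findings = []
    for row in _rows(text):
        src, dst, start, uid = row[1], row[2], row[9], row[16]
        if not allowed.match(dst):
            findings.append((uid, f"{src} dialed non-allowlisted destination {dst}"))
        if _ts(start).hour not in hours:
            findings.append((uid, f"{src} placed a call at {start}, outside business hours"))
    return findings

def peak_concurrency(text):
    """Highest number of simultaneous calls, from CDR start/end timestamps."""
    events = []
    for row in _rows(text):
        events.append((_ts(row[9]), 1))
        events.append((_ts(row[11]), -1))
    events.sort()   # an end (-1) sorts before a start (+1) at the same instant
    peak = cur = 0
    for _, delta in events:
        cur += delta
        peak = max(peak, cur)
    return peak
```

Run it against /var/log/asterisk/cdr-csv/Master.csv from a cron job and compare peak_concurrency() with your known busy-hour peak; any audit_cdr() finding is worth a look before the bill arrives.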
Secure SIP Trunking with IPComms
IPComms provides TLS/SRTP encryption, IP authentication, and built-in fraud detection. Protect your calls from the trunk level up.