How to Secure Asterisk (2025 Security Guide)

Parlona Blog

How to Secure Asterisk (2025 Security Guide)

January 15, 2025

AsteriskSecurityTLSSIPPBXVoIP

Securing Asterisk is essential for any production PBX—especially in 2025, when VoIP systems have become one of the most frequently targeted components in modern infrastructure. Asterisk sits at the heart of your communication stack, handles sensitive call data, and directly connects your internal network to the public internet. When misconfigured or left unprotected, it becomes an attractive target for attackers looking for easy entry points into corporate systems.

Without proper hardening, malicious actors can:

  • Hijack your PBX to make expensive international calls, causing thousands of euros in damage overnight
  • Register fake SIP endpoints, impersonate employees, or intercept inbound calls
  • Perform brute-force attacks to guess SIP credentials and gain unauthorized access
  • Exploit open ports or weak transport settings to flood your PBX with SIP scanners and automated botnets
  • Eavesdrop on conversations if SRTP/TLS is not enforced
  • Compromise the underlying server, potentially accessing internal networks and sensitive data
  • Trigger SIP INVITE floods, creating ringing storms or service degradation
  • Cause denial-of-service attacks, rendering phones unusable during peak business hours

For businesses, the consequences can be severe:

  • Financial loss through fraudulent call activity
  • Legal and compliance violations (especially in regulated industries)
  • Leakage of recorded conversations or personal customer data
  • Operational downtime of critical communication channels
  • Long-term damage to brand reputation and customer trust

This guide covers the most important Asterisk security best practices for 2025, including firewalling, TLS/SRTP encryption, Fail2Ban protection, secure PJSIP configuration, intrusion prevention, and practical methods to shield your PBX from SIP scanners, brute-force attacks, and VoIP-focused cyber threats.

🔥 Step 1: Enable Firewall Rules

sudo ufw allow 5060/udp
sudo ufw allow 10000:20000/udp
sudo ufw enable

🛡 Step 2: Disable Guest Access in PJSIP

Edit 

/etc/asterisk/pjsip.conf
:

[system]
type = system
allow_guest = no

🔐 Step 3: Enable TLS

sudo openssl req -new -x509 -days 365 -nodes -out asterisk.pem -keyout asterisk.key

In PJSIP:

transport=tls
protocol=tls
bind=0.0.0.0:5061

🚫 Step 4: Install Fail2Ban

sudo apt install fail2ban

Enable SIP jail:

sudo nano /etc/fail2ban/jail.local

[asterisk]
enabled = true
port = 5060,5061
filter = asterisk
logpath = /var/log/asterisk/messages

🧱 Step 5: Use Strong Passwords

  • Minimum 24 characters
  • Mix symbols, numbers, letters
  • No duplicates across endpoints

🛰 Step 6: Restrict IP Access

In each endpoint:

deny = 0.0.0.0/0.0.0.0
permit = 192.168.1.0/24

🎉 Conclusion

Your Asterisk server is now protected from most common attack vectors. Keep PJSIP tight, enforce TLS, and monitor logs.

← Back to blog

Contact Us

Parlona Logo