LinuxMCE Forums

General => Users => Topic started by: greenhornet on April 23, 2009, 08:39:52 pm

Title: Stop asterisk from being hijacked
Post by: greenhornet on April 23, 2009, 08:39:52 pm
There is currently a lot of malicious activity being targeted at asterisk phone systems.  In the default settings, it's easy to find an unregistered extension and take over that extension.  In the case of LinuxMCE, the extension and the 'secret' registration password are the same.

It's fairly easy to throw random registration attempts at the box and wait for a good response.

Blocking external SIP traffic with a firewall will not work because you would also be blocking legit registrations to SIP providers you have accounts with.

How can the 'secret' phone registration password be changed on devices like orbiter embedded phones so that when they're off, no one else can assume the role just by matching extension and password?

It's fairly easy to change the 'secret' on SIP devices but I cannot find the password location in the orbiter embedded devices.  Of course, one can change the EXTENSION password on the asterisk side by accessing the phone config but this will break service to the orbiter as it will no longer be able to register without the correct password.
Title: Re: Stop asterisk from being hijacked
Post by: posde on April 24, 2009, 10:42:20 am
The device template #1759 needs to be changed to allow the addition of a password, and the simplephone app has to be changed accordingly.
Title: Re: Stop asterisk from being hijacked
Post by: nosebreaker on April 24, 2009, 03:35:47 pm
Well, could you use an access-list to only allow traffic from your phone provider?  Is that something that would work or would you need off-site extensions or something?  I'm not sure if LMCE uses iptables but it appears to have some sort of access-list control.
Title: Re: Stop asterisk from being hijacked
Post by: donpaul on April 24, 2009, 10:48:55 pm
Wow, what a HUGE vulnerability.
Title: Re: Stop asterisk from being hijacked
Post by: tschak909 on April 25, 2009, 03:42:25 am
Indeed, anybody wanna help us fix it? or just gawk at it?

-Thom
Title: Re: Stop asterisk from being hijacked
Post by: dlewis on April 25, 2009, 04:23:52 am
A friend of mine from www.voipcoop.org suggested Fail2Ban to help with these types of security issues. Here is the info: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

Let me know if you guys try to install/get it working
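A Fail2Ban-style detector for the brute-force registration attempts described in this thread, written as an added example (not Fail2Ban's own code, nor anything from the LinuxMCE project): it scans constructed Asterisk chan_sip NOTICE lines, applies the usual maxretry/findtime/ignoreip logic, and renders the iptables DROP rules a ban action would install. The threshold values, the LAN prefix 192.168.80. and the source addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the chan_sip NOTICE format that the voip-info
# Fail2Ban recipe keys on; source addresses are documentation ranges.
SAMPLE_LOG = """\
[May  3 17:00:01] NOTICE[4321] chan_sip.c: Registration from '"200" <sip:200@192.168.80.1>' failed for '203.0.113.9' - Wrong password
[May  3 17:00:02] NOTICE[4321] chan_sip.c: Registration from '"201" <sip:201@192.168.80.1>' failed for '203.0.113.9' - No matching peer found
[May  3 17:00:03] NOTICE[4321] chan_sip.c: Registration from '"202" <sip:202@192.168.80.1>' failed for '203.0.113.9' - Wrong password
[May  3 17:00:05] NOTICE[4321] chan_sip.c: Registration from '"200" <sip:200@192.168.80.1>' failed for '192.168.80.45' - Wrong password
[May  3 17:09:00] NOTICE[4321] chan_sip.c: Registration from '"200" <sip:200@192.168.80.1>' failed for '198.51.100.7' - Wrong password
[May  3 17:30:00] NOTICE[4321] chan_sip.c: Registration from '"200" <sip:200@192.168.80.1>' failed for '198.51.100.7' - Wrong password
[May  3 17:30:01] NOTICE[4321] chan_sip.c: Registration from '"200" <sip:200@192.168.80.1>' failed for '198.51.100.7' - Wrong password
"""

FAIL_RE = re.compile(
    r"^\[(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '[^']*' failed for '(?P<ip>[\d.]+)' - "
    r"(?:Wrong password|No matching peer found|Username/auth name mismatch)")

def failed_registrations(log_text):
    """Yield (timestamp, source_ip) for every failed SIP REGISTER in the log."""
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            # Asterisk omits the year; only differences between stamps matter here.
            yield datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"), m.group("ip")

def find_offenders(log_text, maxretry=3, findtime=timedelta(minutes=10),
                   ignore_prefixes=("127.", "192.168.80.")):
    """Map source IP -> peak failure count for IPs that reached maxretry
    failures inside one findtime window; LAN/loopback prefixes are skipped
    the way Fail2Ban's ignoreip setting does (assumed LAN: 192.168.80.0/24)."""
    recent, offenders = defaultdict(deque), {}
    for ts, ip in failed_registrations(log_text):
        if ip.startswith(ignore_prefixes):
            continue
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > findtime:   # forget failures older than findtime
            window.popleft()
        if len(window) >= maxretry:
            offenders[ip] = max(offenders.get(ip, 0), len(window))
    return offenders

def ban_rules(offenders, port=5060):
    """Render the iptables DROP rules a Fail2Ban ban action would apply."""
    return [f"iptables -I INPUT -s {ip} -p udp --dport {port} -j DROP"
            for ip in sorted(offenders)]
```

In the sample, 203.0.113.9 trips the threshold with three failures in three seconds, the LAN phone at 192.168.80.45 is ignored, and 198.51.100.7 never has three failures inside one ten-minute window.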
Title: Re: Stop asterisk from being hijacked
Post by: donpaul on April 28, 2009, 05:59:54 am
> Indeed, anybody wanna help us fix it? or just gawk at it?
>
> -Thom

LOL, I am trying.
Title: Re: Stop asterisk from being hijacked
Post by: greenhornet on May 03, 2009, 05:29:51 pm
It should be noted that current versions of FreePBX / Trixbox have the ability to restrict registrations by ip/subnet.  This feature can be found on the extension settings page.
Solving this problem could be done by updating the version of FreePBX included.  I know that is not as simple as it sounds but it might be the best course of action.
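The two fixes raised so far, a registration secret that differs from the extension (posde's point about template #1759) and restricting registrations by IP/subnet (the FreePBX feature above, which on the Asterisk side is the deny/permit pair in a sip.conf peer section), as an added example that is not LinuxMCE, FreePBX or Asterisk code: it audits a constructed sip.conf excerpt for peers whose secret equals their extension and renders a hardened stanza. The extension names, the 192.168.80.0/24 subnet and the from-internal context are assumptions, and the orbiter/simplephone side must of course be given the new secret.

```python
import re
import secrets

# Constructed excerpt in the shape of Asterisk sip.conf peer sections, with
# the extension reused as the secret, as the thread describes for LinuxMCE.
WEAK_SIP_CONF = """\
[200]
type=friend
secret=200
host=dynamic
context=from-internal

[201]
type=friend
secret=201
host=dynamic
context=from-internal
"""

SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]\s*$")

def parse_peers(text):
    """Return {section_name: {key: value}} for the [section] blocks in sip.conf text."""
    peers, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
            peers[current] = {}
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            peers[current][key.strip()] = value.strip()
    return peers

def weak_peers(text):
    """Names of peers whose secret is missing or identical to the extension."""
    return [name for name, opts in parse_peers(text).items()
            if opts.get("secret", "") in ("", name)]

def hardened_peer(name, lan="192.168.80.0/255.255.255.0", secret=None):
    """Render a peer stanza with a random secret and a LAN-only permit ACL
    (subnet and context are assumed values for this example)."""
    secret = secret or secrets.token_urlsafe(18)   # 24 URL-safe characters
    return "\n".join([
        f"[{name}]", "type=friend", f"secret={secret}", "host=dynamic",
        "context=from-internal",
        "deny=0.0.0.0/0.0.0.0",        # reject registrations from everywhere...
        f"permit={lan}",               # ...except the listed subnet
    ]) + "\n"
```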
Title: Re: Stop asterisk from being hijacked
Post by: dlewis on May 03, 2009, 05:31:48 pm
> It should be noted that current versions of FreePBX / Trixbox have the ability to restrict registrations by ip/subnet.  This feature can be found on the extension settings page.
> Solving this problem could be done by updating the version of FreePBX included.  I know that is not as simple as it sounds but it might be the best course of action.

Have you tried to update FreePBX within LinuxMCE?
Title: Re: Stop asterisk from being hijacked
Post by: tschak909 on May 03, 2009, 05:32:42 pm
Good call, anyone want to take a crack at this?

-Thom
Title: Re: Stop asterisk from being hijacked
Post by: LegoGT on May 03, 2009, 07:50:30 pm
I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:

asterisk : proxy01.sipphone.com : allow
asterisk : 192.168.80. : allow
asterisk : localhost : allow
asterisk : ALL : deny

Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?
Title: Re: Stop asterisk from being hijacked
Post by: dlewis on May 03, 2009, 07:58:37 pm
> I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:
>
> asterisk : proxy01.sipphone.com : allow
> asterisk : 192.168.80. : allow
> asterisk : localhost : allow
> asterisk : ALL : deny
>
> Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

I think it's still worth a try to upgrade FreePBX / Asterisk...
Title: Re: Stop asterisk from being hijacked
Post by: tschak909 on May 03, 2009, 08:50:28 pm
> I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:
>
> asterisk : proxy01.sipphone.com : allow
> asterisk : 192.168.80. : allow
> asterisk : localhost : allow
> asterisk : ALL : deny
>
> Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

Can you open a ticket on trac.linuxmce, and attach the new hosts.allow, so we can graft it into the system?

-Thom
Title: Re: Stop asterisk from being hijacked
Post by: dlewis on May 03, 2009, 08:54:23 pm
We should omit the 'sipphone.com' aspect since that's custom...
Title: Re: Stop asterisk from being hijacked
Post by: tschak909 on May 03, 2009, 08:56:40 pm
Good call, we'll make it part of the template. Some thought will need to be made.

Since we can reference the gateway host in the database once configured, we can have scripts automatically do an SNR on hosts.allow to close things up nicely.

-Thom
Title: Re: Stop asterisk from being hijacked
Post by: dlewis on May 03, 2009, 08:59:22 pm
> I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:
>
> asterisk : proxy01.sipphone.com : allow
> asterisk : 192.168.80. : allow
> asterisk : localhost : allow
> asterisk : ALL : deny
>
> Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

Good points Thom... LegoGT, please still make the trac entry with the notes/comments referenced by myself and Thom.
Title: Re: Stop asterisk from being hijacked
Post by: LegoGT on May 04, 2009, 02:08:12 am
>> I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:
>>
>> asterisk : proxy01.sipphone.com : allow
>> asterisk : 192.168.80. : allow
>> asterisk : localhost : allow
>> asterisk : ALL : deny
>>
>> Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?
>
> Good points Thom... LegoGT, please still make the trac entry with the notes/comments referenced by myself and Thom.

No problem. I'll add it tonight.
Title: Re: Stop asterisk from being hijacked
Post by: dlewis on May 04, 2009, 03:12:07 pm
A reason why we should work on the security of our asterisk installation:

http://www.usken.no/2009/03/26/get-the-password-from-any-sip-device-its-fully-possible/

Linksys SPA2102 is one of the devices they successfully penetrated.
Title: Re: Stop asterisk from being hijacked
Post by: tschak909 on May 04, 2009, 03:15:33 pm
oh _yeah_

-Thom
Title: Re: Stop asterisk from being hijacked
Post by: LegoGT on May 04, 2009, 05:11:03 pm
This was my first submission to Trac so be easy on me! I think it's in there correctly (http://svn.linuxmce.org/trac.cgi/ticket/188) but let me know if I missed something so I can do it properly next time.