LinuxMCE Forums
Author Topic: Stop asterisk from being hijacked  (Read 2645 times)
greenhornet (Veteran, Posts: 59)
« on: April 23, 2009, 07:39:52 pm »

There is currently a lot of malicious activity being targeted at asterisk phone systems.  In the default settings, it's easy to find an unregistered extension and take over that extension.  In the case of LinuxMCE, the extension and the 'secret' registration password are the same.

It's fairly easy to throw random registration attempts at the box and wait for a good response.

Blocking external SIP traffic with a firewall will not work because you would also be blocking legit registrations to SIP providers you have accounts with.

How can the 'secret' phone registration password be changed on devices like orbiter embedded phones so that when they're off, no one else can assume the role just by matching extension and password?

It's fairly easy to change the 'secret' on SIP devices but I cannot find the password location in the orbiter embedded devices.  Of course, one can change the EXTENSION password on the asterisk side by accessing the phone config but this will break service to the orbiter as it will no longer be able to register without the correct password.

posde (Administrator, LinuxMCE God, Posts: 2637)
Wastes Life On LinuxMCE Since 2007
« Reply #1 on: April 24, 2009, 09:42:20 am »

The device template #1759 needs to be changed to allow the addition of a password, and the simplephone app has to be changed accordingly.

nosebreaker (Guru, Posts: 202)
« Reply #2 on: April 24, 2009, 02:35:47 pm »

Well, could you use an access-list to only allow traffic from your phone provider?  Is that something that would work or would you need off-site extensions or something?  I'm not sure if LMCE uses iptables but it appears to have some sort of access-list control.

donpaul (Guru, Posts: 300)
« Reply #3 on: April 24, 2009, 09:48:55 pm »

Wow, what a HUGE vulnerability.

tschak909 (LinuxMCE God, Posts: 5116)
DOES work for LinuxMCE.
« Reply #4 on: April 25, 2009, 02:42:25 am »

Indeed, anybody wanna help us fix it? or just gawk at it?

-Thom

dlewis (Guru, Posts: 401)
« Reply #5 on: April 25, 2009, 03:23:52 am »

A friend of mine from www.voipcoop.org suggested Fail2Ban to help with these types of security issues. Here is the info: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

Let me know if you guys try to install/get it working
Logged
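Fail2Ban's Asterisk jail, as suggested in the reply above, works by scanning the Asterisk log for registration failures and banning any source address that exceeds a retry count within a time window. The script below is an added illustration of that logic written for this thread; it is not Fail2Ban's own filter or action, and not LinuxMCE code. It matches the chan_sip registration-failure notice (the Asterisk 1.4/1.6-era full-log format), applies a per-source maxretry/findtime threshold, and renders the iptables rule a ban would install without executing it. The log lines are constructed samples that use documentation IP ranges.

```python
import re
from collections import defaultdict
from datetime import datetime

# chan_sip's registration failure notice as written to the full log.
# The source address may carry a ':port' suffix in later Asterisk releases.
REG_FAIL_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] NOTICE\[\d+\] chan_sip\.c: "
    r"Registration from '(?P<from>[^']*)' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.+)$"
)

# Constructed sample log: one remote host walking extensions 200-203 with the
# default "extension as secret" guess, then one typo from a LAN phone.
SAMPLE_LOG = """\
[Apr 25 03:20:01] NOTICE[4127] chan_sip.c: Registration from '"200" <sip:200@192.168.80.1>' failed for '203.0.113.7' - Wrong password
[Apr 25 03:20:02] NOTICE[4127] chan_sip.c: Registration from '"201" <sip:201@192.168.80.1>' failed for '203.0.113.7' - Wrong password
[Apr 25 03:20:02] NOTICE[4127] chan_sip.c: Registration from '"202" <sip:202@192.168.80.1>' failed for '203.0.113.7' - No matching peer found
[Apr 25 03:20:40] NOTICE[4127] chan_sip.c: Registration from '"203" <sip:203@192.168.80.1>' failed for '203.0.113.7' - Wrong password
[Apr 25 03:21:05] VERBOSE[4127] logger.c:     -- Registered SIP '200' at 192.168.80.23 port 5060
[Apr 25 03:25:10] NOTICE[4127] chan_sip.c: Registration from '"200" <sip:200@192.168.80.1>' failed for '192.168.80.23' - Wrong password
"""


def find_offenders(log_text, maxretry=3, findtime=600):
    """Return {source_ip: timestamp_of_ban} for sources that hit `maxretry`
    registration failures inside a sliding `findtime` window (seconds).
    This mirrors Fail2Ban's maxretry/findtime semantics in miniature."""
    attempts = defaultdict(list)   # ip -> timestamps of recent failures
    banned = {}
    for line in log_text.splitlines():
        m = REG_FAIL_RE.match(line)
        if not m:
            continue                # not a registration failure; ignore
        # The syslog-style stamp has no year; only differences matter here.
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        ip = m.group("ip")
        window = [t for t in attempts[ip] if (ts - t).total_seconds() <= findtime]
        window.append(ts)
        attempts[ip] = window
        if len(window) >= maxretry and ip not in banned:
            banned[ip] = ts.strftime("%b %d %H:%M:%S")
    return banned


def ban_rule(ip):
    """Render (do not run) the iptables rule that would drop SIP from `ip`."""
    return "iptables -I INPUT -s %s -p udp --dport 5060 -j DROP" % ip


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print("%s: banned at %s -> %s" % (ip, when, ban_rule(ip)))
```

The LAN phone's single wrong password stays below the threshold, while the remote host is banned on its third failure within the window; raising `maxretry` to 5 leaves it unbanned because only four failures fall inside ten minutes. A real deployment lets Fail2Ban own the iptables chain rather than inserting rules by hand.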
donpaul (Guru, Posts: 300)
« Reply #6 on: April 28, 2009, 04:59:54 am »

> Quote from: tschak909 on April 25, 2009, 02:42:25 am
> Indeed, anybody wanna help us fix it? or just gawk at it?
>
> -Thom

LOL, I am trying.

greenhornet (Veteran, Posts: 59)
« Reply #7 on: May 03, 2009, 04:29:51 pm »

It should be noted that current versions of FreePBX / Trixbox have the ability to restrict registrations by ip/subnet.  This feature can be found on the extension settings page.
Solving this problem could be done by updating the version of FreePBX included.  I know that is not as simple as it sounds but it might be the best course of action.
Logged
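Two of the weaknesses raised in this thread can be checked straight from sip.conf: the default described in the opening post, where the extension number doubles as the registration secret, and the missing per-extension IP restriction that Reply #7 points to (in Asterisk's own terms, the peer's permit/deny keys). The audit script below is an added example written for this thread, not LinuxMCE or FreePBX code; the configuration it parses is a constructed sample, and the 12-character minimum is the example's own policy rather than an Asterisk default.

```python
MIN_SECRET_LEN = 12   # this example's own policy, not an Asterisk default

# Constructed sample sip.conf: one default-style peer, one hardened peer,
# one peer with no secret at all.
SAMPLE_SIP_CONF = """
[general]
context=default
allowguest=no

; Default-style peer: the extension number doubles as the secret
[200]
type=friend
secret=200
host=dynamic
context=from-internal

; Hardened peer: strong secret, registrations limited to the LAN
[201]
type=friend
secret=Xk7#pLq92vB!
host=dynamic
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=192.168.80.0/255.255.255.0

; Peer that never had a secret configured
[202]
type=friend
host=dynamic
context=from-internal
"""


def parse_sip_conf(text):
    """Parse Asterisk's INI-like sip.conf into {section: [(key, value), ...]}.
    Keys may repeat (permit/deny), so values are kept as a list, not a dict."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # ';' starts a comment
        if not line:
            continue
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]    # drop template suffixes like (!)
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        sep = "=>" if "=>" in line else "="      # both spellings are valid
        if sep not in line:
            continue
        key, value = line.split(sep, 1)
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def audit_sip_conf(text):
    """Return (section, finding) pairs for peers that are easy to hijack."""
    findings = []
    for name, entries in parse_sip_conf(text).items():
        kv = {}
        for key, value in entries:
            kv.setdefault(key, []).append(value)
        if "type" not in kv:                     # [general] and templates have no type
            continue
        secret = kv.get("secret", [""])[0]
        if not secret:
            findings.append((name, "no secret set"))
        elif secret == name:
            findings.append((name, "secret equals extension"))
        elif len(secret) < MIN_SECRET_LEN:
            findings.append((name, "secret shorter than %d characters" % MIN_SECRET_LEN))
        # A dynamic peer can register from anywhere unless permit/deny narrows it.
        if kv.get("host", [""])[0] == "dynamic" and not kv.get("permit"):
            findings.append((name, "dynamic peer with no permit/deny restriction"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_sip_conf(SAMPLE_SIP_CONF):
        print("[%s] %s" % (section, finding))
```

Peer 201 passes both checks; 200 is flagged for the extension-as-secret default and 202 for having no secret, and both for accepting registrations from any address. Run against a real sip.conf, the same script gives a quick inventory of which extensions need a new secret or a permit/deny pair before anything else is changed.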
dlewis (Guru, Posts: 401)
« Reply #8 on: May 03, 2009, 04:31:48 pm »

> Quote from: greenhornet on May 03, 2009, 04:29:51 pm
> It should be noted that current versions of FreePBX / Trixbox have the ability to restrict registrations by ip/subnet.  This feature can be found on the extension settings page.
> Solving this problem could be done by updating the version of FreePBX included.  I know that is not as simple as it sounds but it might be the best course of action.

Have you tried to update FreePBX within LinuxMCE?

tschak909 (LinuxMCE God, Posts: 5116)
DOES work for LinuxMCE.
« Reply #9 on: May 03, 2009, 04:32:42 pm »

Good call, anyone want to take a crack at this?

-Thom

LegoGT (Regular Poster, Posts: 29)
« Reply #10 on: May 03, 2009, 06:50:30 pm »

I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:

Code:
asterisk : proxy01.sipphone.com : allow
asterisk : 192.168.80. : allow
asterisk : localhost : allow
asterisk : ALL : deny

Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?
Logged

A brain dump of my neverending projects: http://MediumRareBrain.com
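TCP wrappers reads hosts.allow top to bottom and the first line whose daemon and client fields both match decides; with the extended syntax used in the post above, the allow/deny keyword on the matching line is the decision, and a client that matches nothing is allowed. The script below is an added example (not LinuxMCE code) that re-implements that matching in Python so a policy like the four-line one above can be checked against sample clients before it is deployed. Name resolution is left to the caller (tcpd does its own reverse-then-forward lookup), and IPv6 is out of scope because its addresses contain the field separator. Note also that hosts.allow is only consulted by services built against libwrap, so confirm that the Asterisk build in question does before relying on this entry alone.

```python
import ipaddress

# The policy from the post above, used here as sample input.
HOSTS_ALLOW = """\
asterisk : proxy01.sipphone.com : allow
asterisk : 192.168.80. : allow
asterisk : localhost : allow
asterisk : ALL : deny
"""


def parse_rules(text):
    """Parse 'daemon_list : client_list [: action]' lines into tuples.
    Comments start with '#'. IPv6 literals are not handled (they contain ':')."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        daemons = [d.strip() for d in parts[0].split(",")]
        clients = [c.strip() for c in parts[1].split(",")]
        action = parts[2].lower() if len(parts) > 2 else "allow"
        rules.append((daemons, clients, action))
    return rules


def client_matches(pattern, client_ip, client_host):
    """Apply one client pattern using TCP wrappers' matching rules."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # hostname without a dot
        return bool(client_host) and "." not in client_host
    if pattern.startswith("."):                  # domain suffix, e.g. .example.com
        return client_host.endswith(pattern)
    if pattern.endswith("."):                    # numeric prefix, e.g. 192.168.80.
        return client_ip.startswith(pattern)
    if "/" in pattern:                           # net/mask, e.g. 10.0.0.0/255.0.0.0
        try:
            return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
    return pattern == client_ip or pattern == client_host


def decide(rules, daemon, client_ip, client_host=""):
    """First matching rule wins; no match means access is allowed."""
    for daemons, clients, action in rules:
        if daemon not in daemons and "ALL" not in daemons:
            continue
        if any(client_matches(p, client_ip, client_host) for p in clients):
            return action
    return "allow"


RULES = parse_rules(HOSTS_ALLOW)

if __name__ == "__main__":
    # Constructed clients: a LAN phone, an unknown remote host, the local box,
    # the provider's proxy (resolved name supplied by the caller), and sshd.
    for daemon, ip, host in [("asterisk", "192.168.80.5", ""),
                             ("asterisk", "203.0.113.7", ""),
                             ("asterisk", "127.0.0.1", "localhost"),
                             ("asterisk", "198.51.100.9", "proxy01.sipphone.com"),
                             ("sshd", "203.0.113.7", "")]:
        print(daemon, ip, host or "-", "->", decide(RULES, daemon, ip, host))
```

Two things the run makes visible: the trailing `ALL : deny` only applies to the `asterisk` daemon, so other services keep the wrappers default of allow, and the `proxy01.sipphone.com` line is only as trustworthy as the name resolution behind it, which is one reason the later replies prefer not to bake a provider-specific host into the shipped template.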
dlewis (Guru, Posts: 401)
« Reply #11 on: May 03, 2009, 06:58:37 pm »

> Quote from: LegoGT on May 03, 2009, 06:50:30 pm
> I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:
>
> Code:
> asterisk : proxy01.sipphone.com : allow
> asterisk : 192.168.80. : allow
> asterisk : localhost : allow
> asterisk : ALL : deny
>
> Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

I think it's still worth a try to upgrade FreePBX / Asterisk...

tschak909 (LinuxMCE God, Posts: 5116)
DOES work for LinuxMCE.
« Reply #12 on: May 03, 2009, 07:50:28 pm »

> Quote from: LegoGT on May 03, 2009, 06:50:30 pm
> I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:
>
> Code:
> asterisk : proxy01.sipphone.com : allow
> asterisk : 192.168.80. : allow
> asterisk : localhost : allow
> asterisk : ALL : deny
>
> Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

Can you open a ticket on trac.linuxmce, and attach the new hosts.allow, so we can graft it into the system?

-Thom

dlewis (Guru, Posts: 401)
« Reply #13 on: May 03, 2009, 07:54:23 pm »

We should omit the 'sipphone.com' aspect since that's custom...

tschak909 (LinuxMCE God, Posts: 5116)
DOES work for LinuxMCE.
« Reply #14 on: May 03, 2009, 07:56:40 pm »

Good call, we'll make it part of the template. Some thought will need to be made.

Since we can reference the gateway host in the database once configured, we can have scripts automatically do an SNR on hosts.allow to close things up nicely.

-Thom