Author Topic: Stop asterisk from being hijacked  (Read 10702 times)

greenhornet

« on: April 23, 2009, 08:39:52 pm »
There is currently a lot of malicious activity being targeted at asterisk phone systems.  In the default settings, it's easy to find an unregistered extension and take over that extension.  In the case of LinuxMCE, the extension and the 'secret' registration password are the same.

It's fairly easy to throw random registration attempts at the box and wait for a good response.

Blocking external SIP traffic with a firewall will not work because you would also be blocking legit registrations to SIP providers you have accounts with.

How can the 'secret' phone registration password be changed on devices like orbiter embedded phones so that when they're off, no one else can assume the role just by matching extension and password?

It's fairly easy to change the 'secret' on SIP devices but I cannot find the password location in the orbiter embedded devices.  Of course, one can change the EXTENSION password on the asterisk side by accessing the phone config but this will break service to the orbiter as it will no longer be able to register without the correct password.

Marie.O

« Reply #1 on: April 24, 2009, 10:42:20 am »
The device template #1759 needs to be changed to allow the addition of a password, and the simplephone app has to be changed accordingly.

nosebreaker

« Reply #2 on: April 24, 2009, 03:35:47 pm »
Well, could you use an access-list to only allow traffic from your phone provider?  Is that something that would work or would you need off-site extensions or something?  I'm not sure if LMCE uses iptables but it appears to have some sort of access-list control.

donpaul

« Reply #3 on: April 24, 2009, 10:48:55 pm »
Wow, what a HUGE vulnerability.

tschak909

« Reply #4 on: April 25, 2009, 03:42:25 am »
Indeed, anybody wanna help us fix it? or just gawk at it?

-Thom

dlewis

« Reply #5 on: April 25, 2009, 04:23:52 am »
A friend of mine from www.voipcoop.org suggested Fail2Ban to help with these types of security issues. Here is the info: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

Let me know if you guys try to install/get it working
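Added example (not part of the original posts and not Fail2Ban's own code): the kind of log check a Fail2Ban-style filter relies on, separating a source that fails against many different extensions from a single phone with a stale password. The log lines are constructed, and their shape assumes chan_sip's "Registration from ... failed for ..." NOTICE messages; the function names and the threshold are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample lines; format assumed from chan_sip's failed-registration NOTICE messages.
SAMPLE_LOG = """\
[Apr 23 20:31:02] NOTICE[2301] chan_sip.c: Registration from '"200" <sip:200@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Apr 23 20:31:02] NOTICE[2301] chan_sip.c: Registration from '"201" <sip:201@192.0.2.10>' failed for '203.0.113.7' - Wrong password
[Apr 23 20:31:03] NOTICE[2301] chan_sip.c: Registration from '"202" <sip:202@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Apr 23 20:31:03] NOTICE[2301] chan_sip.c: Registration from '"203" <sip:203@192.0.2.10>' failed for '203.0.113.7' - No matching peer found
[Apr 23 20:40:15] NOTICE[2301] chan_sip.c: Registration from '"210" <sip:210@192.0.2.10>' failed for '192.168.80.23' - Wrong password
[Apr 23 20:41:15] NOTICE[2301] chan_sip.c: Registration from '"210" <sip:210@192.0.2.10>' failed for '192.168.80.23' - Wrong password
[Apr 23 20:42:00] VERBOSE[2301] logger.c: -- Registered SIP '210' at 192.168.80.23 port 5060
"""

# Captures the extension being registered, the source address and the failure reason.
FAILED = re.compile(
    r"Registration from '.*?<sip:(?P<ext>[^@>]+)@[^>]*>' "
    r"failed for '(?P<src>[^':]+)(?::\d+)?' - (?P<why>.+)$"
)

def failures_by_source(log_text):
    """Count failed registrations and distinct extensions tried, per source address."""
    stats = defaultdict(lambda: {"attempts": 0, "extensions": set()})
    for line in log_text.splitlines():
        match = FAILED.search(line)
        if match:
            entry = stats[match.group("src")]
            entry["attempts"] += 1
            entry["extensions"].add(match.group("ext"))
    return stats

def suspected_scanners(log_text, min_extensions=3):
    """Sources that failed against several different extensions (guessing, not one stale phone)."""
    stats = failures_by_source(log_text)
    return sorted(src for src, e in stats.items()
                  if len(e["extensions"]) >= min_extensions)

if __name__ == "__main__":
    for src in suspected_scanners(SAMPLE_LOG):
        print("candidate for a firewall ban:", src)
```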

donpaul

« Reply #6 on: April 28, 2009, 05:59:54 am »
Quote from: tschak909
> Indeed, anybody wanna help us fix it? or just gawk at it?
>
> -Thom

LOL, I am trying.

greenhornet

« Reply #7 on: May 03, 2009, 05:29:51 pm »
It should be noted that current versions of FreePBX / Trixbox have the ability to restrict registrations by ip/subnet.  This feature can be found on the extension settings page.
Solving this problem could be done by updating the version of FreePBX included.  I know that is not as simple as it sounds but it might be the best course of action.
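Added example (not part of the original posts, and not LinuxMCE or FreePBX code): a small audit for the two weaknesses raised in this thread, an extension whose 'secret' equals its extension number and an extension with no ip/subnet restriction on registration. It assumes a chan_sip-style sip.conf in which that restriction is written as per-peer `deny`/`permit` lines; the sample config is constructed and the function names are hypothetical.

```python
# Constructed sip.conf fragment (not taken from a real system).
SAMPLE_SIP_CONF = """\
[general]
bindport=5060

[200]
secret=200
host=dynamic

[201]
secret=k3Yf-constructed-example
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.80.0/255.255.255.0

[202]
secret=9vQ-constructed-example
host=dynamic
"""

def parse_peers(text):
    """Return {section: [(key, value), ...]} for every section except [general]."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a comment
        if line.startswith("[") and "]" in line:
            current = line[1:line.index("]")]
            peers[current] = []
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)          # also accepts 'key => value'
            peers[current].append((key.strip().lower(), value.lstrip(">").strip()))
    peers.pop("general", None)
    return peers

def audit(text):
    """Map each weak extension to the list of problems found for it."""
    findings = {}
    for name, options in parse_peers(text).items():
        issues = []
        secrets = [v for k, v in options if k == "secret"]
        if not secrets or not secrets[0]:
            issues.append("no secret")
        elif secrets[0] == name:
            issues.append("secret equals extension")
        keys = {k for k, _ in options}
        if not ("deny" in keys and "permit" in keys):
            issues.append("no deny/permit ACL")
        if issues:
            findings[name] = issues
    return findings
```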

dlewis

« Reply #8 on: May 03, 2009, 05:31:48 pm »
Quote from: greenhornet
> It should be noted that current versions of FreePBX / Trixbox have the ability to restrict registrations by ip/subnet.  This feature can be found on the extension settings page.
> Solving this problem could be done by updating the version of FreePBX included.  I know that is not as simple as it sounds but it might be the best course of action.

Have you tried to update FreePBX within LinuxMCE?

tschak909

« Reply #9 on: May 03, 2009, 05:32:42 pm »
Good call, anyone want to take a crack at this?

-Thom

LegoGT

« Reply #10 on: May 03, 2009, 07:50:30 pm »
I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:

Code:
asterisk : proxy01.sipphone.com : allow
asterisk : 192.168.80. : allow
asterisk : localhost : allow
asterisk : ALL : deny

Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?
A brain dump of my neverending projects: http://MediumRareBrain.com

dlewis

« Reply #11 on: May 03, 2009, 07:58:37 pm »
Quote from: LegoGT
> I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:
>
> Code:
> asterisk : proxy01.sipphone.com : allow
> asterisk : 192.168.80. : allow
> asterisk : localhost : allow
> asterisk : ALL : deny
>
> Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

I think it's still worth a try to upgrade FreePBX / Asterisk...

tschak909

« Reply #12 on: May 03, 2009, 08:50:28 pm »
Quote from: LegoGT
> I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:
>
> Code:
> asterisk : proxy01.sipphone.com : allow
> asterisk : 192.168.80. : allow
> asterisk : localhost : allow
> asterisk : ALL : deny
>
> Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

Can you open a ticket on trac.linuxmce, and attach the new hosts.allow, so we can graft it into the system?

-Thom

dlewis

« Reply #13 on: May 03, 2009, 08:54:23 pm »
We should omit the 'sipphone.com' aspect since that's custom...

tschak909

« Reply #14 on: May 03, 2009, 08:56:40 pm »
Good call, we'll make it part of the template. Some thought will need to be made.

Since we can reference the gateway host in the database once configured, we can have scripts automatically do an SNR on hosts.allow to close things up nicely.

-Thom