Has my sigate UK account been hijacked because of LMCE?

[purps]

I recently discovered that all of my credit on my sipgate UK account has gone, and it is due to "service charges" by sipgate. Looking at an itemised bill (see attached) it would appear that a number of calls to foreign numbers have been made, none of which by me.

Firstly, does anybody know how this could have happened? And is it as a result of using LMCE with the phone line?

I wouldn't call the amount of money that has been lost "insignificant", so I am keen to get to the bottom of this.

Cheers,
Matt.

EDIT: The latest attacks were when the phone line in LMCE wasn't being used - the sipgate settings were on the phone itself and LMCE is just providing the networking. The previous set of attacks though could have been when the phone/phone line was set up within LMCE, I'm not sure.

[coley]

Matt,
It could be a brute force attack on your Asterisk server, it has happened to a few people on here.
Check the wiki for a possible solution: http://wiki.linuxmce.org/index.php/Fail2ban_-_A_tool_against_brute_force

-Coley.

[purps]

How are these people able to do this? Do they know my sipgate password or just my phone number or what? What basic steps can I take to avoid this from happening (in addition to the link you posted, thanks for that)?

[coley]

Botnets are set up to scan blocks of ip addresses and then once an asterisk server is found they try to brute force the extension passwords.
There are auditing tools you can use to scan your own server, for example SIPViscious: http://code.google.com/p/sipvicious/wiki/GettingStarted

-Coley.

[purps]

It amazes me that they are able to use my sipgate account via asterisk when I can't even get the bloody thing to work myself!

Can it only have been done via asterisk? I don't have any extensions set up in asterisk, just the phone line itself is set up in LMCE web admin. At the moment my sipgate credentials are on the Gigaset, that is how we have been using the phone.

[fibres]

Hi Purps

As far as I know lmce automatically sets up extensions for the phones on each orbiter. Therefore on a default LMCE setup there are some phone extensions which may well have defaut and therefore unsecure passwords.

If this is the case and you have set your asterisk server to connect to your trunk then they would be able to easilly connect to your lmce core asterisk as an extension and make calls through your trunk.

Fail2ban is good to stop brute force attacks, however it is not a direct replacement for good strong passwords.

I run a number of public asterisk servers including a VOIP Telecom in the UK mainly in the Business/Call Centre area and we have had no issues without using fail2ban. However I am strict about using good secure passwords for all extensions. We see regular brute force attacks onto our sip servers but have never had one get through.

There maybe should be a disclaimer on the asterisk side of LMCE to make sure all passwords are secure and the risks involved with connecting to your trunk.
Luckily you were on sipgate a prepaid service which would only allow them to use what credit you had. Had that been connected to a postpay voip provider or even with a Card directly to your home phone line the cost could have been a lot higher.

Regards

[daballiemo]

Another solution would be to prevent anybody but your provider to connect to Asterisks. I arranged that via my router and iptables

rgds

Han

[fibres]

Yes

Although make sure you allow all of your providers servers in otherwise you may have issues with incoming calls.

Some providers use multiple servers and inbound calls could come from one of a number of servers.
Also be aware that some providers use different servers for signalling and media. So you may get a call request sip message from one server at your provider but the call itself, the sound will come from a different IP!!

Regards

[purps]

Some very good advice there, thanks guys.

I realise extensions are set up automatically. One of the problems I have with my installation is that the extensions are not registering with asterisk (from looking at the freePBX main page), but the line and trunk was registered - would that be enough for them to use it? Or do they HAVE to have access to an extension?

I will of course set even stronger passwords where I can, but in the case of the SIP password supplied by sipgate.co.uk, it's only 6 characters long and made up of capital letters. I can't change it to my own password; I can only generate a new one. Should I be worried about this password specifically? Everyone is talking about passwords for the extensions, but as I said, these were not set up.

[fibres]

Hi

As the password is random letter, even though it is only 6 characters long, there are still a lot of combinations.
I would expect sipgate to have security in place that would detect and stop brute force attacks on users accounts. I have in the past had a number of sipgate accounts without any issues.

If the line and trunk is registers then yes. I am guessing in the freePBX admin there are some extensions configured. If these have weak passwords and they managed to brute force one of these extensions then they would be able to make calls out of your registered trunks.

What extensions are you trying to register? I am guessing you are trying to get the gigaset to register to the asterisk on LMCE?

Regards

[ladekribs]

Hi Purps,

The same thing happened to me, the prepaid account was used by, as it seems many users, calling different countries.
I tried to figure out what kind of numbers that where called, and most of the was "demo" subscriptions for testing VOIP.

I thought that one had to open the firewall if someone external should be able to call via LinuxMCE? and in that case the
the person using my account would have to go via the provider, how can they then use my account when LinuxMCE already is
 registered with the provider?

when the sip client is registering with the provider, is the userid and password encrypted or plain text?

I asked for a new password for the account and the new one was much longer.

anyway, i asked the provider if I could see the log of IP addresses using my account, they informed me that I had to file
 a report to the police, and that the police the would then contact the provider to investigate, been waiting since July.

Regards Stefan

[purps]

If the line and trunk is registers then yes. I am guessing in the freePBX admin there are some extensions configured. If these have weak passwords and they managed to brute force one of these extensions then they would be able to make calls out of your registered trunks.

I will reiterate, no extensions were set up in freePBX, not IP phones, nor MD softphones, nothing at all, it was literally just the line and trunk. You reckon they could still use my account even in this situation?

[ladekribs]

Purps,

I have looked at my freepbx log and I found that one of my extensions was used, it had a weak password ( I expected that the firewall was closed so it would not matter) learned a lesson but are there more pit falls?

You said you had just the line and trunk, is the "line" an extension? had it also a weak password?


Regards Stefan

[fibres]

I would guess you are refering to line and trunk as the same thing?

Does lmce not create some default extensions by default? Had you removed these?

No without an extension they shouldnt have been able to call.

Ladekribs, which log file showed this and where is it located. I am not hugely familiar with freePBX.

I would guess that sip port 5060 is open on the lmce firewall by default. As if it was blocked could cause problems with calls coming in from the provider.


Regards

[purps]

LMCE did not create those extensions, that is a separate problem that I have been having with my installation of LMCE. Again, there were no extensions set up in freePBX.