Asterisk hacked

[willow3]

Hi all!

Hope y'all had a very merry Christmas!

Like the subject indicates I got my asterisk hacked the other day resulting in a huge phone bill. I had a look at the phones in the system and the auto generated SIP passwords seem very difficult to guess. Yet someone succeeded. In the call log I could see that there were calls placed from all extensions in my system. Apparently someone took the pain to crack all of my passwords, which surprised me a bit.

I had a peek at the firewall, and maybe some of you guys can shed some light on how this works. There is a rule to open up port 5060 for udp. This seems inevitable if you want to place and receive external calls. But I guess this also opens up a security risk?

Just as a test I removed this rule to see what would happen. To my surprise, external calls still work. Is this normal? I did a quick reload router. Maybe I need to restart the core? Besides, the firewall used, is it a separate LMCE firewall or is it the kernel built-in one? I launched gufw and it indicated that the kernel firewall was turned off.

Is the general recommendation to have a strict dial plan to avoid having hackers placing calls to expensive phone numbers? Or do I have some security problem with my system that I am not aware of?

Any suggestions or information is welcome!

Happy new year everyone!

Regards

[pw44]

Are you using fail2ban?

[willow3]

Nope, but thanks for the tip. Would that tool be able to stop unauthorized attempts to register SIP extensions to asterisk?

[purps]

Sorry to hear this happened to you, I feel your pain http://forum.linuxmce.org/index.php/topic,12011.0.html

Cheers,
Matt.

[bongowongo]

I have no experience with astrisk at all, but wouldn't the log tell you this? Is it possible to flag activity like calling to madagascar for an hour is not something that I do every week.

[pw44]

Nope, but thanks for the tip. Would that tool be able to stop unauthorized attempts to register SIP extensions to asterisk?

Yes, after some trial. Take a look at the tutorial http://wiki.linuxmce.org/index.php/Fail2ban_-_A_tool_against_brute_force

[willow3]

Sorry to hear this happened to you, I feel your pain http://forum.linuxmce.org/index.php/topic,12011.0.html

Cheers,
Matt.

I am sorry you lost money too, man. Thanks for the link though. It contains good advice. From the information that you guys have provided, I think the following measures are appropriate:

- Configure fail2ban to stop brute force against SIP extensions. (According to wiki)
- Employ a restrictive set of dial patterns for your outgoing route
- Subscribe to a dial plan with a limited number of monthly minutes or credits or whatever

I did none of these, which gave me a good security lesson worth $300. Btw, the only reason it did not cost me $30000 or $300000 is that my VOIP provider automatically detected the calls as an "unusual usage" and blocked all outgoing international calls for my phone number. I did not know they had this functionality, they do not advertise it. But I am happy they did that.

I am still confused that gufw says the firewall is disabled. And that external calls work even if I removed the rule for port 5060 in the web admin. Any ideas on that?

all the best

[pw44]

Or like me, who have two voip services:
1) sipgate, with no credit, only to receive calls,
2) voipcheap, with € 10,00 credit, to place calls.
If someone is able, bypassing fail2ban and firewall to place calls, it will stop in € 10,00
But even € 10,00 i'm not willing to give away to some jerk, so fail2ban, firewall and strong and log sip extension passwords are in use.

You removed 5060 rules, but did you block incoming traffic from outside to this port?

[willow3]

Or like me, who have two voip services:
1) sipgate, with no credit, only to receive calls,
2) voipcheap, with € 10,00 credit, to place calls.
If someone is able, bypassing fail2ban and firewall to place calls, it will stop in € 10,00
But even € 10,00 i'm not willing to give away to some jerk, so fail2ban, firewall and strong and log sip extension passwords are in use.

You removed 5060 rules, but did you block incoming traffic from outside to this port?

I thought that was the purpose of the firewall rule itself. How do I do that?

[pw44]

I thought that was the purpose of the firewall rule itself. How do I do that?

Deny incoming traffic to all ports by all protocols (tcp, udp, etc), enabling only the ones you really need.
And if you want your SIP service, allow the incoming traffic to your 5060 port to the ip of your SIP provider.
It can be done in your router (if you use tomato, dd-wrt, for example) or directly in your linuxmce box.

You can take a look at iptables manual and also linuxmce firewall tutorial.



Also check with your SIP provider if they allow more than one connection by userid. If they do, the attacker may do it against the provider, not against your asterisk, impersonating you.

[Foxi352]

Only open udp port 5060 for your provider's asterisk, SER or whatever VoIP server IP ...

[Techstyle]

I also recently lost my 10GBP credit with sipgate.co.uk to hackers but not via Asterisk.  There was no calls in the call logs but the credit was gone.  Make sure both your password with your provider and your extensions are rock solid.

[willow3]

Thanks for all advice guys! The intrusion was done in my asterisk server, hence I am responsible. A peek in the asterisk logs confirmed that it was a brute force attack, fail2ban should solve this. I followed the instruction on the wiki provided by pw44. To test the asterisk jail I tried to register to an extension with a SIP soft phone on a computer in my local network. I registered three times with incorrect password. The attempts were correctly logged in the asterisk log, but looking in the fail2ban log I could see that the ban did not kick in. Do I have trouble shooting to do, or is there an explanation to this? (I did not include the computers IP to the ignore list).

regards

[pw44]

Thanks for all advice guys! The intrusion was done in my asterisk server, hence I am responsible. A peek in the asterisk logs confirmed that it was a brute force attack, fail2ban should solve this. I followed the instruction on the wiki provided by pw44. To test the asterisk jail I tried to register to an extension with a SIP soft phone on a computer in my local network. I registered three times with incorrect password. The attempts were correctly logged in the asterisk log, but looking in the fail2ban log I could see that the ban did not kick in. Do I have trouble shooting to do, or is there an explanation to this? (I did not include the computers IP to the ignore list).

regards

To see if it was blocked, try iptables -L -v, you should see something like:
5091 2125K DROP       all  --  any    any     173.193.194.106-static.reverse.softlayer.com  anywhere
Where DROP indicates reject any attempt from the given ip/address.

But remember that the configuration have a directive (ignoreip), to prevent any device in your internal network to be blocked.
Otherwise, please carefully check the fail2ban configuration, and remember that fail2ban SHALL be restartded AFTER /usr/pluto/bin/Network_Firewall.sh, because it clears and starts all the iptables rules for linuxmce, so the tutorial presents a hack for it, as described bellow:

For LinuxMCE, there is needed "patch", while fail2ban is not part of the distribution.
When LinuxMCE starts, it runs /usr/pluto/bin/Network_Firewall.sh, and this is done AFTER /etc/init.d/fail2ban is started.
So, edit /usr/pluto/bin/Network_Firewall.sh and add the following at the END of this file:
/etc/init.d/fail2ban restart

And remember to check and include this hack every time you updates linuxmce, because it's is not kept during the scripts updates.

I hope this helps.

[willow3]

Yep, I can now see that it works. Thanks a lot. However, the asterisk security kind of bothers me. Did you read this?

http://forums.asterisk.org/viewtopic.php?p=159984

Seems like all extensions created by lmce is of type friend. Looks like an unnecessary security risk. I changed them to peer. The system still works and now it should supposedly be more secure. (However not 100%).

This little lesson has taught me that what is installed default in lmce is a real security nightmare...