Stop asterisk from being hijacked

[greenhornet]

There is currently a lot of malicious activity being targeted at asterisk phone systems.  In the default settings, it's easy to find an unregistered extension and take over that extension.  In the case of LinuxMCE, the extension and the 'secret' registration password are the same.

It's fairly easy to throw random registration attempts at the box and wait for a good response.

blocking external SIP traffic with a firewall with not work because you would also be blocking legit registrations to SIP providers you have accounts with.

How can the 'secret' phone registration password be changed on devices like orbiter embedded phones so that when they're off, no one else can assume the role just by matching extension and password?

It's fairly easy to change the 'secret' on SIP devices but I cannot find the password location in the orbiter embedded devices.  Of course, one can change the EXTENSION password on the asterisk side by accessing the phone config but this will break service to the orbiter as it will no longer be able to register without the correct password.

[Marie.O]

The device template #1759 needs to be changed to allow the addition of a password, and the simplephone app has to be changed accordingly.

[nosebreaker]

Well, could you use an access-list to only allow traffic from your phone provider?  Is that something that would work or would you need off-site extensions or something?  I'm not sure if LMCE uses iptables but it appears to have some sort of access-list control.

[donpaul]

Wow, what a HUGE vulnerability.

[tschak909]

Indeed, anybody wanna help us fix it? or just gawk at it?

-Thom

[dlewis]

A friend of mine from www.voipcoop.org suggested Fail2Ban to help with these types of security issues. Here is the info: http://www.voip-info.org/wiki/view/Fail2Ban+(with+iptables)+And+Asterisk

Let me know if you guys try to install/get it working

[donpaul]

Indeed, anybody wanna help us fix it? or just gawk at it?

-Thom

LOL, I am trying.

[greenhornet]

It should be noted that current versions of FreePBX / Trixbox have the ability to restrict registrations by ip/subnet.  This feature can be found on the extension settings page.
Solving this problem could be done by updating the version of FreePBX included.  I know that is not as simple as it sounds but it might be the best course of action.

[dlewis]

It should be noted that current versions of FreePBX / Trixbox have the ability to restrict registrations by ip/subnet.  This feature can be found on the extension settings page.
Solving this problem could be done by updating the version of FreePBX included.  I know that is not as simple as it sounds but it might be the best course of action.

Have you tried to update FreePBX within LinuxMCE?

[tschak909]

Good call, anyone want to take a crack at this?

-Thom

[LegoGT]

I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:

Code: [Select]

asterisk : proxy01.sipphone.com : allow
asterisk : 192.168.80. : allow
asterisk : localhost : allow
asterisk : ALL : deny

Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

[dlewis]

I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:

Code: [Select]

asterisk : proxy01.sipphone.com : allow
asterisk : 192.168.80. : allow
asterisk : localhost : allow
asterisk : ALL : deny

Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

I think it's still worth a try to upgrade FreePBX / Asterisk...

[tschak909]

I've added an entry to /etc/hosts.allow for Asterisk and it seems to get the job done:

Code: [Select]

asterisk : proxy01.sipphone.com : allow
asterisk : 192.168.80. : allow
asterisk : localhost : allow
asterisk : ALL : deny

Before, I was able to easily connect the N800 SIP phone app from any external network and make dialed calls using default extension info (for example: 200,200). Now I can at least limit that access to specific hosts (or none at all) but I'm not sure if there are any security loopholes still open. Am I missing anything obvious by not trying to upgrade FreePBX and locking it down there?

Can you open a ticket on trac.linuxmce, and attach the new hosts.allow, so we can graft it into the system?

-Thom

[dlewis]

We should omit the 'sipphone.com' aspect since that's custom...

[tschak909]

Good call, we'll make it part of the template. Some thought will need to be made.

Since we can reference the gateway host in the database once configured, we can have scripts automatically do an SNR on hosts.allow to close things up nicely.

-Thom