Asterisk server has been hacked


Postby marco007 » Mon Jul 26, 2010 7:08 pm

Hi,

I need to help a customer. His Asterisk server, which is in the DMZ, was hacked in a manner that hackers made lots of phone calls to hot lines, so the customer got a huge phone bill. He asked me to help him harden Asterisk, but before that I need to know how they hacked the server... any idea what to look for? I don't know yet the version of Asterisk the client uses. These days I'm learning lots of Asterisk to be prepared for next week; I need to do some forensics work on the Asterisk server next week but I don't know what to look for. I am ALMOST sure it's a misconfiguration problem and that's all, but what to look for in the configuration?

Also, a hardening/security guide for Asterisk? Any idea where I can find a good one?

Thanks a lot!

Marco

Postby MrFidget » Mon Jul 26, 2010 8:28 pm

Loaded question... dial plans, iptables & fail2ban, complex passwords and non-numeric extensions, etc.

Step 1. Put it behind NAT for starters.
Problem solved, mostly...

Where are you located? There may be someone on the forum who is located nearby whom you can call in to help.

Cheers
Chris

Postby marco007 » Mon Jul 26, 2010 11:33 pm

Hi,

Thanks... but your answer is very blurry. I don't understand... please explain more. I'm located in Buenos Aires.

What do I need to put behind NAT? Please explain more...

I use Skype, can I call you through Skype? My user is juanb007

Thanks

marco

Postby david55 » Tue Jul 27, 2010 2:32 am

There are various documents included with Asterisk on good practice, one added quite recently.

As to telling you exactly how to hack Asterisk, I personally would not want to do that over a public channel, or without positively authenticating that you had a need to know.

Postby ianplain » Tue Jul 27, 2010 2:42 am

Hi

Firstly, go through the /var/log/asterisk logs and I'm guessing you will find many register attempts. The source IP will more than likely be from the Amazon Cloud.

You will need to add these IPs to your iptables.

Then in Asterisk, in the sip.conf, if a phone doesn't need to register externally then set the ACL so it can only register from the known subnet. Also make sure that you have "alwaysauthreject=yes" in the general section of the sip.conf.

To be honest, if you don't know what to look for then you aren't really equipped to harden his server against attack. Don't take this the wrong way, but you could end up costing him money if you get it wrong.

Ian

Postby MrFidget » Tue Jul 27, 2010 5:42 am

Hi,

Sorry to be a little blurry; I saw your post and didn't give it enough time to cover things properly... however...

Simply:
Put the Asterisk box behind a NAT router. The system will not be contactable from the outside, but can initiate and maintain registered connections with SIP providers on the outside. That is the simplest way to make your Asterisk box secure "enough" whilst still being able to make and receive calls over the net. It won't work with external handsets; you may need to look at a low latency / SIP/RTP friendly VPN such as OpenVPN to give you that functionality.

If, however, you have to use a public IP then here are some things you need to do to protect your Asterisk box.

1. Don't use the same username and password on your extensions. Common issue. e.g.
Code:
; sip.conf
[202]
username=202
secret=202
host=dynamic

This is asking for trouble.

2. Keep the inbound call routing in a different context to your outbound routing. That way, anyone who gets in can't get back out again. Common problem and biggest cause / source of toll fraud.
Also always have a default context that can't go anywhere.
Code:
; sip.conf
[general]
; Make sure that all stray calls end up in default
context=default
; registrations
register => 9875554321:guessthis123@sip.myimaginaryprovider.net
; trunks
[sip-trunk]
username=9875554321
secret=guessthis123
host=sip.myimaginaryprovider.net
context=sip-in
; etc....

; extensions
[202]
username=202
secret=lesschanceofgettinghacked
context=extensions

Code:
; extensions.conf
[extensions]
; Only our local extensions have access to this context
; Call our local extensions
exten => _2XX,1,Dial(SIP/${EXTEN})

; Dial out unrestricted access for any handset (min 4 digits)
exten => _XXXX.,1,Dial(SIP/sip-trunk/${EXTEN})

[sip-in]
; All calls via our SIP provider end up here
; inbound rings all phones
exten => s,1,Dial(SIP/201&SIP/202&SIP/203)

; If we have a call from our provider go astray, dump it
exten => i,1,Answer()
exten => i,n,Playback(tt-somethingiswrong)
exten => i,n,HangUp()

; No access to any outside lines

[default]
; All stray calls will end up here
; unless we want anonymous SIP calls, dump the call
exten => i,1,Answer()
exten => i,n,Playback(tt-somethingiswrong)
exten => i,n,HangUp()

; However we may want someone to call SIP://25@mywanipaddress.net to be able to call in
exten => 25,1,Dial(SIP/201&SIP/202&SIP/203)


3. Use something like fail2ban. This is a similar script I quickly googled.
http://www.teamforrest.com/blog/171/asterisk-no-matching-peer-found-block/

4. Restrict the IP addresses your extensions can register from to the local subnet using permit/deny in your sip.conf.
Code:
; sip.conf
[202]
username=202
secret=lesschanceofgettinghacked
context=extensions
; Deny all
deny=0.0.0.0/0.0.0.0
; But permit from local LAN
permit=192.168.0.0/255.255.255.0
; And maybe from one WAN address where the handset sometimes is
permit=203.0.0.1/255.255.255.255


5. Disable channels that you aren't using (such as skinny and MGCP) and comment out any default settings in the conf files.
Code:
; modules.conf
noload => chan_skinny.so
noload => chan_ooh323.so
noload => chan_mgcp.so


That should keep you busy. But, if you can get away with it, put the box behind NAT.

Cheers
Chris

BTW: We get 2 to 3 hack attacks a fortnight now. It's a never-ending battle; however, by using restrictive dial plans and non-numeric logins for our extensions, we have avoided all grief save for the machine and network resources used during the scans. We have managed to deal with those too by blocking out chunks of dodgy address space in the firewall tables.
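As an added example (not code from Chris's post or from Asterisk itself), a small Python checker for the sip.conf weaknesses the post calls out: a secret equal to the username (point 1), a dynamic peer with no deny/permit ACL (point 4), and Ian's alwaysauthreject=yes. The two configs inside are constructed from the thread's snippets; the parser is a minimal reading of Asterisk's [section] / key=value format.

```python
# Constructed sip.conf fragments modelled on the post's snippets (not real configs).
WEAK_SIP_CONF = """\
[general]
[202]
username=202
secret=202
host=dynamic
"""
HARDENED_SIP_CONF = """\
[general]
context=default
alwaysauthreject=yes
[202]
username=202
secret=lesschanceofgettinghacked
host=dynamic
deny=0.0.0.0/0.0.0.0
permit=192.168.0.0/255.255.255.0
"""

def parse_sip_conf(text):
    # Asterisk-style [section] / key=value; ';' starts a comment; duplicate keys are kept.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.lstrip(">").strip()))
    return sections

def audit_sip_conf(text):
    # One finding per weakness the post calls out; an empty list means none were found.
    sections = parse_sip_conf(text)
    general = dict(sections.get("general", []))
    findings = []
    if general.get("alwaysauthreject", "").lower() != "yes":
        findings.append("general: alwaysauthreject=yes not set (failed REGISTERs reveal valid peers)")
    for name, items in sections.items():
        if name == "general":
            continue
        opts, keys = dict(items), {k for k, _ in items}
        secret = opts.get("secret", "")
        if secret in ("", name, opts.get("username")) or secret.isdigit():
            findings.append("%s: secret missing, numeric, or equal to the username" % name)
        if opts.get("host") == "dynamic" and not keys & {"deny", "permit"}:
            findings.append("%s: dynamic peer without deny/permit ACL" % name)
    return findings
```

Run it against the real /etc/asterisk/sip.conf before and after applying the steps above; the weak fragment yields three findings and the hardened one none.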

Postby marco007 » Tue Jul 27, 2010 2:49 pm

Chris!!! Thanks so much!!!

Your response is great!!

It helped me a lot. I will follow the steps you told me when I'm at the client.

Any idea how I can figure out the way the hackers came in?

Thanks!!

marco

Postby MrFidget » Tue Jul 27, 2010 3:31 pm

/var/log/asterisk/messages will tell all

Good luck and use NAT ;)

Chris
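Ian's advice to go through the Asterisk logs for register attempts and add the source IPs to iptables, and Chris's "/var/log/asterisk/messages will tell all", as an added example that is not code from the thread or from Asterisk: it parses constructed chan_sip "Registration ... failed" lines, counts failures per outside source and renders the DROP rules. The handset LAN range and the three-failure threshold are assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Constructed lines in the format of chan_sip NOTICE entries in /var/log/asterisk/messages;
# addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
[Jul 26 03:12:01] NOTICE[3172] chan_sip.c: Registration from '"100" <sip:100@203.0.113.10>' failed for '198.51.100.23' - No matching peer found
[Jul 26 03:12:01] NOTICE[3172] chan_sip.c: Registration from '"101" <sip:101@203.0.113.10>' failed for '198.51.100.23' - No matching peer found
[Jul 26 03:12:02] NOTICE[3172] chan_sip.c: Registration from '"202" <sip:202@203.0.113.10>' failed for '198.51.100.23' - Wrong password
[Jul 26 03:12:02] NOTICE[3172] chan_sip.c: Registration from '"202" <sip:202@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[Jul 26 08:40:10] NOTICE[3172] chan_sip.c: Registration from '"202" <sip:202@203.0.113.10>' failed for '192.168.0.15' - Wrong password
[Jul 26 08:40:15] VERBOSE[3172] logger.c:     -- Registered SIP '202' at 192.168.0.15 port 5060
"""

FAILED_REG = re.compile(
    r"Registration from '(?P<identity>[^']*)' failed for "
    r"'(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::\d+)?' - (?P<reason>.+)$"
)
LAN = ipaddress.ip_network("192.168.0.0/24")  # assumed handset subnet, as in the post

def parse_failed_registrations(log_text):
    # Return (source_ip, identity, reason) for every failed REGISTER line.
    events = []
    for line in log_text.splitlines():
        m = FAILED_REG.search(line)
        if m:
            events.append((m.group("ip"), m.group("identity"), m.group("reason")))
    return events

def suspicious_sources(events, threshold=3):
    # Non-LAN sources with >= threshold failures, mapped to the distinct reasons seen.
    # A source collecting both 'No matching peer found' and 'Wrong password' is learning
    # which peers exist; alwaysauthreject=yes hides that distinction from the remote side.
    counts, reasons = Counter(), defaultdict(set)
    for ip, _identity, reason in events:
        if ipaddress.ip_address(ip) in LAN:
            continue  # a LAN handset with a bad secret is a config problem, not a scan
        counts[ip] += 1
        reasons[ip].add(reason)
    return {ip: sorted(reasons[ip]) for ip, n in counts.items() if n >= threshold}

def iptables_drop_rules(sources):
    # One DROP rule per source, the manual step Ian describes in his post.
    return ["iptables -I INPUT -s %s -j DROP" % ip for ip in sorted(sources)]
```

Feed it the real messages file instead of SAMPLE_LOG; fail2ban automates the same count-and-block loop.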

Postby marco007 » Sat Jul 31, 2010 7:15 pm

Hi!!

Why will NAT protect the server more?

I read some info about NATing the Asterisk server, but I understand that it's very complicated to put it behind a firewall because of all the high ports the FW admin needs to open, right?

What about using an SBC? Is it safer? But it's very expensive...

And what about protecting the Asterisk server just with access lists on the edge router and not using NAT, is it OK?

Thanks a lot and sorry for all the questions, I just need to bring the client a satisfying solution...

Marco

Postby MrFidget » Sun Aug 01, 2010 6:16 am

NAT makes sure that nothing gets inside from outside, unless explicitly requested by something inside.

You can receive calls because your Asterisk will register with your ITSP and maintain the connection through NAT; however, if I was scanning for your PBX, I wouldn't see it, as there are no open ports on your WAN connection.

It does stop anonymous SIP calls, which is useful in stopping SPIT (SPAM over Internet Telephony?)

Does that make sense?

Cheers
Chris

Postby marco007 » Mon Aug 02, 2010 8:41 am

OK Chris, now I got it.

Thanks again!

juan

Postby HotelHiit » Wed Aug 11, 2010 12:26 am

Now, the difference between the two (Asterisk and AsteriskNOW) besides the built-in OS and no built-in OS is the GUI. AsteriskNOW comes with a web GUI (which only works with Firefox, ironically enough) and its brother, Asterisk, is configuration file editing on the Asterisk PBX server.

Another nice thing about Asterisk(NOW) is that home users can use any old computer that can at least run Linux to use as the PBX server. Larger entities such as companies will obviously have to use higher grade equipment to support more users, but all in all, it's pretty much the same software. I'm playing with AsteriskNOW on an old computer.


Hotel
Motel