Am I Cracked?


Hi list!

Very strange… I ran the Asterisk CLI for other tasks, and suddenly I got this message:

== Using SIP RTP CoS mark 5
-- Executing [000972592603325@default:1] Verbose("SIP/192.168.20.120-0000002a", "2,PROXY Call from 0123456 to 000972592603325") in new stack
== PROXY Call from 0123456 to 000972592603325
-- Executing [000972592603325@default:2] Set("SIP/192.168.20.120-0000002a", "CHANNEL(musicclass)

19 thoughts on - Am I Cracked?

  • Based on SIP packets coming in from IP addresses you don't recognize, while you may not be hacked, you would seem to have people probing your system. One thing you can do at the firewall level is restrict inbound SIP communications to only those from your external phone providers. Depending on their setup, they should be able to give you an IP, a range of IPs or a name that can be used (i.e. sip.myphoneprovider.com). If you restrict your inbound SIP to that, it will be very helpful. Also, there are further steps you can take to harden your systems. An internet search will bring up many, but here are a couple of good ones:

    http://blogs.digium.com/2009/03/28/sip-security/
    http://www.ipcomms.net/blog/70-11-steps-to-secure-your-asterisk-ip-pbx
    http://nerdvittles.com/?pX0

  • Kevin Larsen wrote:

    I think, too, it’s someone probing my IP…

    This is not really possible, since I log in to my Asterisk from many providers…

    OK, I set alwaysauthreject = yes and I discovered an allowguest, which I set to "no", too. The PBX is behind a firewall and I just allow UDP 5060 and 10000-10100. Now I log the SIP packets coming from the Internet, too…

    Hopefully I solved my problem…

    Thanks Luca Bertoncello
    (lucabert@lucabert.de)
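    The settings Luca describes, written out as a chan_sip sip.conf fragment beside the permissive form they replace. This is an added example, not the poster's file: the trunk name pbxluca comes from the thread, but the provider host name and address range, the phone peer 1001, both secrets and the context names (from-trunk, from-internal) are assumptions.

```ini
; sip.conf (chan_sip): permissive defaults beside the hardened form.
; Added example, not the poster's file. The trunk name pbxluca is from the
; thread; the provider host name and address range (TEST-NET-3), the phone
; peer 1001, both secrets and the context names are assumptions.

; --- PERMISSIVE: what chan_sip does when these options are left unset ---
; An INVITE from any address that matches no peer is accepted as a guest
; call and dropped into [default]. If [default] can reach Dial() on a
; trunk, the PBX is an open relay for voice calls.
;[general]
;context=default
;allowguest=yes
;alwaysauthreject=no

; --- HARDENED ---
[general]
context=default        ; still the landing zone for anything unmatched:
                       ; keep that context free of any outbound Dial()
allowguest=no          ; INVITEs that match no peer are refused, not relayed
alwaysauthreject=yes   ; identical 401 whether the user exists or not, so
                       ; scanners cannot enumerate valid extensions
bindport=5060

; Provider trunk. Calls FROM the provider land in [from-trunk], a context
; that has no path to an outbound Dial(). Inbound matching is by source
; address, so pin the peer to the provider's address range as well.
[pbxluca]
type=peer
host=sip.provider.example          ; assumption
secret=change-me-trunk-secret      ; assumption; issued by the provider
context=from-trunk
insecure=invite                    ; only if the provider cannot authenticate
                                   ; the INVITEs it sends to us
deny=0.0.0.0/0.0.0.0
permit=203.0.113.0/255.255.255.0   ; provider's range, as given by the provider
qualify=yes

; A desk phone. It registers with a secret that is NOT its extension
; number, and phones are the only peers whose context can dial out.
[1001]
type=friend
host=dynamic
secret=9kQ!v2Lp7zR#wXa1            ; assumption; never equal to "1001"
context=from-internal
deny=0.0.0.0/0.0.0.0
permit=192.168.20.0/255.255.255.0  ; assumption: the phones' LAN
disallow=all
allow=alaw
```

    After `sip reload`, confirm the running values with `asterisk -rx "sip show settings"`: the output should show `Allow unknown access: No` and `Always auth rejects: Yes`. The permit/deny lines are chan_sip ACLs and only act on packets chan_sip already receives; the firewall rule restricting UDP 5060 to the providers' addresses is what keeps the probes off the socket in the first place.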

  • Make sure you have solved the problem. You don't want to get hit with a phone bill for calls from your location to Israel. Basically, they are hoping that you are running the equivalent of a mail server open relay. They are trying to use you to dial out to another number. You don't want to pay for these calls.

    The calls are being dumped into your default context. It’s not matching on your gotoif statements, so finally it is trying to execute this:
    Dial("SIP/192.168.20.120-0000002a", "SIP/pbxluca/000972592603325,,R") in new stack

    Not sure what trunk pbxluca is, but if that is an outbound trunk, then this is very bad. The only reason it would fail then is if they have the outbound dial pattern wrong, which is a sure sign that you are open in the future to having someone make this kind of call in a way that does work and leaves you on the hook. Based on your email address, I am guessing you are in Germany. Looks like they almost have the correct outbound pattern for dialing from Germany to Israel. It should be 00972592603325 (notice the one less zero in the front). Please tell me that pbxluca is not an outbound dialing context? If it is, you need to fix this very quickly.

  • many < all

    So make a list of the 100 or so providers you have active accounts with. It's still way less than 'all.' Also, I'm willing to bet you won't be using providers from China, North Korea, Russia, Iraq, etc, etc, etc. (Sorry if that steps on anybody's toes.) Look for address blocks (class A, B, C) that are allocated to geographic regions you do not have any providers. If you limit your 'attack surface' you make your security problem manageable.

  • Kevin Larsen wrote:

    Of course, but how can I test, if I am an “open relay”?

    This is one of my outbound trunks…

    How can I fix it? Of course, I need to be able to call any phone in this world… On a mail server I'd restrict outgoing calls to authenticated users. I was sure that Asterisk already does that, but I'm not sure anymore… How can I restrict it?

    Thanks Luca Bertoncello
    (lucabert@lucabert.de)

  • If you don’t know how to do this I suggest that you shut down your Asterisk server until you find out. Using your cell phone while you get it straight could save you some serious coin.

    Very, very bad then.

    You need to make sure that only registered phones can connect to your outbound trunks. Read the docs or hire someone but don't wait. Shut down now, especially since this information is now on a public list. I am sure that most people here are just looking out for you but it only takes one black hat.

  • I am sure others can chime in, but first things first, you want inbound calls and outbound calls to be in different contexts. Don't let your default context reach an outbound line. Your registered phones will be in a context that can call out which should be different from the default.

    Also, make sure that your phones are registering with passwords (secret) that are different than the extension number. Makes it harder to guess.

    The big thing to keep in mind dialplan wise is to never let an inbound call have a path to loop back outbound. Two of the biggest vectors for fraud are allowing a non-authenticated SIP call to get outbound over your trunks and having weak credentials that can be cracked, which lets someone else impersonate your phones.

    And you can still wipe out most fraud by restricting the IP addresses you let in from the outside world. I prefer to have the most restrictive communications I can and then fix it if I discover that something doesn't work. Better to fail and fix than to permit and pay for it later. The providers I tend to like best not only give me what I need to restrict to their IP ranges, but also put in place restrictions on their end to only talk to my account from my external static IP address. That way someone could figure out my credentials, but if they can't spoof my IP address it still won't work. That is dependent on what the provider can do though.

  • As a practice, by default all the extensions you expose on the allowguest mode should lead inbound to your asterisk and should never pick any outbound trunk and dial out.

    Your best option is to remove all outbound extensions from the default context, move them to default2 and set default extensions as honeypot to play monkeys tts wave file or reject the call.

    Mitul Limbani
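    The context split that the last two replies recommend, as an added extensions.conf example (not the poster's dialplan or any contributor's): inbound trunk calls, authenticated phones and a dead-end [default] live in separate contexts, and only the phones' context can reach Dial() on the trunk. pbxluca is the trunk named in the thread; the context names, the phone extension 1001, the extension range and the German dial patterns are assumptions, and CHANNEL(recvip) assumes chan_sip.

```ini
; extensions.conf: inbound and outbound kept in separate contexts.
; Added example, not the poster's or any contributor's dialplan. The trunk
; pbxluca is from the thread; the context names, phone 1001, the _1XXX
; range and the German dial patterns are assumptions.

; [default] is where chan_sip drops guest calls and calls from any peer
; whose entry has no context= line. Honeypot only: log and reject. No
; Dial() here, and no Goto()/include of a context that has one.
[default]
exten => _X.,1,NoOp(Unknown/unauthenticated call from ${CHANNEL(recvip)} to ${EXTEN})
 same => n,Hangup(21)               ; cause 21 = call rejected

; Calls FROM the provider: they may only ring phones. No Dial() toward
; the trunk and no include of a context that has one.
[from-trunk]
exten => _X.,1,Dial(SIP/1001,25)    ; every DID rings phone 1001 (assumption)
 same => n,Hangup()

; Calls from registered, authenticated phones. This is the ONLY context
; with a route to the trunk, and it gets there through [outbound].
[from-internal]
include => internal
include => outbound

[internal]
exten => _1XXX,1,Dial(SIP/${EXTEN},25)
 same => n,Hangup()

[outbound]
; German national (0 + area code) and international (00 + country code).
; Authenticated phones may dial anywhere; to carve out, say, premium
; 0900 numbers, add a more specific pattern such as _0900X. that goes to
; Hangup(): Asterisk picks the most specific match, not the first one.
exten => _0[1-9].,1,Dial(SIP/pbxluca/${EXTEN},60)
 same => n,Hangup()
exten => _00X.,1,Dial(SIP/pbxluca/${EXTEN},60)
 same => n,Hangup()
```

    A quick check after `dialplan reload`: `asterisk -rx "dialplan show default"` and `asterisk -rx "dialplan show from-trunk"` must list no Dial() toward SIP/pbxluca. In the poster's log the call entered as `[000972592603325@default:1]` and walked on to Dial(); with this layout the same INVITE ends at Hangup(21). Also check `sip show peers` against sip.conf so that every peer has an explicit context= line, because anything without one lands in [default] too.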

  • I’m guessing this is a small/home system? I suggest you install SecAst from this site: http://www.telium.ca It’s free for small office / home office and will deal with these types of attacks and more. It can also block users based on their Geographic location (based on the phone number it attempted to dial I suspect this is middle east), look for suspicious dialing patterns, etc.

    If you still have allow guest enabled, then you should also follow the ‘securing asterisk’ steps from this site: http://www.voip-info.org/wiki/view/Asterisk+security

    You're definitely under attack (based on the 0123456 ID) so be sure to take preventative steps to avoid a $50k phone bill.

  • Don’t enable ‘auto-replenish’ in your provider account and don’t keep a balance you can’t afford to lose.

  • Quoting Olivier:

    I'm very sorry to write that, but these answers are really NOT helpful… I searched for two days for how I can check it and didn't find anything useful…

    Well, since I changed some configuration and use another port I don't have the problem any more, but I'm not sure if I did everything I need…

    Could someone suggest a way to check if my Asterisk is an "Open Relay" that accepts connections from every peer?

    Thanks Luca Bertoncello
    (lucabert@lucabert.de)

  • Someone on this list is bound to have the wherewithal to be able to do that. All they will need to know is the IP address of your Asterisk server.

    I suggest that if anyone offers to help you by remotely penetration-testing your system, you post “on-list” that you’ll contact them “off-list” to give them the server IP. That way, everyone gets to know that a deal has been established, but only the directly-concerned parties have all the necessary information.

  • A J is 100% correct. People here are very helpful. Though you do not know who is just lurking and can cause some issues for you. I am willing to help, but you may find someone who focuses only on security, and would be a better asset.

  • Quoting Keith Sloan:

    Well, I'm not sure that I understood what you and Stiles say… Anyway: if someone on the list can help me with such a penetration test, I'd like to be contacted by them…

    Thanks Luca Bertoncello
    (lucabert@lucabert.de)

  • For such cases I created a dialplan in the default context which blocks the IP of the hacker with iptables.
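    One way to do what Dereck describes, as an added example and not his dialplan: a [default] context that validates the source address of an unwanted call and inserts an iptables DROP rule for it. Assumptions: chan_sip (CHANNEL(recvip) is a chan_sip item returning the address the INVITE came from), iptables on the PBX host, a sudoers entry allowing the asterisk user to run exactly that iptables command, and RFC 1918 ranges as the LAN exclusion. Note that this only fires if chan_sip still admits guest calls (allowguest=yes) so that they reach the dialplan at all; with allowguest=no the INVITE is refused before any dialplan runs, and the source can then only be blocked by something watching the logs.

```ini
; extensions.conf: a [default] context that firewalls the source of an
; unwanted call. Added example of the idea Dereck describes, not his
; dialplan. Assumptions: chan_sip (CHANNEL(recvip) returns the address the
; INVITE came from), iptables on the PBX host, and a sudoers entry that
; lets the asterisk user run exactly this command:
;   asterisk ALL=(root) NOPASSWD: /sbin/iptables -I INPUT -s * -j DROP
[default]
exten => _X.,1,Set(SRC=${CHANNEL(recvip)})
 same => n,NoOp(Unauthenticated call from ${SRC} to ${EXTEN})
 ; Never hand caller-controlled values (CALLERID, EXTEN, SIP headers) to
 ; System(). recvip comes from the UDP transport, not from a header, but
 ; it is still validated before it reaches a shell: digits and dots only.
 same => n,GotoIf($[${REGEX("^[0-9]{1,3}([.][0-9]{1,3}){3}$" ${SRC})}]?islan:reject)
 ; Do not lock out your own phones or the provider: skip RFC 1918 space
 ; (add your provider's range to this pattern as well).
 same => n(islan),GotoIf($[${REGEX("^(10[.]|192[.]168[.]|172[.](1[6-9]|2[0-9]|3[01])[.])" ${SRC})}]?reject:block)
 same => n(block),System(sudo /sbin/iptables -I INPUT -s ${SRC} -j DROP)
 same => n,NoOp(iptables result: ${SYSTEMSTATUS})   ; SUCCESS / FAILURE / APPERROR
 same => n(reject),Hangup(21)
```

    The rule is not persistent across a reboot and the DROP list grows without bound, so either flush it periodically or pair it with a timed chain. The LAN exclusion matters: a misdialled call from one of your own phones that ends up in [default] must not firewall the phone.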

  • Quoting Dereck D:

    That's interesting… Could you explain to me how you did it?

    Thanks Luca Bertoncello
    (lucabert@lucabert.de)