Koozali.org: home of the SME Server

IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!

Offline SARK devs

« on: April 17, 2009, 09:53:25 PM »
Hello all,

Just to let you know, we have seen two attempted SIP hack attacks over the last month.  The attacker floods the asterisk server with registration requests in the hope that one will pass.  If it does then a remote phone is registered to the server and used to dial international or premium rate lines.  In one case, the attacker attempted to register extension numbers 1 thru 10000, one after the other (obviously under program control).  In each case, the hacker was using the assumption that the extension number and asterisk password were the same. 

So....  If you have remote phones attached to your server then you should consider doing some, or preferably all, of the following;

If you run SARK/SAIL...

  • For REMOTE PHONES - make sure that passwords do not match the extension number and that they are strong passwords.  SAIL will automatically generate a strong password for you when you create a new extension (versions prior to 2.2.1-631  did not do this). If you do have some cases where extension and password are the same then change the password, commit it and restart the phone.  The phone should automatically pick up its new provisioning data and restart normally with the new password.
  • Implement Class Of Service to prevent anyone dialling premium rate numbers.
  • Consider a Class Of Service restriction to limit phones to dialling only local & emergency numbers at night time (which is when the bogus phone calls usually occur)

If you run some other Asterisk GUI, or vanilla Asterisk...

  • you will probably need to manually inspect your remote phones and passwords and change them accordingly.  This will likely necessitate reprogramming/reprovisioning the phones
  • Products like FreePBX and its numerous derivatives/superlatives don't support Class Of Service or outbound number class barring so you may need to do a bit of legwork to find a solution which prevents dials to high rate number classes.

You aren't going to stop these attacks but you can make life very difficult for an aggressor by taking just a few minor precautions.  You shouldn't need to worry about locally attached phones because a remote attacker probably won't be able to handle the natting necessary to log in as a local over your firewall.



Best

S


« Last Edit: April 18, 2009, 12:35:02 PM by selintra »
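The first precaution above (no secret equal to the extension, no weak secret) can be checked mechanically on a vanilla Asterisk box. The script below is an added example, not SARK/SAIL code: it parses an ini-style sip.conf (a constructed sample is embedded) and lists registering peers whose secret is missing, equals the peer name, or is shorter than a minimum length.

```python
"""Audit Asterisk sip.conf for registering peers whose secret is missing, equals the
extension, or is short. Added example, not SARK/SAIL code; the sample config is constructed."""
import re

SECTION_RE = re.compile(r"^\[([^\]]+)\]")
KV_RE = re.compile(r"^([A-Za-z_]+)\s*=>?\s*(.*?)$")

def parse_sip_conf(text):
    """Return {section: {key: value}}; ';' comments stripped, (!) templates not interpreted."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(1), {})
        elif line and current is not None:
            m = KV_RE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(2)
    return sections

def weak_peers(text, min_len=8):
    """Return [(peer, reason)] for host=dynamic peers (the ones that register, remote
    phones included) whose secret is missing, equals the peer name, or is too short."""
    findings = []
    for name, kv in parse_sip_conf(text).items():
        if kv.get("host") != "dynamic":
            continue
        secret = kv.get("secret")
        if secret is None:
            findings.append((name, "no secret"))
        elif secret == name:
            findings.append((name, "secret equals extension"))
        elif len(secret) < min_len:
            findings.append((name, f"secret shorter than {min_len}"))
    return findings

SAMPLE_SIP_CONF = """\
[general]
context=default
[100]
type=friend
host=dynamic
secret=100            ; weak: same as extension
[101]
type=friend
host=dynamic
secret=Xq7!vR2pLm9s
[102]
type=friend
host=dynamic          ; no secret at all
"""
```

Run it against a copy of /etc/asterisk/sip.conf; any peer it lists should get a new secret, followed by a reload and re-provisioning of the phone as described above.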

Offline David Harper

Re: IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!
« Reply #1 on: April 18, 2009, 09:36:35 AM »
Thanks for the heads up. Am I correct in saying that this only affects customers with remote extensions configured? What about SAIL to SAIL trunks?

Offline SARK devs

Re: IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!
« Reply #2 on: April 18, 2009, 10:07:03 AM »
Hi David

Yes - remote connections are the main problem.  A SAIL-SAIL trunk could be compromised but it's a lot less likely because they don't use extension numbers.  However, no harm in creating a strong password if you use these trunks.

Best

S

Offline madadam

Re: IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!
« Reply #3 on: April 19, 2009, 03:35:00 AM »
Hi guys,

Thanks for the heads up. I have one small suggestion (feature request) and one question.

Firstly the suggestion. Can you place the "Phone location" on the summary table on the Extensions page? I have a lot of phones and it would help to see at a glance which are "local" and which are "remote".

Secondly I always specify the Mac Address of any remote phones. When a remote phone authenticates does the mac address need to match?

Cheers,

Adam
...

Offline SARK devs

Re: IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!
« Reply #4 on: April 19, 2009, 11:16:33 AM »
I think we can put that in for you...  Sarkinternal is "on the bench" now as it happens (recording stuff) so I'll see if they can squeeze it in.  On reflection, provided you have dynamic proxying turned on, you can tell anyway because the "UP" icon is different for locals and remotes.

Just as an aside - do you all understand dynamic proxying and what it does?  It's probably one of the most powerful features in SAIL, particularly if you have a lot of phones to look after.

Mac address does not need to match but if you specify one then SAIL will place a provisioning file for the phone (if it is a supported model) into the main Ibay so that the phone can remote provision itself if required.

Best

S



« Last Edit: April 19, 2009, 11:22:08 AM by selintra »

Offline madadam

Re: IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!
« Reply #5 on: April 19, 2009, 11:59:39 AM »
Ahhh, gosh!

I shouldn't admit it here publicly but I had assumed that providing a MAC address in SAIL was like setting up a network with reserved IP on the DHCP server or as a way to authenticate a request to join the network.

Thanks for the heads up.

Adam
...

Offline iam

Re: IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!
« Reply #6 on: May 08, 2009, 11:45:46 AM »
For those who have zap/dahdi PSTN lines...

I can make outgoing calls from my notebook with xlite and a PUBLIC internet address through my pbx with a dahdi pstn connection, regardless of whether the extension is configured as remote or local.

So in that case just setting nat to no or yes with the local/remote option isn't enough ...
Change passwords to strong ones for all the extensions if you open registrations to the internet....

Sincerely

Offline matsk

Re: IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!
« Reply #7 on: May 13, 2009, 07:56:14 AM »
Is it possible to implement a trap for "many failed registrations" that could warn the admin?

Offline SARK devs

Re: IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!
« Reply #8 on: May 13, 2009, 12:13:11 PM »
Yes you could run a cron job to grep the asterisk messages log and set a threshold based upon how many hits you get.

S

Offline matsk

Re: IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!
« Reply #9 on: May 13, 2009, 01:32:48 PM »
Hmm, I think that a derivative function is better than a static value. A derivative can see a sudden increase of attempts which a static value will miss.

The weekend is saved, writing script and polish and paint the sailboat ;-)

/M

Offline SARK devs

Re: IMPORTANT! - ALL Asterisk USERS - READ THIS NOW!!
« Reply #10 on: May 13, 2009, 01:36:00 PM »
> I think that a derivative function is better than a static value.
Much better, but more work.

Let us know how you get on or if you need anything.

:)

Best

S
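Putting Reply #8 (a cron job that greps the Asterisk messages log against a threshold) and Reply #9 (a derivative rule that catches a sudden jump) together, here is an added example that is not from the thread or from SARK/SAIL. It parses the chan_sip "Registration from ... failed for ..." NOTICE lines that Asterisk 1.4/1.6 write to /var/log/asterisk/messages, counts failures per source IP per one-minute window, and raises an alert on either rule; the sample log lines are constructed.

```python
"""Flag SIP registration brute-forcing in Asterisk's messages log: a static per-window
threshold plus a jump-between-windows rule. Added example, not SARK/SAIL code; sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# [Apr 17 21:53:25] NOTICE[2345] chan_sip.c: Registration from '"100"<sip:100@192.0.2.10>' failed for '203.0.113.5' - Wrong password
LINE_RE = re.compile(r"^\[(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2})\] NOTICE\[\d+\] chan_sip\.c: "
                     r"Registration from '[^']*' failed for '(?P<ip>[\d.]+)(?::\d+)?' - (?P<reason>.*)$")

def parse_failures(lines, year=2009):
    """Yield (timestamp, source_ip, reason) for each failed-registration line (year is not logged)."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["ip"], m["reason"]

def count_per_window(events, window_s=60):
    """Return {ip: [failures in window 0, window 1, ...]}, windows anchored at the first event."""
    events = list(events)
    if not events:
        return {}
    t0 = min(ts for ts, _, _ in events)
    nwin = int((max(ts for ts, _, _ in events) - t0).total_seconds() // window_s) + 1
    counts = defaultdict(lambda: [0] * nwin)
    for ts, ip, _ in events:
        counts[ip][int((ts - t0).total_seconds() // window_s)] += 1
    return dict(counts)

def alerts(counts, static_max=20, jump_factor=5):
    """Static rule: a window above static_max. Derivative rule: a window at least
    jump_factor times the previous one (previous treated as >= 1, so 0 -> 5 fires)."""
    out = []
    for ip, series in counts.items():
        for i, n in enumerate(series):
            if n > static_max:
                out.append((ip, i, "threshold", n))
            elif i > 0 and n >= jump_factor * max(series[i - 1], 1):
                out.append((ip, i, "sudden increase", n))
    return out

def _line(ts, ext, ip, reason):  # constructed log line in chan_sip's wording
    return f"[{ts}] NOTICE[2345] chan_sip.c: Registration from '\"{ext}\"<sip:{ext}@192.0.2.10>' failed for '{ip}' - {reason}"

SAMPLE_LOG = (
    [_line("Apr 17 21:50:05", "100", "198.51.100.7", "Wrong password")]  # one mistyped phone password
    + [_line(f"Apr 17 21:51:{s:02d}", str(1000 + s), "203.0.113.9", "No matching peer found") for s in range(5, 15)]
    + [_line(f"Apr 17 21:52:{s:02d}", str(1000 + s), "203.0.113.5", "No matching peer found") for s in range(5, 35)]
)

def scan(lines):
    return alerts(count_per_window(parse_failures(lines)))
```

From cron, feed it the log (for example the last few thousand lines of /var/log/asterisk/messages) and mail whatever `scan()` returns; the ten-per-minute scan is caught only by the derivative rule, the thirty-per-minute one by the static threshold.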