Hello all,
Just to let you know, we have seen two attempted SIP hack attacks over the last month. The attacker floods the Asterisk server with registration requests in the hope that one will pass. If it does then a remote phone is registered to the server and used to dial international or premium rate lines. In one case, the attacker attempted to register extension numbers 1 thru 10000, one after the other (obviously under program control). In each case, the hacker was using the assumption that the extension number and Asterisk password were the same.
So.... If you have remote phones attached to your server then you should consider doing some, or preferably all, of the following:
If you run SARK/SAIL...
- For REMOTE PHONES - make sure that passwords do not match the extension number and that they are strong passwords. SAIL will automatically generate a strong password for you when you create a new extension (versions prior to 2.2.1-631 did not do this). If you do have some cases where extension and password are the same then change the password, commit it and restart the phone. The phone should automatically pick up its new provisioning data and restart normally with the new password.
- Implement Class Of Service to prevent anyone dialling premium rate numbers.
- Consider a Class Of Service restriction to limit phones to dialling only local & emergency numbers at night time (which is when the bogus phone calls usually occur)
If you run some other Asterisk GUI, or vanilla Asterisk...
- You will probably need to manually inspect your remote phones and passwords and change them accordingly. This will likely necessitate reprogramming/reprovisioning the phones.
- Products like FreePBX and its numerous derivatives/superlatives don't support Class Of Service or outbound number class barring so you may need to do a bit of legwork to find a solution which prevents dials to high rate number classes.
You aren't going to stop these attacks but you can make life very difficult for an aggressor by taking just a few minor precautions. You shouldn't need to worry about locally attached phones because a remote attacker probably won't be able to handle the natting necessary to log in as a local over your firewall.
Best
S
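
For the manual inspection step on vanilla Asterisk, a small audit script can list the extensions whose password matches the extension number or is otherwise weak. This is an added example, not part of the original post or of SARK/SAIL; it assumes peers are defined in sip.conf-style sections with a plain `secret=` line, and the sample config and the 12-character minimum are constructed for illustration.

```python
import re

# Constructed sample in sip.conf syntax (not taken from the post).
SAMPLE = """\
[general]
[101]
host=dynamic
secret=101        ; same as the extension number
[102]
secret=4821
[103]
secret=tG7#qLw92ZxpVb3e
[104]
host=dynamic
"""

HEADER = re.compile(r"^\[([^\]]+)\]\s*(\(.*\))?")

def parse_peers(text):
    """Return {section: {option: value}}, skipping [general] and templates."""
    peers, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # ';' starts a comment
        m = HEADER.match(line)
        if m:
            skip = m.group(1) == "general" or "!" in (m.group(2) or "")
            current = None if skip else peers.setdefault(m.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.lstrip(">").strip()
    return peers

def audit(text, min_len=12):
    """List (extension, reason) for weak or missing secrets.
    min_len is an assumed policy value, not an Asterisk setting."""
    findings = []
    for ext, opts in parse_peers(text).items():
        secret = opts.get("secret")
        if not secret:
            findings.append((ext, "no secret set"))
        elif secret == ext:
            findings.append((ext, "secret equals extension number"))
        elif secret.isdigit():
            findings.append((ext, "secret is digits only"))
        elif len(secret) < min_len:
            findings.append((ext, f"secret shorter than {min_len} characters"))
    return findings

if __name__ == "__main__":
    for ext, reason in audit(SAMPLE):
        print(f"[{ext}] {reason}")
```

To check a real server, pass the contents of its SIP configuration file to `audit()` in place of `SAMPLE`.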